Office (OLE) malware analysis — malicious · c5c16b0fb0fcff4c

MALICIOUS

Office (OLE)

186.0 KB Created: 2017-01-12 15:28:00 Authoring application: Microsoft Office Word First seen: 2019-03-10

MD5: 125dcf2398fc76f3f1648e75260bd08d SHA-1: dc31d8573932aef25d8b4bff76942ce76a4d939d SHA-256: c5c16b0fb0fcff4cf7a7a748fb8b960ac6d5b897b3a5a73f57507c0b040b1826

70 Risk Score

Malware Insights

MITRE ATT&CK

T1203 Exploitation for Client Execution

The sample is an OLE document with a verdict of malicious. A critical heuristic firing indicates the use of the WriteProcessMemory API, suggesting an attempt to exploit a vulnerability for code execution. No VBA macros or embedded scripts were found to contain executable statements, and all extracted URLs were confirmed as benign.

Heuristics 3

Reference to WriteProcessMemory API critical SC_STR_WRITEPROCESSMEMORY

Reference to WriteProcessMemory API
VBA project contains no executable statements low OLE_VBA_MACROS

Document contains a VBA project, but extracted modules only contain attributes/options/comments and no executable statements.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://ns.adobe.com/xap/1.0/ In document text (OLE body)
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In document text (OLE body)
- http://ns.adobe.com/photoshop/1.0/In document text (OLE body)
- http://purl.org/dc/elements/1.1/In document text (OLE body)
- http://ns.adobe.com/xap/1.0/mm/In document text (OLE body)
- http://ns.adobe.com/xap/1.0/sType/ResourceEvent#In document text (OLE body)
- http://ns.adobe.com/xap/1.0/sType/ResourceRef#In document text (OLE body)
- http://ns.adobe.com/camera-raw-settings/1.0/In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 343 bytes

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	343 bytes
SHA-256: `7c263c291adb98a32b8037673e24d7bf670777302d99eb2ca6c4187563163582`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "steamboat" Attribute VB_Base = "0{7E3D2AB0-C101-4BA5-BDD4-6D5B37D9384A}{5AEFC0FE-C76D-4D20-AD70-8AB7E6D60565}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = False Attribute VB_TemplateDerived = False Attribute VB_Customizable = False

SHA-256: 7c263c291adb98a32b8037673e24d7bf670777302d99eb2ca6c4187563163582

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "steamboat"
Attribute VB_Base = "0{7E3D2AB0-C101-4BA5-BDD4-6D5B37D9384A}{5AEFC0FE-C76D-4D20-AD70-8AB7E6D60565}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Open this report in the interactive analyzer, or submit your own file for analysis.