Office (OLE) malware analysis — malicious · 49868cc5616da933

MALICIOUS

Office (OLE)

178.0 KB Created: 2018-05-06 09:57:00 Authoring application: Microsoft Office Word First seen: 2019-05-10

MD5: 9af05128828f6de9023ca46d7aac0b49 SHA-1: fe75103761f95557724f52a1c052e0bedbd9fff0 SHA-256: 49868cc5616da933500be570913320575c4607ff26b263bee5afb8fbd8ea22bb

64 Risk Score

Heuristics 3

Raw OLE macro native-memory callback shellcode loader critical OLE_RAW_MACRO_NATIVE_MEMORY_CALLBACK_LOADER

Raw OLE/VBA project text contains an auto-exec entry plus native memory allocation, process-memory write/copy, and callback/timer execution APIs. This catches source-stomped or partially recovered VBA loaders where the extracted macro source omits the auto-run entry, but the compiled/source project bytes still expose the in-memory shellcode loader triad.
VBA project contains no executable statements info OLE_VBA_MACROS

Document contains a VBA project, but extracted modules only contain attributes/options/comments and no executable statements.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://ns.adobe.com/xap/1.0/ In document text (OLE body)
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In document text (OLE body)
- http://ns.adobe.com/photoshop/1.0/In document text (OLE body)
- http://purl.org/dc/elements/1.1/In document text (OLE body)
- http://ns.adobe.com/xap/1.0/mm/In document text (OLE body)
- http://ns.adobe.com/xap/1.0/sType/ResourceEvent#In document text (OLE body)
- http://ns.adobe.com/xap/1.0/sType/ResourceRef#In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 345 bytes

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	345 bytes
SHA-256: `7b80111b03f97c4517f462378b3f00a06a7b75476c31237a1b08c6d4eac333ff`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "masticophis" Attribute VB_Base = "0{2D5EDA5B-EC8D-4841-92D1-BCD1CED149BC}{9A33CC15-8350-4C49-8ACC-AB0E1DC5B334}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = False Attribute VB_TemplateDerived = False Attribute VB_Customizable = False

SHA-256: 7b80111b03f97c4517f462378b3f00a06a7b75476c31237a1b08c6d4eac333ff

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "masticophis"
Attribute VB_Base = "0{2D5EDA5B-EC8D-4841-92D1-BCD1CED149BC}{9A33CC15-8350-4C49-8ACC-AB0E1DC5B334}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Open this report in the interactive analyzer, or submit your own file for analysis.