Office (OLE) malware analysis — malicious · 1f2be0267a715b65

MALICIOUS

Office (OLE)

128.0 KB Created: 2019-05-18 07:27:21 Authoring application: Microsoft Excel First seen: 2021-04-10

MD5: 091c46b7168f2f18368f120ae2e31197 SHA-1: bd84a8bd2e1380b917baae55124766c5d4c1fd5e SHA-256: 1f2be0267a715b6537e14dc8150b32e5cd48bd2642889f89912ec3d1a4bfe1ea

144 Risk Score

Heuristics 5

ClamAV: Doc.Dropper.Agent-7054692-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Dropper.Agent-7054692-0
Suspicious cmd.exe invocation with execution flag high SC_STR_CMD

Suspicious cmd.exe invocation with execution flag
Password-protected archive handoff high SE_PASSWORD_ARCHIVE_LURE

Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
VBA project contains no executable statements info OLE_VBA_MACROS

Document contains a VBA project, but extracted modules only contain attributes/options/comments and no executable statements.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://t2.symcb.com0 In document text (OLE body)
- http://tl.symcd.com0&In document text (OLE body)
- http://bascif.com/tt2In document text (OLE body)
- http://t1.symcb.com/ThawtePCA.crl0In document text (OLE body)
- http://tl.symcb.com/tl.crl0In document text (OLE body)
- https://www.thawte.com/cps0/In document text (OLE body)
- https://www.thawte.com/repository0WIn document text (OLE body)
- http://tl.symcb.com/tl.crt0In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

Filename	Kind	Source	Size
`macros.bas`🔏 SignedVBA project digital signature Covers VBA source only — not the compiled p-code. A digital signature does not by itself mean the macro is safe.	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	1815 bytes
SHA-256: `bcf3daeb45156a594d2348a2a302c40b6b378b6b9979eb59a6f2801942ff86f9`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisWorkbook" Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True 'Macro code was removed by Symantec Disarm Attribute VB_Name = "Sheet1" Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True 'Macro code was removed by Symantec Disarm Attribute VB_Name = "UserForm8" Attribute VB_Base = "0{24288D79-5638-4C5C-B208-07A6C623B1F7}{1AB7E616-12BE-48D9-AF15-467C948DFF4D}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = False Attribute VB_TemplateDerived = False Attribute VB_Customizable = False 'Macro code was removed by Symantec Disarm Attribute VB_Name = "Class1" Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = False Attribute VB_Exposed = False Attribute VB_TemplateDerived = False Attribute VB_Customizable = False 'Macro code was removed by Symantec Disarm Attribute VB_Name = "UserForm7" Attribute VB_Base = "0{D08B52F0-0485-4D2A-B95C-1D2B5DA1C733}{A550A1B3-7AE1-42F4-944B-573CACD6D0DE}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = False Attribute VB_TemplateDerived = False Attribute VB_Customizable = False 'Macro code was removed by Symantec Disarm

macros.bas🔏 Signed

vba-macro

oletools.olevba.extract_macros (decoded VBA source)

1815 bytes

SHA-256: bcf3daeb45156a594d2348a2a302c40b6b378b6b9979eb59a6f2801942ff86f9

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
'Macro code was removed by Symantec Disarm

Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
'Macro code was removed by Symantec Disarm

Attribute VB_Name = "UserForm8"
Attribute VB_Base = "0{24288D79-5638-4C5C-B208-07A6C623B1F7}{1AB7E616-12BE-48D9-AF15-467C948DFF4D}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
'Macro code was removed by Symantec Disarm

Attribute VB_Name = "Class1"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
'Macro code was removed by Symantec Disarm

Attribute VB_Name = "UserForm7"
Attribute VB_Base = "0{D08B52F0-0485-4D2A-B95C-1D2B5DA1C733}{A550A1B3-7AE1-42F4-944B-573CACD6D0DE}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
'Macro code was removed by Symantec Disarm

Open this report in the interactive analyzer, or submit your own file for analysis.