Malicious Office (OLE) — malware analysis report

Heuristics 8

• ClamAV: Doc.Dropper.Valyria-6667982-0 critical CLAMAV_DETECTION
  ClamAV detected this file as malware: Doc.Dropper.Valyria-6667982-0
• OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
  OLE file is 450,719 bytes but its declared streams total only 69,043 bytes — 381,676 bytes (85%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
• LOLBin token sequence in document text high SE_LOLBIN_RUN_COMMAND
  Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
• Password-protected archive handoff high SE_PASSWORD_ARCHIVE_LURE
  Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
• VBA macros detected medium 1 related finding OLE_VBA_MACROS
  Document contains VBA macro code
• AutoOpen macro high OLE_VBA_AUTOOPEN
  AutoOpen macro
• Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
  OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
• Embedded URL info EMBEDDED_URL
  One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL http://www.peteka.no/wp-content/uploads/2016/11/mod_filezipr.php In document text (OLE body)

  • http://www.copyland.su/upload/1c_catalog/import_files/79/mod_filezipr.phpIn document text (OLE body)
  • http://www.boldrini.org.br/wp-content/themes/twentyfourteen/images/mod_filezipr.phpIn document text (OLE body)
  • http://www.staybrightrooflight.co.uk/wp-content/plugins/godaddy-email-marketing-sign-up-forms/js/mod_filezipr.phpIn document text (OLE body)
  • http://www.seven-temptations.com/administrator/components/com_templates/tables/mod_filezipr.phpIn document text (OLE body)
  • http://www.personal.nwolb.user.log.security.cod.issue.fondue-at-the-fountain.com/.well-known/yulluo/mod_filezipr.phpIn document text (OLE body)
  • http://www.solomusiclessons.com/wp-content/uploads/2018/03/mod_filezipr.phpIn document text (OLE body)
  • http://www.mrsfashion.net/wp-content/themes/florida-wp/languages/mod_filezipr.phpIn document text (OLE body)
  • http://www.8.prakt123.z8.ru/components/com_content/views/category/mod_filezipr.phpIn document text (OLE body)
  • http://www.avtosteklomarket.ru/administrator/components/com_jshopping/js/mod_filezipr.phpIn document text (OLE body)
  • http://www.17194.p17.justsv.com/demo/inc/mods/cloaka/mod_filezipr.phpIn document text (OLE body)
  • http://www.msajadi.com/wp-content/plugins/wp-private-content-plus/classes/mod_filezipr.phpIn document text (OLE body)
  • http://www.nevadaendo.com/newsite/wp-content/plugins/wordpress-seo/mod_filezipr.phpIn document text (OLE body)
  • http://www.domotextil.ru/image/cache/data/new_2017_05/mod_filezipr.phpIn document text (OLE body)
  • http://www.sprays-omkarenterprises.com/wp-content/plugins/godaddy-email-marketing-sign-up-forms/images/mod_filezipr.phpIn document text (OLE body)
  • http://www.khoabacninh.com/wp-content/plugins/wp-lightbox-2/styles/mod_filezipr.phpIn document text (OLE body)
  • http://www.readygirl.org/Plus/PK/Plus/background/mod_filezipr.phpIn document text (OLE body)
  • http://www.sophiethomasartist.com/wp-content/themes/twentysixteen/inc/mod_filezipr.phpIn document text (OLE body)
  • http://www.doradoux.fr/blog/wp-content/themes/twentyfourteen/mod_filezipr.phpIn document text (OLE body)
  • http://www.handpaintedmurals.ca/tomasfrido/wp-includes/images/wlw/mod_filezipr.phpIn document text (OLE body)
  • http://www.chara-advokat.cz/wp-content/plugins/revslider/admin/mod_filezipr.phpIn document text (OLE body)
  • http://www.softwareworld.co/wp-content/plugins/wordpress-seo/js/mod_filezipr.phpIn document text (OLE body)
  • http://www.bigbit.tk/wp-includes/js/jquery/ui/mod_filezipr.phpIn document text (OLE body)
  • http://www.seshcinematography.com/wp-content/themes/twentyseventeen/template-parts/mod_filezipr.phpIn document text (OLE body)
  • http://www.daverocheleau.com/cgi-bin/CNTRGIFS/_vti_cnf/nowir/ini_mod_filezipr.phpIn document text (OLE body)
  • http://www.wuzuf.net/wp-includes/Requests/Exception/Transport/mod_filezipr.phpIn document text (OLE body)
  • http://www.sesfabrikasi.com/wp-content/uploads/2018/03/mod_filezipr.phpIn document text (OLE body)
  • http://www.qualitycoresystems.com/images/cncm/mod_filezipr.phpIn document text (OLE body)
  • http://www.sefahathane1992.com/wp-content/themes/tracks/styles/mod_filezipr.phpIn document text (OLE body)
  • http://www.formation-prise-de-parole.fr/wp-content/themes/twentyfourteen/inc/mod_filezipr.phpIn document text (OLE body)
  • http://www.rapido.net.br/clientes/hotelsereia/assets/bootstrap/mod_filezipr.phpIn document text (OLE body)
  • http://www.mum2.ru/wp-includes/js/tinymce/themes/mod_filezipr.phpIn document text (OLE body)
  • http://www.serkankoc.com.tr/wp-content/themes/twentysixteen/css/mod_filezipr.phpIn document text (OLE body)
  • http://www.advokatus.lt/wp-content/plugins/wordfence/waf/mod_filezipr.phpIn document text (OLE body)
  • http://www.elaboody.com/ini_mod_filezipr.phpIn document text (OLE body)
  • http://www.sqlforall.com/wp-content/themes/education-park/js/mod_filezipr.phpIn document text (OLE body)
  • http://www.contango.ly/wp-content/plugins/wp-hide-security-enhancer/js/mod_filezipr.phpIn document text (OLE body)
  • http://www.eruslanov.ru/wp-admin/1/3d79a0047359255cc3bef9426/img/mod_filezipr.phpIn document text (OLE body)
  • http://www.mmt.ro/wp-content/plugins/wpml-cms-nav/res/mod_filezipr.phpIn document text (OLE body)
  • http://www.14.deduch.z8.ru/wp-admin/css/colors/coffee/mod_filezipr.phpIn document text (OLE body)
  • http://www.onwardandupwards.org/wp-content/themes/twentyten/languages/mod_filezipr.phpIn document text (OLE body)
  • http://www.etesltd.com/aspnet_client/system_web/1_1_4322/_vti_cnf/ini_mod_filezipr.phpIn document text (OLE body)
  • http://www.stvalentinecare.co.uk/wp-content/themes/appointment/css/mod_filezipr.phpIn document text (OLE body)
  • http://www.plowparts.net/dir/wp-includes/images/crystal/mod_filezipr.phpIn document text (OLE body)
  • http://www.setfireltd.com/wp-content/plugins/godaddy-email-marketing-sign-up-forms/languages/mod_filezipr.phpIn document text (OLE body)
  • http://www.ucardoor.com/ckeditor/plugins/about/dialogs/mod_filezipr.phpIn document text (OLE body)
  • http://www.hq2016.cn/data/attachment/block/08/mod_filezipr.phpIn document text (OLE body)
  • http://www.osotspa-international.com/cn/wp-includes/js/plupload/mod_filezipr.phpIn document text (OLE body)
  • http://www.halong-bay-cruises.com/wp-content/plugins/wp-optimize/templates/mod_filezipr.phpIn document text (OLE body)
  • http://www.tabletcomputerhelp.com/wp-content/uploads/2017/09/mod_filezipr.phpIn document text (OLE body)

  +3200 more URL(s)

Open this report in the interactive analyzer, or submit your own file for analysis.