Office (OOXML) / .OLE malware analysis — malicious · 5bf8bb40d3b7c932

MALICIOUS

Office (OOXML) / .OLE

76.0 KB Created: 2020-06-15 08:19:55 UTC Authoring application: Microsoft Excel 16.0300

MD5: a9bf86474ee6fe20f4990da6a989b3da SHA-1: e1c14f994e68562521e29c9929d03b95caa9ad75 SHA-256: 5bf8bb40d3b7c932dc231501a66205e1ae371ec0bd16426d8d4e8213c22c9f41

240 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1204.002 Malicious File

The sample is an Office document containing VBA macros that leverage WScript.Shell to execute a downloaded payload. The 'ShowForms_Layout' subroutine reconstructs a string 'm' which is then passed to the Run method of a WScript.Shell object, indicating it's designed to download and execute a second-stage payload. The ClamAV detection name 'Doc.Dropper.Agent' further supports this dropper functionality.

Heuristics 5

Shell() call in VBA critical OLE_VBA_SHELL

Shell() call in VBA
WScript.Shell usage critical OLE_VBA_WSCRIPT

WScript.Shell usage
ClamAV: Doc.Dropper.Agent-8044619-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Dropper.Agent-8044619-0
CreateObject call high OLE_VBA_CREATEOBJ

CreateObject call
VBA project inside OOXML medium OOXML_VBA

Document contains a VBA project — VBA macros present

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `3f87b67c5fe881a1fc88ea88365fd3206e89df95098cf42b11bba9fd055aedc1`	vba-macro	oletools.olevba.extract_macros (decoded VBA source from OOXML)	1259 bytes
`vbaProject_00.bin` `e03a8032a95ea1acc9a28e04d4c54a0929aeee772087f53ffe574923b4dec13a`	vba-project	OOXML VBA project: xl/vbaProject.bin	15872 bytes
`emf_00.emf` `edb6e57d66dea41e16ecd4a4380938a753ca617c572f43194268edfcd2dca013`	ooxml-emf	OOXML EMF part: xl/media/image1.emf	1976 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.