Office (OLE) malware analysis — malicious · 75341d0ed6c8b83e

MALICIOUS

Office (OLE)

472.0 KB Created: 2019-12-23 13:17:00 Authoring application: Microsoft Office Word First seen: 2020-02-04

MD5: 8764dc1a14388b2a66186ed013304d17 SHA-1: e852d9eff307aaba119eb173f535c2f7e925e27d SHA-256: 75341d0ed6c8b83ee77ab0e36532b661b7f1b1d671de2aed7a432f2ce680aa58

162 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The sample is an Office document containing VBA macros, flagged by multiple high-severity heuristics including CreateObject and CallByName. ClamAV also detected it as a dropper. The VBA code, though partially truncated, indicates an attempt to execute code and likely download a payload, consistent with a malicious dropper.

Heuristics 5

ClamAV: Doc.Dropper.Detected-10024943-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Dropper.Detected-10024943-0
VBA macros detected medium 2 related findings OLE_VBA_MACROS

Document contains VBA macro code
CreateObject call high OLE_VBA_CREATEOBJ

CreateObject call
CallByName call high OLE_VBA_CALLBYNAME

CallByName call
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 8578 bytes

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	8578 bytes
SHA-256: `bda8e9b08de839dbdaba6af7ccef117ca3155aa46a24eb9c997c6c91b630a42b`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Attribute VB_Control = "Frame1, 0, 0, MSForms, Frame" 'okey donkey Private Kiolbtfg As String Private Rftyhip As String Private FedcvP As String Private Cdsx_pol As String Private Mkuijp5 As String Sub UpdateALL() Dim oStory As Range For Each oStory In ActiveDocument.StoryRanges oStory.Fields.Update If oStory.StoryType <> wdMainTextStory Then While Not (oStory.NextStoryRange Is Nothing) Set oStory = oStory.NextStoryRange oStory.Fields.Update Wend End If Next oStory lbl_Exit: Set oStory = Nothing Exit Sub End Sub Sub ExtractACRONYMSToNewDocument() Dim oDoc_Source As Document Dim oDoc_Target As Document Dim strListSep As String Dim strAcronym As String Dim oTable As Table Dim oRange As Range Dim n As Long Dim strAllFound As String Dim Title As String Dim Msg As String Title = "Extract Acronyms to New Document" 'Show msg - stop if user does not click Yes Msg = "This macro finds all words consisting of 3 or more " & _ "uppercase letters and extracts the words to a table " & _ "in a new document where you can add definitions." & vbCr & vbCr & _ "Do you want to continue?" If MsgBox(Msg, vbYesNo + vbQuestion, Title) <> vbYes Then Exit Sub End If Application.ScreenUpdating = False 'Find the list separator from international settings 'May be a comma or semicolon depending on the country strListSep = Application.International(wdListSeparator) 'Start a string to be used for storing names of acronyms found strAllFound = "#" Set oDoc_Source = ActiveDocument 'Create new document for acronyms Set oDoc_Target = Documents.Add With oDoc_Target 'Make sure document is empty .Range = "" 'Insert info in header - change date format as you wish .PageSetup.TopMargin = CentimetersToPoints(3) .Sections(1).Headers(wdHeaderFooterPrimary).Range.Text = _ "Acronyms extracted from: " & oDoc_Source.FullName & vbCr & _ "Created by: " & Application.UserName & vbCr & _ "Creation date: " & Format(Date, "MMMM d, yyyy") 'Adjust the Normal style and Header style With .Styles(wdStyleNormal) .Font.Name = "Arial" .Font.Size = 10 .ParagraphFormat.LeftIndent = 0 .ParagraphFormat.SpaceAfter = 6 End With With .Styles(wdStyleHeader) .Font.Size = 8 .ParagraphFormat.SpaceAfter = 0 End With 'Insert a table with room for acronym and definition Set oTable = .Tables.Add(Range:=.Range, NumRows:=2, NumColumns:=3) With oTable 'Format the table a bit 'Insert headings .Range.Style = wdStyleNormal .AllowAutoFit = False .Cell(1, 1).Range.Text = "Acronym" .Cell(1, 2).Range.Text = "Definition" .Cell(1, 3).Range.Text = "Page" 'Set row as heading row .Rows(1).HeadingFormat = True .Rows(1).Range.Font.Bold = True .PreferredWidthType = wdPreferredWidthPercent .Columns(1).PreferredWidth = 20 .Columns(2).PreferredWidth = 70 .Columns(3).PreferredWidth = 10 End With End With With oDoc_Source Set oRange = .Range n = 1 'used to count below With oRange.Find 'Use wildcard search to find strings consisting of 3 or more uppercase letters 'Set the search conditions 'NOTE: If you w ... (truncated)

SHA-256: bda8e9b08de839dbdaba6af7ccef117ca3155aa46a24eb9c997c6c91b630a42b

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "Frame1, 0, 0, MSForms, Frame"
'okey donkey


Private Kiolbtfg As String
Private Rftyhip As String
Private FedcvP As String
Private Cdsx_pol As String
Private Mkuijp5 As String


Sub UpdateALL()
Dim oStory As Range
For Each oStory In ActiveDocument.StoryRanges
    oStory.Fields.Update
If oStory.StoryType <> wdMainTextStory Then
    While Not (oStory.NextStoryRange Is Nothing)
        Set oStory = oStory.NextStoryRange
        oStory.Fields.Update
    Wend
End If
Next oStory
lbl_Exit:
Set oStory = Nothing
    Exit Sub
End Sub


Sub ExtractACRONYMSToNewDocument()

    Dim oDoc_Source As Document
    Dim oDoc_Target As Document
    Dim strListSep As String
    Dim strAcronym As String
    Dim oTable As Table
    Dim oRange As Range
    Dim n As Long
    Dim strAllFound As String
    Dim Title As String
    Dim Msg As String

    Title = "Extract Acronyms to New Document"
    
    'Show msg - stop if user does not click Yes
    Msg = "This macro finds all words consisting of 3 or more " & _
        "uppercase letters and extracts the words to a table " & _
        "in a new document where you can add definitions." & vbCr & vbCr & _
        "Do you want to continue?"

    If MsgBox(Msg, vbYesNo + vbQuestion, Title) <> vbYes Then
        Exit Sub
    End If
    
    Application.ScreenUpdating = False
    
    'Find the list separator from international settings
    'May be a comma or semicolon depending on the country
    strListSep = Application.International(wdListSeparator)
    
    'Start a string to be used for storing names of acronyms found
    strAllFound = "#"
    
    Set oDoc_Source = ActiveDocument
    
    'Create new document for acronyms
    Set oDoc_Target = Documents.Add
    
    With oDoc_Target
        'Make sure document is empty
        .Range = ""
    
        'Insert info in header - change date format as you wish
        .PageSetup.TopMargin = CentimetersToPoints(3)
        .Sections(1).Headers(wdHeaderFooterPrimary).Range.Text = _
            "Acronyms extracted from: " & oDoc_Source.FullName & vbCr & _
            "Created by: " & Application.UserName & vbCr & _
            "Creation date: " & Format(Date, "MMMM d, yyyy")
                
        'Adjust the Normal style and Header style
        With .Styles(wdStyleNormal)
            .Font.Name = "Arial"
            .Font.Size = 10
            .ParagraphFormat.LeftIndent = 0
            .ParagraphFormat.SpaceAfter = 6
        End With
    
        With .Styles(wdStyleHeader)
            .Font.Size = 8
            .ParagraphFormat.SpaceAfter = 0
        End With
        
        'Insert a table with room for acronym and definition
        Set oTable = .Tables.Add(Range:=.Range, NumRows:=2, NumColumns:=3)
        With oTable
            'Format the table a bit
            'Insert headings
            .Range.Style = wdStyleNormal
            .AllowAutoFit = False
            
            .Cell(1, 1).Range.Text = "Acronym"
            .Cell(1, 2).Range.Text = "Definition"
            .Cell(1, 3).Range.Text = "Page"
            'Set row as heading row
            .Rows(1).HeadingFormat = True
            .Rows(1).Range.Font.Bold = True
            .PreferredWidthType = wdPreferredWidthPercent
            .Columns(1).PreferredWidth = 20
            .Columns(2).PreferredWidth = 70
            .Columns(3).PreferredWidth = 10
        End With
    End With
    
    With oDoc_Source
        Set oRange = .Range
        
        n = 1 'used to count below
        
        With oRange.Find
            'Use wildcard search to find strings consisting of 3 or more uppercase letters
            'Set the search conditions
            'NOTE: If you w
... (truncated)

Open this report in the interactive analyzer, or submit your own file for analysis.