Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 8022e43af191157e…

MALICIOUS

Office (OLE)

116.0 KB Created: 2019-07-18 19:19:14 Authoring application: Microsoft Excel First seen: 2021-04-10
MD5: 61e8d23a72ec902422358bf40081bf53 SHA-1: c3289d8ad3c08aee9fa4d4412c175e2464f15d1c SHA-256: 8022e43af191157e7691362ab1ad98fdcf99ff968b54a7a87febd0de5c3b1dc9
104 Risk Score

Heuristics 4

  • ClamAV: Doc.Dropper.Agent-7166804-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-7166804-0
  • Suspicious cmd.exe invocation with execution flag high SC_STR_CMD
    Suspicious cmd.exe invocation with execution flag
  • VBA project contains no executable statements info OLE_VBA_MACROS
    Document contains a VBA project, but extracted modules only contain attributes/options/comments and no executable statements.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://tl.symcd.com0& In document text (OLE body)
    • http://t2.symcb.com0In document text (OLE body)
    • http://45.67.229.36/p2In document text (OLE body)
    • http://tl.symcb.com/tl.crl0In document text (OLE body)
    • https://www.thawte.com/cps0/In document text (OLE body)
    • https://www.thawte.com/repository0WIn document text (OLE body)
    • http://tl.symcb.com/tl.crt0In document text (OLE body)
    • http://t1.symcb.com/ThawtePCA.crl0In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas🔏 SignedVBA project digital signature
Covers VBA source only — not the compiled p-code. A digital signature does not by itself mean the macro is safe.		 vba-macro oletools.olevba.extract_macros (decoded VBA source) 1810 bytes
SHA-256: 67928af27b545c83e42945fdaa7aa6b13d07bf3dc13371288ed333f4c87a3588
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
'Macro code was removed by Symantec Disarm

Attribute VB_Name = "CodeBlock"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
'Macro code was removed by Symantec Disarm

Attribute VB_Name = "Modu"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
'Macro code was removed by Symantec Disarm

Attribute VB_Name = "Class1"
Attribute VB_Base = "0{AD22E976-5DF7-4FDB-A69B-8BED853026B6}{F68DAF15-6339-40C4-A711-2CA8AAD63B26}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
'Macro code was removed by Symantec Disarm

Attribute VB_Name = "Class5"
Attribute VB_Base = "0{0707DED2-DC73-4C26-A540-580A851DB866}{C26F84DE-85FD-4BA1-B5FE-A7545C0F307E}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
'Macro code was removed by Symantec Disarm

Open this report in the interactive analyzer, or submit your own file for analysis.