Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 98fe0b166f550446…

MALICIOUS

Office (OLE)

132.0 KB Created: 2020-02-13 14:53:00 Authoring application: Microsoft Office Word First seen: 2020-07-24
MD5: 3e477c4680e0f3d8fc1fcdf58b29c5fd SHA-1: 6e3da884fbebe14cdd60b6a8930a72c51fe26d19 SHA-256: 98fe0b166f550446cbf9e0f368eb8bea79d2eec29fa033cee1ff8f8e38a12836
284 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.005 Visual Basic T1140 Deobfuscate or Obfuscate Malicious Files or Information

The sample is a Microsoft Office document containing VBA macros, specifically a Document_Open macro that uses CreateObject to execute code. The document body explicitly instructs the user to 'Enable editing' and 'Enable content', indicating a social engineering lure to bypass macro security. The presence of obfuscated API names like 'MSXML2' suggests an attempt to hide malicious activity. The macro likely downloads and executes a second-stage payload, as indicated by the ClamAV detection name 'Doc.Dropper.Agent-7611638-0'.

Heuristics 9

  • ClamAV: Doc.Dropper.Agent-7611638-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-7611638-0
  • VBA macros detected medium 4 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Dangerous API name reassembled from split string literals critical OLE_VBA_SPLIT_KEYWORD_OBFUSCATION
    VBA concatenates short string literals that reassemble a dangerous API/ProgID/LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) which appears in no single literal. Splitting an API name across string concatenation is done only to evade keyword scanning.
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Macro/content-enable lure medium SE_ENABLE_LURE
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://www.rondebruin.nl/win/s9/win002.htm In document text (OLE body)
    • http://ns.adobe.com/xap/1.0/In document text (OLE body)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In document text (OLE body)
    • http://ns.adobe.com/xap/1.0/mm/In document text (OLE body)
    • http://ns.adobe.com/xap/1.0/sType/ResourceRef#In document text (OLE body)
    • http://schemas.openxmlformats.org/drawingml/2006/mainIn document text (OLE body)
    • https://www.google.com/In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 51381 bytes
SHA-256: ddcb009b8ad009449a09a7e5743c31f9f7abad8c4944e1ceb02467ccd222000b
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 long base64-like blob(s).
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
#If Win64 Then
Private Declare PtrSafe Function WideCharToMultiByte Lib "kernel32" (ByVal CodePage As LongPtr, ByVal dwFlags As LongPtr, ByVal lpWideCharStr As LongPtr, ByVal cchWideChar As LongPtr, lpMultiByteStr As Any, ByVal cchMultiByte As LongPtr, ByVal lpDefaultChar As LongPtr, ByVal lpUsedDefaultChar As LongPtr) As LongPtr
Private Declare PtrSafe Function MultiByteToWideChar Lib "kernel32" (ByVal CodePage As LongPtr, ByVal dwFlags As LongPtr, lpMultiByteStr As Any, ByVal cchMultiByte As LongPtr, ByVal lpWideCharStr As LongPtr, ByVal cchWideChar As LongPtr) As Long
#Else
Private Declare Function WideCharToMultiByte Lib "kernel32" (ByVal CodePage As Long, ByVal dwFlags As Long, ByVal lpWideCharStr As Long, ByVal cchWideChar As Long, lpMultiByteStr As Any, ByVal cchMultiByte As Long, ByVal lpDefaultChar As Long, ByVal lpUsedDefaultChar As Long) As Long
Private Declare Function MultiByteToWideChar Lib "kernel32" (ByVal CodePage As Long, ByVal dwFlags As Long, lpMultiByteStr As Any, ByVal cchMultiByte As Long, ByVal lpWideCharStr As Long, ByVal cchWideChar As Long) As Long

#End If



 Dim BhyeKo As Variant
 Dim GreFvcAc As Variant
 Dim Gteres As Variant

Private pKartentyp As String
Private pKanal As Integer
Private pAnschluss1 As String
Private pAnschluss2 As String
Private pAnschluss3 As String
Private pAnschluss4 As String
Private pAnschlussM As String
Private pAnschlussVS As String

''''''''''''''''''''''
' Kartentyp property
''''''''''''''''''''''
Public Property Get Kartentyp() As String
    Kartentyp = pKartentyp
End Property

Public Property Let Kartentyp(ByVal Value As String)
    pKartentyp = Value
End Property

''''''''''''''''''''''
' Kanal property
''''''''''''''''''''''
Public Property Get Kanal() As Integer
    Kanal = pKanal
End Property

Public Property Let Kanal(ByVal Value As Integer)
    pKanal = Value
End Property

''''''''''''''''''''''
' Anschluss_1 property
''''''''''''''''''''''
Public Property Get Anschluss1() As String
    Anschluss1 = pAnschluss1
End Property

Public Property Let Anschluss1(ByVal Value As String)
    pAnschluss1 = Value
End Property

''''''''''''''''''''''
' Anschluss_2 property
''''''''''''''''''''''
Public Property Get Anschluss2() As String
    Anschluss2 = pAnschluss2
End Property

Public Property Let Anschluss2(ByVal Value As String)
    pAnschluss2 = Value
End Property

''''''''''''''''''''''
' Anschluss_3 property
''''''''''''''''''''''
Public Property Get Anschluss3() As String
    Anschluss3 = pAnschluss3
End Property

Public Property Let Anschluss3(ByVal Value As String)
    pAnschluss3 = Value
End Property

''''''''''''''''''''''
' Anschluss_4 property
''''''''''''''''''''''
Public Property Get Anschluss4() As String
    Anschluss4 = pAnschluss4
End Property

Public Property Let Anschluss4(ByVal Value As String)
    pAnschluss4 = Value
End Property

''''''''''''''''''''''
' Anschluss_M property
''''''''''''''''''''''
Public Property Get AnschlussM() As String
    AnschlussM = pAnschlussM
End Property

Public Property Let AnschlussM(ByVal Value As String)
    pAnschlussM = Value
End Property

''''''''''''''''''''''
' Anschluss_VS property
''''''''''''''''''''''
Public Property Get AnschlussVS() As String
    AnschlussVS = pAnschlussVS
End Property

Public Property Let AnschlussVS(ByVal Value As String)
    pAnschlussVS = Value
End Property

Sub VB_market()
    For Each ws In ThisWorkbook.Worksheets
    ws.Activate

    'Clear all the existing formats for all the empty cells
    Range("I:Z").ClearContents
    Range("I:Z").ClearFormats
    
    'Assign headers to the corresponding columns
    Cells(1, 9).Value = "Ticker"
    Cells(1, 10).Value = "Yearly_Change"
    
... (truncated)