Malicious Office (OOXML) — malware analysis report

Heuristics 8

• Shell() call in VBA critical OLE_VBA_SHELL
  Shell() call in VBA
• Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
  Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
• Workbook_Open macro high OLE_VBA_WBOPEN
  Workbook_Open macro
• CreateObject call high OLE_VBA_CREATEOBJ
  CreateObject call
• CallByName call high OLE_VBA_CALLBYNAME
  CallByName call
• VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
  Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
• VBA project inside OOXML medium OOXML_VBA
  Document contains a VBA project — VBA macros present
• Embedded URL info EMBEDDED_URL
  One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL https://github.com/timhall/VBA-Dictionary

  • https://github.com/VBA-tools/VBA-Web
  • https://quickfs.net/profile
  • https://quickfs.net/account
  • https://quickfs.net/watchlist
  • https://quickfs.net/screener
  • https://quickfs.net/templates
  • https://quickfs.net/upgrade
  • https://quickfs.net/using-the-excel-add-in
  • https://api.quickfs.net/v2/tokens
  • https://beta.quickfs.net/beta
  • https://quickfs.net
  • https://api.example/com/v1/messages/123
  • http://www.outlookexchange.com/articles/toddwalker/BuiltInOLKIcons.asp
  • https://github.com/VBA-tools/VBA-Web/wiki/XML-Support-in-4.0
  • https://github.com/VBA-tools/VBA-Web/wiki/Url-Encoding
  • http://www.di-mgt.com.au/src/basMD5.bas.html
  • https://github.com/VBA-tools/VBA-JSON
  • http://www.vbaccelerator.com/home/VB/Code/Techniques/RunTime_Debug_Tracing/VB6_Tracer_Utility_zip_cStringBuilder_cls.asp
  • https://github.com/VBA-tools/VBA-JSON/pull/82
  • https://github.com/VBA-tools/VBA-UtcConverter
  • https://appletoolbox.com/2015/10/mouse-cursor-pointer-disappears-invisible-missing-fix/
  • https://github.com/VBA-tools/VBA-Webt
  • https://github.com/VBA-tools/VBA-Web/VBA-W�
  • https://quickfs.net/screener�
  • https://quickfs.net/using-the-excel-add-in�
  • https://github.com/VBA-tools/VBA-Web�
  • http://www.outlookexchange.com/articles/toddwalker/BuiltInOLKIcons.asp�
  • http://schemas.microsoft.com/office/2006/01/customui
  • http://schemas.microsoft.com/office/2009/07/customui
  • http://www.opensource.org/licenses/mit-license.php
  • http://msdn.microsoft.com/en-us/library/office/gg278481(v=office.15).aspx
  • https://www.example.com/api/
  • https://api.example.com/v1/messages
  • https://api.example.com/v1/users/id
  • https://api.example.com/v1/
  • https://msdn.microsoft.com/en-us/library/aa383770(VS.85).aspx
  • http://curl.haxx.se/libcurl/c/libcurl-errors.html
  • https://api.example.com/v1/messages/1
  • http://msdn.microsoft.com/en-us/library/windows/desktop/aa384059(v=vs.85).aspx
  • https://api.example.com/
  • https://api.example.com/messages
  • https://api.example.com/messages/123?a=1&b=2
  • https://tools.ietf.org/html/rfc6265
  • http://msdn.microsoft.com/en-us/library/windows/desktop/ms724421.aspx
  • http://msdn.microsoft.com/en-us/library/windows/desktop/ms724949.aspx
  • http://msdn.microsoft.com/en-us/library/windows/desktop/ms725485.aspx
  • http://support.microsoft.com/kb/269370
  • https://api.example.com/v1/peeple/{id
  • https://tools.ietf.org/html/rfc3986

  +13 more URL(s)

Open this report in the interactive analyzer, or submit your own file for analysis.