Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 f643712613bf611d…

MALICIOUS

Office (OLE)

175.0 KB Created: 2020-02-28 17:20:00 Authoring application: Microsoft Office Word First seen: 2020-06-01
MD5: 1862364b8ca7b8054d2ca270cfa35e5c SHA-1: 9a89d7314144b335b7469141b1dd00fd6b80f3a9 SHA-256: f643712613bf611d0f88503f85b76e5bbcc1c8aee3646049e4307f9c1f0ecd0f
264 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment T1071.001 Web Protocols

The file contains VBA macros, specifically a Document_Open macro that uses CreateObject to execute code. The heuristic 'OLE_VBA_SPLIT_KEYWORD_OBFUSCATION' indicates that the dangerous API name 'MSXML2' was reassembled from split string literals, a common obfuscation technique. This suggests the macro is designed to download and execute a second-stage payload. The ClamAV detection 'Doc.Dropper.Agent-7611638-0' further confirms its malicious nature as a dropper.

Heuristics 8

  • ClamAV: Doc.Dropper.Agent-7611638-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-7611638-0
  • VBA macros detected medium 4 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Dangerous API name reassembled from split string literals critical OLE_VBA_SPLIT_KEYWORD_OBFUSCATION
    VBA concatenates short string literals that reassemble a dangerous API/ProgID/LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) which appears in no single literal. Splitting an API name across string concatenation is done only to evade keyword scanning.
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 112648 bytes
SHA-256: bf1bfaff5fa149ede8aa5d92957b2613f8b59ed35c3ce11bcd11c79ca1dd4ea0
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 2 long base64-like blob(s).
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
#If Win64 Then
Private Declare PtrSafe Function WideCharToMultiByte Lib "kernel32" (ByVal codePage As LongPtr, ByVal dwFlags As LongPtr, ByVal lpWideCharStr As LongPtr, ByVal cchWideChar As LongPtr, lpMultiByteStr As Any, ByVal cchMultiByte As LongPtr, ByVal lpDefaultChar As LongPtr, ByVal lpUsedDefaultChar As LongPtr) As LongPtr
Private Declare PtrSafe Function MultiByteToWideChar Lib "kernel32" (ByVal codePage As LongPtr, ByVal dwFlags As LongPtr, lpMultiByteStr As Any, ByVal cchMultiByte As LongPtr, ByVal lpWideCharStr As LongPtr, ByVal cchWideChar As LongPtr) As Long
#Else
Private Declare Function WideCharToMultiByte Lib "kernel32" (ByVal codePage As Long, ByVal dwFlags As Long, ByVal lpWideCharStr As Long, ByVal cchWideChar As Long, lpMultiByteStr As Any, ByVal cchMultiByte As Long, ByVal lpDefaultChar As Long, ByVal lpUsedDefaultChar As Long) As Long
Private Declare Function MultiByteToWideChar Lib "kernel32" (ByVal codePage As Long, ByVal dwFlags As Long, lpMultiByteStr As Any, ByVal cchMultiByte As Long, ByVal lpWideCharStr As Long, ByVal cchWideChar As Long) As Long

#End If



 Dim BhyeKo As Variant
 Dim GreFvcAc As Variant
 Dim Gteres As Variant

Private Sub Class_Initialize()
    Dim rg As String
    
    Set mwb = ThisWorkbook
    Set mws = ActiveSheet
    
    Me.ScreenUpdating = True
    Me.Calculation = xlCalculationAutomatic
    mbolSheetProtected = mws.ProtectContents
    mstrdbDataValidationList = mws.Range("dbDataValidationList")
    mstrdbRecordName = mws.Range("dbRecordName")
    mstrdbSavedRecords = mws.Range("dbSavedRecords")
    mstrdbOneSide = mws.Range("dbOneSide")
    mstrdbManySide1 = mws.Range("dbManySide1")
    mstrdbManySide2 = mws.Range("dbManySide2")
    mstrdbManySide3 = mws.Range("dbManySide3")
    mstrdbManySide4 = mws.Range("dbManySide4")
    mstrdbManySideFirstColumn = mws.Range("dbManySideFirstColumn")
    mintdbRecordsFirstRow = mws.Range("dbRecordsFirstRow")
    mintdbOneSideColumnsCount = mws.Range("dbOneSideColumnsCount")
    mintdbManySideRowsCount = mws.Range("dbManySideRowsCount")
    mintdbManySideColumnsCount = mws.Range("dbManySideColumnsCount")
    mstrdbManySidePrefix = mws.Range("dbManySidePrefix")
    mintdbRangeOffset = mws.Range("dbRangeOffset")
    
    Set rg = mws.Range(mstrdbSavedRecords).Find(mws.Range(mstrdbDataValidationList), , , xlWhole)
    If Not rg Is Nothing Then
        Call SetAbsolutePosition(rg)
    End If
End Sub

Private Sub Class_Terminate()
    MsgBox "The SheetDBEngine Class for " & mws.Name & " sheet tab stop to run...", vbCritical, "Database Engine Fail"
End Sub

Public Property Let ScreenUpdating(Enabled As Boolean)
    mbolScreenUpdating = Enabled
    Application.ScreenUpdating = Enabled
End Property

Public Property Get ScreenUpdating() As Boolean
    ScreenUpdating = mbolScreenUpdating
End Property

Public Property Let Calculation(CalculateMethod As String)
    mlngCalculation = CalculateMethod
    Application.Calculation = xlCalculationAutomatic
End Property

Public Property Get Calculation() As String
    Calculation = mlngCalculation
End Property

Private Sub SetAbsolutePosition(rg As String)
    mlngAbsolutePosition = (rg.Row - mintdbRecordsFirstRow)
End Sub

Public Property Get AbsolutePosition() As Long
    AbsolutePosition = mlngAbsolutePosition
End Property

Public Property Get BOF() As Boolean
    BOF = mbolBOF
End Property

Public Property Get Dirty() As Boolean
    Dirty = mbolDirty
End Property
 
Public Property Get EOF() As Boolean
    EOF = mbolEOF
End Property

Public Property Get NewRecord() As Boolean
    NewRecord = mbolNewRecord
End Property

Public Property Get RecordCount() As Long
    RecordCount = mws.Range(mstrdbSavedRecords).Rows.Count - 1
En
... (truncated)

Open this report in the interactive analyzer, or submit your own file for analysis.