Office (OLE) malware analysis — malicious · ff0ef9cda2216faa

MALICIOUS

Office (OLE)

219.5 KB Created: 2019-05-18 07:27:21 Authoring application: Microsoft Excel First seen: 2021-04-10

MD5: 8bedf242b85ebf4fee8675e1c4953643 SHA-1: e4bf4942f70b4a7bb68357846159f5056eb32911 SHA-256: ff0ef9cda2216faa837aeec4c69b5cb77712557746fddc1939b032db910a6efd

104 Risk Score

Heuristics 4

ClamAV: Doc.Dropper.Agent-7054691-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Dropper.Agent-7054691-0
Suspicious cmd.exe invocation with execution flag high SC_STR_CMD

Suspicious cmd.exe invocation with execution flag
VBA project contains no executable statements info OLE_VBA_MACROS

Document contains a VBA project, but extracted modules only contain attributes/options/comments and no executable statements.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://t2.symcb.com0 In document text (OLE body)
- http://tl.symcd.com0&In document text (OLE body)
- http://109.94.209.178/r3�In document text (OLE body)
- http://t1.symcb.com/ThawtePCA.crl0In document text (OLE body)
- http://tl.symcb.com/tl.crl0In document text (OLE body)
- https://www.thawte.com/cps0/In document text (OLE body)
- https://www.thawte.com/repository0WIn document text (OLE body)
- http://tl.symcb.com/tl.crt0In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

Filename	Kind	Source	Size
`macros.bas`🔏 SignedVBA project digital signature Covers VBA source only — not the compiled p-code. A digital signature does not by itself mean the macro is safe.	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	1891 bytes
SHA-256: `3e2ec79e8f18c1ec165fd3fd9fa9153c45bd4ebc1ec96dbaf1216a9b0bd3c192`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisWorkbook" Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True 'Macro code was removed by Symantec Disarm Attribute VB_Name = "Sheet1" Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True 'Macro code was removed by Symantec Disarm Attribute VB_Name = "UserForm1" Attribute VB_Base = "0{CFFBB507-3B94-4F4B-A9F9-2C5045B1B254}{FAD88DF7-53DC-4595-8A07-C2C7C0722568}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = False Attribute VB_TemplateDerived = False Attribute VB_Customizable = False 'Macro code was removed by Symantec Disarm Attribute VB_Name = "Class1" Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = False Attribute VB_Exposed = False Attribute VB_TemplateDerived = False Attribute VB_Customizable = False 'Macro code was removed by Symantec Disarm Attribute VB_Name = "Module1" 'Macro code was removed by Symantec Disarm Attribute VB_Name = "UserForm2" Attribute VB_Base = "0{D1F7FF9E-3782-47C4-A9BB-507DE37C07B2}{9CF3D2CD-7CA6-42E0-BC61-F693F234F7E9}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = False Attribute VB_TemplateDerived = False Attribute VB_Customizable = False 'Macro code was removed by Symantec Disarm

macros.bas🔏 Signed

vba-macro

oletools.olevba.extract_macros (decoded VBA source)

1891 bytes

SHA-256: 3e2ec79e8f18c1ec165fd3fd9fa9153c45bd4ebc1ec96dbaf1216a9b0bd3c192

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
'Macro code was removed by Symantec Disarm

Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
'Macro code was removed by Symantec Disarm

Attribute VB_Name = "UserForm1"
Attribute VB_Base = "0{CFFBB507-3B94-4F4B-A9F9-2C5045B1B254}{FAD88DF7-53DC-4595-8A07-C2C7C0722568}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
'Macro code was removed by Symantec Disarm

Attribute VB_Name = "Class1"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
'Macro code was removed by Symantec Disarm

Attribute VB_Name = "Module1"
'Macro code was removed by Symantec Disarm

Attribute VB_Name = "UserForm2"
Attribute VB_Base = "0{D1F7FF9E-3782-47C4-A9BB-507DE37C07B2}{9CF3D2CD-7CA6-42E0-BC61-F693F234F7E9}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
'Macro code was removed by Symantec Disarm

Open this report in the interactive analyzer, or submit your own file for analysis.