Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 18898d7b087ad5d7…

MALICIOUS

Office (OLE)

32.5 KB Created: 1998-07-05 22:30:00 Authoring application: Microsoft Word 8.0 First seen: 2012-06-14
MD5: 43c8791a38667592dd9826ceb0d575f3 SHA-1: 4222d9ae2ca27c4fd14270b25a14ec95e89037cf SHA-256: 18898d7b087ad5d7b4b6075821cff13418651eeaa8217035c57099021ab19824
140 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The file contains VBA macros that, when executed, prompt the user for input and then convert that input into a string of Chr() function calls. This converted string is then placed on the clipboard. The ClamAV detection and the presence of VBA macros indicate malicious intent, likely to prepare data for a further stage of attack.

Heuristics 2

  • ClamAV: Doc.Trojan.VVSC-2 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.VVSC-2
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 3570 bytes
SHA-256: 4f5e70ced51de81636a6bda6c7433759c863c396b1b2a1a9da5a58e400bc22f7
Detection
ClamAV: Doc.Trojan.VVSC-2
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub Convert()
Attribute Convert.VB_ProcData.VB_Invoke_Func = "Project.ThisDocument.Convert"
Dim this As String
Dim that As String
Dim FinalConvert As String
Set CConvert = New DataObject

this = InputBox("Enter String To Convert :", "The VicodinES VBA String Converter")
If this = "" Then
MsgBox "No valid input", vbCritical, "VVSC Error"
End
End If
length_this = Len(this)
For countout = 1 To length_this
ToConvert = Mid(this, countout, 1)

For x = 1 To 400
that = Chr(x)
If that = ToConvert Then
FinalConvert = FinalConvert + "Chr(" & x & ")"
If countout <> length_this Then FinalConvert = FinalConvert + " + "
GoTo drop
End If
Next x

drop:

Next countout

MsgBox "Your Converted Text String Is In The Clipboard" + vbCr + vbCr + " --> Paste It Now So You Don't To Lose It! <-- ", vbInformation, "String.Poppy.Utility (c)1998"
CConvert.SetText FinalConvert
CConvert.PutInClipboard

End Sub


' Processing file: /opt/analyzer/scan_staging/568c6a71bcff4d3cae516794e68c7bc5.bin
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 4575 bytes
' Line #0:
' 	FuncDefn (Sub Convert())
' Line #1:
' 	Dim 
' 	VarDefn this (As String)
' Line #2:
' 	Dim 
' 	VarDefn that (As String)
' Line #3:
' 	Dim 
' 	VarDefn FinalConvert (As String)
' Line #4:
' 	SetStmt 
' 	New <crash>
' 	Set CConvert 
' Line #5:
' Line #6:
' 	LitStr 0x0019 "Enter String To Convert :"
' 	LitStr 0x0022 "The VicodinES VBA String Converter"
' 	ArgsLd InputBox 0x0002 
' 	St this 
' Line #7:
' 	Ld this 
' 	LitStr 0x0000 ""
' 	Eq 
' 	IfBlock 
' Line #8:
' 	LitStr 0x000E "No valid input"
' 	Ld vbCritical 
' 	LitStr 0x000A "VVSC Error"
' 	ArgsCall MsgBox 0x0003 
' Line #9:
' 	End 
' Line #10:
' 	EndIfBlock 
' Line #11:
' 	Ld this 
' 	FnLen 
' 	St length_this 
' Line #12:
' 	StartForVariable 
' 	Ld countout 
' 	EndForVariable 
' 	LitDI2 0x0001 
' 	Ld length_this 
' 	For 
' Line #13:
' 	Ld this 
' 	Ld countout 
' 	LitDI2 0x0001 
' 	ArgsLd Mid$ 0x0003 
' 	St ToConvert 
' Line #14:
' Line #15:
' 	StartForVariable 
' 	Ld x 
' 	EndForVariable 
' 	LitDI2 0x0001 
' 	LitDI2 0x0190 
' 	For 
' Line #16:
' 	Ld x 
' 	ArgsLd Chr 0x0001 
' 	St that 
' Line #17:
' 	Ld that 
' 	Ld ToConvert 
' 	Eq 
' 	IfBlock 
' Line #18:
' 	Ld FinalConvert 
' 	LitStr 0x0004 "Chr("
' 	Add 
' 	Ld x 
' 	Concat 
' 	LitStr 0x0001 ")"
' 	Concat 
' 	St FinalConvert 
' Line #19:
' 	Ld countout 
' 	Ld length_this 
' 	Ne 
' 	If 
' 	BoSImplicit 
' 	Ld FinalConvert 
' 	LitStr 0x0003 " + "
' 	Add 
' 	St FinalConvert 
' 	EndIf 
' Line #20:
' 	GoTo drop 
' Line #21:
' 	EndIfBlock 
' Line #22:
' 	StartForVariable 
' 	Ld x 
' 	EndForVariable 
' 	NextVar 
' Line #23:
' Line #24:
' 	Label drop 
' Line #25:
' Line #26:
' 	StartForVariable 
' 	Ld countout 
' 	EndForVariable 
' 	NextVar 
' Line #27:
' Line #28:
' 	LitStr 0x002E "Your Converted Text String Is In The Clipboard"
' 	Ld vbCr 
' 	Add 
' 	Ld vbCr 
' 	Add 
' 	LitStr 0x002F " --> Paste It Now So You Don't To Lose It! <-- "
' 	Add 
' 	Ld vbInformation 
' 	LitStr 0x001C "String.Poppy.Utility (c)1998"
' 	ArgsCall MsgBox 0x0003 
' Line #29:
' 	Ld FinalConvert 
' 	Ld CConvert 
' 	ArgsMemCall SetText 0x0001 
' Line #30:
' 	Ld CConvert 
' 	ArgsMemCall PutInClipboard 0x0000 
' Line #31:
' Line #32:
' 	EndSub 
' Line #33: