Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 4485692e66d0453e…

MALICIOUS

Office (OLE)

Size: 84.5 KB | Created: 2004-04-26 11:12:00 | Authoring application: Microsoft Office Word | First seen: 2019-01-11
MD5: be8375e0628b48af8ae0f62a923bcd32
SHA-1: 2cc0ee8ea1c0a92b7d92880ded86976d1bd04a21
SHA-256: 4485692e66d0453ea655e2718549434dbbc4769929ab14e8c8befe6a8c45f6e8
68 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic; T1566.001 Spearphishing Attachment

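The file contains VBA macros, including a Document_Open macro, which Word runs automatically when the document is opened with macros enabled; this is a common technique for executing malicious code upon opening the document. The document body contains invoice-like text, suggesting a lure to trick the user into interacting with the malicious content. The presence of VBA macros indicates a likely initial access vector via spearphishing attachment. These findings are presence-based: they show how the file could be delivered and triggered, not what the macro code does. The verdict should therefore be confirmed by reading the full extracted macro source; the preview below is truncated, and in it Document_Open only calls three helper procedures whose bodies are not shown in full.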

Heuristics 3

  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • Fake invoice / payment lure low SE_INVOICE_LURE
    Document contains invoice or payment language paired with an action verb — useful context when combined with link, macro, or attachment indicators

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 36153 bytes
SHA-256: c62191293afbe308beeb7893f4e22b65483c3346e6b8a7b137c7a431ea0991ab
Preview script
First 1,000 lines of the extracted script
'Module header for the document's own code module, "ThisDocument".
'The Document_Close / Document_New / Document_Open procedures that follow in this
'module are Word document event handlers, i.e. the auto-run entry points of the sample.
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True


'Document_Close: event handler Word runs when the document is closed.
'It creates a fresh DataObject, calls Clear on it and returns. No file, network,
'shell or registry call appears in this handler.
'NOTE(review): presumably meant to discard clipboard data used by the macros -
'confirm against the clipboard helper, which is truncated in this preview.
Private Sub Document_Close()
On Error Resume Next 'run-time errors are silently ignored from here on

Dim MyData As DataObject

 Set MyData = New DataObject
 MyData.Clear
  
End Sub
'Document_New: event handler Word runs when a new document is created from this one
'as a template. It calls the same three helpers as Document_Open, in the same order.
'The helper names translate from Spanish roughly as "paste information from the
'clipboard", "paste template information" and "paste server path information".
'Their bodies are not shown in full in this preview, so what they do has to be
'checked in the complete macros.bas.
Private Sub Document_New()
 PegarInformaciondelPortapapeles
 PegarInformacionPlantillas
 PegarInformacionPathServidor
End Sub
'Document_Open: event handler Word runs when the document is opened with macros
'enabled. This is the procedure the OLE_VBA_DOCOPEN heuristic matches.
'The handler itself contains no file, network or process call; it only invokes
'three helper procedures. Of those, PegarInformaciondelPortapapeles starts further
'down but is cut off by the preview, and the other two are not shown at all, so the
'behaviour at open time must be judged from the full macros.bas.
Private Sub Document_Open()
On Error Resume Next 'any run-time error in the helpers is suppressed, so a failure is not shown to the user
 PegarInformaciondelPortapapeles
 PegarInformacionPlantillas
 PegarInformacionPathServidor
 



 
End Sub


'Module header for the form module "UserForm1".
'The handlers that follow belong to its controls (CommandButton1, ListBox1) and to the form itself.
Attribute VB_Name = "UserForm1"
Attribute VB_Base = "0{BDE08A30-888C-47CD-AC7E-A3EE0D0AC368}{0564B0A6-1E76-4D74-BACA-B01B077290C1}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False


'Button click handler: closes the form by unloading it. Nothing else happens here.
Private Sub CommandButton1_Click()
 Unload Me
End Sub
'Single-click handler for the list box: empty stub, performs no action.
Private Sub ListBox1_Click()
End Sub

'Double-click handler for the list box: inserts a mail-merge field at the current
'selection of the active document and then closes the form.
'ListBox1 is passed without a property, so VBA supplies its default property
'(the selected entry) as the field name.
'Cancel is not used. Str and I are declared but never used in this procedure.
Private Sub ListBox1_DblClick(ByVal Cancel As MSForms.ReturnBoolean)
 Dim Str As String
 Dim I As Integer
 'I must replace spaces with underscores [translated from Spanish; no such replacement is performed below]
 
 ActiveDocument.MailMerge.Fields.Add Range:=Selection.Range, Name:=ListBox1
 Unload Me
End Sub

'Keyboard handler for the list box.
'  KeyCode 13 (Enter):  insert the selected entry as a mail-merge field at the
'                       current selection, then close the form.
'  KeyCode 27 (Escape): close the form without inserting anything.
'Shift is not used. Str and I are declared but never used (the only use of Str is
'in the commented-out line below).
Private Sub ListBox1_KeyDown(ByVal KeyCode As MSForms.ReturnInteger, ByVal Shift As Integer)
Dim Str As String
 Dim I As Integer
 
 If KeyCode = 13 Then
  'Str = Reemplazar(ListBox1, " ", "¸")
  ActiveDocument.MailMerge.Fields.Add Range:=Selection.Range, Name:=ListBox1
  Unload Me
 End If
 
 If KeyCode = 27 Then
  Unload Me
 End If
End Sub

'Form activation handler: fills ListBox1 with the entries of campos ("fields"),
'starting at index 1 and stopping at the first empty string, then focuses the list
'and selects its first row.
'campos is not declared in the part of the listing shown.
'NOTE(review): the indexing and the "" test suggest a string array terminated by an
'empty entry - confirm in the full source.
Private Sub UserForm_Activate()
On Error GoTo fin 'any run-time error while filling the list jumps straight to fin
   Dim I As Integer
   I = 1
   
   'Put the fields into the list [translated from Spanish]
   While campos(I) <> ""
      ListBox1.AddItem campos(I)
      I = I + 1
   Wend
   
fin:
   ListBox1.SetFocus
   ListBox1.ListIndex = 0
  Exit Sub
   
'Err1 is not referenced by any statement in this procedure, so the Resume below is never reached.
Err1:
   Resume fin
   
End Sub

'Click handler for the form background: empty stub, performs no action.
Private Sub UserForm_Click()

End Sub

'Module header for the standard module "NewMacros".
'The procedures that follow are ordinary subs, not event handlers.
Attribute VB_Name = "NewMacros"
'AbrirFormulario ("open form"): loads UserForm1 and shows it. Nothing else is done here.
'The VB_Description string is Spanish for "Macro recorded on 08/03/04 by Carlos".
'This is authoring metadata left in the project. It fits the 2004 creation date the
'report gives for the document, which is useful context when weighing the verdict.
Sub AbrirFormulario()
Attribute AbrirFormulario.VB_Description = "Macro grabada el 08/03/04 por Carlos"
Attribute AbrirFormulario.VB_ProcData.VB_Invoke_Func = "Project.NewMacros.Macro4"
 Load UserForm1
 UserForm1.Show
End Sub
'Fundir ("merge"): fills the mail-merge fields of the active document from two
'parallel collections, campos (field names) and Datos (values), then replaces the
'fields with plain text.
'
'Pass 1: for every field of type 59 (the author's comments mark this as a user
'        MERGEFIELD), read the name from the field code, find it in campos and write
'        the matching Datos entry as the field result. The values "VACIO", "CERO"
'        and "NULL" (compared case-insensitively) produce an empty result.
'Pass 2: select each type-59 field and overwrite the selection with its result text.
'
'Everything visible here operates on ActiveDocument and Selection only. No file,
'network, shell or process API is called in this procedure.
'campos and Datos are not declared in the part of the listing shown.
'k and HuboError are declared but never used.
Sub Fundir()
Dim I As Integer
Dim j As Integer
Dim k As Integer

Dim HuboError As Boolean
On Error GoTo fin 'any run-time error ends the procedure silently at fin
Dim infocampo As String
'Macro1 Macro
'Macro recorded on 30/01/04 by Carlos [translated from Spanish]
'Result gives me back the field name [translated from Spanish]

'I do it several times because the Fields collection is re-indexed, and if a field is
'repeated several times it might not get merged [translated from Spanish]

For j = 1 To ActiveDocument.Fields.Count
 If ActiveDocument.Fields(j).Type = 59 Then 'It is a user field [translated from Spanish]
  I = 1
  Do While campos(I) <> ""
    
    infocampo = RTrim(Mid(ActiveDocument.Fields(j).Code, 13, 300)) 'field code layout: MERGEFIELD <field name>; the name is taken from character 13 on, at most 300 characters
    If campos(I) = infocampo Then
     If UCase(Datos(I)) <> "VACIO" And UCase(Datos(I)) <> "CERO" And UCase(Datos(I)) <> "NULL" Then
      ActiveDocument.Fields(j).Result.Text = Datos(I)
     Else
      'Selection.Text = ""
      ActiveDocument.Fields(j).Result.Text = ""
     End If
     Exit Do
    End If
    I = I + 1
  Loop
 End If
Next j

'''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
'''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''

Dim cont As Integer
cont = 1

'Now convert the fields to text [translated from Spanish]
'cont advances only when the field at that position is not type 59.
'NOTE(review): presumably overwriting the selection removes the field from Fields, so
'the same index then refers to the next field - consistent with the author's remark
'about re-indexing; confirm.
For j = 1 To ActiveDocument.Fields.Count
 If ActiveDocument.Fields(cont).Type = 59 Then 'It is a user field [translated from Spanish]
  ActiveDocument.Fields(cont).Select
  Selection.Text = ActiveDocument.Fields(cont).Result.Text
 Else
  cont = cont + 1
 End If
Next j


'In case the field is repeated one more time [translated from Spanish]
''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''

fin:
Exit Sub

End Sub

Public Sub PegarInformaciondelPortapapeles()

Dim MyData As DataObject
Dim Str As String
Dim seguir As Boolean
Dim Pos1 As Integer
Di
... (truncated)