Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 a2ef2010b2d3ecf6…

MALICIOUS

Office (OLE)

46.5 KB Created: 1998-12-13 20:22:00 Authoring application: Microsoft Word 8.0 (Word 97, the first Word release with VBA) First seen: 2012-06-14
MD5: 045f3c2ddecf7bc06de611a2a99f975c SHA-1: b1eec3c8f23a01eb5ebfaa9497f5ae97d2bf6eec SHA-256: a2ef2010b2d3ecf60a5618f9570a4c802d033a3d6f772678a414fe8e5a445071
160 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The sample is identified as malicious by ClamAV with the signature 'Doc.Trojan.VAMP-1'. It contains legacy WordBasic auto-execution markers and VBA macros. The recovered VBA is not obfuscated in the usual sense — it still carries the author's own how-to comments — and contains no download, drop or execute logic. What it does contain is a self-modifying routine, 'VAMP v1.0', that uses the VBE object model (ActiveDocument.VBProject … CodeModule.Find / ReplaceLine) to rewrite its own source, replacing its identifiers with freshly randomised names on every run. That is a polymorphic macro-virus technique aimed at defeating string and hash signatures rather than a downloader; no payload and no code path that calls INITALIZE_VAMP are visible in the extracted module, so the auto-execution trigger rests on the WordBasic marker heuristic alone. Note for responders: on current Office builds access to ActiveDocument.VBProject is denied unless 'Trust access to the VBA project object model' is enabled, and the On Error Resume Next guards make the routine silently do nothing in that case; the VBProject / CodeModule / ReplaceLine strings are themselves a useful hunting indicator for this class of macro.

Heuristics 3

  • ClamAV: Doc.Trojan.VAMP-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.VAMP-1
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. Note: the "no modern VBA project was recovered" wording conflicts with the OLE_VBA_MACROS heuristic and the extracted macros.bas below, which do recover a VBA project stream (Macros/VBA/ThisDocument); treat that clause as a stale heuristic template and rely on the extracted module for what the macro actually does.
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 5468 bytes
SHA-256: 35da4e6be0757bba45ebbeef86d4c4b51b8193a821217e09c8468085d029d7d6
Detection
ClamAV: Doc.Trojan.VAMP-1
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Polymorphic driver for the VAMP routine below. Builds a list of the
' identifiers this module uses (the helper's parameters and locals plus both
' procedure names) and, for each one, generates a random replacement name
' and asks VAMP to rewrite the module's own source with it, so that every
' copy of the macro saved after a run carries different identifiers.
' Nothing in the extracted module calls this routine; its trigger is not
' visible here. The author's inline comments show this was written as a
' reusable template to be pasted into another macro with extra names added.
Private Sub INITALIZE_VAMP()
' Every error is swallowed: if the VBE object model is unreachable the
' routine silently does nothing.
On Error Resume Next
' Reseed Rnd so the generated names differ from run to run.
Randomize
Dim r1(1 To 8) As String ' Update the array for however many variable you add - so if you have r1(20) then this line should read r1(1 to 20)
' Rename targets, one per slot; positions 5 and 6 are the two procedure
' names, the rest are the helper's parameter and local names.
r1(1) = "VARIABLE3": r1(2) = "VARIABLE4": r1(3) = "VARIABLE5": r1(4) = "VARIABLE6": r1(5) = "VAMP": r1(6) = "INITALIZE": r1(7) = "VARIABLE2": r1(8) = "VARIABLE1"
' Add your variable names here - example the next one would be r1(9) = "MyVariable"
For x = 1 To 8 ' Change this number up to how ever many variable you add - so if you have r1(20) then this line should read x = 1 to 20
' Random name: two letters from A-V (Chr(65 + 0..21)) followed by two
' integers in 0..899, e.g. "QK12345"; letters first, presumably so the
' result is a legal identifier.
a1 = (Chr(65 + Int(Rnd * 22))) & (Chr(65 + Int(Rnd * 22))) & Int(Rnd * 900) & Int(Rnd * 900)
' Rewrite every whole-word occurrence of the current target with the new name.
Call VAMP(a1, r1(x))
Next x
End Sub
' Self-modifying rename helper ("VAMP v1.0"). Edits this document's first
' VBA component in place, replacing occurrences of the identifier given as
' the second argument with the text of the first argument. It depends on
' programmatic access to the VBA project object model via
' ActiveDocument.VBProject. NOTE(review): on current Office builds that
' access is disabled by default ("Trust access to the VBA project object
' model"); combined with On Error Resume Next the routine then silently
' does nothing -- confirm against the Office version under test.
'   first argument  - replacement text (a freshly generated random name)
'   second argument - identifier to search for
Private Sub VAMP(VARIABLE1, VARIABLE2 As String)  'VAMP v1.0
' All failures (no VBProject access, module locked, bad line) are ignored.
On Error Resume Next
' Search window: start line / start column (first two) and end line /
' end column (last two). They are handed to Find, which is expected to
' overwrite them with the location of each hit.
Dim VARIABLE3 As Long: Dim VARIABLE4 As Long: Dim VARIABLE5 As Long: Dim VARIABLE6 As Long
' Item(1) is the first component of the project -- in this sample the
' ThisDocument module that holds this very code.
With ActiveDocument.VBProject.VBComponents.Item(1).CodeModule
' Begin at line 1, column 1 and search through the end of the last line.
VARIABLE3 = 1: VARIABLE4 = 1: VARIABLE5 = .CountOfLines: VARIABLE6 = Len(.Lines(.CountOfLines, 1))
' The trailing True is presumably the WholeWord flag, so the name is not
' matched inside longer identifiers -- verify against the Find signature.
Do While .Find(VARIABLE2, VARIABLE3, VARIABLE4, VARIABLE5, VARIABLE6, True)
' Splice the replacement into the matched line: text before the match,
' the new name, then the remainder of the line from the match end column.
s1 = .Lines(VARIABLE3, 1)
s1 = Left(s1, VARIABLE4 - 1) & VARIABLE1 & Mid(s1, VARIABLE6)
.replaceline VARIABLE3, s1
' Resume on the line after the hit, from column 1. Because the search
' restarts one line past the match, a second occurrence on the same line
' is left untouched in this pass.
VARIABLE3 = VARIABLE5 + 1: VARIABLE4 = 1
' Refresh the end-of-module bound; line lengths may have changed.
VARIABLE5 = .CountOfLines
VARIABLE6 = Len(.Lines(.CountOfLines, 1))
Loop
End With
End Sub

' Processing file: /opt/analyzer/scan_staging/479cd6724ba54564be51d0c97dfef39c.bin
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 14194 bytes
' Line #0:
' 	FuncDefn (Private Sub INITALIZE_VAMP())
' Line #1:
' 	OnError (Resume Next) 
' Line #2:
' 	ArgsCall Read 0x0000 
' Line #3:
' 	Dim 
' 	LitDI2 0x0001 
' 	LitDI2 0x0008 
' 	VarDefn r1 (As String)
' 	QuoteRem 0x0019 0x0072 " Update the array for however many variable you add - so if you have r1(20) then this line should read r1(1 to 20)"
' Line #4:
' 	LitStr 0x0009 "VARIABLE3"
' 	LitDI2 0x0001 
' 	ArgsSt r1 0x0001 
' 	BoS 0x0000 
' 	LitStr 0x0009 "VARIABLE4"
' 	LitDI2 0x0002 
' 	ArgsSt r1 0x0001 
' 	BoS 0x0000 
' 	LitStr 0x0009 "VARIABLE5"
' 	LitDI2 0x0003 
' 	ArgsSt r1 0x0001 
' 	BoS 0x0000 
' 	LitStr 0x0009 "VARIABLE6"
' 	LitDI2 0x0004 
' 	ArgsSt r1 0x0001 
' 	BoS 0x0000 
' 	LitStr 0x0004 "VAMP"
' 	LitDI2 0x0005 
' 	ArgsSt r1 0x0001 
' 	BoS 0x0000 
' 	LitStr 0x0009 "INITALIZE"
' 	LitDI2 0x0006 
' 	ArgsSt r1 0x0001 
' 	BoS 0x0000 
' 	LitStr 0x0009 "VARIABLE2"
' 	LitDI2 0x0007 
' 	ArgsSt r1 0x0001 
' 	BoS 0x0000 
' 	LitStr 0x0009 "VARIABLE1"
' 	LitDI2 0x0008 
' 	ArgsSt r1 0x0001 
' Line #5:
' 	QuoteRem 0x0000 0x0052 " Add your variable names here - example the next one would be r1(9) = "MyVariable""
' Line #6:
' 	StartForVariable 
' 	Ld x 
' 	EndForVariable 
' 	LitDI2 0x0001 
' 	LitDI2 0x0008 
' 	For 
' 	QuoteRem 0x000F 0x0077 " Change this number up to how ever many variable you add - so if you have r1(20) then this line should read x = 1 to 20"
' Line #7:
' 	LitDI2 0x0041 
' 	Ld Rnd 
' 	LitDI2 0x0016 
' 	Mul 
' 	FnInt 
' 	Add 
' 	ArgsLd Chr 0x0001 
' 	Paren 
' 	LitDI2 0x0041 
' 	Ld Rnd 
' 	LitDI2 0x0016 
' 	Mul 
' 	FnInt 
' 	Add 
' 	ArgsLd Chr 0x0001 
' 	Paren 
' 	Concat 
' 	Ld Rnd 
' 	LitDI2 0x0384 
' 	Mul 
' 	FnInt 
' 	Concat 
' 	Ld Rnd 
' 	LitDI2 0x0384 
' 	Mul 
' 	FnInt 
' 	Concat 
' 	St a1 
' Line #8:
' 	Ld a1 
' 	Ld x 
' 	ArgsLd r1 0x0001 
' 	ArgsCall (Call) VAMP 0x0002 
' Line #9:
' 	StartForVariable 
' 	Ld x 
' 	EndForVariable 
' 	NextVar 
' Line #10:
' 	EndSub 
' Line #11:
' 	FuncDefn (Private Sub VAMP(VARIABLE1, VARIABLE2 As String))
' 	QuoteRem 0x0032 0x0009 "VAMP v1.0"
' Line #12:
' 	OnError (Resume Next) 
' Line #13:
' 	Dim 
' 	VarDefn VARIABLE3 (As Long)
' 	BoS 0x0000 
' 	Dim 
' 	VarDefn VARIABLE4 (As Long)
' 	BoS 0x0000 
' 	Dim 
' 	VarDefn VARIABLE5 (As Long)
' 	Bo
... (truncated)