Office (OLE) malware analysis — malicious · cf7fe48b7a5c2b9b

MALICIOUS

Office (OLE)

33.5 KB Created: 1999-06-11 16:11:00 Authoring application: Microsoft Word 8.0 First seen: 2012-06-14

MD5: 8fca267d78e1c5e7ff3c61f8c729c3b0 SHA-1: 91aee742a192da03d39a026731cf2ce9a555dd3a SHA-256: cf7fe48b7a5c2b9bc7d88bd5f17c4171d727c91a6ea14aa59b2a24fb3962fa26

80 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic

The sample is an Office document containing VBA macros. The 'SomePolymorphicSystem' subroutine within the 'SPS' module exhibits polymorphic behavior by adding or removing 'Rem' lines, likely to evade signature-based detection. While no direct payload or network communication is evident from the provided script, this obfuscation technique strongly suggests malicious intent, possibly to download and execute a second-stage payload.

Heuristics 2

ClamAV: Win.Tool.W97M-4 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Win.Tool.W97M-4
VBA macros detected medium OLE_VBA_MACROS

Document contains VBA macro code

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 4530 bytes

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	4530 bytes
SHA-256: `7855ba1d64903c2be1279e23b86877015190fceb1360e7eb2021dcdf9b99bf9a`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Attribute VB_Name = "SPS" Sub SomePolymorphicSystem() Randomize AktuelleZeilenAnzahl = Application.VBE.ActiveVBProject.VBComponents("SPS").CodeModule.CountOfLines If AktuelleZeilenAnzahl > 76 Then Kleiner = Int(Rnd * (AktuelleZeilenAnzahl - 26)) For ii = 1 To AktuelleZeilenAnzahl If Left(Application.VBE.ActiveVBProject.VBComponents("SPS").CodeModule.Lines(ii, 1), 3) = "Rem" Then Application.VBE.ActiveVBProject.VBComponents("SPS").CodeModule.DeleteLines ii x = x + 1 If x = Kleiner Then Exit For End If Next Else PolySize = Int(Rnd * 10) + 1 For PolyMorphic = 1 To PolySize PolyString = "" PolyLines = Application.VBE.ActiveVBProject.VBComponents("SPS").CodeModule.CountOfLines RndLine = Int(Rnd * PolyLines) + 1 StringSize = Int(Rnd * 39) + 1 For SomeString = 1 To StringSize PolyString = PolyString & Chr(65 + Int(Rnd * 22)) & Chr(122 - Int(Rnd * 22)) Next SomeString Application.VBE.ActiveVBProject.VBComponents("SPS").CodeModule.InsertLines RndLine, "Rem " & PolyString Next PolyMorphic End If End Sub ' Processing file: /opt/analyzer/scan_staging/e2e2371f048544a7b77f6846bb670392.bin ' =============================================================================== ' Module streams: ' Macros/VBA/ThisDocument - 1199 bytes ' Macros/VBA/SPS - 5948 bytes ' Line #0: ' FuncDefn (Sub SomePolymorphicSystem()) ' Line #1: ' ArgsCall Read 0x0000 ' Line #2: ' LitStr 0x0003 "SPS" ' Ld Application ' MemLd VBE ' MemLd ActiveVBProject ' ArgsMemLd VBComponents 0x0001 ' MemLd CodeModule ' MemLd CountOfLines ' St AktuelleZeilenAnzahl ' Line #3: ' Ld AktuelleZeilenAnzahl ' LitDI2 0x004C ' Gt ' IfBlock ' Line #4: ' Ld Rnd ' Ld AktuelleZeilenAnzahl ' LitDI2 0x001A ' Sub ' Paren ' Mul ' FnInt ' St Kleiner ' Line #5: ' StartForVariable ' Ld ii ' EndForVariable ' LitDI2 0x0001 ' Ld AktuelleZeilenAnzahl ' For ' Line #6: ' Ld ii ' LitDI2 0x0001 ' LitStr 0x0003 "SPS" ' Ld Application ' MemLd VBE ' MemLd ActiveVBProject ' ArgsMemLd VBComponents 0x0001 ' MemLd CodeModule ' ArgsMemLd Lines 0x0002 ' LitDI2 0x0003 ' ArgsLd LBound 0x0002 ' LitStr 0x0003 "Rem" ' Eq ' IfBlock ' Line #7: ' Ld ii ' LitStr 0x0003 "SPS" ' Ld Application ' MemLd VBE ' MemLd ActiveVBProject ' ArgsMemLd VBComponents 0x0001 ' MemLd CodeModule ' ArgsMemCall DeleteLines 0x0001 ' Line #8: ' Ld x ' LitDI2 0x0001 ' Add ' St x ' Line #9: ' Ld x ' Ld Kleiner ' Eq ' If ' BoSImplicit ' ExitFor ' EndIf ' Line #10: ' EndIfBlock ' Line #11: ' StartForVariable ' Next ' Line #12: ' ElseBlock ' Line #13: ' Ld Rnd ' LitDI2 0x000A ' Mul ' FnInt ' LitDI2 0x0001 ' Add ' St PolySize ' Line #14: ' StartForVariable ' Ld PolyMorphic ' EndForVariable ' LitDI2 0x0001 ' Ld PolySize ' For ' Line #15: ' LitStr 0x0000 "" ' St PolyString ' Line #16: ' LitStr 0x0003 "SPS" ' Ld Application ' MemLd VBE ' MemLd ActiveVBProject ' ArgsMemLd VBComponents 0x0001 ' MemLd CodeModule ' MemLd CountOfLines ' St PolyLines ' Line #17: ' Ld Rnd ' Ld PolyLines ' Mul ' FnInt ' LitDI2 0x0001 ' Add ' St RndLine ' Line #18: ' Ld Rnd ' LitDI2 0x0027 ' Mul ' FnInt ' LitDI2 0x0001 ' Add ' St StringSize ' Line #19: ' StartForVariable ' Ld SomeString ' EndForVariable ' LitDI2 0x0001 ' Ld StringSize ' For ' Line #20: ' Ld PolyString ' LitDI2 0x0041 ' Ld Rnd ' LitDI2 0x0016 ' Mul ' FnInt ' Add ' ArgsLd Chr 0x0001 ' Concat ' LitDI2 0x007A ' Ld Rnd ' LitDI2 0x0016 ' Mul ' FnInt ' Sub ' ArgsLd Chr 0x0001 ' Concat ' St PolyString ' Line #21: ' StartForVariable ' ... (truncated)

SHA-256: 7855ba1d64903c2be1279e23b86877015190fceb1360e7eb2021dcdf9b99bf9a

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "SPS"
Sub SomePolymorphicSystem()
Randomize
AktuelleZeilenAnzahl = Application.VBE.ActiveVBProject.VBComponents("SPS").CodeModule.CountOfLines
If AktuelleZeilenAnzahl > 76 Then
    Kleiner = Int(Rnd * (AktuelleZeilenAnzahl - 26))
        For ii = 1 To AktuelleZeilenAnzahl
            If Left(Application.VBE.ActiveVBProject.VBComponents("SPS").CodeModule.Lines(ii, 1), 3) = "Rem" Then
                Application.VBE.ActiveVBProject.VBComponents("SPS").CodeModule.DeleteLines ii
                x = x + 1
                If x = Kleiner Then Exit For
            End If
        Next
Else
PolySize = Int(Rnd * 10) + 1
    For PolyMorphic = 1 To PolySize
        PolyString = ""
        PolyLines = Application.VBE.ActiveVBProject.VBComponents("SPS").CodeModule.CountOfLines
        RndLine = Int(Rnd * PolyLines) + 1
        StringSize = Int(Rnd * 39) + 1
            For SomeString = 1 To StringSize
                PolyString = PolyString & Chr(65 + Int(Rnd * 22)) & Chr(122 - Int(Rnd * 22))
            Next SomeString
        Application.VBE.ActiveVBProject.VBComponents("SPS").CodeModule.InsertLines RndLine, "Rem " & PolyString
    Next PolyMorphic
End If
End Sub

' Processing file: /opt/analyzer/scan_staging/e2e2371f048544a7b77f6846bb670392.bin
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 1199 bytes
' Macros/VBA/SPS - 5948 bytes
' Line #0:
' 	FuncDefn (Sub SomePolymorphicSystem())
' Line #1:
' 	ArgsCall Read 0x0000 
' Line #2:
' 	LitStr 0x0003 "SPS"
' 	Ld Application 
' 	MemLd VBE 
' 	MemLd ActiveVBProject 
' 	ArgsMemLd VBComponents 0x0001 
' 	MemLd CodeModule 
' 	MemLd CountOfLines 
' 	St AktuelleZeilenAnzahl 
' Line #3:
' 	Ld AktuelleZeilenAnzahl 
' 	LitDI2 0x004C 
' 	Gt 
' 	IfBlock 
' Line #4:
' 	Ld Rnd 
' 	Ld AktuelleZeilenAnzahl 
' 	LitDI2 0x001A 
' 	Sub 
' 	Paren 
' 	Mul 
' 	FnInt 
' 	St Kleiner 
' Line #5:
' 	StartForVariable 
' 	Ld ii 
' 	EndForVariable 
' 	LitDI2 0x0001 
' 	Ld AktuelleZeilenAnzahl 
' 	For 
' Line #6:
' 	Ld ii 
' 	LitDI2 0x0001 
' 	LitStr 0x0003 "SPS"
' 	Ld Application 
' 	MemLd VBE 
' 	MemLd ActiveVBProject 
' 	ArgsMemLd VBComponents 0x0001 
' 	MemLd CodeModule 
' 	ArgsMemLd Lines 0x0002 
' 	LitDI2 0x0003 
' 	ArgsLd LBound 0x0002 
' 	LitStr 0x0003 "Rem"
' 	Eq 
' 	IfBlock 
' Line #7:
' 	Ld ii 
' 	LitStr 0x0003 "SPS"
' 	Ld Application 
' 	MemLd VBE 
' 	MemLd ActiveVBProject 
' 	ArgsMemLd VBComponents 0x0001 
' 	MemLd CodeModule 
' 	ArgsMemCall DeleteLines 0x0001 
' Line #8:
' 	Ld x 
' 	LitDI2 0x0001 
' 	Add 
' 	St x 
' Line #9:
' 	Ld x 
' 	Ld Kleiner 
' 	Eq 
' 	If 
' 	BoSImplicit 
' 	ExitFor 
' 	EndIf 
' Line #10:
' 	EndIfBlock 
' Line #11:
' 	StartForVariable 
' 	Next 
' Line #12:
' 	ElseBlock 
' Line #13:
' 	Ld Rnd 
' 	LitDI2 0x000A 
' 	Mul 
' 	FnInt 
' 	LitDI2 0x0001 
' 	Add 
' 	St PolySize 
' Line #14:
' 	StartForVariable 
' 	Ld PolyMorphic 
' 	EndForVariable 
' 	LitDI2 0x0001 
' 	Ld PolySize 
' 	For 
' Line #15:
' 	LitStr 0x0000 ""
' 	St PolyString 
' Line #16:
' 	LitStr 0x0003 "SPS"
' 	Ld Application 
' 	MemLd VBE 
' 	MemLd ActiveVBProject 
' 	ArgsMemLd VBComponents 0x0001 
' 	MemLd CodeModule 
' 	MemLd CountOfLines 
' 	St PolyLines 
' Line #17:
' 	Ld Rnd 
' 	Ld PolyLines 
' 	Mul 
' 	FnInt 
' 	LitDI2 0x0001 
' 	Add 
' 	St RndLine 
' Line #18:
' 	Ld Rnd 
' 	LitDI2 0x0027 
' 	Mul 
' 	FnInt 
' 	LitDI2 0x0001 
' 	Add 
' 	St StringSize 
' Line #19:
' 	StartForVariable 
' 	Ld SomeString 
' 	EndForVariable 
' 	LitDI2 0x0001 
' 	Ld StringSize 
' 	For 
' Line #20:
' 	Ld PolyString 
' 	LitDI2 0x0041 
' 	Ld Rnd 
' 	LitDI2 0x0016 
' 	Mul 
' 	FnInt 
' 	Add 
' 	ArgsLd Chr 0x0001 
' 	Concat 
' 	LitDI2 0x007A 
' 	Ld Rnd 
' 	LitDI2 0x0016 
' 	Mul 
' 	FnInt 
' 	Sub 
' 	ArgsLd Chr 0x0001 
' 	Concat 
' 	St PolyString 
' Line #21:
' 	StartForVariable 
'
... (truncated)

Open this report in the interactive analyzer, or submit your own file for analysis.