Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 20b5387cde46c711…

MALICIOUS

Office (OLE)

99.0 KB Created: 1997-09-17 11:18:00 Authoring application: Microsoft Word 8.0 First seen: 2012-06-14
MD5: 8c0d2a1e362cf78b924b011555e2fa5c SHA-1: 0d64511e661fdc46702c3fa8d9c56ca683a8d97a SHA-256: 20b5387cde46c7113630fd8831f41d29ff78373f45847eb3fac044978442c384
60 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

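The sample contains legacy WordBasic macro markers and VBA macros. The VBA code in 'macros.bas' is heavily obfuscated and appears to manipulate form elements and user interface behavior, but its exact malicious function is unclear due to truncation and obfuscation. No direct indicators like URLs or file paths were extracted; the only system location referenced in the preview is the HKEY_CURRENT_USER\Control Panel\desktop "Wallpaper" registry value, which the form reads to display an image. The preview shows UserForm event handlers only and contains no file, network or process operations. The legacy WordBasic markers are not covered by VBA source extraction (see the heuristic below), so they need to be reviewed separately before the document's behavior is judged from 'macros.bas' alone.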

Heuristics 2

  • Legacy WordBasic macro-virus markers high OLE_LEGACY_WORDBASIC_MACRO_VIRUS
    OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 4144 bytes
SHA-256: c11ceb97ed49ad1c896d51e92869a23805cf887187d3fb609cac14a647c7bf04
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "HaCkErS"
Attribute VB_Base = "0{D8AF4FF8-CD97-11D3-ACD9-900936D3B526}{D8AF4FE9-CD97-11D3-ACD9-900936D3B526}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False






































































































' Module-level buffer for the on-screen messages. Elements 1-4 are assigned in
' UserForm_Layout and read one character at a time by TT.
Dim Teks(4) As String
' Click handler for the form's button: shrinks the HaCkErS form step by step,
' beeping on each step, then unloads the form.
' Analyst note: UI-only behaviour; nothing here touches files, registry or network.
Private Sub CommandButton1_Click()
Do
    With HaCkErS
    ' Each pass reduces the form by 10 units of height and 15 units of width.
    .Height = .Height - 10
    .Width = .Width - 15
    ' Stop shrinking once the form is under 25 units high (no Beep on this last pass).
    If .Height < 25 Then Exit Do
    End With
    Beep
Loop
' Unloading the form fires UserForm_Terminate.
Unload Me
End Sub

' Empty event handler: clicking Image1 does nothing.
Private Sub Image1_Click()

End Sub

' Empty event handler: clicking Label2 does nothing.
Private Sub Label2_Click()

End Sub

' Runs when the form is activated and immediately starts the message animation in TT.
Private Sub UserForm_Activate()
TT
End Sub
' Animation loop for the form: types the strings in Teks(1..4) into Label1 one
' character at a time, blinks Label4, slides Label2 across, and finally shows
' the user's wallpaper image in Image1.
'
' Analyst notes:
'   - The form is disabled (HaCkErS.Enabled = False) while the messages play, so
'     the button cannot be used until the "a = 5" branch re-enables it.
'   - The only system access in this routine is a READ of the registry value
'     HKEY_CURRENT_USER\Control Panel\desktop "Wallpaper"; no write, file, shell
'     or network call appears in this routine.
'   - The loop spins with DoEvents (a busy-wait), so it consumes CPU while running.
Sub TT()
' a    : index of the message currently being typed (1..4; 5 means "finished")
' diam : True until the pause after a fully typed message has been taken
'        (presumably Malay/Indonesian for "still/silent" -- confirm)
Dim a As Byte, diam As Boolean
' tp : iteration counter, tm : time of the last tick, sel : elapsed time, i : character position
Dim tp&, tm!, sel!, i%
a = 1
diam = True
HaCkErS.Enabled = False
Do
    DoEvents
    sel = Timer - tm
    tp = tp + 1
    ' Blink Label4: every 300th iteration it takes the form's background colour...
    If tp Mod 300 = 0 Then
    Label4.ForeColor = HaCkErS.BackColor
    End If
    ' ...and every 600th iteration it is set to the system colour &H80000009,
    ' overriding the assignment above on those iterations.
    If tp Mod 600 = 0 Then
    Label4.ForeColor = &H80000009
End If
    ' One animation tick roughly every 0.1 seconds.
    If sel > 0.1 Then
        tm = Timer
        i = i + 1
        ' The fourth message is shown with font size 14 across the width of Image1.
        If a = 4 Then Label1.Font.Size = 14: Label1.Width = Image1.Width
        ' Append the next character of the current message (Mid returns "" past the end).
        Label1.Caption = Label1.Caption & Mid(Teks(a), i, 1)
        ' Beep for every character that is not a space.
        If Mid(Teks(a), i, 1) Like "[! ]" Then Beep
            ' Everything down to the matching End If runs only once the message is fully typed.
            If Len(Label1.Caption) = Len(Teks(a)) Then
                If diam Then
                    ' Hold the finished message for about one second, keeping Label4 hidden.
                    Do
                    If Timer - tm > 1 Then Exit Do
                    DoEvents
                    Label4.ForeColor = HaCkErS.BackColor
                    Loop
                    diam = False
                    ' After the last message jump straight to the final stage (GoTo, so no Return).
                    If a = 4 Then GoTo catat
                End If
            ' Slide Label2 left by 9 units per tick; when it reaches Label1's left
            ' edge, advance to the next message via the catat subroutine.
            Label2.Move Label2.Left - 9
            If Label2.Left <= Label1.Left Then GoSub catat
        End If
    End If
Loop
Exit Sub
' catat: reset state for the next message (reached by GoSub for messages 1-3
' and by GoTo after message 4).
catat:
' a is still the old index here (at most 4), so the caption is cleared on every visit.
If a <> 5 Then Label1.Caption = ""
tm = Timer
Label2.Left = Label1.Left + Label1.Width
a = a + 1
i = 0
diam = True
        ' Final stage after the fourth message: reveal Frame1 and Image1, hand
        ' control back to the user and focus the button.
        If a = 5 Then
            Label4.Visible = False
            Frame1.Visible = True
            Image1.Visible = True
            HaCkErS.Enabled = True
            CommandButton1.SetFocus
            ' System.PrivateProfileString with an empty file name reads a registry
            ' value; this loads the picture at the current user's wallpaper path.
            ' LoadPicture may raise an error if the value is empty or not a
            ' supported image -- no error handler is present in this routine.
            Image1.Picture = LoadPicture(System.PrivateProfileString("", _
            "HKEY_CURRENT_USER\Control Panel\desktop", "Wallpaper"))
            Exit Sub
        End If
' Only reached when catat was entered through GoSub.
Return
End Sub
' Layout handler: prepares every caption shown by the form.
' It picks a label from the current hour, fills the Teks() message buffer and
' sets the Label3/Label4 captions.
'
' Analyst notes:
'   - The strings appear to be Malay/Indonesian taunts (translation not verified).
'     Teks(2) appears to announce formatting of the hard disk, but no disk, file
'     or shell operation is present in this routine or elsewhere in the preview;
'     treat the text as a claim, not as observed behaviour.
'   - "eLiTe '99" and the mixed-case strings are usable as static signature
'     material for this macro family.
Private Sub UserForm_Layout()
' waktu : current hour (0-23); ShOLaT : name chosen from that hour
' (the names look like the daily prayer times -- confirm)
Dim waktu%, ShOLaT$
waktu = Val(Format(Time, "hh"))
Select Case waktu
Case 12 To 14
ShOLaT = "ZOHOR"
Case 15 To 17
ShOLaT = "ASHAR"
Case 18 To 18
ShOLaT = "MAGHRIB"
Case 19 To 23
ShOLaT = "ISYAK"
Case 0 To 2
ShOLaT = "ISYA"
Case 5 To 5
ShOLaT = "SUBUH"
' Hours 3, 4 and 6-11 match no case: Label4 is hidden and ShOLaT stays empty.
Case Else
Label4.Visible = False
End Select

' Messages typed out by TT, in order.
Teks(1) = "hAi sAlaM PeRkeNaLaN DaRi eLiTe! ThE YoUnG 22 HaCkErS ..tULaH SuKa SaNgAt TenGoK CD bIrU..!"
Teks(2) = "iNgAt BiNaTaNg iNi ApO hA...!? ViReX lAh nOgOk!!! kA..Ka..kA...SeKaRaNg SaYa NaK FoRmAt HD U...!!"
Teks(3) = "Buat aWeK 'SINGLE' yang merasa dirinya CuTe & Manis.., Salam dari eLiTe..!"
Teks(4) = "hA..nAk TeNgOk FiLeM BlUe LaGi kE!..pAdAm MuKa HanG!!!..."
' Park Label2 at the right edge of Label1, the start position for its slide in TT.
Label2.Left = Label1.Left + Label1.Width
' Credit line; Application.UserName inserts the Word user name of the current
' user into the displayed text (display only, no transmission visible here).
Label3.Caption = "By : eLiTe '99" & Chr(13) & Chr(13) & "Thanks to : " & Chr(13) & Application.UserName
Label4.Caption = "Anda Sudah ShoLat " & ShOLaT & "!"
End Sub
' Runs when the form is terminated: sounds the system beep 100 times.
' Analyst note: nuisance behaviour only; no persistence or cleanup code is present here.
Private Sub UserForm_Terminate()
    Dim i As Integer
    For i = 1 To 100
        Beep
    Next
End Sub

Attribute VB_Name = "eLiTeFoRm"
Attribute VB_Base = "0{D8AF4FFE-CD97-11D3-ACD9-900936D3B526}{D8AF4FF2-CD97-11D3-ACD9-900936D3B526}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False